I went along to an evening lecture at LSE in London several weeks ago, entitled: “What have you got to hide?” The topic was that of cyber-security, and particularly the legal basis of this subject, following the recent Edward Snowden and NSA data leaks. With an excellent speaker panel, the talk was really engaging – questioning to what extent the state should be allowed to infringe upon personal data privacy for the purpose of preventing damaging actions by unscrupulous individuals.
The legal context to this topic is relevant and immediate, but the most obvious underlying theme was the impact that technology and mass production of personal data has for a legal system that is based on sometimes-antiquated laws which are trying to keep pace with technology developments.
In a post on the “Pragmatic Cyber Security” Capgemini blog, “Better to live in interesting times,” Lee Newcombe, Chief Information Risk Advisor at Capgemini UK, describes the rationale behind security policies, and most notably, the importance of strategy – questioning the efficacy of targeting protection against national security-type information monitoring, rather than concentrating defences against more threatening and targeted malicious attacks.
In Lee’s words: “am I saying that I agree that the intelligence agencies should have carte blanche access to all data? No. I’m just saying that the impact of such access on most data owners is minimal and so there is little point in investing time, effort or cash in trying to prevent such access.”
I contacted Lee during researching this blog article, and he had the following to add:
“Given more recent information disclosures, e.g. the release of the NSA ANT Catalogue of exploits and implants available to the NSA’s Tailored Access Operations (TAO), the futility of attempting to prevent any access by nation state actors is further revealed. If you are genuinely of interest to the NSA then you highly unlikely to be able to prevent them achieving their goals – particularly when you consider the possibility of hacking the human as well as the technology.”
An interesting angle to take on the topic – and one which may not sit comfortably with all readers.
This has implications for the field of security; in a general context but also in the enterprise setting. To this effect, Lee has also been writing recently on the subject of enterprise cloud security, in particular the implications for cloud hosting options.
In his opinion article for Computer Weekly, entitled “A pragmatic and practical guide to secure hybrid clouds,” Lee describes the implications of private, public and hybrid cloud hosting platforms – the benefits, limitations and risks inherent in each model. The impact upon flexibility, information privacy requirements, and contractual and commercial implications are all addressed. Lee emphasises the importance of an “upfront investment in security architecture”, which “enables you to support your business stakeholders to adopt cloud services, rather than frustrate their desire for agile, flexible, service provision.”
This article is important reading material for anyone looking to get a useful insight into the security implications of cloud hosting.
I was also fortunate to attend an evening talk by Lee several months ago, as part of the IISP series, in which he described these points in greater detail. Between giving such talks and writing these blogs, he is disseminating the cyber-security agenda to a non-subject matter expert audience; an important exercise, as this topic is not confined to the realm of those working in the field, but to everyone who places personal or professional data online.
For those wishing to hear more about the subject, Lee will be speaking at Cloud Expo Europe this Wednesday 26th February at the London ExCel arena, making a presentation entitled ‘Cloud Security; Theory, meet Practice’ which will expand upon the nation-state actor angle of security mentioned earlier. He will also be chairing a panel at the same event, titled: “Security and encryption – is this the silver lining for the cloud, or the poisoned chalice?” Tickets are available from the Cloud Expo website.