We all have a vested interest in how companies handle data and data privacy, regardless of the environment: cloud, mobile (laptops, cell phones), private data center, or any combination of the above. Companies have a vested interest in keeping their customers' data private and clear of distortion or error. Consumers and people in social networks also have a vested interest in making sure that the data they share is not abused or misused.
The clear and present problem is that while there are data privacy standards, data privacy laws, and sanctions governing how data is to be protected, all of these have in many ways failed because of the human implementation of security and security practices. Even something as simple as Google Voice has a major security flaw that allows a hacker to listen to any Google Voice exchange that was recorded, without a password, without a login, without authentication of any kind. Just use a simple Google search, and the wealth of private personal information is yours to listen to, archive, and use.
We have seen far too many instances of hacking activity or general carelessness on the part of people at all levels of an organization that take out companies like TJX, or breaches being reported by OSF Data Loss DB. Every day thousands of people have their data and identities lost because of carelessness, improper controls, or security people or regular old employees not doing the jobs they are entrusted with. Every day, every week, and every year millions of people are impacted by poor security practices across the organization. Cloud computing adds to the complexity of the situation, but there is no reason why data in the cloud cannot be as secure as data anywhere else when it is at rest. We have laws to control who has access to data at rest; we still do not implement them well.
Keeping customer data safe is a primary consideration of companies who use data in any form. What should companies be doing to make sure it is protected? First and foremost, they should be carefully evaluating the security posture of their companies, including people who take customer data home on laptops or other walk-out-the-door systems like USB keys, portable hard drives, DVDs and CD-ROMs, Google Mail, social networks, and any other way that data can be transferred.
The problem is that, with the cutbacks in IT and IT personnel at some of the companies I have visited and talked to lately, there are not enough people to monitor or maintain the networks, backups and other IT security functions (including audit) to do the job that must be done. IT security and audit can be a labor-intensive job when something is going on, or when a data breach is suspected. Recent problems with disaster recovery at Microsoft between Bing and Sidekick show that controls are slacking at major corporations; recent break-ins to state liquor networks show that break-ins are happening in governmental systems; reports that NASA is too easy to break into show that the same thing is happening at the federal level. TJX was simply the tip of the iceberg, and we are now seeing how large a problem this is for companies at all levels and of all sizes.
I will be attending an Industry Expert Panel Discussion on Data Privacy at Secure World Expo in Bellevue as a panel member to discuss this issue. There are no clean answers: we have cut our staffs to the bone, we no longer have budget to support new staff, company employees are rarely trained on a routine basis on data protection, and management is worried about numbers and often approaches the idea of information security as something they must do, but dollars do not flow to the right people, or budget is taken for some other high-priority project.
I invite you to attend this free panel discussion. We will be talking about how to define private confidential data, regulations, social media, the intersection of people and technology, mobile storage and mobile communications. This will be a very interesting panel discussion about where we think we are going, and what obviously needs to be addressed.
(Cross-posted @ TechWag)