Archive for April, 2011


Cellphone Companies Defend Privacy Practices

April 29, 2011

U.S. lawmakers called for closer scrutiny of developers that make software for mobile phones, after wireless carriers highlighted them as a weak spot in keeping smartphone users’ locations private.

The concerns were expressed in a letter released Thursday by Rep. Joe Barton (R., Texas) and Rep. Edward Markey (D., Mass) after the lawmakers asked the four main U.S. wireless carriers to explain their policies for collecting and storing location data.

The carriers—AT&T Inc., Verizon Wireless, Sprint Nextel Corp. and T-Mobile USA—said they seek subscribers’ consent before tracking their location, but said they can’t control how applications developed by third parties use location information that the carriers don’t provide.



Privacy is consumers’ top mobile app concern: survey

April 28, 2011

Privacy is consumers’ top concern when using mobile applications, according to a survey by online security firm TRUSTe released April 27. Nearly four in 10 consumers (38%) identified privacy as their top concern, and more than half (56%) said the issue is one of their foremost concerns, according to the online survey of 1,000 consumers conducted in February by research company Harris Interactive.

Privacy is an important issue for consumers because of the personal information that mobile devices hold, such as contact lists and emails, said Fran Maier, president and executive chair of the board at TRUSTe. She added that 85% of consumers restrict the information they share through their mobile phones, with “more than half” unwilling to share their location, address, date of birth, phone number and browsing history.

More than half (52%) of consumers said they have read an app’s privacy policy, according to the study. Nearly three in four consumers (74%) expressed dislike of advertiser tracking, and 85% said they want the ability to opt-in and opt-out of targeted mobile ads.



Security still top concern with cloud, despite Amazon outage

April 27, 2011

Despite the heightened focus on cloud availability and uptime caused by Amazon’s prolonged service outage last week, security will likely remain the bigger long-term concern for enterprises, analysts say.

Amazon last week blamed undisclosed server problems for a partial service outage that either crippled or knocked offline hundreds of sites, including several major ones. The problems began last Thursday and dragged on for more than two days, causing considerable frustration for some customers of Amazon’s cloud services.

Though the company appears to have fixed most problems, it was still working on addressing a few unresolved ones as of Monday morning. “Obviously these issues are very heightened right now and will continue to be so for quite a while, in light of the outage,” said Kyle Hilgendorf, a cloud computing analyst at Gartner.

“Amazon portrays an aura of invincibility, whether intentional or not, and this outage is going to remind enterprise customers that nobody is perfect and increased due diligence is required,” he said.

Enterprises should be concerned about performance in the cloud, but not any more so than they should be concerned about reliability and performance in other data center or traditional hosting environments, Hilgendorf said.

Security is really the more pressing concern, he added. “I still consider it to be the bigger, long-term concern,” Hilgendorf said. “Enterprises I speak to are more concerned about security than they are about availability, reliability or performance.”

In most cases, cloud security concerns are related to issues such as the accidental release of protected data, user authentication and access control, and the level of access that a cloud provider might have to an enterprise’s systems and data.



Gartner: Seven cloud-computing security risks

April 26, 2011

Cloud computing is fraught with security risks, according to analyst firm Gartner. Smart customers will ask tough questions and consider getting a security assessment from a neutral third party before committing to a cloud vendor, Gartner says in a June report titled “Assessing the Security Risks of Cloud Computing.”

Cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing,” Gartner says.

Amazon’s EC2 service and Google’s Google App Engine are examples of cloud computing, which Gartner defines as a type of computing in which “massively scalable IT-enabled capabilities are delivered ‘as a service’ to external customers using Internet technologies.”

Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that’s been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.

Here are seven of the specific security issues Gartner says customers should raise with vendors before selecting a cloud vendor.
1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the “physical, logical and personnel controls” IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. “Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access,” Gartner says.
2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are “signaling that customers can only use them for the most trivial functions,” according to Gartner.
3. Data location. When you use the cloud, you probably won’t know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.
4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn’t a cure-all. “Find out what is done to segregate data at rest,” Gartner advises. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. “Encryption accidents can make data totally unusable, and even normal encryption can complicate availability,” Gartner says.
5. Recovery. Even if you don’t know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. “Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure,” Gartner says. Ask your provider if it has “the ability to do a complete restoration, and how long it will take.”
6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. “Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.”
7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. “Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application,” Gartner states.



Cloud computing ‘explodes’ the security perimeter

April 25, 2011

Cloud computing makes the argument for protecting data, rather than the perimeter, stronger, according to encryption solutions provider SafeNet.

This is just one of the issues that the cloud computing trend poses for IT professionals, who, according to a recent report from Accenture and the London School of Economics and Political Science’s Outsourcing Unit, are still on the whole unconvinced by the cloud, due to security and privacy concerns.

Dr Rob Elliss, regional VP of sales, Northern Europe, at SafeNet, said: “You can’t protect the perimeter. When it [the data] is created, at rest, in transit, the data has to be protected. The cloud merely explodes the perimeter beyond your own data centre.”

But the ‘explosion’ of the perimeter makes it challenging for IT in other ways too.

According to security management software provider NetIQ, IT security teams, particularly those in the financial sector, are increasingly required by the business to produce reports on the risks of the organisation. This may be for regulatory or compliance reasons, for example.

“The business demands to understand the security posture of the business. Security is under pressure to deliver reports to the business,” said Jorn Dierks, chief security strategist EMEA at NetIQ.

These reports would now need to extend to incorporate the security risk of the cloud services, particularly if an organisation’s data is in a public or hybrid cloud provider’s service.

“Organisations are very aware of the cost savings of migrating data into the cloud, but the main inhibitor is security, because you are placing it into somebody else’s governance,” Elliss added.

Meanwhile, token-less authentication software provider GrIDsure said that cloud service providers are exploring ways of securing their services in a simple, cost-effective way, in line with the benefits of the cloud computing model.

“A lot of cloud and managed services people are talking to us at the moment. [They want] to offer a service that is secure, to make sure that the right person is logging on to use the service.

“They are looking for something that is very easy to use, so that the support requirements are low, and scalable.”



10 Security Standards Cloud Providers Should Care About

April 23, 2011

1. SAS70
3. Sarbanes-Oxley
4. ISO 27001
5. Safe Harbor
10. Data Protection Directive



Germany says wants clarity on iPhone data storage

April 22, 2011

Apple Inc must clear up “a string of open questions” about user data stored by its iPhone, iPad, and other devices, a spokesman for Germany’s consumer protection ministry said on Thursday.

The call follows a similar request made by U.S. Senator Al Franken on Wednesday, which cited a report by security researchers alleging the company’s iOS4 operating system secretly compiled customers’ location data in a hidden file.

“Apple must reveal where, for how long, and for what purpose the data is saved, who has access to it, and how it is protecting against unauthorized access,” ministry spokesman Holger Eichele said.

“The secret collection and storage of a smart phone’s location data would be a major invasion of privacy,” he added.

Germany has particularly strong data protection laws, and companies such as social networking site Facebook and search engine Google have faced challenges here from regulators.
