January 2009, It's 10:00 - Know where your data is?

It's 10 o'clock. Know where your data is?

Wed, Nov 19, 2008

When we innovate we are caught up in the excitement of creation. We are urged by investors, stakeholders and management to bring our innovations to market as soon as possible. Time is of the essence; if we don't bring the innovation to market, someone else will. In the frenzy, we cut corners. We don't cross all the t's and we don't dot all the i's. This is natural and, actually, fine. Our "version 1" will not be perfect, but it will get the job done and we'll have time to make it better in "version 2".

The key to making this work is to know which corners can be cut and which cannot. In the past, many have treated security and privacy as an area where corners can be cut: innovation and functionality came first, and once things worked we would invest in security. This is no longer possible. Today's cyber risks are too many, and telecoms are so tightly regulated that they cannot afford to be perceived as negligent.

According to a US Treasury advisor, at the end of 2005 global cybercrime turned over more money than drug trafficking. Valerie McNiven, an advisor to the US government on cybercrime, claimed that corporate espionage, child pornography, stock manipulation, phishing fraud and copyright offenses caused more financial harm than the trade in illegal narcotics such as heroin and cocaine.

"Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $105bn," McNiven told Reuters. "Cybercrime is moving at such a high speed that law enforcement cannot catch up with it." In fact, multiple sources confirm that the cybercrime world is thriving and is the largest illegal revenue-earning industry today. And while there are certainly law enforcement agencies devoted to combating cybercrime (maybe not as developed as the Drug Enforcement Agency (DEA) and its counterparts in other countries), this is a much harder battle to fight because it is everywhere and nowhere. It is more lucrative to "run data" than it is to "run drugs", and it is safer.

Furthermore, the global cost of identity theft is putting a huge strain on the economy. According to the Federal Trade Commission, the cost of identity theft in 2004 reached $50 billion annually (http://www.fdic.gov/consumers/consumer/idtheftstudy/identity_theft.pdf). Estimates from the Australian Centre for Policing Research place the cost of identity theft at $3 billion each year during 2001-2002 (http://www.acpr.gov.au/research_idcrime.asp). These numbers are obviously much higher today, and this is a global problem that impacts all geographies.

And so, if we are going to innovate and create new offerings for the new world, let's do it responsibly. Let's make sure we understand the risks, and let's build offerings that address security and privacy concerns. Let's make sure we can measure the risk and that we can prove compliance with regulations and requirements, and let's do it before the auditors come, not after they show up and threaten to shut us down. At the end of the day, beyond the need to do the right thing, it will also be far less expensive if we address security and privacy up front and build them into our offerings.

This is the topic of this column. In each issue I'll look at issues involving security and GRC (Governance, Risk and Compliance) as they pertain to new telecom, media or computing technologies. I'm not claiming to have all the answers. Some of these new technologies pose a great challenge to security researchers and practitioners alike, but understanding the problem is half the journey toward the solution. So let's innovate, but let's do it safely so that we don't end up regretting our creations.

By Dr. Ron

Dr. Ron

Dr. Ron Ben-Natan is one of the world's foremost experts on information Governance, Risk Management, and Compliance (GRC), secure application delivery, portals, and data security. He has more than 25 years of experience developing and implementing distributed systems and security technologies. Ron is currently Chief Technical Officer at Guardium, the leader in database security and auditing, where he has built the most widely deployed database GRC platform within telcos. He has been involved in numerous security and GRC implementations across both BSS and OSS.

Prior to Guardium, he worked for companies such as Merrill Lynch, J.P. Morgan, Intel and AT&T Bell Laboratories. Ron has been named an IBM GOLD consultant, a level that is currently held by fewer than 75 people worldwide. He has authored and co-authored 11 technical books including "Implementing Database Security and Auditing", "How To Secure and Audit Oracle 10g and 11g", "Mastering IBM WebSphere Portal", and "Integrating Service Level Agreements: Optimizing your OSS for SLA Delivery". Ron frequently speaks at database and security seminars.