Phew... The last month was absolutely hectic, with all those conferences falling within the same short period of time! With all that, I was privileged enough to have been asked to speak at both Internet World and Infosecurity Europe. Two very different experiences... Whilst it is expected to be talking about security at an infosec conference, it is always welcome to be asked to present about security matters at an event with a different focus - in this instance, everything digital... (see my previous post on the subject). It was nevertheless surprising, walking the show floor at Internet World, talking to vendors and poring over the agendas in the various theatres, how little security featured. With everything about the show related to "cyber", not many had made the obvious leap to "cybercrime"... So, on the way to our Devil's Tower, our quest is still to find our Curwen hand signs to communicate with the third (party) kind...
Let's not forget: the excellent DataLossDB.org keeps highlighting that 100% of breaches involve third parties... This year, the trend is even more worrying as 2012 is already showing an increase of 58% in the number of data breaches compared to the same period last year. So, if the third parties themselves, in the main, have not realised how important security is to their business, what chance do their customers - individuals and businesses alike - have?
One little test...
This is easily verified, and as I will not point the finger at anyone, just randomly pick a web host, shopping cart or CRM solution and look at their product brochure. Where and how does security feature? If it features, is there enough detail (e.g. accreditations you recognise - and I don't mean self-assessment... or a specific section related to security)? When faced with a purchasing decision, do you know where to turn? I suspect not...
I started discussing this topic in an earlier post, and this eventually led to further posts on the security implications of cloud computing (part 1 and part 2); you may also find these of interest. The angle I'd like to explore in this post is how we can better reach out to the third parties themselves...
The differentiation...
There are numerous third parties and cloud providers around. A few have already achieved a dominant position, but this recent article highlighted that "others have opportunities to get into the act by offering more security and protection". So here you are: for third parties, security can be a unique selling proposition, and some already use this to great advantage.
In the payments world (I know a bit about that...), it used to be a simple model, where you had a card holder, using a card issued by an issuing bank, purchasing goods at a merchant who processes the payment via an acquiring bank who bills and settles via the card schemes who link back to the issuing bank, and hey presto, goods are purchased, money changes hands and all is well... In those days, the third parties were easy to recognise as they were essentially payment service providers directly involved with the business of processing payments. With the rise of e-commerce, mobile services and cloud computing, the model is now far more complex:
See what I mean, everything in amber above is in scope... If we stop for a minute and consider that in 2011:
- 91% of breaches occurred where the assets were owned by the breached entity
- 46% of breaches occurred where the assets were managed by a third party
- 23% of breaches occurred where the assets were hosted by a third party
So, if you are one of the organisations providing services in the amber boxes (e.g. web hosts, digital agencies), you are about to be under a lot of pressure (and not just from the new EU data privacy laws)...
And if you are in any doubt, see this...
If you are a merchant and you use those services, make sure they are listed on the following lists as a first step in assessing the security posture of these suppliers:
http://www.visaeurope.com/en/businesses__retailers/payment_security/service_providers.aspx
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
https://www.visamerchantagents.com/about-merchant-list (NEW)
If you are not a merchant and you use third parties, it is still a good idea to check whether or not these are listed above. After all, payment security is information security by another name...
Until next time...
Banks are based on trust. Trusted by their customers. As we see in this emerging internet world, transactions between customers, banks and merchants are rapidly changing. The links between various parties are expanding and so is visibility (or no visibility at all due to electronic payment). Question is who becomes the trusted person. Is trust shifting from the bank towards the merchant or the customer? Who's got to check the check? Man in the middle?
Yes Rob, that is a good question! Everyone in the value chain must become a trusted party, which means everyone must take their security responsibilities seriously...
Trusted Computing creates a safer computing environment: identify the device before identifying the users. THIS IS Security by Design. Miss Neira, does this make sense? I am working @wave and meeting large financial organizations, and Trusted Computing is becoming a key for security. Benefits include: Protect Business Critical Data and Systems; Secure Authentication and Strong Protection of User IDs; Establish Strong Machine Identity and Integrity; Ensure Regulatory Compliance with Hardware-Based Security; Reduce Total Cost of Ownership Through "Built In" Protection. I am a follower @belkacemo