ISF congress post 4: Keynote session: The view from the advisory board

This was a panel discussion session, so it flowed around quite a bit and wasn’t always focussed. The notes below cover most of the main points that were discussed:

Focus no longer on China.

Focus more on what enterprises can do to protect data and work with their customers securely.

The Snowden affair and global information security / assurance – living in a globally surveilled world.


I’ve been following the Snowden debacle in the news:

  • Is this something we need to pay attention to?
  • Tell me three key actions we need to take.


  • The US claims the ‘right’ to monitor all network traffic that passes through it or through US companies when it originates from ‘foreigners’.  That doesn’t sound too bad until you realise we are nearly all foreigners (around 97% of the global population isn’t American!).  This has huge ramifications.
  • Snowden affair – nearly all the leaks from this have been of ‘Top Secret’ classification; this hardly ever happens, as most leaks are of much lower classification.
  • However – remember that just because we are looking at the NSA, China has not gone away.  Remembering this is critical to your security posture.
  • Everything is stored forever!  Whether by the NSA, Google or another email / search service, all your emails etc. are likely stored forever, and probably in several places.
  • On the opposite side, many industries are rightly moving to more openness and to sharing data with more people, and the right people.
  • Other nations are likely better than the US at sharing the findings of their industrial espionage with national companies – the French and Japanese are apparently very good at sharing espionage data with companies based in those countries.  NSA surveillance may be pervasive, but there are questions about how much it shares.  Board members and CEOs need to be aware that this espionage is a reality.
  • Supply chain security is a key factor to consider.
  • Emerging economies have a huge security impact – what they are doing with us, and how we interact and integrate with them.
  • International treaties governing how intelligence agencies operate abroad and monitor each other are needed and are being worked on.  In democratic countries at least – no comment on what is happening in dictatorships such as Russia and China.
  • Outsourcing data to third parties for processing etc. has been going on for years, for example through the use of mainframes.  Cloud services are not a new concept; however, the accessibility of these services to many people, and the accessibility of the data in them, has been a dramatic change.
  • Encrypting data when you own the process end to end can ensure data is securely stored.  It doesn’t really help with processing in the cloud, where the data must be decrypted to be worked on.
  • Who reads the full terms and conditions of the services they use?  How much security and privacy are we inadvertently giving up?
  • We must not confuse Security and Privacy – these are different things.



The internet is a global platform – do you think it will become more balkanised?

  • It was set up by the military, and now they want it back 😉
  • It is already balkanised on many layers – who makes the kit it runs on? Which governments have access to the data, or any controls over the data flows?
  • Governments ignored the internet for years; now they all want some control over it, and government agencies all want to monitor and spy on the data on the internet.
    • There is a ‘war’ over who controls the internet occurring right now.
  • The internet and technology are changing very fast, and nations / governments are struggling to keep up.



Cloud – is it new or isn’t it?

  • Yes and no.
    • The concept of sharing compute resource, and allowing users or companies access to compute resource they couldn’t otherwise afford, is not new.
    • The concept of data being anywhere / everywhere, with access to cloud compute and storage from anywhere, is new and is the game changer that cloud is advertised to be.
      • Creates many issues
        • Where is your data?
        • Who controls your data?
        • What about international interception / access laws and capabilities?
    • Cost and scale benefits are driving use in many businesses.
      • How do you best secure this use case?
      • How do you ensure only the right ‘stuff’ gets into the cloud?
      • Do you have the right policies in place?
      • Do you have the right knowledge and skill sets for secure cloud use?
      • Vet staff and people in key positions both in your business and the cloud provider.
      • Encrypt your data – this is true, but I have serious issues with this one depending on what sort of processing is required, since data generally has to be in the clear to be processed.  Can tokenisation or homomorphic encryption be leveraged?  What other ways do you have to mitigate the risk of data being unencrypted for processing?
    • Cloud is an innovator – it gives businesses more opportunities, and also gives us a new area to learn to secure.
    • Be proactive – be ready for the cloud; go to the business rather than waiting for them to come to you.
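The two points above about encryption not helping with processing in the cloud, and tokenisation as one way around that, are easier to reason about with a concrete model. The example below is added here and is not from the post or the panel; it is a small Python illustration, with constructed sample customer records, of the tokenisation pattern: sensitive fields are swapped for random tokens by a vault that stays on-premise, the tokenised records are sent to a simulated cloud job that aggregates spend per customer without ever seeing identities, and the result is mapped back to real customers locally. The field names, record layout and the `TokenVault` class are all assumptions made for the illustration.

```python
import secrets
from collections import defaultdict

# Constructed sample data for the illustration (not real customers).
CUSTOMER_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.org", "country": "GB", "spend_pence": 12050},
    {"customer_id": "C-1002", "email": "bob@example.org",   "country": "GB", "spend_pence": 8000},
    {"customer_id": "C-1001", "email": "alice@example.org", "country": "GB", "spend_pence": 3025},
    {"customer_id": "C-1003", "email": "carol@example.org", "country": "FR", "spend_pence": 20000},
]

# Fields that must never leave the premises in the clear (assumed for the example).
SENSITIVE_FIELDS = ("customer_id", "email")


class TokenVault:
    """On-premise mapping between real values and random tokens.

    Tokens are random, not derived from the value, so a token reveals nothing
    about the original on its own.  The mapping is deterministic per value so
    that grouping and joins on the tokenised field still work in the cloud.
    Caveat: deterministic tokens preserve equality, so a cloud observer can
    still see frequency patterns (e.g. which token appears most often).
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        if value not in self._value_to_token:
            token = "tok_" + secrets.token_hex(8)
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return self._value_to_token[value]

    def detokenize(self, token):
        return self._token_to_value[token]

    def known_values(self):
        return set(self._value_to_token)


def tokenize_records(records, vault, fields=SENSITIVE_FIELDS):
    """Return copies of the records with each sensitive field replaced by its token."""
    out = []
    for rec in records:
        safe = dict(rec)
        for name in fields:
            safe[name] = vault.tokenize(rec[name])
        out.append(safe)
    return out


def cloud_total_spend_by_customer(tokenised_records):
    """Simulated cloud-side job: sums spend per customer token.

    It needs to group on customer_id but never needs the real identity,
    so it can run entirely on tokenised data.
    """
    totals = defaultdict(int)
    for rec in tokenised_records:
        totals[rec["customer_id"]] += rec["spend_pence"]
    return dict(totals)


def detokenize_report(report, vault):
    """Map the cloud job's per-token totals back to real customer ids, on-premise."""
    return {vault.detokenize(token): total for token, total in report.items()}


def leaked_values(payload_records, vault):
    """Defensive check before upload: any real sensitive value still present in the payload."""
    secrets_to_check = vault.known_values()
    leaked = set()
    for rec in payload_records:
        for v in rec.values():
            if v in secrets_to_check:
                leaked.add(v)
    return leaked


if __name__ == "__main__":
    vault = TokenVault()
    payload = tokenize_records(CUSTOMER_RECORDS, vault)
    assert not leaked_values(payload, vault), "refusing to upload: sensitive value in payload"
    report = cloud_total_spend_by_customer(payload)   # runs "in the cloud"
    print(detokenize_report(report, vault))           # mapped back on-premise
```

The point to take from running it is where the trust boundary sits: the vault and the detokenisation step never leave the premises, and the cloud only ever receives tokens plus the non-sensitive fields the job actually needs. Whether this is enough depends on the processing: aggregation and grouping work on tokens, but anything that must interpret the real value (validating an email address, say) still needs the data in the clear somewhere you control, which is the gap the panel was pointing at.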