Wednesday, December 28, 2011
Thursday, December 15, 2011
Monday, November 21, 2011
I used the example of Stanford Health Clinic that transferred patient information to a collection agency only to have it posted to a public site on the Internet, a gross and egregious violation of the privacy of their patients.
I left you with the idea that our professionall objective is to arrive at a state in which all parties understand their roles and responsibilities and carry them out in such way as to produce the intended results.
I had decided to elaborate on that advice this week. I came up with a list of policy, technical, and legal guidance for use with out sourcing.
I was going to suggest that enterprises should have a policy that spells out its risk tolerance in general and in regard to the use of outside sources in particular. It might specify which data and applications could be outsourced and which could not. For example, it might specify that the enterprise's intellectual property and personal information should not be outsourced. It might also specify insurance coverage for any risk that exceeds the specified tolerance.
I planned to say that agreements should enumerate the laws, regulations, and contracts to which the parties are subject and all standards that they had adopted. They should also spell out any limitations such as the requirement to disclose information in response to legal service.
I was going to suggest that enterprises should prefer to do business with vendors that were part of such organizations as the Cloud Security Alliance and the Cloud Auditing Data Federation Working Group (CADF). I would have suggested that using enterprises might want to participate in the Cloud Standards Customer Council.
I would have stressed that your contract should provide for audit or for a service auditor report, I would have cautioned you about the limitations of service auditor reports, for example, that they are limited to controls asserted by the auditee and that they are as of the time of the audit.
I had planned to suggest that agreements should be service by service and application by application.
I intended to suggest that agreements should enumerate all existing controls, who is to operate them, and under what conditions. That the agreements should spell out the intended use of the controls as well as what record the use of the controls would produce. Examples of such controls include, Identification, authentication, access control, encryption, administration, provisioning, confirmations, messages, alerts, alarms, measurements, and reports.
I would have emphasized the importance of provisioning controls in The Cloud and pointed out that compromise of those controls might enable others to use services and charge them to you. I had even planned to stress that all use of such controls result in automatic out of band confirmations. I would have given a caution about error-correction and vendor over-ride controls.
Fortunately, while doing my research, and before I had embarrassed myself with all of this irrelevant advice, I came across a report in the New York Times by KEVIN SACK Published: October 5, 2011. Here is part of what I learned.
First, there was no evil here, no recklessness, not even gross negligence, just bad judgment all around. To the extent that there was any motive, it was efficiency, just getting the job done. No greed, no lust, not even sloth.
Stanford Hospital and Clinics (SHC) is a 600 bed general hospital. It is not Kaiser-Permanente or UPMC but it is a major enterprise in its community.
Multi Specialties Collection Service (MSCS) is a collection agency for medical services in the same market as SHC. It bills about $0.5M per year and employees 5-10 people. One might call the relationship asymmetric, one-sided.
The identity and role of the sender of the information is not public, but should have required significant management discretion and rare privileges to access and send it.
The receiver of the information was a contractor to MSCS. He often represented himself as an officer of MSCS and had an MSCS e-mail address. Been there, done that. He decrypted the data, put it in a spread sheet, and, among other things, gave it to an applicant for a job with him.
While SHC says the information was for "permissible hospital billing support purposes," the consultant says that it was for a "study." In any case, the information was not passed in the normal course of "collections," the service. I believe that both the sending and receiving of the information probably was outside the agreement between SHC and MSCS.
The actual posting to the public web-site, StudentofFortune.com, was by a job applicant to the consultant. He had given the applicant the spreadsheet to convert it to charts and graphics as a test of skill
Second, none of the policy, technical, or legal measures that I wanted to recommend would have prevented the breach. If asked in advance, management might well have accepted the risk that so many controls and people would fail at once, However, SHC is now the target of a $20M class action law suit and will almost certainly be penalized by the regulators. MSCS has lost a major client, has closed its web site, and is not answering its phone.
I am not sure that the penalties fit the crime but they sure are getting our attention However, to the extent that the breach impedes the urgent move to electronic health records, or even the efficient use of cloud resources, perhaps they are proportional.
I like to think that my lists above are useful, if not necessary, but they are clearly not sufficient or even the place to start. No, we are back to management and security 101. There is no substitute for training and supervision.
"Outsourcing" makes this even more important. Note that StudentofFortune.com is typical of free or low-cost collaboration "cloud services" that help our employees get their jobs done and are within the discretion of most of our employees. We are going through a major change in how we organize production and resources. It is being driven by the falling cost of information technology. As this new model matures we need to evolve a culture of personal due care, one in which people automatically ask "should I do it" rather than simply "Is it efficient?" A culture in which people automatically consult with others before they act, a culture of caution.
Security must start with our most effective controls, training and supervision. We should focus on or use our other tools only to the extent that they are more efficient. Then we will be called professionals and be paid the big bucks.
Thursday, November 17, 2011
Wednesday, November 2, 2011
Tuesday, October 25, 2011
Because there is only a vanishingly small chance that two samples of a biometric will be identical, any sample that matches one previously submitted could be thrown out as a possible replay.
Wednesday, October 12, 2011
On September 30, 2011, SANS Institute NewsBites reported the following story:
--European Union to Introduce Liability Rules for Cloud Vendors (September 28 & 29, 2011) The European Union (EU) plans to introduce the "Binding Safe Processor Rules," which would hold vendors of cloud services in the EU liable for data security breaches. Vendors would sign up for what amounts to an accreditation. Consumers are likely to feel safer doing business with a company that is willing to stand behind its services. The rules are an update to the Data Protection Directive. The companies will be required to demonstrate their compliance with certain data protection standards for approval under the rules. Current law holds data owners responsible for data loss.
They cited two sources, SC Magazine and V3.co.UK, The Frontline.
The NewsBites editor added the following comment by me.
[Editor's Note (Murray): The devil is in the details and the rules may be helpful. However, the idea that one can transfer the responsibility for protecting the data from the owner to the custodian by fiat, or any other way, is absurd on its face. The decisions about protecting the data cannot be separated from the decisions about collecting it and using it.]
While I confess I misread the details, they are where the devil is hiding. It turns out that this rule is nothing like it sounds either in its name or in this report. Instead it was sought by Amazon, Google, and others to say that EU enterprises may rely for security of their data upon service providers that are certified by an EU country as complying with these rules and without regard to location. It is a response, in part, to the fact that Europeans will not do business with US service providers because they are subject to the USA Patriot Act. They are concerned that they would be accused of improper reliance. The EU has never been happy with the idea of data on Europeans being stored in the US.
This week NewsBites reported this story:
--Stanford Hospital Pins Breach Responsibility on Third-Party Billing Contractor (October 6, 2011) Stanford Hospital & Clinics says that a data security breach that compromised the personal information of 20,000 patients is the fault of a third-party contractor. One of the patients filed a US $20 million lawsuit against Stanford following the breach disclosure last month. The data were exposed because a spreadsheet handled by a billing contractor somehow was posted to a student homework help website. The compromised information includes names, diagnosis codes and admission and discharge dates.
Now, I have to tell you, the Hospital tells a really great tale. Mind you, it does not excuse them for the breach. However it might have confused a jury if they had not attempted it to try it out in the media first.
Seems they turned the data over to a collection service, MCSC, in encrypted form. This is allowed under HIPAA rules but requires that they have security of the data as part of their agreement with the service provider.
Needless to say the collection agency, MCSC, decrypted the data. It converted it to a spread-sheet before turning it over to an "unauthorized" third party, This third party posted it, as an attachment to a request for assistance, to a site called Student of Fortune where it remained for a year. Student of Fortune is a site where students can solicit assistance with their homework assignments. It seems this third party wanted assistance with a graphical representation of the data in the spreadsheet. It would probably be unfair for one to infer that someone familiar with such a site is a recent student. There must be some truth here. You can't make this stuff up.
It seems clear that there is plenty of blame to go around here. However, the question is not blame but responsibility, ethical, legal, financial, and otherwise.
Public and private enterprises are increasingly relying upon contractors and other enterprises, "partners," to carry out duties and responsibilities that historically have been performed by employees and within the enterprise. Therefore, it is timely to revisit the question of responsibility.
Both of these stories suggest that the responsibility rests with the custodians of the data, The first story suggests that the responsibility can be assigned to the custodian by order of the state or the consent of the custodian. The second suggests that the responsibility moves with the data.
Ultimately, the legal questions raised by these stories will be decided by courts. I can hardly wait. I am a great fan of court records and decisions. While subject to error, they are much more reliable than the statements of the parties.
In Information Assurance, we have traditionally assigned protection duties and responsibilities in terms of roles, i.e., management, staff, owners, custodians, and users. We have argued that, by definition and default, the responsibility to protect the data rests with the "owner," the manager responsible for all the decisions about the data.
For example, the owner makes the decision to collect and store the data. The owner, again by definition, makes the decisions about who can use the data. The owner makes the decision as to the sensitivity of the data, how much to spend on protection and how much risk to accept. The owner's responsibility includes communicating these decisions to custodians and users.
It is difficult to see how this control and discretion can be separated from the responsibility for its exercise.
Our colleague, Bob Johnston, likes to argue that "When entrusted to process, you are obligated to safeguard." However, as a custodian I would respond by asking how much and at whose expense? Clearly a custodian would not want to spend more than the owner would and would expect to be reimbursed or compensated for what he does spend.
What is really at issue here is how we identify and select custodians, describe their duties, compensate them for those duties, what penalties they must pay for breach of those duties, and to whom. Obviously, this begins with negotiations between the owner and the custodian. I will continue to argue, both as matters of definition and practicality, that the responsibility for the results, the success, of those negotiations must start and end with the owner.
As a matter of law and good public policy, we want the responsibility in the same hands as the discretion. The alternative would permit the owner to pick the low cost service provider and then escape responsibility for any consequences. One might call that moral hazard.
Service providers are in the role of custodians of the data. Their duty is to the owner of the data, the party that pays them, not to the subjects of the data. They must be diligent in the execution of the duties that they have agreed to and for which, in part, they are being paid.
Stanford Hospital had a duty to their patients to protect the data. That duty did not go down when, for their own convenience and efficiency, they decided to give a copy to another party, a party of their choice. That they encrypted it for purpose of transfer, did not protect it from that agency, to whom they also gave the key. The agency's duty was to Stanford Health, to protect the data in accordance with their agreement, the provisions of which we are left to guess. While it is unlikely that Stanford Hospital specifically contemplated the possibility that MCSC would give a copy to a contractor, their agreement should have resisted it.
One might argue that as a collection agency, the agency owed a duty to the subjects of the data. However, it would be hard to argue that that duty relieved Stanford Health of its responsibility..
As security staff, some for the owners, some for the custodians, our role is to assist the business managers and lawyers in expressing the security requirements in such a way that all parties understand their duties and are likely to discharge them in manner that will produce the intended results. Our job does not stop there; we must go on to measure and report the results, note variances from the expected and intended, and recommend timely corrective action on a timely basis. "Timely" is before, rather than after, any breach. To the extent that this is difficult, we are called professionals and are paid the big bucks.
Thursday, September 15, 2011
I know that is not a popular position and this is not a popular time to take it. I expect to take some flack for saying it. I identify with the little boy that pointed out the naked emperor, but the emperor was not a danger and the little boy had no obligation to say anything.
I have had the Principle of Proportionality on the list to talk about for a while but something always trumped it. This weekend has elevated it.
Terrorism is defined as an attempt to effect political change through fear and intimidation, usually by attacking civilians. When an act of terror produces political change out of proportion to the act, by definition, the terrorists win.
For example, the Blitz was terrorism. Dresden was terrorism. Hiroshima and Nagasaki were terrorism. The IRA bombing of London was terrorism. 9/11, as terrible as it was, barely ranks with the least of these. The Blitz did not affect the intended political change. It did not turn the British people against the war. Dresden did not achieve the capitulation of Nazi Germany. The terrorists did not win.
In response to 9/11, we have fought two major wars at a cost of more than 100 thousand lives, $1T, and our reputation as a moderate and moderating influence in the world. We are locked in those wars to the tune of $2B per week with no honorable way to withdraw. That is called disproportionate. The terrorists won.
We have betrayed our own principles. We have engaged in torture, imprisoned people without charge or trial, and spied on our own citizens. We have denied Habeas Corpus, public trials, a jury of one's peers, and surrendered the Common Law principle of "innocent until proven guilty." That is called disproportionate. The terrorists won.
We are more divided than at any time in this century. We are so divided by party that good policy is no longer politically possible. We are divided by region, religion, and origin. The terrorists would delight.
We now spend $8B a year on TSA. Of all the bad things that can happen when one gets on an airplane, this addresses only the least of them. That is called disproportionate. The terrorists won.
We have created a huge, expensive, and secret bureaucracy. There are 1000 of them for every identifiable terrorist in the world. They have built themselves a headquarters second only to the Pentagon. We did not even notice. Speaking of the Emperor's suit, no politician has the courage to question this budget. We are no more than one election from having this monstrosity, in an excess of caution or zeal, turned against the citizen. That is called disproportionate. The terrorists won.
As I write this, CNN is reporting three stories. One is about a the catastrophic flooding of the Susquehanna River, a river that is awesome even when it is not in flood. The second is about the loss of electric power to 5M people in the southwest on a day when temperatures reached 115 degrees Fahrenheit. The third is about a "specific, credible, but uncorroborated," not to mention "secret," threat, linked to Al Qaeda, and involving three "terrorists." That is called disproportionate. The terrorists won.
We have become a fearful and timid people. We are incapacitated by fear. We behave as though terrorism were an existential threat, the equivalent of thermo-nuclear war. It is sad to see the tourist in the airport, justifying the removal of her diaper as "it makes us safe." This is called disproportionate. The terrorists won.
Even when their plots that fail they win. Can you say "No shoes, no belts, no suspenders, no diapers, no liquids, no nail files?" That is called "disproportionate" not to mention "locking the barn after the horse is stolen."
At their most ambitious, the terrorists never imagined that we would afford them such disproportionate leverage. They won big time.
Of course "security" has also won. There are at least ten of us today for every one of us a decade ago. Dozens of new security and intelligence businesses have sprung up along the beltway, mostly on contract to DHS.
Proportionality is the fundamental principle of security. "Do not spend more mitigating a risk than tolerating it will cost you." A fundamental principle of our professional ethics is that we must not give unwarranted comfort or unnecessary alarm to our constituents. While I understand how difficult that balance is, I suggest to you that we have not served our constituents well over the last decade. We have not deserved the right to be called professionals or to be paid the big bucks.
Yes, I did see the photo of Presidents Bush and Obama. I did hear Renee Fleming sing Amazing Grace and the New York Philharmonic play the Resurrection Symphony. I saw the Concert from the Kennedy Center. I know that New York's Bravest are still ready to go into harm's way to protect me. I am hopeful.
However, there will be other terrrorist attacks, some successful. Hopefully these will be at the limits of our abilities, but it is simply not possible even to identify, much less deter, all the crazies. Our leaders have already set us up to see these as "failures of security," as justification for even more drastic measures. That is what government does. If what they are doing does not work, they simply do it harder.
It is our professional responsibility to ensure that America sees these attacks as the inevitable price of freedom, as the price of our values, as the price of greatness. Then we will be professionals and deserve the big bucks.