27 August 2016
21 August 2016
Friday afternoon I participated in a really interesting meeting. Some application managers had received a request from researchers to implement a new application to support pharmacological studies. The new application collects information from some business-critical applications. The researchers combine and enrich the information, evaluate the new information with numerical models and, if the results are promising, they are transferred back to the source systems.
With this, it is very likely that the new application will create and store business critical information, even if the information collected from the source systems may not be critical.
The application managers were particularly concerned about the impact of the security requirements on the usability and on the development and operation costs of the application. Thus they decided to start the security discussion as early as the development of the project proposal.
Great! That is the best phase to start with application security, indeed. Security by Design is the key to sustainable and cost-effective security. We had a very fruitful discussion about role concepts, clearance of users and encryption.
The application managers were actually surprised when I began talking about the solution life cycle. To talk about the solution life cycle during the development of the project proposal sounds really strange, but the architecture of a solution has a major impact on the security and the operation costs.
In R&D we talk about application lifetimes of 10 or more years. Over such a period we have to change applications simply because application components are discontinued by the suppliers and need to be replaced by either newer versions of the same component or, in the worst case, by components of other suppliers. In addition, we have to apply an endless stream of security patches to all components, which leads to high effort in application operations.
If the application architecture does not support the easy replacement or patching of components we have to apply additional technical measures to secure the application, which leads to increased operation costs and complexity. Thus it makes sense to start talking about the solution life cycle as early as possible.
That reminds me of Dan Lohrmann’s post “Idea to retire: Cybersecurity kills innovation”, which was published in the Brookings TECHTANK blog some months ago:
Security is a necessary enabler of opportunity and innovation. Improved cybersecurity enhances innovative projects and is a core requirement for their success.
Now we have to convince the research department to spend some additional effort and time during the development of the project proposal to build a really innovative application.
Have a good weekend.
6 August 2016
On 26 July, the Register reported that “Hackers have gained access to customer data on UK telco O2 – and put it up for sale on the dark web.” The BBC Victoria Derbyshire Programme and Graham Cluley brought similar reports.
All reports made clear that O2 itself has not been hacked. The BBC reports that “The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago to log onto O2 accounts. When the login details matched, the hackers could access O2 customer data in a process known as ‘credential stuffing’.”
Poor user habits, like recycling usernames and passwords across sites, are indeed a major problem. But in my opinion many service providers are at least co-responsible because they do not sufficiently protect their customers’ account details.
Many service providers still have not enforced Two-Factor Authentication (TFA), although this technology is easy to implement and to use, in particular for high-tech businesses like O2. Even if account details are stolen, the likelihood of cyber-crime is dramatically reduced because the cyber-criminals have no access to the second factor.
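From the service provider’s side, credential stuffing has a recognisable shape: one client cycling through many distinct accounts with a low success rate, unlike brute force, which hammers a single account. The following detector, an added example that is not part of the original post, runs that heuristic over constructed login log lines; the log format, the field order and the thresholds are assumptions.

```python
"""Flag credential-stuffing patterns in web login logs (added example).

Credential stuffing replays username/password pairs leaked elsewhere, so
from the target's side it looks like one source trying MANY distinct
accounts with mostly failures. Log format and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample lines: "<epoch> <src_ip> <username> <ok|fail>"
SAMPLE_LOG = """\
1469500000 203.0.113.7 alice fail
1469500001 203.0.113.7 bob fail
1469500002 203.0.113.7 carol ok
1469500003 203.0.113.7 dave fail
1469500004 203.0.113.7 erin fail
1469500005 203.0.113.7 frank fail
1469500010 198.51.100.9 alice fail
1469500011 198.51.100.9 alice fail
1469500012 198.51.100.9 alice fail
1469500013 198.51.100.9 alice ok
1469500020 192.0.2.5 grace ok
"""

def parse(log_text):
    """Yield (ts, src, user, success) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing the job
        ts, src, user, result = parts
        yield int(ts), src, user, result == "ok"

def detect_stuffing(log_text, min_users=5, max_success_rate=0.5):
    """Return {src_ip: (distinct_users, success_rate)} for sources that
    tried at least `min_users` distinct accounts with a low success rate.
    A single account with many failures (classic brute force) is NOT
    flagged here; that needs a per-account rule instead."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for _, src, user, ok in parse(log_text):
        users[src].add(user)
        attempts[src] += 1
        successes[src] += ok
    flagged = {}
    for src, seen in users.items():
        rate = successes[src] / attempts[src]
        if len(seen) >= min_users and rate <= max_success_rate:
            flagged[src] = (len(seen), rate)
    return flagged
```

In practice the source key would be combined with a time window and with client fingerprinting, since stuffing tools rotate through proxy pools to stay below per-IP thresholds.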
From my point of view it is time that the regulatory authorities finally do their job and protect the citizens and businesses from cyber-crime. We need a European regulation which makes the use of TFA compulsory for all service providers. Unfortunately, this will not have any impact on the O2 customers because of the Brexit …
Have a good weekend.