Posts Tagged security
Wow, for you naysayers out there that think the government is slow, archaic, and behind-the-times, you may have to reconsider your position. The House of Representatives has OK’d the use of Skype and ooVoo within its hallowed halls. Up to now, security concerns had impeded adoption of these popular Internet phone and video conferencing tools, respectively, but now that those concerns have been addressed, the House is ready to move forward on its plan to improve communications and transparency with its constituents.
In these tough economic times, where government budgets are strapped, technology solutions that tout cost efficiencies are gaining traction. Moreover, technological enhancements and plentiful bandwidth are driving the government to look at other real-time alternatives. Applications like Skype and ooVoo allow for virtual town hall meetings, facilitate responding to constituent inquiries, and obviate the need for travel in many instances. The net effect is a fluid, cost-effective communications channel between representatives and their constituents.
Now, the House had every right to take its time in blessing the use of Skype and ooVoo. Security concerns are justified, given the abundance of horror stories involving security breaches in government and other industries as well. The problem with social media and other Web 2.0 applications is that their ubiquity opens whole new vectors for malware and other types of evil to infiltrate the corporate or government network. The proliferation of content on these types of sites is mind-boggling – photos, videos, wikis, blogs, tweets, and the list goes on and on. But, each one of these types of content can be a springboard for malware.
Given the viral nature of social media and the breadth of the social graph, it doesn’t take much for a virus to spread. A simple, innocent click on a link to your friend’s supposed Morocco vacation pictures may not yield camel pictures, but rather, expletives flowing out of your mouth when you see the Blue Screen of Death.
That’s why you see so many security software and hardware vendors in the marketplace. They’re there for a reason. Not the sexiest technology, but definitely critical to your sanity and to the long-run viability of your company, or in the case of this blog entry, the House of Representatives. Having security systems and policies in place to control the glut of Web 2.0-type applications out there (Skype and ooVoo are just two of the thousands) is downright essential.
Without granular controls of social media, instant messaging, video conferencing, and the like, safely managing that fluid communications channel between government and the constituents becomes that much more difficult. Throw into the mix potential national security implications and one can see why security breaches aren’t taken lightly in government circles.
So, bravo to the House for giving the green light to Skype and ooVoo. Now, I can Skype my congresswoman to fix that pothole in front of my driveway.
I was lucky enough to be invited to speak on a panel hosted by @JulianaKenny of @tmcnet at the ITEXPO West conference and exhibition being hosted in Austin this week. Actually, the exhibition is just kicking off now. Juliana hosted a great panel, and I was seated alongside @gunnr (Greg Gunn), VP of Business Development for Hootsuite and @ronankeane, Ronan Keane of XO Communications.
Our Topic? Securing Social Media for Compliance Collaboration. The mission? Talk to the specific security and compliance requirements of social media that organizations must consider.
Well, we certainly wandered all over the education, regulation, legislation, education, personal vs. professional, education, ethics, controls, education – wait, you see where I’m going with this? I have to say thank you to the audience, who pretty much led us all the way on this one – with insightful comments, killer questions, and input (ah, it certainly makes it easier when that happens). There’ll be more on this later, but where, you wonder, does the blog title come from?
Well, the title speaks to a retort that I made to fellow panelist Greg Gunn of Hootsuite – when we were discussing the tribal nature of social networks and a user’s natural instinct to trust the content that a user he or she has connected with (and therefore trusts) sends them. Greg will no doubt correct me if I have this slightly wrong, but I recall a comment along the lines of “trusting users to use social appropriately and comment in the same fashion.” It was in good humor that I offered him a cloth to wipe his rose-tinted glasses, and it was in good humor that he took it.
Don’t get me wrong. I’m a social networking user. I trust me, but I’m fallible. I’m also sarcastic, which is what kicked off my comment and this blog title… and I’m naturally untrusting (it comes from a background in the UK IT security industry). Back to my fallibility. It’s the fact that I’m human that makes me fallible.
We trust every other part of our electronic life to technology. There’s rarely spam in email, rarely a virus; since the “Melissa” and “I love you” viruses, we’ve been protected against them. We’re protected from the websites we visit by our Web filtering technology.
So why is social any different?
Image caption: I may need to wear a shirt like this in the office.
Most readers of this blog are savvy social media users. I would include myself in that category. Well, I would have until last Sunday.
Yes, I will come out and admit it for once. I got suckered into clicking on a Twitter malware link that was forwarded to me by one of my ‘trusted’ venture friends. Now that I got that off my chest (and demonstrated that I could be just as naive as thousands of users out in the Internet), I think I can talk about this incident somewhat objectively.
It turns out that this particular malware spreads by getting a Twitter user to click on the shortened t.co URL that’s sent via private message. When an unsuspecting recipient clicks on the link, it automatically sends the same tweet to all of the recipient’s followers as a private message. Very sneaky.
It was quite an embarrassing moment when I realized what had just happened (I even had to update the new Twitter app to follow the link on my iPhone). Thanks to a couple of my co-workers and good Twitter citizen @DevonAlderton, I came to my senses only after a few hours had passed. Once a few seconds of disillusionment with my malware ‘detect-o-meter’ had passed, I regained my composure to delete all of my private tweets to all my followers (thank goodness I don’t have Kim Kardashian’s follower base) and took remedial action to shore up my defenses.
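The propagation pattern described above (a compromised account sends the same shortened t.co link to all of its followers by direct message in quick succession) is itself a usable detection signature. The following is an added example, not code from the original post or from Twitter: a small detector run over a constructed direct-message log. The record fields, the helper names, the shortener host list and the thresholds (80% of followers within ten minutes) are all this example's own assumptions, not any Twitter API.

```python
"""Flag a direct-message worm from a (constructed) DM log.

Heuristic taken from the post: a compromised account blasts one shortened
link to (nearly) all of its followers inside a short window. Normal users
send a link to one or two people, not to everyone they know at once.
Field names, thresholds and sample data are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: treat these hosts as opaque shortened links worth counting.
SHORTENER_HOSTS = {"t.co", "bit.ly", "tinyurl.com"}
URL_RE = re.compile(r"https?://\S+")


def shortened_links(text):
    """Return the shortener URLs found in a message body."""
    found = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,)")
        if urlparse(url).netloc.lower() in SHORTENER_HOSTS:
            found.append(url)
    return found


def detect_dm_worm(messages, followers_of,
                   window=timedelta(minutes=10), min_share=0.8):
    """Return {sender: link} for senders that DM'd the same shortened link
    to at least `min_share` of their followers inside `window`.

    messages:     iterable of dicts {sender, recipient, text, ts (datetime)}
    followers_of: {account: set of follower accounts}
    """
    sends = defaultdict(list)            # (sender, link) -> [(ts, recipient)]
    for msg in messages:
        for link in shortened_links(msg["text"]):
            sends[(msg["sender"], link)].append((msg["ts"], msg["recipient"]))

    flagged = {}
    for (sender, link), events in sends.items():
        followers = followers_of.get(sender, set())
        if not followers:
            continue
        events.sort()
        lo = 0
        for hi in range(len(events)):       # sliding window over timestamps
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            hit = {r for _, r in events[lo:hi + 1]} & followers
            if len(hit) / len(followers) >= min_share:
                flagged[sender] = link
                break
    return flagged


def sample_dm_log():
    """Constructed sample: 'alice' is compromised and blasts her followers
    five seconds apart; 'bob' sends one link to one friend (benign)."""
    base = datetime(2011, 9, 25, 14, 0)
    followers_of = {
        "alice": {"bob", "carol", "dave", "erin", "frank"},
        "bob": {"alice", "carol"},
    }
    log = []
    for i, who in enumerate(sorted(followers_of["alice"])):
        log.append({"sender": "alice", "recipient": who,
                    "text": "lol is this you? http://t.co/abc123",
                    "ts": base + timedelta(seconds=5 * i)})
    log.append({"sender": "bob", "recipient": "carol",
                "text": "camel pics http://t.co/xyz789",
                "ts": base + timedelta(minutes=3)})
    return log, followers_of


def run_sample():
    """Run the detector over the constructed log; alice should be flagged."""
    log, followers_of = sample_dm_log()
    return detect_dm_worm(log, followers_of)


if __name__ == "__main__":
    print(run_sample())
```

The sliding window matters: a user who legitimately shares one link with most of their followers over a week should not trip the rule, while a worm does it in seconds. The thresholds are starting points to tune against real volumes, not fixed values.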
Last week, it was announced that Steven VanRoekel would be replacing Vivek Kundra as the CIO at the Office of Management and Budget (OMB). It’s a high-profile position that essentially puts VanRoekel in charge of the federal government’s IT budget – currently about $80 billion a year. A tidy sum of money.
So, as VanRoekel assumes his new role, all eyes will be focused on how he handles the projects he’s inheriting from Kundra as well as new initiatives. Of the former, issues such as data center consolidation and the “cloud” are top-of-mind. Recently, much of the buzz, both in the government and in the private sector, has revolved around Web 2.0 and social media. However, they’re just two components of an overall security strategy.
VanRoekel must also take into consideration other types of applications that factor into a comprehensive cybersecurity strategy. These days, hackers are pretty sophisticated and are quite adept at exploiting encrypted traffic to pass along viruses or other types of malware. For instance, unified communications (UC) platforms, such as Jabber, Microsoft OCS and Lync, and IBM Sametime, all enable federation, which is the ability to communicate with others who are not members of your UC community. The danger here is federating with outside networks that may present unknown risks, like viruses, hackers, enemies mining for confidential information, etc.
The same analogy holds for the “cloud” initiative. Cloud computing is all the rage, but there’s no shortage of companies and government agencies that are incredibly leery of turning over key computing processes and applications to the cloud. Security is almost always the first issue mentioned when talking to skeptics of the cloud. Multi-tenancy (i.e., sharing physical appliances that have been logically partitioned), data storage off-premises, and the relatively short history of this computing paradigm send shivers down the spines of the most experienced IT practitioners.
With the Internet being a global resource, the potential scope of security breaches is immense. Sophisticated hackers might reside in the US, China, Russia, Iraq, North Korea; you just never know. It is against this backdrop that VanRoekel will have to draw upon his experience in the private and public sectors to devise a strategy addressing all of these security concerns. A daunting challenge for sure, but absolutely attainable, given today’s technology.
Wouldn’t you agree?
Recently, Chief of Naval Operations, Admiral Gary Roughead commented that the Navy is ‘irreversibly’ committed to engaging in social media. Junior officers are now maintaining their own blogs and Facebook pages to form online communities and to communicate on behalf of the department.
Adm. Roughead is clearly a realist and knows that blocking social media altogether is not only a wasted opportunity but also an entirely futile effort.
The epic rise and adoption of Facebook, Twitter, and other social networks and their integration into mobile computing, BlackBerry, or I mean, smartphone (we don’t get paid a royalty for every time we mention a particular ‘fruit’, by the way) makes connecting with friends and loved ones super easy, regardless of timezone or war zone.
Of course, the trouble with social networks is that you are essentially communicating on an unsecured line. Social networks, by their very nature of encircling you with your twenty closest friends and 200 nearest acquaintances, enable oversharing. Who’s to judge what is sensitive information?
Across the pond, the United Kingdom’s Ministry of Defence is taking this threat so seriously that it has debuted slick videos with an educational message – that spilling the beans on the likes of Twitter and Facebook could land you and your dearest in a situation that only Jack Bauer could appreciate.
If you think sifting through the copious amounts of real-time chatter generated by hundreds of thousands of military personnel via social media channels seems more stressful than sitting through an episode of “24,” then happily, I’m glad to say this challenge can be met by the technology available to us today. Bauer, you can stand down now.
Well, it’s been four months since FINRA reconvened its task force to revisit Regulatory Notice 10-06. Anticipation’s been building within the financial services and technology communities as to what additional guidance FINRA will come out with, having had a year to assess 10-06 in action. Whatever new guidance FINRA does come out with, however, must be approved by the mothership (aka the SEC).
FINRA’s only been around since 2007, its creation having been approved by the SEC. So, in many respects, FINRA still maintains close ties to the mothership, just by the very nature of the industry they oversee. Many financial institutions are countries unto themselves with countless subsidiaries and offshoots left and right. Inevitably, the line blurs between investment advisories (IAs) and broker-dealers (BDs) since many of these institutions are dually registered, making it difficult to determine which rules to apply – the SEC’s, FINRA’s, or both.
Since the changes implemented by the SEC in the 1990s regarding instant messaging storage and retention, we’ve seen the importance of both engaging with the regulators to keep abreast of what’s happening in the regulatory world and keeping them up-to-speed on what technology is capable of doing. I just had a call this morning with some attorneys from the SEC’s Office of the Chief Counsel on the topic of social media. Not surprisingly, they keep close tabs on what FINRA’s doing with respect to this emerging area. There aren’t any social media-specific guidelines from the SEC, at least not yet. But, judging by the questions I was asked by the SEC attorneys, I got the feeling they are keen to see how IAs are using technology to remain compliant with rules such as 204-2 and 206(4)-1, pertaining to recordkeeping and advertising, respectively.
Their concerns were consistent with what we’ve heard in similar discussions with other regulatory bodies – the FSA in the UK, IIROC in Canada, and, of course, FINRA here in the US. It’s the gnawing feeling that guidance was necessary, given the rapid spread and adoption of social media, but that the guidance needed to be well thought out before being issued.
I’ve got no problem with things taking time. The financial services industry and its regulators have historically leaned toward the cautious, conservative tack. Certainly, that approach hasn’t changed, even if social media moves at a breakneck pace. It’s like the ol’ race between the tortoise and the hare. Slow and steady will win out over “irrational exuberance” 99% of the time. At least, that’s what your mother would have you believe.
New York City has long been viewed as the financial and media center of the US, if not the world. So, it comes as no surprise to hear that NYC is aiming to be the premier digital city in the country. It has formed partnerships with social media powerhouses, including Facebook and Twitter, to produce content that will enable New Yorkers to better interact and communicate with local government.
On paper, it all sounds great. But, horror stories abound of social media being used improperly or inappropriately. Take, for instance, the Chrysler F-bomb fiasco. All that hard work that went into the image rebuilding of Detroit was torpedoed due to an errant tweet of a PR guy. You’ve also got the example of Gilbert Gottfried’s insensitive tweets about the tsunami in Japan. His jokes cost him his endorsement deal with Aflac and sullied his reputation. Then, there’s the higher-up at HP who leaked a bunch of confidential information through his LinkedIn profile.
The fact that government agencies are so visible raises the stakes that much more. Additionally, government is arguably held to a higher standard, bound by countless rules, statutes, and guidelines. That’s why it’s so interesting to see NYC enthusiastically embracing social media.
Social media is the exact opposite of government. Social media is the poster child of dynamism, energy, chaos, youth, exuberance – all rolled into one. Government, on the other hand, has been the quintessence of bureaucracy, inertia, procedures, and predictability since the dawn of time. This collision in cultures and philosophies will be tested in NYC.
I’m sure Rachel Sterne, NYC’s first chief digital officer, has been briefed on the potential pitfalls of social media (check out some of the above examples, Rachel, if you haven’t). However, theory and reality are two different beasts. NYC could have all the policies in the world in place to address the security and compliance concerns Ms. Sterne has no doubt considered, but to actually have controls in place to ensure that those management and security requirements are met is even more important.
There are too many evils out there that yearn to bring government to its knees – viruses, malware, terrorists, radicals – you get the idea. Also, one has to believe that there are disgruntled employees looking to leak secrets or confidential information on upcoming trials, projects, etc. Don’t forget that government is the largest employer in the US – be it at the city, state, or federal level. This means that the potential for security or compliance breaches is compounded, given the number of government employees and the viral nature of social media (Retweets, Likes, Shares, etc., come to mind).
So, all eyes will be on NYC. If the project goes well, I’m sure we’ll see other cities jumping on the social media bandwagon, joining what will surely become known as the Big @. Who knows? Perhaps the day will come that you may never have to visit a government office ever again. Ahhhhh, we can only dream.
Most social media interaction relies on a fairly immediate response. A tweet has a half life of 3 hours for instance. Whether it’s responding to a customer query, discussing the latest piece of industry news with a partner or just a bit of friendly banter with colleagues, joining in the conversation an hour later can be an opportunity missed. It’s one of the reasons so many of us take our mobile or cell phone wherever we go. I might only be the other side of the office, but I can still respond instantly to something pertinent, without having to walk back to my desk.
Mobility has become an important part of our lives, but it has also added complexity to the IT task of controlling data. A couple of years ago most enterprises standardised on PCs, laptops and mobiles. Today, users want to be able to choose not just the device that helps them do their job best, but also the one they feel most comfortable using. Some prefer a physical keyboard on their mobile, others an on-screen one; iPads are really popular with sales guys doing a lot of presentations, and hated by others for their lack of true multi-tasking. Users even consider the personal aspects of their devices: can they continue reading the latest thriller on the commute to work, or video conference with their family when away from home?
The end result for the poor IT guy is that he has to control and record information coming in and going out of the network through a myriad of devices. It’s one of the reasons we developed our technology to focus on the data stream to the social media application, not the method of communication. We already provide full support for recording conversations on Facebook and LinkedIn regardless of device and will be extending this to include Twitter in May.
However, providing support via a direct connection to the API of the social network is only half the story. It won’t surprise you to learn that social media sites are constantly updating their offering, but it may surprise you to know how many changes are made on a weekly basis that directly affect how third party systems such as those provided by Actiance function. The top three sites Facebook, LinkedIn and Twitter average around twenty changes a week, though for a couple of weeks in March they nearly topped forty. Some are minor changes or tweaks, others have a significant impact in the way data is handled.
Fortunately, our close relationship with the major social networking sites means that we are frequently aware of changes ahead of time and can easily make any necessary changes to our own technology in response. In addition, the constant moving of goal posts is nothing new to Actiance. Our heritage in dealing with the instant messaging networks back in the early 2000s, when new networks and protocol changes were profuse, has enabled us to develop processes that let our research and technical team react swiftly.
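The point above about weekly API changes has a concrete engineering consequence for any recording system: an upstream field rename or type change must be caught at ingest, not discovered months later as a gap in the archive. The following is an added example and is not Actiance's code; it assumes a capture pipeline receiving newline-delimited JSON message objects (the field names, the `SchemaDrift` class and the `ingest` helper are this example's own, not any social network's real API). It validates each payload against the expected shape, quarantines anything that no longer fits instead of dropping it, and reports new fields so operators learn of the change while the record is still complete.

```python
"""Catch upstream API schema drift before records reach the archive.

Example code with assumed field names. Rule: required fields must be
present with the expected type; unknown fields are kept (under '_extra')
and reported; records that fail are quarantined with a reason, never
silently dropped, since a compliance archive must stay complete.
"""
import json

# Expected shape of one captured message (assumption for this example).
MESSAGE_SCHEMA = {
    "id": str,
    "author": str,
    "created_at": str,
    "text": str,
    "recipients": list,
}


class SchemaDrift(Exception):
    """Raised when a payload no longer matches the expected shape."""


def check_message(payload, schema=MESSAGE_SCHEMA):
    """Return (record, unknown_fields) or raise SchemaDrift.

    Unknown fields are preserved under '_extra' so nothing upstream added
    is lost; missing or wrongly typed required fields are a hard failure.
    """
    missing = [k for k in schema if k not in payload]
    wrong = [k for k, t in schema.items()
             if k in payload and not isinstance(payload[k], t)]
    if missing or wrong:
        raise SchemaDrift(f"missing={missing} wrong_type={wrong}")
    unknown = sorted(set(payload) - set(schema))
    record = {k: payload[k] for k in schema}
    if unknown:
        record["_extra"] = {k: payload[k] for k in unknown}
    return record, unknown


def ingest(lines, schema=MESSAGE_SCHEMA):
    """Process newline-delimited JSON lines.

    Returns (archived, quarantined, drift_fields): archived records,
    (line_no, reason) pairs for rejected lines, and the sorted set of
    unknown field names seen, which is the signal to alert on.
    """
    archived, quarantined, drift = [], [], set()
    for n, line in enumerate(lines, 1):
        try:
            payload = json.loads(line)
        except json.JSONDecodeError as e:
            quarantined.append((n, f"bad json: {e.msg}"))
            continue
        try:
            record, unknown = check_message(payload, schema)
        except SchemaDrift as e:
            quarantined.append((n, str(e)))
            continue
        drift.update(unknown)
        archived.append(record)
    return archived, quarantined, sorted(drift)


# Constructed sample feed: line 1 is the known shape, line 2 carries a
# field the upstream API added, line 3 renamed 'text' to 'body' (breaking).
SAMPLE_FEED = [
    '{"id": "1", "author": "alice", "created_at": "2011-04-01T10:00:00Z", '
    '"text": "hi", "recipients": ["bob"]}',
    '{"id": "2", "author": "bob", "created_at": "2011-04-01T10:01:00Z", '
    '"text": "hey", "recipients": ["alice"], "attachments": []}',
    '{"id": "3", "author": "carol", "created_at": "2011-04-01T10:02:00Z", '
    '"body": "yo", "recipients": []}',
]


def run_sample():
    """Ingest the constructed feed; expect 2 archived, 1 quarantined,
    and 'attachments' reported as a new field."""
    return ingest(SAMPLE_FEED)


if __name__ == "__main__":
    archived, quarantined, drift = run_sample()
    print(len(archived), "archived;", quarantined, "; new fields:", drift)
```

The quarantine list and the drift set are what a monitoring job should page on: the first means records are currently not being archived, the second means the upstream shape changed and the schema needs a deliberate update rather than a silent widening.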
As the workforce becomes more mobile, the problem of different devices isn’t going to go away. The mobile phone was once touted as the de facto communications tool, but the impact of tablets has shown that this might not be the case. I can’t predict what I’ll be using in the future to communicate with customers, partners and colleagues, but I do know that a point solution for devices or specific applications isn’t the long term answer. A scalable platform that enables the secure, compliant use not just of social media, but of UC and Web 2.0, is.