Security gone crazy


Guest Commentary
by John McIntosh, Bloor Research

I just love it when legislation takes on popular issues and threatens to bring evolution to a grinding halt.

Only in California can people expect to have 100% security and 100% knowledge (this sitting on the most famous and least predictable fault line of them all). It is all the more bizarre when, a few hundred miles up the coast, the world's largest software house says that Trustworthy Computing is a vision, not a reality. Then some of us have long harboured the view that, in California at least, the distinction between vision and reality is somewhat suspect.

Legislation in California that requires companies to reveal vulnerabilities on their enterprise networks becomes official July 1. Customers must also be alerted when networks are breached and sensitive data is stolen - all in the attempt to reduce identity theft.

Here we have a clear example of legislators failing to grasp the issue and throwing it to the vendors with a message something along the lines of "you created this problem, you sort it out".

So what is going to happen? Well, the first thing is that it will not reduce identity theft. Why? Because you don't have to hack a Web site to steal someone's identity.

Will it help reduce fraud? Probably not, because the decision to accept or reject a transaction has nothing to do with being hacked.

Do we know we are secure? No. We make the best attempts we can, according to good practice. The next surprise is waiting just around the corner.

What is glaringly obvious is that the legislation does not set a hurdle over which retailers must jump: for example, a requirement that the Web site operator be accredited to ISO17799 or NIST 800-26 or whatever. Without this, there is no realistic way, other than by brute force, to achieve what the legislators hope for: that the regulation will be a model for national legislation.

The other bizarre aspect of this regulation is that, because it does not set a measurable independent hurdle, it assumes that the public will understand what the retailer is doing in terms of security and whether that is adequate for the consumer to be happy to make a credit card purchase.

Part of the problem resides in the fact that retailers have created unrealistic expectations and confusion when they say they operate a secure site because they use SSL. As any schoolboy knows, this does not represent security. Breaches occur where back-end security is poorly implemented and maintained.

The regulation currently applies to any company that stores data electronically and does business in California. Companies must alert customers whenever "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person".

The plus side of the regulation is that if there is a breach, consumers have to be advised that their personal information, such as credit card details, may have been put at risk.

California's new regulation contrasts with the Bush administration's hands-off treatment of the technology industry who want to see the eCommerce industry develop unhampered, allowing market forces to improve security rather than revert to legislation.

There is a business intelligence company and UK-based software house looking to introduce an online identity verification exchange that should substantially remove the risk of identity theft and fraud. Even this presents two problems. The first is that Web retailers still have to implement security effectively and be properly accredited. The second is that privacy legislation may well inhibit good security.


Copyright 2003. Originally published by IT-Director.com, reprinted with permission.

This was first published in July 2003