I wanted to take a break from my usual blog post about Microsoft Forefront security to bring some attention to cloud security, personal information protection and corporate responsibility. What is the cloud, first of all? A marketing genius took the iconic cloud symbol used by IT professionals around the world to represent the Internet and leveraged it as a concept that now has global recognition. Cloud computing, or Software as a Service (SaaS), isn’t anything new; I’ve had my Y! Mail account for over 13 years now. What is new is that more and more people now use cloud services not only for entertainment but also for personal and professional business applications. Your company or school may be using products like Microsoft Office 365, Google Apps and SalesForce, so you have no choice but to go to the cloud. Cloud service usage has increased in general due to recent marketing ads on TV, billboards, etc.; you may also need it for online banking and to pay your bills. But it doesn’t matter if you are an IT security guru, or live next door to one: when you use a company’s cloud space, you put your trust, and thus stake your security, in that company.
Now I know I don’t need to lecture anyone reading my blog about personal security, because you are either in this field or have an interest in it. But I do want to stress that as IT professionals, it’s our job, really our duty, to protect our workplace and our community. Your community is extremely vulnerable, so you should teach the people you can reach, your friends, people at your church or clubs, how to better protect themselves and their families. Below are some basic suggestions for personal data security. Make sure you know how to protect yourself and what to pass on. Also, I would appreciate any suggestions that you can offer to help improve and extend the list:
• Use a personal firewall and updated antivirus as well. Platforms that were long considered safe are now getting criminal attention; keep informed and reevaluate risk. (No need to send any flames; I respect that your evaluation may rightfully indicate you don’t need to exchange privacy/performance for monitoring/security.)
• Use a complex password and change it often.
• Use a different password for your email account. Why? Because your email may be a vector for hackers to break into other resources: a password leaked from that online group you used to participate in, or the music stream you paid for, can be tried against your mailbox, and the mailbox in turn receives password resets for everything else. While email providers generally put a lot of money into their systems and monitor them constantly, they can’t protect you if a hacker gets your password from somewhere else.
• Don’t sign up for online/cloud services that you don’t need or won’t use often enough to monitor. Close accounts you no longer use.
• No one is really giving you a million dollars (or anything else) from Africa (or anywhere else); be skeptical and avoid emails from people you don’t know. If you get a suspicious or vague email from one of your contacts, check with them to make sure their email or messenger service isn’t compromised. If it wasn’t compromised and they really want to give you 1,000,000 dollars, then, people, do share their contact information with me.
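The two password items above (use a complex password, and never share your email password with another site) can be turned into a quick self-audit. The script below is an added example written for this post, not the author’s code or any product’s; the account list, the hostnames and the policy thresholds (12 characters, three character classes) are constructed assumptions. It flags weak passwords and groups accounts that share one, and it rates reuse that touches the email account as HIGH, since that mailbox receives the password resets for every other account.

```python
"""Added example (not from the original post): audit a set of personal accounts
for weak passwords and password reuse, with extra weight on the email account
because it can reset every other account. All account data is constructed."""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    site: str
    password: str
    is_email: bool = False  # the mailbox other sites send password resets to


# Constructed sample data; the passwords are deliberately poor examples.
ACCOUNTS = [
    Account("mail.example", "Tr0ub4dor&3", is_email=True),
    Account("bank.example", "Correct-Horse-Battery-Staple-42"),
    Account("musicstream.example", "Tr0ub4dor&3"),
    Account("oldforum.example", "password1"),
]


def complexity_issues(password: str, min_length: int = 12) -> list[str]:
    """Return the policy checks a password fails (empty list means it passes).
    The thresholds are this example's assumptions, not a published standard."""
    issues = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    classes = sum(
        bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        issues.append("uses fewer than 3 character classes")
    if re.fullmatch(r"(password|qwerty|letmein)\d*", password, re.IGNORECASE):
        issues.append("is a common dictionary password")
    return issues


def reuse_groups(accounts: list[Account]) -> list[list[str]]:
    """Group the sites that share a password. Passwords are compared by their
    SHA-256 digest so the plaintext is not kept around once digested."""
    by_digest: dict[str, list[str]] = defaultdict(list)
    for acct in accounts:
        by_digest[hashlib.sha256(acct.password.encode()).hexdigest()].append(acct.site)
    return [sorted(sites) for sites in by_digest.values() if len(sites) > 1]


def audit(accounts: list[Account]) -> list[tuple[str, str]]:
    """Produce (severity, finding) pairs: weak passwords, reuse groups, and a
    HIGH severity whenever the email account shares a password with anything."""
    findings = []
    for acct in accounts:
        for issue in complexity_issues(acct.password):
            findings.append(("MEDIUM", f"{acct.site}: password {issue}"))
    email_sites = {a.site for a in accounts if a.is_email}
    for group in reuse_groups(accounts):
        severity = "HIGH" if email_sites & set(group) else "MEDIUM"
        findings.append((severity, "password shared by " + ", ".join(group)))
    return findings


if __name__ == "__main__":
    for severity, text in audit(ACCOUNTS):
        print(f"[{severity}] {text}")
```

Run as a script it prints one line per finding; for the constructed data the email account and the music-stream account share a password, which is exactly the cascade the bullet above warns about, and it is the only HIGH finding.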
Why shouldn’t you blindly trust your online bank, social networking sites, or other software-as-a-service companies? It doesn’t matter if they are a multibillion-dollar company; there is such a thing as bad PR, and getting hacked is it. Going a step further, companies get hacked all the time and don’t even know about it! Your home address, phone number, credit card number, email address, and password could be, as you read this, getting traded by criminals.
A company bears the responsibility to use encryption technologies, hire independent security auditors, maintain software updates, employ qualified security personnel, and, most importantly, encourage its HR/IT departments to perform end-user online security training. If your company isn’t doing all of this, consider speaking up. There are many great products like Microsoft UAG, TMG and SunFive’s Boole Server that can protect company resources with firewall security, SQL injection protection, DoS mitigation, data protection, and general communication encryption.
Also consider: what will the response be when a company you trust does get hacked? Recent events aren’t necessarily reassuring. I saw coverage on CNN.COM before I heard anything from a company that had just suffered a well-known breach through which usernames and passwords were compromised. I saw another company post a very small notice on its website telling users it had been hacked. Interestingly enough, that notice was removed after 5 days. So, did you see the notice I am talking about? Are you one of the folks who could now be compromised?
Come on! Free service or not, people who signed up for a service expect diligence in protecting their information and a heads-up if the protection fails. If that isn’t possible or practical, the risks should be stated up front, along with what the response will, or won’t, be. I encourage companies to take corporate responsibility seriously and inform users about security breaches that affect them. On the user end of things, people need to start speaking up when they find out about security breaches through third parties instead of the service provider; they should contact both the company and their elected representatives to ask why details haven’t been disclosed or why they weren’t contacted directly as a victim. http://www.usa.gov/Contact/Elected.shtml
My plan is to speak at community events to teach people how to protect themselves, and I challenge you to do the same.
Thank you, and remember: the cloud isn’t going anywhere; it’s our job to spread knowledge to help protect ourselves, our workplace and our community.