Yesterday, at Hack in the Box, we decided to have a bit of fun. My Sophos Malaysia colleagues purchased a veritable flotilla of rubber ducks – in traditional bathtime-duck yellow – and tricked me into an autograph session.
Duck signing ducks, geddit?
(It was amusing, honestly, though perhaps you had to be there. In fact, if you are a security techie and will be in the vicinity of Malaysia in October 2011, you might want to be there for HITB2011.)
On a more serious note, several people I met at the conference asked me, “In one word, what do you think will be the big security issue we’ll be discussing at HITB2011?”
That’s a question I asked a bunch of people at Black Hat – and you can see what they said in this one-minute video – so it’s only fair that this time I was put on the spot.
My answer was quick and unchanging: privacy.
If you’ve checked into a hotel recently just about anywhere in Asia, you’ll know that it is a requirement to provide your passport number, and significant other amounts of PII (personally identifiable information). Some countries even ask hotels to record the serial number of your temporary immigration permit, presumably so they can spot when holidaymakers decide that they like tropical beaches, decent weather and drinks with umbrellas in them so much that they “go local” and decide not to bother leaving the country before their visas expire.
But if you revisit any hotel you have stayed in before, you’ll notice that on your second and subsequent visits, you don’t need to show your passport or to fill in your PII on the check-in form. It’ll be pre-printed for you. How’s that for service?
Actually, as service goes, it’s pretty good. It’s convenient. It makes you feel like a more valued guest. It saves you and everyone behind you in the queue a little bit of check-in time.
It’s also a data leakage nightmare – a nightmare made even more ghoulish by the increasing popularity of cloud-based services. Your passport number might be held by any number of hotels on their local servers, where malware or cybercriminals might get hold of it. It might be archived over the internet onto any number of servers owned by any number of other companies, possibly in other jurisidictions, where malware or cybercriminals might get hold of it.
In Asia Pacific, for example, there are no standardised regulations on security standards, little or no requirement for encryption, and few or no rules forcing companies (even multinationals headquartered outside the region) to come clean when data exposures occur. With this in mind, you can see why privacy is my computer security watchword for 2011.
If you’re concerned about privacy, too – your own and that of your valued customers – why not download our free Data Security toolkit?
And for a perspective on cloud computing which isn’t just upbeat marketing material, why not listen to our podcast A lesson in cloud computing and software as a service?