Security gone crazy
by John McIntosh, Bloor Research
I just love it when legislation takes on popular issues and threatens to bring evolution to a grinding halt.
Only in California can people expect to have 100% security and 100% knowledge (this sitting on the most famous and least predictable fault line of them all). It is all the more bizarre when, a few hundred miles up the coast, the World's largest software house says that Trustworthy Computing is a vision not a reality. Then some of us have long harboured the view that, in California at least, the distinction between vision and reality is somewhat suspect.
Legislation in California that requires companies to reveal vulnerabilities on their enterprise networks becomes official July 1. Customers must also be alerted when networks are breached and sensitive data is stolen - all in the attempt to reduce identity theft.
Here we have a clear example of legislators failing to grasp the issue and throwing it to the vendors with a message something along the lines of "you created this problem, you sort it out".
So what is going to happen? Well, the first thing is that it will not reduce identity theft. Why? Because you don't have to hack a Web site to steal someone's identity.
Will it help reduce fraud? Probably not, because the decision to accept or reject a transaction has noting to do with being hacked.
Do we know we are secure? No. We make the best attempts we can, according to good practice. The next surprise is waiting just around the corner.
What is glaringly obvious is that the legislation does not set a hurdle over which retailers must jump. For example, the Web site operator must be accredited to ISO17799 or NIST 800-26 or whatever. Without this, there is no realistic way, other than by brute force, to achieve what the legislators hope, that the regulation will be a model for national legislation.
The other bizarre aspect of this regulation is because it does not set a measurable independent hurdle, it assumes that the public will understand what the retailer is doing in terms of security and whether that is adequate for the consumer to be happy to make a credit card purchase.
Part of the problem resides in the fact that retailers have created unrealistic expectations and confusion when say they operate a secure site because they use SSL. As any schoolboy knows, this does not represent security. Breaches occur where back-end security is poorly implemented and maintained.
The regulation currently applies to any company that stores data electronically and does business in California. Companies must alert customers whenever "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person".
The plus side of the regulation is that if there is a breach, consumers have to be advised that their personal information, such as credit card details, may have been put at risk.
California's new regulation contrasts with the Bush administration's hands-off treatment of the technology industry who want to see the eCommerce industry develop unhampered, allowing market forces to improve security rather than revert to legislation.
There is a business intelligence company and UK-based software house looking to introduce an online identity verification exchange that should substantially remove the risk of identity theft and fraud. Even this presents two problems. The first is that Web retailers still have to implement security effectively and be properly accredited. The second, that privacy legislation may well inhibit good security.
Copyright 2003. Originally published by IT-Director.com, reprinted with permission. IT-Director.com provides IT decision makers with free daily e-mails containing news analysis, member-only discussion forums, free research, technology spotlights and free on-line consultancy. To register for a free e-mail subscription, click here.
For more information:
- Looking for free research? Browse our comprehensive White Papers section by topic, author or keyword.
- Are you tired of technospeak? The Web Services Advisor column uses plain talk and avoids the hype.
- For insightful opinion and commentary from today's industry leaders, read our Guest Commentary columns.
- Hey Codeheads! Start benefiting from these time-saving XML Developer Tips and .NET Developer Tips.
- Visit our huge Best Web Links for Web Services collection for the freshest editor-selected resources.
- Visit Ask the Experts for answers to your Web services, SOAP, WSDL, XML, .NET, Java and EAI questions.
- Couldn't attend one of our Webcasts? Don't miss out. Visit our archive to watch at your own convenience.
- Choking on the alphabet soup of industry acronyms? Visit our helpful Glossary for the latest lingo.
- Discuss this article, voice your opinion or talk with your peers in the SearchWebServices Discussion Forums.