I wrote earlier this week about Identity and Access Management (IAM) and how it’s important for Infosec (Information Security) to be involved with projects early. The post generated a few comments and some commentary on twitter, mostly from Infosec folks. Some complained I was too harsh on Infosec (I wasn’t) while others worried that I didn’t go into enough depth (I didn’t). In my mind though, it raised the issue of why there is such friction between Infosec folks and the rest of IT.

So, the downloading and use of a Facebook App could create security threats? Who'd have thunk it? Oh, wait...I could, and did right here on Huffington Post.

I spend a lot of time talking about organizations enabling their employees through the use of mobile. It’s truly the only way to ‘win’ at this game. When you enable your users to be more flexible and agile they become more efficient and productive. What more could you ask for? The question always turns to how do you actually enable your people. You start with the FUN principle (Focus on the Users’ Needs) and you build apps that enable them to do what they need to do, when and where they need it. There are many issues with building apps and if you focus on their needs you get most of the way there. Yet, there is still the fundamental issue when building an app that someone can use it anywhere and at anytime. How do you know who that somebody is?

For the second time in as many months, a grave bug has emerged in core Internet security software. In February it was the "Goto Fail" bug in the Apple operating system iOS that left web site security inoperable; now we have "Heartbleed", a flaw that leaves many secure web servers in fact open to attackers sniffing memory contents looking for passwords and keys.

Who should care?

What are the ramifications of Heartbleed?

Should we panic?

The credit card payments system is a paragon of standardisation. No other industry has such a strong history of driving and adopting uniform technologies, infrastructure and business processes. No matter where you keep a bank account, you can use a globally branded credit card to go shopping in almost every corner of the world. Seamless convenience is underpinned by the universal Four Party settlement model, and a long-standing card standard that works the same with ATMs and merchant terminals everywhere.

If anonymity is important, what is the legal basis for defending it?

Against a backdrop of spying revelations and excesses by social media companies especially in regards to facial recognition, there have been recent calls for a "new jurisprudence of anonymity"; see Yale law professor Jed Rubenfeld writing in the Washington Post of 13 Jan 2014. I wonder if there is another way to crack the nut? Because any new jurisprudence is going to take a very long time.

Instead, I suggest we leverage the way most international privacy law and privacy experience -- going back decades -- is technology neutral with regards to the method of collection.

An unhappy holiday for Target customers

A week before Christmas, Target in the US revealed it had suffered a massive payment card data breach, with some 40 million customers affected. Details of the breach are still emerging. No well-informed criticism of Target's security has yet emerged; instead most observers say that Target has very serious security, and therefore this latest attack must have been very sophisticated, or else an inside job. It appears Target was deemed PCI-DSS compliant -- which only goes to prove yet again the futility of the PCI audit regime for deterring organized criminals.

The Consumerization of Identity: A collision of Worlds

US: Nov 13 1:00-1:30PM Pacific
Aus: Nov 14 8:00-8:30AM AEDST
Register here.

What happens when the irresistible force of Social Logon hits the immoveable object of enterprise risk management?

The webinar will cover:

  • What is the Consumerization of IT?
  • What is Federated Identity?
  • The State of the "identity ecosystem"
  • Pros and Cons of Federation
  • The Two Dimensions of Social Identities
  • What needs to happen for Social Logon to become "Business Grade"?

IBM researchers in Zurich recently revealed a new Two Factor Authentication technique in which the bona fides of a user of a mobile app are demonstrated via a contactless smartcard waved over the mobile device. The technique leverages NFC -- but as a communications medium, not as a payments protocol. The method appears to be compatible with a variety of smartcards, capable of carrying a key specific to the user and performing some simple cryptographic operations.

Data may be defined as Personally Identifiable Information (PII) if it is potentially identifiable. That is, data may count as PII long before it is actually identified (which only seems prudent after all). The uncertainty about identification and the room for interpretation makes some security practitioners anxious. But I like to think the loose definition provides an opportunity for security professionals to actually embrace privacy practice, precisely because, more than ever, privacy management is about uncertainty and risk. After all, security threat and risk assessment is all about making educated guesses about what might happen in future.