{"id":52243,"date":"2014-04-02T08:05:27","date_gmt":"2014-04-02T13:05:27","guid":{"rendered":"http:\/\/www.ict-pulse.com\/?p=52243"},"modified":"2014-04-02T08:07:56","modified_gmt":"2014-04-02T13:07:56","slug":"expert-insight-2-cyber-threats-security-caribbean-2014-update","status":"publish","type":"post","link":"https:\/\/ict-pulse.com\/2014\/04\/expert-insight-2-cyber-threats-security-caribbean-2014-update\/","title":{"rendered":"Expert insight 2: Cyber threats and security in the Caribbean 2014 update"},"content":{"rendered":"

We continue with our 2014 update on insights from network security experts from across the Caribbean.<\/em><\/p>\n

\"Question<\/p>\n

In this the second installment in our 2014 expert series, we engaged Aaron Manzano, who participated in our 2012 exercise. Aaron is an IT\/network security professional with over 30 years\u2019 experience in the field. He specializes in areas such as IT Operations and Management, Network Design and Implementation, Information and Network Security, and Systems Development and General Management. Currently, Aaron is based in Trinidad and Tobago and is the Director of HMP Consulting.<\/p>\n

ICT Pulse:\u00a0 Give us a quick recap of what were the most prevalent incidents in Trinidad and Tobago and\/or in the region in 2013?<\/h4>\n

Aaron Manzano:\u00a0 As in previous years, most of the incidents are still kept quiet.\u00a0 There continue to be attacks and some breaches of Government sites.\u00a0 Debit and credit card fraud has increased to the extent that the local banking association has done some thorough, albeit limited, public awareness campaigns.\u00a0 Insider fraud and unauthorized information leakage have also fueled the awareness campaign, though limited to the institutions affected.<\/p>\n

However, the most disturbing part is the handling of the “Emailgate” affair.\u00a0 It not only showed the limitations of law enforcement, legislation, and the impact of political distraction, but it also highlighted a significant lack of competency and of quality of ICT professionals, especially those offering opinions and\/or solutions.<\/p>\n

\"Emailgate<\/p>\n

ICTP:\u00a0 Although we are still early in 2014, how is the threat landscape changing? Are there any particular areas of concerns that you have for Caribbean organizations this year?<\/h4>\n

AM:\u00a0 Professionally, I don\u2019t think anything major has changed.\u00a0 What we are seeing is new flavours of the same thing.\u00a0 What has happened is a new awareness of Big Brother, though the appreciation is not perceived as a threat.<\/p>\n

What I do expect is some level of\u00a0emulation\u00a0of what larger Governments have been doing covertly by smaller states. Without the appropriate legislation for the individual liberties, coupled with the state\u2019s responsibility to protect against crime and unforeseen risk, smaller states can find intrusive monitoring and screening creep into everyday life quietly.\u00a0 Because of their small size, the voice of protest tends to be murmurs. \u00a0If 0.01 % of any population has the voice of protest, then in Trinidad, that would be 100 persons.\u00a0 For a country with a population of 100,000, then that number is 10.\u00a0 No matter the size of the country, protest only has an impact when the number of people involved can be noticed.<\/p>\n

ICTP:\u00a0 At the CARICOM level, there appears to be a growing awareness of cybercrime and calls by leaders that something be done. In your opinion, have there been any improvements in the cyber security-associated resources or support structures in Trinidad and Tobago, and\/or perhaps regionally? What might still be missing?<\/h4>\n

AM:\u00a0 There has been no real impact.<\/p>\n

The organizations that had this as a concern ten years ago, or five years ago, are still the ones that have it today.\u00a0 What\u2019s really forcing Governments to address change are compliancy issues for traditional markets that make it harder to trade if you can\u2019t satisfy those requirements.\u00a0 The cost of reporting, new competitors, and eroding markets, have a real impact on GDP.\u00a0 Not being able to keep up with treaty commitments means being blacklisted and labelled something unflattering.\u00a0 This economic impact is what\u2019s pushing governments and business leaders, and it is not limited to ICT, though in many cases ICT is hailed as the champion.<\/p>\n

ICTP:\u00a0 Are you observing any real evidence of a greater willingness among organizations to take cyber\/network security more seriously? How is that awareness (or lack thereof) being manifested?<\/h4>\n

AM:\u00a0 I think I answered this question earlier but I hedge a bet that Snowden has gotten people wondering, to the point that Board Members\/Executives are asking questions but not yet testing the answers.<\/p>\n

ICTP:\u00a0 Are there any key areas businesses should be investing their network security\/IT dollars this year?<\/h4>\n

AM:\u00a0 Most organizations should push on Organizational Responsibility, Individual Awareness and Education.\u00a0 Mobile devices, faster broadband and the penetration of social networks blur the work\/home divide.\u00a0 The average user (and maybe we should start saying, consumer of data) finds it hard to accept that there is a difference between “what I do at work” and “what I do at home”.\u00a0 We have done a great job of making cyberspace a separate place; that is pervasiveness is not really recognized except for marketing or political campaigns.\u00a0 Social networks reinforce this and the advent of Business Social Networking software has individuals wondering “what is the point?” – I might as well use Facebook, it does the same thing and I don\u2019t have to think about it.<\/p>\n

That being said, it is time to put efforts on Rights Management, Content Management and Policy Conformance especially for anyone operating in the cloud.\u00a0 Many people save documents as PDF files to reduce the likelihood of someone else editing it.\u00a0 This is very individualistic. \u00a0Rights Management (RMS) goes a lot further than this.\u00a0 Its intent is to be pervasive, not limited to the organization, but to reach everywhere.\u00a0 Based on an organization’s policies, documents can be tagged with the people allowed to open, change, print or email them, and if the work flow is automated, these states can change as it moves through the process.\u00a0 For example, the ability to collect credit card numbers might only exist at the document creation stage and is not visible again until a Credit Officer reviews it.\u00a0 At the same time, Mr. John Doe, can access that information (he being its subject), once he can be verified.\u00a0 This is a simplistic example; however, through RMS it is possible to continue to protect a document\/ data indefinitely.\u00a0 For legacy documents that cannot be tagged there are systems that can examine the content each time it is touched or transitioned in a workflow state. \u00a0These systems are not perfect, there are still cross border and jurisdictional issues to be resolved, not to mention the significant interest of groups like the music industry lobbies that would also need to be addressed.<\/p>\n

Using RMS in the cloud or on-premises also highlights another point: Product Features.\u00a0 When our focus was on the desktop, we probably only used 10 % of the features of an application.\u00a0 On the server side, the application was acquired for a specific function, and all other features were typically ignored.\u00a0 Now, the cloud has both the server and the client (desktop\/browser): it is feature-rich and even more underutilized.\u00a0 The vendors thought that the cloud would have brought software metering and billing, based on the features utilized. \u00a0Instead, the availability and the enhancements of the feature set have become a key selling point.\u00a0 The potential of misconfiguration, or even non-configuration on the assumption that the vendor would have done it, is not obvious until IT gets asked “how are we addressing this<\/em>?”<\/p>\n

Still, each major vendor has some level of culpability in this regard.\u00a0 Compliancy requirements in the US and EU have ensured that developers either possess the required capability, or have a roadmap for its implementation. E.g. the ability to place a message in a hold state, if the content can expose an organization to litigation, or prevent its deletion until its retention is no longer required legally, exists in all major cloud email solutions. \u00a0It is up to IT Strategists to recognize the need, and for Consultants\/Vendors to spend the time to educate and advocate its use.\u00a0 There are a large number of products and services that duplicate or augment existing capability.\u00a0 Refreshing your knowledge of what you have can potentially reduce cost and optimize implementation, while reducing your risk surface.<\/p>\n

Do you have any questions for Aaron? Do you agree with his views? Do share your thoughts in the Comments section below.<\/strong><\/em><\/p>\n

Looking forward to your feedback!\u00a0 <\/strong><\/em><\/p>\n

 <\/p>\n

Image credit:\u00a0 jscreationzs (FreeDigitalPhotos.net<\/a>)<\/em><\/p>\n

\n

_______________<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

We continue with our 2014 update on insights from network security experts from across the Caribbean. In this the second installment in our 2014 expert series, we engaged Aaron Manzano, […]<\/p>\n","protected":false},"author":2,"featured_media":52262,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","om_disable_all_campaigns":false,"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[82,17,27,11],"tags":[71,105,38,39,207,43],"class_list":["post-52243","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-business","category-caribbean","category-computing","category-ict-tech","tag-businesses","tag-cybercrimecybersecurity","tag-data-protection","tag-equipment-security","tag-expert-insights-series","tag-internet-governance","et-has-post-format-content","et_post_format-et-post-format-standard"],"jetpack_publicize_connections":[],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/ict-pulse.com\/wp-content\/uploads\/2014\/04\/Question-Mark-by-jscreationzs-FreeDigitalPhotosnet.jpg?fit=400%2C280&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/p2iE1G-dAD","jetpack
-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/posts\/52243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/comments?post=52243"}],"version-history":[{"count":8,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/posts\/52243\/revisions"}],"predecessor-version":[{"id":52268,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/posts\/52243\/revisions\/52268"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/media\/52262"}],"wp:attachment":[{"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/media?parent=52243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/categories?post=52243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ict-pulse.com\/wp-json\/wp\/v2\/tags?post=52243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}