My time on Twitter (@CDMmedia) recently brought me to Steve Francia (@spf13), CIO at Portero.com, an online retail site that sells pre-owned, luxury goods. Steve’s blog, spf13.com, as well as his Twitter feed focus on technology and social media. His IT expertise includes development, technology turnaround, strategy, organizational planning, restructuring, cost reduction, funding, productivity, and the translation of business needs into technical implementation and delivery. My questions below focus on IT security. Enjoy!
What is your security plan for Portero.com in 2010 and how has your strategy changed from the previous year?
My approach to security has consistently been to provide access to the smallest possible group. I joined Portero in late 2007 and stepped into a position where the prior policy had been one of convenience. We decided as a company that one of our primary concerns in 2008 would be security. We established critical policies and held many security focused training meetings. We found this combination provided us excellent compliance with the policies. In 2009 we built on the successful foundation laid by taking a more proactive approach to security.
Success in security is largely conditional on the users following the policies. Through training and effective policies we have brought security to the forefront of our employees' thoughts. Having laid a solid foundation the prior two years enables us to really utilize 2010. One area we will be focusing on is furthering our disaster recovery plan and abilities. We will continue with the practice of holding user training and education sessions. We will continue to hold self audits.
There have been plenty of stories in the news lately of customers' information being stolen. What strategies do you use to ensure that Portero's customer information is safe?
Portero prides itself on trust and authenticity. Naturally, I’d love to say we have this insanely intelligent and complex system and strategy to protect customer or other sensitive data, but in all honesty, this is a romantic, but unrealistic notion. In each story I’m familiar with, each failed to adhere to even the most basic of best security practices. In reality, adhering to the best practices will take you farther than an overly complex system.
Largely, we make sure that all our bases are covered, strictly enforcing best practices including: using secure pass phrases instead of passwords, forbidding customer and other sensitive data from leaving secured servers, restricting all information and access on an absolute need-to-have basis with fine-grained ACLs, all data transfer over secured encrypted tunnels, storing encrypted archives in a secured location, restricting physical access to all server rooms, and keeping all systems patched and up-to-date. Lastly, we hold training sessions to ensure that policies are understood and followed. I could provide a long list, but the point is to cover all your bases, especially the ones that are not enforceable through technology, which are all too often forgotten.
You have a blog and are an active Twitter user. What precautions do you take in order to protect your personal information while using these social media sites?
In this, the information age, privacy is rapidly eroding. Generation Y is growing up in this public environment and seems unable to even recognize the loss. We live in an era where so much of our personal information is either public or in the hands of enterprises; to think one could be truly “off the grid” seems unrealistic. So the question becomes, how does one apply the right safeguards to protect their personal life and family?
I realized a few years ago that every professional is a celebrity in their own right in that each has a public brand to maintain. Name/Brand recognition is critically important, and obtainable through social media in a way the world hasn’t seen before.
Personally, I maintain two separate online presences. A professional one via my blog (http://spf13.com) and sites like LinkedIn and Twitter. I rarely tweet anything about my family or my personal life. On the personal side, I maintain a separate “invite only” family blog. Truly sensitive information is only posted on the blog, which is really only intended for close friends and family.
In your opinion, what is the biggest security concern with regards to cloud computing?
I see two major concerns:
1. What is a cloud?
In the past couple of years, it has become a heavily overused marketing term. Since each “cloud” is built on completely different technologies and concepts, speaking of security as it pertains to “cloud computing” is a dangerous proposition because of how vague the question is. Since each implementation possesses its own unique set of technologies and problems, it’s difficult to have a meaningful discussion on security.
2. We don’t know what we don’t know yet
It’s obvious why there is all the hype surrounding “cloud computing.” CFOs love it because there is no upfront cost, no depreciation, and a pay-for-what-you-use model. But cloud computing is relatively young, and I’d be concerned about putting any mission critical or ultra sensitive information in the cloud. I think people typically think of a cloud as being engineered from the ground up, but in reality, each is composed of piecing together many different pieces, some very mature, some very immature.
We typically understand the points of attack (or vulnerability) in a traditional hosting environment. The cloud, with its multi-tenant nature, presents all sorts of new potential concerns. The vendor is now providing their (largely) home-built separation layers between customer data and access.
I remember a few years ago people were saying that they didn’t need an SLA from Amazon because their infrastructure was so redundant and reliable and AWS hadn’t had any meaningful outages. Many built businesses on this mentality. Here we are years later, with more mature technology, and a handful of major outages have occurred this year alone, including ones at Amazon and Google. Use common sense. Just because we haven’t yet experienced a widespread security breach in the cloud doesn’t mean that we won’t.
No provider currently has a PCI compliant cloud. Does PCI compliance ensure something is safe, or that something that isn’t PCI compliant isn’t? No. But this does speak to the immaturity of cloud computing that not a single provider has a cloud secure enough to store credit card data.
I believe that the cloud is a fantastic resource and has great potential. I was an early adopter of the AWS cloud when I was at Takkle.com. We built a transcoding farm on EC2 to process a huge volume of user-uploaded video. Without EC2 we would have had substantially higher hosting costs, which would have prevented us from incorporating this feature. However, we never transmitted any data to EC2 that wasn’t already public, nor did we put any mission critical services on it. We used common sense, mitigated risk and benefited largely as a result.
What security trends and issues do you foresee for 2010?
As budgets have been trimmed industry-wide, my biggest concern is that enterprises shortchange security, gambling with their (or their customers') data. I don’t believe that anyone would intentionally weaken security, but as staff is thinned out, essential processes become forgotten. Proper training may be elusive. Seemingly small removals here or there could quickly add up to disaster.
As social media and mobile computing converge and continue to penetrate into more aspects of business, privacy will become increasingly challenging to enforce. The smart phones on the market are capable of recording or capturing data of any kind, via camera, audio recording, or by acting as a network, Bluetooth, or USB drive. They also have the ability to transmit and/or broadcast any of this data instantly and bring their own unmonitored network. Today’s smart phone is the ultimate spy device; even James Bond would be jealous.
Social media is very powerful. Used correctly, it can be a fantastic tool. Used incorrectly, it can have catastrophic results. People don’t realize that once they hit that send button the tweet, post, message, email, etc. is instantly and irrevocably being broadcast to the entire world. Yes, there may be a delete button, but once it’s public, it is broadcast, copied and cached, and that can never be undone.
I think proper education and instruction are the answer here. Proper instruction enables an organization to embrace all the good that social media provides, but even a perfect execution would only minimize the risk. While some groups (e.g. the NBA) may be able to control usage of social media, doing so will prove extremely challenging for most businesses.