What's More Important: Security or Privacy?

PCQ Bureau
New Update

New technology is creating a lot of change. From one direction, we see how businesses want to use clouds, mobility, big data and social tools to create new capabilities externally and do business in new, interactive ways with customers. From the other direction, this presents challenges to IT departments and in particular to the role of the CIO. Right now the role of IT and of the CIO is pretty well defined, but only in respect of the existing technologies and their role in supporting business procedures internally, or securely, behind the firewall.

This leads to two definitions. 'Inside-out' defines traditional IT as 'inside' the firewall, with any external usage delivered through both the client-server technology and the governance models of enterprise IT. 'Outside-in' is the use of Internet web architecture to deliver 'services' to customers, workers, etc. who are 'outside' the firewall in their primary activities, with only limited web-based connectivity to enterprise IT. As an example of this, I posted a use case recently on http://ld2.in/444.

Redefining security architecture

When we say 'security', the natural definition that comes to mind around traditional IT is:

"The need to protect the core assets of an enterprise in terms of its commercial information and its ability to do business internally at the right cost and level of efficiency."

Traditional IT also means 'based on PCs': client-server architecture used in a computer-and-data-centric manner around enterprise applications hosted onsite and under the control of the CIO and the IT department. Throw the use of clouds or remote hosting into this and security still means 'secure inside a firewalled perimeter'; the question merely shifts to how that is achieved.

A lot has been written about this, and there is some pretty good progress by the Cloud Security Alliance, https://cloudsecurityalliance.org/, which is worth checking to see both what is being approached and how, and the real progress made.

But there is a less obvious and growing issue about where your data is being held or used, and the legal consequences. This may not be the 'security' issue that first comes to mind, but as more enterprises use external data centers, it is certainly a governance issue that your enterprise may well care about. Bruce Schneier has a good blog post and discussion on this to bring you up to speed on what the issues are; you can read it here: http://ld2.in/445. But it's Peter Cartier who offers the best straightforward description of what the US Patriot Act is all about and what it covers--http://ld2.in/446.

Given that many of the big names are American and offer global resources to manage your data, this is an issue to understand, as your data can, quite legitimately, be examined by the US Government if it feels the need. That is clearly something to understand alongside the conventional questions of how secure the data center is and how effective the operator's governance is.

The role of employees

For many CIOs, the security question is rapidly becoming about people and the range of devices they use at work, frequently as BYOD (Bring Your Own Device). This isn't necessarily the security issue it might seem if full 'inside-out' access to traditional IT is not granted and the people and devices are instead positioned outside the firewall on the 'outside-in' model. If you don't know about this model, then I really recommend you find out more from the Capgemini white paper--http://ld2.in/448.

And if you don't think it's for your enterprise, then you may be very wrong. A Swedish bank recently told me that they thought up to 40% of their staff should be moved outside the firewall to an 'outside-in' environment to improve security. Removing their ability to access the enterprise's core systems and data will also improve their effectiveness in facilitating services for their customers.

Moving people and their devices outside the firewall and denying them access to enterprise applications is surprisingly effective and easy, but whereas computers and their data need security, people need privacy. From 12th March, Google implemented a revision of its Privacy Policy--http://ld2.in/447, and you may have noticed that its home screen contains a box stating 'We're changing our privacy policy and terms. This stuff matters'. And it does, as an increasing number of court cases prove. It's difficult to get any simple guidance in the form of a free online download for what is obviously a complex subject. The best I can find is below, and I should say that this link is not a recommendation or any other legal construction for which I am liable; it's just my view that I found the content personally useful. So make up your own mind on the topic, starting with a site offering practical guidance in the form of a message to be placed on a web site to alert users--http://ld2.in/449.

Other places I found useful include Website Law, a guide to UK law on privacy--http://ld2.in/44a, and a US site that claims to be able to generate an enterprise-specific privacy policy--http://ld2.in/44b. Frankly, I don't think these are the answers, just useful ways to read what is being addressed and how. The answer is to do some proper due diligence with your enterprise legal department about what and how privacy is an issue for your own staff when supporting them online.