Thursday 20 October 2011

Children and Internet Safety... do they mix?

As an IT Security professional and a father, I'm often asked how to filter the internet for their children.  I would suggest there are three elements that need to be looked at including IT security, education and computer location.

My children use a Windows 7 computer, but in order to secure the system, I run Avira Internet Security 2012, which is a lightweight, low footprint but highly effective anti-virus software.  It offers anti-malware, a software firewall and a basic level of web filtering.  I ensure all these components are enabled, updated and running.  I have created limited access Windows user accounts for the children, where no administrative rights are available.

Everyone assumes that controlling the computer or access to the internet is the answer, but your children need to understand why they are in place.  We have spoken to the children that if they encounter anything that they did not expect, then they should make us aware of it.  We have also spoken about password security to them, to ensure that the passwords they use are not shared with anyone beyond the family.

Some people are surprised with the final piece of advice, but I suggest putting the computer, or using the laptop in a high traffic area of the house.  Some recent research has shown that paedophiles are less likely to engage in a webcam chat, if it is in a family area of the house, compared to a bedroom.  We have situated the desktop computer in the kitchen, where the children are rarely using the computer unsupervised.

Some think this attitude may be a little paranoid, but the key component is education and for your children to understand why.

Thanks to Jason Jones for pointing out this Ofsted report, which makes for some interesting further reading.

“To The Cloud…”


For the last year or so, it seems marketing people have moved away from terms such as “... as a Service”, and replaced the words with Cloud.

We are seeing hosted applications, hosted infrastructure, hosted servers, hosted platforms, managed services, VPNs, MPLS networks, distributed networks, hosted virtual servers, remote VDI solutions, all termed with the phrase Cloud.

I understand the drivers that are used to move services out of your own server room, by lowering infrastructure costs, moving capital expenditure to operational expenditure, upgrading or downsizing by modifying your service plan, removing running costs (such as air conditioning, trained server administrators, etc.), having your systems monitored and changing applications on the fly.

I have a few issues with Cloud offerings, which include:

Authentication
  • How do users connect to the solution? 
  • Are they using a username and password?  

There are many issues around authentication, such as weak or insecure passwords, using common words, using easy to guess words (such as favourite bands, football teams, children’s names, car, etc.) and that’s before the fact the password can be told to someone else. 

People often talk about multi-factor authentication, but to surmise it, the factors are “something you know” such as passwords and PINs, “something you’re given” such as a one time passwords from a token, or “Something you are” where biometric devices are used to read fingerprints or iris scanners.

A combination of two of these will be known as two factor authentication, where passwords are coupled with a token generated one time password, offering much improved security.

Encryption
  • How is your data protected?
  • Who has access to your data?

With the Information Commissioner’s Office issuing fines of up to £500,000 for the loss of personal data, it is more critical than ever data is encrypted. 

I would expect the data to be encrypted with to a minimum level of 256-bit AES, although another consideration who has access to your data.  It may be encrypted, but if the key is held by the service provider, then they will have the ability to decrypt your data.

Backup and Archive
  • Is the data backed up?
  • Is the data archived?

Your data should be backed up regularly, giving a point in time that the data can be restored to.  The issue with back up is that it will back up current data, but the ability to roll back and restore can be more destructive and time consuming than working round the missing/lost/corrupted data.

If your data was archived, then it would offer the ability to manage and archive all versions of the data.  Archiving is driven by compliancy and traceability, rather than disaster recovery.

Access to the service
  • Where can you access the data from?

It would be great to be able to access your service from anywhere in the world, wouldn’t it?  A concern is that although this great for remote users, should everyone be able to have access?  Data security may dictate that the service or data should not be access from non-trusted IP addresses, or by specific users or during specific times.  If this level of control is required, ensure your provider is able to deliver this.

Disaster Recovery
  • Are there multiple servers hosting your service?
  • Are there multiple datacentres hosting your service?

One of the draws with a Cloud offering include having your applications and services available from anywhere, so there perfect disaster recovery solution.

The issue will be when the provider has a server failure.  Will they be able to move your service to a new server in a timely fashion?  Whether the services are being run on virtual or physical servers, ensuring your service up time is vital. 

Another concern will be if the provider only has one datacentre or one WAN connection, so if there service is delivered well I would expect multiple datacentres, with multiple links running an active/active configuration, along with an active/active or active/passive server configuration.

Conclusion
My concern with Cloud solutions is the number of providers who are “jumping on the bandwagon” offering cloud services as quickly as possible.  The issue is that some providers offer very favourable pricing, but the infrastructure may not be in place until there is some uptake.  This can only be a bad thing for the early adopter, especially if it is not making money and they stop the service or become bankrupt.

My advice is to proceed with caution, check the provider thoroughly and try not to be price driven.