ITIL Information Security Management – the facebook way February 17, 2009
Posted by ivankamenken in cloud computing, itil, itsm. Tags: CIA, facebook, IT Service Management, itil, SaaS, security, Security Management, service management, SLA
When I teach my students about the ITIL process of Information Security Management, the biggest concept to teach is the acronym CIA:
- Confidentiality
- Integrity
- Availability
of data and associated systems, service assets etc.
What we discuss is that information has to be dealt with in a very cautious manner, as there are a lot of potential legal implications when you don’t manage this correctly. Think about breaches of privacy laws and regulations, for instance. This goes to the extent of sample data for test scripts: are you allowed to take a sample from the production database, or do you need to create a fictional sample because of the sensitivity of the information?
In order to manage this properly, you need to discuss with the Customers what their service level needs and requirements are and, based on this, come up with a security baseline: a minimum level of security that will guarantee the levels of CIA required to deliver the IT Services to our clients as per the agreed service levels.
With this in the back of my mind, I am just amazed at the stunt that Facebook pulled last week:
- As of the 4th of February 2009 they changed their Terms of Service (read: SLA) without notifying the users in advance… (strike 1)
- The new TOS stipulates that ALL content placed on Facebook, including – but not limited to – photos, is owned by Facebook. This includes information that is contained in (backups of) closed accounts (strike 2)
- AND Facebook retains the right to do whatever they want with this material, including – but not limited to – using your image AND name as part of advertising campaigns (strike 3)
So basically, Facebook is doing everything wrong when you compare it to the formal ITIL framework of good IT Service practices. Availability of content is not just about having it available; it is just as much about keeping certain information UNavailable. You should only be able to get to the information on a ‘need to know’ basis.
Also, what Facebook is doing is playing straight into the hands of everybody who is opposed to cloud computing practices. You can just wait for the blogs to appear with titles like: “I told you so, cloud computing is NOT secure”. A great opportunity for better value for money in the form of Software as a Service, Platform as a Service, hosted services and other cloud computing related service offerings has now been compromised.
Companies who are ethical, have a high level of integrity and WANT to offer cloud computing services to their clients will have a more difficult sales job to do because of the stunt that Facebook pulled this month. Because: “When Facebook can do something like this, what is to say that you won’t?!”
So what can we do about this? Well… nothing really: it’s a case of ‘too little, too late’, as information in Facebook’s databases and backups can still be used at random. Even when you close your account and delete your information, it may still be available on backups.
Why do I care?
That was a question I asked myself this morning when I read a waterfall of Twitter entries about the updated Facebook Terms of Service. Initially, I didn’t think much of it, as I work on the principle that everything I put on the internet will end up somewhere and nothing is really private anyway.
But I drew the line when I read the sentence that I made bold in the Licenses paragraph taken from the Terms of Service:
Licenses
You are solely responsible for the User Content that you Post on or through the Facebook Service. You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You represent and warrant that you have all rights and permissions to grant the foregoing licenses.
I do not wish for my face, name and other personal information to be used for a marketing campaign, commercial or advertising without my explicit approval. I mean, the chance of this actually happening is minuscule, but still… this is where I draw the line.
I just don’t know what to do, apart from removing all photos and lying low for a few years to let this blow over… maybe they use annual incremental backups, so with a bit of luck I will be safe in about 18 months or so…
Cloud Computing, SaaS or virtualization… what changes for the end-user? September 24, 2008
Posted by ivankamenken in cloud computing. Tags: business, cloud computing, itsm, SaaS, security, virtualization
Yesterday, I talked about the 10 things to consider when you migrate to a hosted solution, and this was mostly from a business owner point of view. But what about the end-user? Today I try to answer the question: Cloud Computing, SaaS or Virtualization – what changes for the end-user?
- What is different about the user experience?
This all depends on how the hosted software is organised. You can still have an icon on your desktop that connects to the application; it just doesn’t link to the server in the office, but to a server somewhere up in the cloud. The biggest difference is probably that it is browser driven. It can go as far as completely virtual PCs (have a look at http://g.ho.st/ and you’ll see what I mean).
- But surely there will be tighter security?
If all is well, there shouldn’t be any different security requirements. This is a little bit tongue in cheek, as I have had discussions with Chief Architects who were quick to support this argument. Many articles about hosted environments and cloud computing will focus on the security issues and how you need to have your data more secure because it is now hosted on somebody else’s infrastructure. But what does that say about your internal IT organisation?! The fact that you store the application and associated data internally doesn’t mean that you can leave it at a lesser security level! There will, however, be certain legislative rules and regulations around international data storage etc. And of course you need to make sure that the data traffic is encrypted and secure. But the same goes for using Blackberries and iPhones in your organisation…
- I don’t know anything about technology, where do I go to get support?
This is an interesting question. Usually you will have a support agreement with your hosting supplier (probably at an additional cost), and this is the reason why you need to look very closely at the service desk / support operating hours. Are you able to access support when you need it? Most large hosting organisations will have local or timezone-specific service desk services (follow-the-sun principle). Most of the support can be done remotely, and this is one of the reasons why I talked about the fact that you need to ask the hosting provider what type of expertise they expect on the business side. Some hosting providers only provide highly technical support and expect you to organise the generic IT support locally. Organisations like salesforce.com and rackspace.com are offering ‘localized’ support to their global client base.
- But what happens when I don’t have an internet connection?
Another question that many people might struggle with, and which might keep them from starting to use cloud computing services. It’s almost a fear of the unknown. We all know what it is like to have all our applications on our desktop or laptop, where you have access to them no matter where you are (as long as you have power, I suppose). Many SaaS providers give you the option of offline access as well, to make sure that you can continue to work even when you don’t have access to the internet. For example, MS Dynamics CRM has an offline option, which basically means that you can access your data on your laptop when you are offline and synchronize with the database the moment you connect again. This is possible in a hosted situation where a local client application is needed. When you deal with Software as a Service / fully online offerings, this will NOT be possible. For example, you won’t be able to access Microsoft’s Live Spaces or Salesforce.com or Google Docs when you’re offline. (Sorry – Google Docs DOES have a setting that allows you offline access; you need to enable this in your settings.) Make sure you check this option BEFORE you sign on to anything! (Especially when you travel a lot and offline access is important to you!)
The secret to success? Consistency! September 9, 2008
Posted by ivankamenken in Uncategorized. Tags: business, customer service, management, Sales, security, the art of service
This morning I am flying to Canberra to meet a few clients and, as so many times before, I had to go through airport security. And you know what happened? For the first time ever, my bag was taken from the security belt and had to be searched… The reason: an umbrella!!
Not an issue, I hear you think – this is just another security measure, one of many, as this has become a normal part of air travel. Well, but what about the fact that this umbrella has been in my bag for the last 12 months (at least!) and I have been flying with this bag/umbrella combination at least 10 times now (the last time was last week)?
The security guy told me that there had been an issue a few months ago when somebody put a knife in an umbrella and this wasn’t picked up, and since this incident the security measures were upgraded to the extent that ALL umbrellas now have to be checked.
That is fine, but why didn’t this happen on the other 9 occasions when I flew with my umbrella in my bag? Why today, and not last week?! I find it very hard to take all these security measures seriously, especially as they are not performed consistently.
So what can I learn from this? How can I use this experience to improve my business? Well, the most important thing that we are working on is building a personal relationship with our clients. People buy from people they trust… and you can’t trust a person who is inconsistent. I can’t expect clients to buy from us when we change the rules all the time. So the secret to success is consistency.
Consistency without being rigid, as our customer service ethos is very high! There is a LOT we do for our clients, to help them with their business, to improve the way we contact our clients and the experience we give them.
So where would consistency be important?
- Invoicing terms (when do we expect payment, and when do we start chasing?)
- Inclusions in the courses (do students receive a certificate of attendance or not?)
- Living up to our promises (we have a pass guarantee for our classroom Foundation course)
- Processes and procedures (I always try to send an email within 12 hours after meeting a person to confirm the action items from the meeting)

