Policing Cloud and data policies provides good practice
The evolution of big data and the harnessing of data in the Cloud has, with all its technological innovation and wider corporate adoption, flagged up ever-increasing policing needs around compliance and information risk management. These must be reviewed regularly and intensely by the CISO to protect the organisation. Failure to do so makes the threat of fines and penalties (which can be more severe than fines) ever more likely.
If strong information security measures and good governance practice are put in place, this can keep organisations ahead of regulatory mandates. The speed of change in data and privacy laws does not make it easy to stay on top, but a vigilant CISO will be thinking ahead constantly.
Cloud services may be offered by multiple suppliers using multiple data centres, sending data around the world. This crossing of borders gets complicated because each country has its own jurisdiction, making safeguarding complex, especially if the review is triggered by an incident rather than being proactively controlled and planned.
The right to respect for personal data held by organisations is at the heart of information security. Accordingly, companies need to know what information they hold and whether it is “Personally Identifiable Information” (PII). Protecting PII is the responsibility of the data controller. Apart from names and addresses, PII can include medical records, bank account details, photos, videos, personal preferences, opinions and work locations. Data does not, however, have to include a name to be PII. Privacy is a compliance AND business risk area.
Approved jurisdictions are recognised by the EU as having an adequate level of protection under local regulation. Countries outside Europe which have satisfied the requirements include: Argentina, Canada, Israel, Uruguay and New Zealand. The US is a jurisdiction that is missing from the list. Its ‘work-around’ is the Safe Harbour Treaty, which allows EU information to be transferred to US-based organisations, but this may still not provide sufficient regulatory assurance or cover for liability for some organisations or public bodies.
The decision to use Cloud systems should be accompanied by an information risk assessment concentrating on the complexity not only of the Cloud system, but of the privacy regulations too – and on the level of security required for that data. Once analysed, the right path for each organisation becomes less complex and the knowledge and understanding of the CISO increases, as does the confidence of the Board that they and their data are in “safe hands”.
Reputations are lost quickly in the modern age. Trust which may have taken years to build, when lost, is gone forever – and the swift migration of consumers will always hit the bottom line. Governance is not always present in the information security function, and breaches may more often be down to an inadvertent mistake than to criminal intent, but all steps taken to reduce risk, so long as they still enable the organisation to reach its goals, will smarten the way business operates and reacts. So wake up and smell the coffee: be close to your Cloud provider to know and understand where your information will be stored and processed.
Plastering on the care
A very clever battery-operated, wireless, sticking-plaster-sized patient monitoring patch has been developed by Oxford-based firm Sensium Healthcare. The monitoring patch could revolutionise patient care and increase the amount of time medical staff can give to those patients in greatest need. Currently, patients requiring monitoring are hooked up, immobile and require constant observation, normally in four-hour cycles. The new monitoring patch enables the patient to get up and move around (encouraged as part of the process of speeding up recovery), and vital sign data is updated every few minutes, passing via a ‘router box’ in each room to the hospital IT system.
It is not intended to replace routine checks, but nursing staff report that it has helped take off some of the pressure on ward rounds. The patches provided early detection of deterioration in 12% of patients wearing them in the tests at the Brighton hospital. With 12,000 recorded preventable deaths in England in 2012, of which one third were down to monitoring, this could be a significant game changer for NHS England – and at only £35 each and lasting 5 days, it is a refreshingly cheap solution for the Minister for Health to consider! http://www.bbc.co.uk/news/health-28317509#
The next big thing in Mobile Memory
Tablets have come a long way in the last 10 years: from Windows XP Tablet PC Edition to all the options that exist today. But memory is one of the areas where we have not seen great strides. Rice University in Texas is claiming a breakthrough in this field. Their silicon oxide technology – a type of RRAM – has been in development for five years and is nearing mass production, having gone through several refinements. Chips capable of storing one terabyte in the size of a postage stamp are being prototyped. The cost of a chip so memory-dense would likely be sky high, but the technology also scales to all the capacities in between.
When Operating System and Device makers have a lot more memory to play with, how we use our devices could change. Being able to load all of your apps into memory means you could access all your information instantly. This could change how we both multitask and perform complex tasks on mobile devices. As always, cost and power consumption will be vital in deciding what role this technology plays in the future, but with the right balance struck, this could be a turning point for mobile devices.
MDM vs Containerisation
Last year certain analysts were predicting that traditional mobile device management (MDM) was on the way out, to be replaced with containerisation of both data and apps. It would seem the market has taken a different approach after all. Application-level management has in fact grown, but MDM is still the preferred method for BYOD security. This has led to many a heated discussion on which path is best for mobile security going forward.
So what is the right choice? Many companies are taking a two-pronged approach, taking advantage of the strengths of each to use either, or both, where most appropriate. Just because MDM and containerisation can exist together does not mean that is what is best for your own organisation. Define your own device use cases and security / governance requirements beforehand to decide which solution best suits your needs. Then you will be able to deliver the best options for your organisation’s needs.