Sunday, November 25, 2012

Security and Convenience - The Balance Matters

In our world, where information is the ultimate strategic resource, security is important. Very important. But security usually stands in the way of productivity and convenience.

Take something like strong passwords and the need to change them regularly. We could significantly increase system security if we mandated very long, strong passwords of 256 characters and required them to be changed every day. The data would be very safe behind such passwords. Of course, remembering them would be highly inconvenient, if not impossible, and changing them daily would be annoying. Want even higher security? How about 1024-character passwords that have to be changed every hour?

Practical security today has to reach a compromise: a balance between security and convenience. We have to keep pushing the barriers on security without annoying users so much that they either give up or develop behavior that actually compromises the security altogether. In my password example above, people would lose productive time every day and they would likely have no choice but to write the password down every morning on a piece of paper kept right next to their monitor. All of those passwords lying around would severely compromise the security of the system, which would achieve exactly the opposite of the intended result. If you are interested in learning more about password-related challenges, I recommend reading the recent Wired article titled Kill the Password: Why a String of Characters Can’t Protect Us Anymore.

Clearly, there is a constant tradeoff that we have to make between security and convenience. However, not every organization is the same in terms of how strong its security needs to be and how much inconvenience it can impose on its employees. I often meet customers who are at very different points on the spectrum, from very casual to utterly paranoid.

Of course, nobody will admit that they have a casual attitude towards security. However, consider the differences between retail, manufacturing, and, yes, many technology companies, which often get by with relatively simple security (I know, there are always exceptions), versus organizations such as military installations, intelligence agencies, and nuclear facilities. These operate on a completely different security level and have no choice but to impose a lot of inconvenience on their employees.

Think about all of the employees working at Internet startups in Silicon Valley and about how much security hassle you could put them through - not much! James Bond, on the other hand, never tires of opening the cafeteria doors using his palm and voice print. Apparently, high security standards come with some jobs (or companies).

What’s important is that one size doesn’t fit all when it comes to security. Different organizations face different security problems, and their solutions have to be adjustable. For example, two-factor authentication may be appropriate in some environments, while biometrics-based authentication is a good fit in others. Getting the balance right between security and convenience is important - the balance matters!

Sunday, November 18, 2012

Social Is Now a Noun

Inspired by the tremendous growth of Facebook and its endless ability to compel users to share, communicate and engage, companies have been trying to convince their employees to do the same at work. They hope that the same type of technology will help employees to share, communicate and engage inside the enterprise just as they do in the consumer world. Sometimes it works, although many companies are learning that just because you build it, they won’t necessarily come.

Social software is a very hot space right now.

What’s interesting, though, is how the industry struggles to find the right way to describe what it is we are doing here. The idea is not new, actually. Collaboration has been around for well over a decade, and the benefits this new breed of social software offers are very similar to what collaboration delivered back in the early days of eRoom and OpenText Livelink. Heck, Lotus Notes has been called collaboration - the history of collaboration goes back to 1989! But of course we can’t use the old name ‘collaboration’ for this new hip, social software, can we?

Dedicated collaboration/social software is becoming rare

So the industry went on a long journey, searching for the right term. We started with extended collaboration, extended enterprise collaboration, collaboration software for the enterprise, team collaboration, and content collaboration, and that apparently wasn’t cool enough, even though all these terms are still being used by various vendors. Then we borrowed the term social networking, since that was how we used to refer to the thing we did on Facebook back then. That didn’t last very long, and new terms came along, including social software, social communities, social workplace, social business, and social collaboration. At some point, the industry even briefly toyed with the idea of seriously calling this software category the Facebook for the Enterprise.

That, thankfully, didn’t take hold, and so the journey continues. The latest trend is using just the word ‘social’. Yeah, I know, it is an adjective, but old rules like grammar shouldn’t stand in the way of progress and world domination. And so, social became a noun.

More and more, social capabilities are built into enterprise applications

Well, maybe the search will be over soon. It is becoming increasingly apparent that ‘social’ is becoming a feature rather than an industry. Social capabilities are increasingly being integrated into other enterprise software - from content management, business process management and customer experience management to CRM and ERP. So perhaps we don’t have to worry about what to call the space, because it is not a space at all - it is an integral part of enterprise applications.

Wednesday, November 7, 2012

The Only Hope for Privacy?

In his interview with TechCrunch in early 2010, Facebook founder and CEO Mark Zuckerberg famously proclaimed that privacy is no longer the social norm. Well, not so fast, Mark. Some of us still think that privacy is important. But Mr. Zuckerberg has a point too. Protecting privacy is becoming increasingly difficult in the Facebook era.

It’s not just Facebook and the information that we voluntarily disclose. We are being tracked more and more, often without knowing about it. From the websites we visit and our physical location via smartphone tracking to the ubiquitous TV cameras on city streets - our moves are being recorded, and the volume of information about us continues to grow.

So it appears that our future will be - just like Mr. Zuckerberg predicted - devoid of any privacy. Every one of us will always be monitored by the modern incarnation of the Orwellian telescreen, which will continue collecting huge quantities of information about us. Yet the growing volume of information may be our best hope for keeping some privacy after all. Let me explain.

From the film adaptation of Orwell's 1984

Powerful computers can be used by governments and corporations - the good guys and bad guys alike - to weed through all that information collected about you. Monitoring any one particular person is relatively easy, but monitoring everyone to find someone or something in particular is becoming increasingly difficult. There is just so much information! Finding anything is becoming a tough chore that requires some serious computing power. In other words, collecting a ton of information about you without the capacity to decode and analyse it is pointless.

In addition, the information is increasingly encrypted and comes in formats that are not easy to search and analyse. We all know that any encryption can - at least in theory - be decoded using a brute-force attack. But we also know that the stronger the encryption we apply, the harder it is to decode the data by brute force. This has been an ongoing cat-and-mouse game in which an ever larger volume of data, protected by ever stronger encryption, demands more and more computing power to decode and analyse it.

Back in August 2011, I wrote about how the massive amount of recorded video surveillance was actually making it harder to apprehend the suspects after the Summer 2011 riots in London. Contrast that with the famous scene from the Philip Kaufman movie The Unbearable Lightness of Being, where the secret police indict people based on a handful of photographs after the Prague Spring uprising of 1968. A couple of photos were relatively easy to analyse, while terabytes of video have made it practically impossible.

Today, there are a few key choke points on the Internet, such as the intercontinental submarine cables, and it is feasible that a hostile foreign government could tap into them to capture and decode all the data. Back in 2010, China allegedly re-routed and hijacked a large portion of US Internet traffic. But to do anything meaningful with all that data, they’d need to build a really powerful supercomputer. By the time it’s built, that supercomputer will likely be obsolete - the volume of data is simply growing so quickly that brute computing power is having a tough time keeping up.

So, as it turns out, the growth of information volume could become an effective defense against spying and monitoring. Perhaps that works on a smaller scale as well. One ‘bad picture’ on Facebook might cause you trouble for years to come, particularly if it’s the only picture of you there is. However, if it is one of 10,000 pictures of you, chances are the compromising one will not emerge during a cursory background check, provided that most of them are “good”.

This approach might even provide an effective defense strategy in an eDiscovery case, where the court subpoenas all information relevant to a given lawsuit. When complying with the subpoena yields a body of evidence consisting of 10 documents, the opposing party will easily find what they need. If the court request, however, yields 10 million documents, the opposing party may need to reconsider whether or not they want to pay their lawyers $500 per hour to review all of that evidence.

Perhaps privacy does stand a chance after all - when we drown the surveillance in a sea of data.