Since the revelations about Facebook and the analysis and fallout that followed, I have had a question in my head. No, not "Should I delete my Facebook account?" (there is that one too!). I began to wonder what the real issue was. Is it trust in the people we give our information to, or is it, as many people have suggested, myself included, about privacy of information? Or are they so intrinsically linked that you cannot have one without the other?
This was also brought to my attention, front and centre, following my last post, Compliance or Security? (https://www.infosecisland.com/blogview/4135-Compliance-or-Security.html), through a comment made by Cloud Ninja and the documentation I was asked to read and offer my thoughts and comments on. As some of you may be aware, I did respond with a very quick, high-level reply, but this post covers the issue above and gives my more measured response to the documents posted.
I want to focus this post on two specific companies: Facebook and Microsoft. Facebook started life as a closed network restricted to those with a .edu e-mail address in the US. As time has gone on and the volume of users has risen, the restrictions were reduced almost to an "everything is public" default (until this week, at least). I can only speak for myself, but I don't think it is any coincidence that the reduction in restrictions followed the same trajectory as the levels of trust in Facebook.
Trust, with anything, is all about perspective, so ultimately this is the key to the issue. I think the general acceptance is that to use the Internet you have to give up at least some information; therefore we, as users, need to be convinced about the companies we give our information to. Facebook's problem is that they have made many changes to privacy settings with little or no communication, and this week's communication, which started to rectify some of those changes, felt like too little, too late. As with any relationship, when the trust goes, it is very difficult to get it back.
There is a different slant to this: we also give our information to Government agencies. Her Majesty's Revenue and Customs (HMRC) in the UK has now had two major data losses in two years, but we have no choice but to let them see our information. We may not trust them, but we have to share our information with the Government, hence the little furore in comparison to the Facebook issues.
At the start of this post I mentioned a comment to an earlier post by Cloud Ninja and the documents they linked to. I attach them for information.
I cannot think of a bigger company attracting such intense mistrust as Microsoft. However, they are victims of their own success, particularly within the PC/Desktop market. In April 2010 (http://en.wikipedia.org/wiki/Usage_share_of_operating_systems) Microsoft products on average garnered almost 91% of the market in desktop operating systems. Therefore, users see that they need to update their machine on a monthly basis, or have had to recover from a blue screen of death, to give two examples of issues. This affects the perception of Microsoft as a trustworthy and secure company. Potentially the biggest hit came in January 2010 through the publicity surrounding Google being hacked in China, allegedly via Microsoft's Internet Explorer 6.
To defend Microsoft, for a second: when you have an OS with over 50 million lines of code, as Vista had (http://www.nytimes.com/2006/03/27/technology/27soft.html), it is impossible to assess and close every loophole or figure out where all the vulnerabilities lie, especially with such a vast user base and with people and teams of willing hackers looking at this software so intensely in order to break it. At this point a comparison could be made with the speed at which the iPhone OS is "jailbroken."
Reading all the documents, the breadth and success of the security program came as a surprise to me. My main issue is that if I were part of Microsoft and continuously being hounded about security levels, I would be shouting things like this from the rooftops, particularly when what I read related to security and compliance within the cloud computing space and could give Microsoft the edge over many of their competitors. This is particularly true now that they have a business outside of the desktop space: any negativity around the desktop could impact other parts of their business.
The research paper "Cryptographic Cloud Storage" shows a large step forward in how data could be protected both in transit through the cloud and in its storage at the other end. It is research papers like this, coupled with the compliance strategy, that could give Microsoft the edge, as I have already said. It could indeed be the game winner.
So is trust merely marketing? I think marketing has a huge part to play, but it is not the be-all and end-all. Eventually your actions have to speak louder than any words, and trust is gained by keeping our information private. Security is a strange organism: if things go well and nothing happens, people question its necessity. When things go wrong, they tend to go spectacularly wrong, and security takes the brunt of the blame.
Therefore, in the good times you should harvest the good stories you have to tell. It is only by doing this that, when things go wrong, the levels of trust may not be irrevocably damaged.
This post was originally published on my blog at http://markg1975.wordpress.com