Archive for September, 2010

When does protection become disruption?

September 24, 2010

Two recent articles, pointed out to me by a couple of colleagues, serve to highlight a flaw in the overzealous application and misuse of some DRM-based content protection mechanisms; basically, when does content protection become disruption?

The first article, thanks to Brian Runciman, deals with Games DRM, and describes the fallout of presenting legitimate gamers with ever more complicated DRM schemes which effectively prevent some users from enjoying their legally purchased products. It also highlights some unintended consequences of Games DRM, and concludes with the now old mantra that any good DRM solution should be transparent to legitimate users. We still live in hope!

The other article, thanks to Ian Cole, is really an alert notification in a SANS newsletter about multiple vulnerabilities (e.g. buffer and integer overflows) in a critical ActiveX control within Microsoft’s DRM system. According to a Security Focus entry, this control could allow an attacker to execute malicious code on a user’s machine – talk about content protection becoming a threat in itself!

Conclusion: The continued perception of DRM remains that, at best, it is intrusive and potentially unsafe. This is in spite of the fact that DRM is slowly and quietly becoming embedded in the fabric of more and more digital content, including streamed content (e.g. music, movies and electronic games). Oh, and this will have an even bigger impact on the pre-owned or aftermarket for digital content, as discussed in a recent post on the BCS Games Blog.


IT Security is Hot & Cloudy!

September 17, 2010

Wednesday’s BCS event on IT security certainly made that point on many different levels. If I was a betting man, I’d wager that the IT security industry is on the brink of a major revolution, on the back of that vague and fluffy thing called the Cloud.

Case in point: my question of how many people in the audience actively use the Cloud saw only a pitiful couple of hands raised. However, when one of the presenters put it another way, i.e. how many people used Android phones, for example, a few other hands went up, along with looks of dawning comprehension. The Cloud rightfully exists behind the scenes, powering various services that are often taken for granted by the consumer, and the Android example simply confirms that, in spite of all the buzz, your common, garden-variety consumer has little understanding of or interest in this techie catnip known as cloud computing. And who can blame her? After all, was it not the same geeky fads that brought us such similar buzzwords as Application Service Provider (or ASP), Grid computing, and heck, even Web 2.0?

But I digress. What’s this got to do with IT Security, you ask? The answer is very simple: if the Cloud is really a behind-the-scenes enabler, then Cloud security should also be behind the scenes; but I get this uneasy feeling in the pit of my stomach (no, not from eating too many nibbles after the event) that it won’t be long before someone gets sued over some security breach emanating from the Cloud. How long before we get Cloud Compliance and Cloud Security Risk Assessment models, regulations and perhaps even some exotic insurance policy for Cloud-based services? Furthermore, the Internet (and consequently the Cloud) is essentially borderless technology, which means that various national and international data governance regimes may have a thing or two to say about where data is stored – assuming it can be found in one place!

Finally, we also learnt that some clever Silicon Valley types are actively seeking ways to commoditize the Cloud, and Cloud-based services, such that they can be traded as a financial instrument. Now where have we seen that one before – does Collateralized Debt Obligation ring a bell? Suffice it to say there’s a lot of food for thought when it comes to Cloud Security, and far better qualified people than I have pondered, spoken and written about it (e.g. see my review of an excellent book about Cloud Security), so I shall just leave well enough alone.

Aside from the cloudy issue of cloud security (sic), the event provided many opportunities for attendees to hear and debate other key topics of interest in IT Security, and our four speakers did a great job of keeping people engaged throughout. More information, including presentation slides, can be found on the BCS NLB website.
