In the late 1960s the mathematician Whitfield Diffie, now a well known cryptographer, started his graduate work at Stanford. There he was introduced to the growing prominence of “time-sharing” computing, computers powerful enough to allow more than one user or task to execute at the same time. Contemplating the security implications of these new systems, Diffie and his colleagues realized that our everyday concepts of privacy and security would have to enforceable in the new digital age.
Unfortunately, in the 1980s, the developments of multitasking and computer security were pushed aside for a new vision; computers became independent and personal. They sat on a desk, not in some closed off room. They had all the required resources right there and didn’t require connecting to another system. They just got about doing one thing, in real time, with just one user.
As the personal computer evolved, features from the days of mainframes and minicomputers were introduced. Multitasking and networking made their way into our everyday lives. Soon everyone had an email address and was finding their way onto the “Information Superhighway.” Unfortunately, the vision of an independent personal computer lead us to develop some bad habits and a false sense of security.
Consider what has been mentioned in the previous two posts about data in transit and in storage:
Encrypting and decrypting data requires intense mathematical computation, which can impact processing time and the perception of an application’s responsiveness. In the world of 80s-era personal computing, the computer was not regularly connected to any remote device, was not executing multiple applications at the same time, was not interacting with various users and was not easily portable. At the time encryption was not popular because of the performance hit and limited security benefit.
Unfortunately, this habit of speed over security has continued. Platform and application developers still routinely shortcut security concerns in the name of performance.
The Internet provides a previously unknown sense of immediacy and intimacy despite great physical distances. Email and social networks allow us to view and share thoughts throughout the world as they occur. Ecommerce sites can organize lists of items personalized to one’s tastes and fashions.
This intimacy creates a false sense of security, that one is safe, among friends and trusted institutions. Yet, the wildly successful networking protocol TCP/IP, the foundation of today’s Internet, was originally developed as a research initiative. It forsake some concerns, such as security, for others, such as simplicity of implementation as research drove itself to an initial, small-scale (by today’s standards) implementation.
There are, of course, steps that system architects and developers can take to rectify this situation. But there are also steps that users of these systems, be it end users of a website or proprietor of it, can take:
What information is being requested, can it be considered “sensitive”
Review how data is being transmitted between systems
If it is “sensitive” is it being transmitted securely
Review what data is being stored
If the data is “sensitive” is it being stored securely
Review “roles” assigned to different users who access the data and create unique accounts for each user
Create strong passwords
Use secured network protocols such as SSL and SFTP
Keep all applications and devices up-to-date
Undertake a risk assessment with your web developer and hosting provider.
Like a chain, a complex system is only as strong as its weakest link
Compliance with PCI, HIPPA or other security policies is a starting point
Threats evolve as new vulnerabilities are routinely discovered, don’t get discouraged
Think something is missing from the list? Post it in the comments section below.
What are your thoughts?