While it’s hard to see the current emphasis on information security training as anything other than a positive trend, the popularity of security programs at many higher education institutions may not produce the next generation of appropriately skilled and qualified infosec professionals without some consideration of how the training is structured. Undergraduate and graduate degree programs in information security (or information assurance, or cyber security, or any of the trendier labels for such programs) are often marketed to individuals based on the anticipated need for workers trained in security, without much regard for the prior educational background or work experience of the prospective students. Most of the institutions offering these programs also try to get their curricula approved by the Committee on National Security Systems (CNSS) or other government bodies, since the Department of Defense and other government agencies use such approvals to determine the validity of the training that information security job seekers have had (along with attainment of certain certifications designated in DoD Directive 8570). CNSS produces training standards for information assurance professionals, which in general specify the set of topics and functional responsibilities that people working in various security-related positions should master.
Institutions and their faculty members face the challenge of taking students from introductory information assurance basics through to a level of knowledge sufficient to establish them as qualified to take on specific infosec responsibilities. This task is made harder in some topic areas by the fact that few technically focused information security textbooks are produced, and the ones that are tend to cover broad ranges of security topics without the level of detail or rigor necessary to develop a thorough understanding of the topic. The materials that are available for this purpose include narrowly focused product or task-specific reference books and manuals, so that supporting a typical graduate course curriculum with such materials might incorporate content from a large number of sources. There’s nothing inherently wrong with this situation, and in fact it reflects business as usual for much of the practice of information security, but both instructors and students often prefer having just one or a couple of comprehensive references to cover a topic, and finding such references often proves an elusive goal.
To use intrusion detection as an example, consider the content coverage necessary for a course that seeks to address all of the major aspects of the topic: network-based and host-based intrusion detection and prevention; signature-based and anomaly-based detection methods; protection against external and internal threats; technical underpinnings of intrusion analysis, related threats and vulnerabilities, and use of detection mechanisms to mitigate those; and positioning of intrusion detection in relation to other related disciplines such as network security monitoring, incident response, forensic analysis, event correlation, and defense in depth. There are excellent technical references available for all of these topics, but no comprehensive coverage of these topics in a single source, in a format that might be used effectively as a course text. In the graduate Information Assurance program at University of Maryland University College (UMUC), the course on intrusion detection and prevention for many years used Paul Proctor’s Practical Intrusion Detection Handbook as one of its core texts, in large part because Proctor tried to address, in a single volume, network-based and host-based IDS, deployment alternatives, behavioral analysis, operational models for intrusion detection activities, and factors organizations typically consider when evaluating vendors and tools in the IDS market. The value of Proctor’s book, like most security references, has diminished significantly over time since the book was published in 2000, and now large portions of it are so out of date that they are inaccurate as well as irrelevant. Due largely to its age, UMUC replaced Proctor with a more recent work in the same general topic area, Ryan Trost’s Practical Intrusion Analysis, which aside from being current also illustrates the two prevalent types of IDS technology through descriptions of Snort and Bro.
Trost’s book has some shortcomings as anything other than a reference for some specific sub-sets of intrusion detection topics, particularly because the book was assembled from a separately-produced group of chapters by different authors, and has not been favorably regarded by some expert security practitioners. In the context of a course text on intrusion detection, Trost’s book matches the approach of quite a few others in focusing exclusively on network-based intrusion, which limits the applicability of the material in the book in terms of the relevant threats and organization security objectives it addresses. Practical Intrusion Analysis also reflects a trend seen in many recent books to try to cover only new or unique topics, assuming the reader already has other references available that describe the basic material that serves as the foundation for what’s in the book. This assumption may be valid for security professionals, but is rarely true for students.
In theory, the best way to approach a course purporting to cover — at least at some level — all the major topics related to intrusion detection and prevention would be to integrate smaller content contributions from a potentially large number of reference sources. This would result in a custom curriculum that might be difficult to replicate from program to program, given the added effort (and often complexity) associated with obtaining the appropriate copyrights for chapters or excerpts from multiple publications. Another alternative might be to assemble the relevant content in a single volume specifically intended to serve as a textbook (which nevertheless might end up being valuable as a general security reference), although such an approach runs the risk of producing an aggregation of content that isn’t well integrated or doesn’t have enough logical flow to be understandable by its target audience. The key advantage to assembling relevant content from ostensibly authoritative sources is that changes to content can be more easily accommodated when there are multiple authors responsible for specific pieces, particularly if the material is made available electronically and not only in bound and printed editions. From a purely pedagogical standpoint, it might be preferable to have a single author responsible for the content, but with respect to intrusion detection, it seems likely that any author or instructor attempting to produce a textbook that fully covers the topic would be dependent on input from multiple other parties.
With the addition of yet another privacy bill to the slate of draft legislation pending in Congress, this time in the Senate in the form of the Data Security and Breach Notification Act of 2010 (S. 3742) introduced early this month by Democrats Mark Pryor and John Rockefeller, there clearly remains heightened interest in protecting personal information, even if none of the bills so far has made it very far towards becoming law. While significant attention has been drawn to privacy, especially privacy of information in online contexts, if the current legislation is any indication, federal legislators seem to be emphasizing individual privacy protections at the expense of considering the benefits of information sharing, both to consumers in some settings, and for the success of major initiatives such as health care reform (and data sharing through health information exchange), proposed financial regulatory reform, and ongoing priorities such as anti-terrorism efforts. In an article posted on the Hillicon Valley blog of The Hill, technology publisher Tim O’Reilly expresses concerns that if privacy practices are legislated by Congress, there is a good chance any resulting regulations will err on the side of heavy-handedness, and fail to acknowledge either the benefits of some forms of information disclosure or the fact that many individuals are quite willing to balance privacy against those benefits, particularly if they are afforded some level of control over what personal information is shared and how it is used. In a similar vein, Emory economics professor Paul Rubin offered a list of 10 common misconceptions about privacy in an opinion piece posted by the Wall Street Journal online. In the aggregate, Rubin provides an argument for avoiding overly restrictive information disclosure regulations and for not focusing so much on increasing privacy protections that the potential negative impacts of doing so go unconsidered.
As momentum continues to build for the use of cloud computing services, some significant attention remains justifiably focused on addressing security concerns about the cloud. Valid questions asked about cloud security focus on whether cloud service providers will employ adequate security mechanisms that match or exceed what potential cloud customers might implement in their own environments, and that will satisfy legal requirements for public or private sector entities subject to regulation on security measures. It is against this backdrop that the media and industry point to achievements such as Google’s successful certification and accreditation by the General Services Administration for its Google Apps for Government offerings, which offer at least one data point on the nature and extent of security controls a major cloud service provider is using. For organizations that may not be obligated to adhere to specific security provisions but still want to be reassured that cloud services have sufficiently robust protections afforded to them, another area of focus is what approaches to take when contracting for services in the cloud, as eloquently explained by attorney Tanya Forsheit in an article published by the Bureau of National Affairs. The legal analyses by Forsheit and her Information Law Group colleagues have, over the past several months, included a series of posts on various legal issues associated with cloud computing, especially in the area of privacy.
From a legal standpoint, it appears that while many opinions exist on how privacy can be protected in the cloud, who should ultimately be responsible for that protection, and how law enforcement agencies and other government entities should treat cloud environments, there are more unresolved issues than there are settled ones. One significant area that serves as an example of the inability of legislation and jurisprudence to keep up with the rapid pace of technological evolution is the extent to which reasonable expectations of privacy will apply to data stored in the cloud. A large proportion of seemingly relevant jurisprudence has considered privacy protections only in the context of emails, text messages, and other online methods of communication, but no substantial case law exists that addresses general personal information stored in the cloud, which by its nature cannot necessarily be viewed analogously to data stored in file folders on hard drives owned or maintained by the parties to whom the data belongs. One of the more comprehensive treatments of this topic comes in the form of an article published in the Minnesota Law Review last year by David A. Couillard, then a third-year law student, that provides an analysis of privacy expectations in the cloud in the context of Fourth Amendment principles and case law. Couillard’s article examines the reasoning applied by various federal courts in determining the reasonableness of privacy expectations associated with personal possessions, computers, and various forms of communication, and concludes with a set of recommendations on how courts might apply Fourth Amendment precedents to cloud computing.
Key legal principles gleaned from precedent rulings applicable to cloud computing environments include the intent by at least some users of cloud services to keep private data that is stored in the cloud (satisfying a requirement for establishing a reasonable expectation of privacy following Katz v. United States), the idea that online environments where information is stored receive legal protection as “virtual containers” (following United States v. D’Andrea), and the limited impact on reasonable expectations of privacy that occurs simply because information is placed with a third-party intermediary such as a cloud service provider (following reasoning courts applied in both Katz and D’Andrea). In the year since Couillard’s article was published, his opinions with respect to expectations of privacy for information stored with intermediaries have been bolstered by additional rulings, particularly that of the 9th Circuit in Quon v. Arch Wireless, which found under the provisions of the Stored Communications Act (SCA) that a provider of text messaging pager services erred in turning over copies of messages stored on its servers to the City of Ontario (Calif.) police department, even though the department paid for the pager subscriptions of its employees. (The subsequent Supreme Court ruling that reversed the primary finding in Quon did not contradict the 9th Circuit’s reasoning with respect to the service provider’s actions and the protections afforded by the SCA.)
Couillard argued in his article that courts should recognize society’s reasonable expectation of privacy in the cloud as they have done previously with respect to other technologies and media of communication. He cites the increasing willingness of people and businesses to put their information in the cloud as evidence that there is some societal expectation that privacy can and will be protected in the cloud, and such societal expectations have been factored into prior judicial decisions about expectations of privacy as other forms of technology matured and became pervasive. He also recommends that courts consider, as the court did in D’Andrea, online storage environments like web servers equivalent to physical containers when considering their protection from searches, including recognizing concealment mechanisms like passwords and encryption as satisfying individual expectations that privacy will be maintained. Finally, he posits that courts should treat cloud service providers as “virtual landlords” and apply third-party doctrine narrowly to data stored in the cloud.
The amorphous nature of cloud environments raises a challenge to conventional legal procedures such as obtaining search warrants, since the scope of the warrant has to be specified, which in online contexts means the boundary of virtual containers needs to be established. Delineating such boundaries is further complicated by the fact that in networked environments, data need not be uploaded to the cloud to be accessible via the cloud, but clearer legal precedents apply to data stored by businesses or individuals on local computer hardware than they do to data stored online by a third party. These boundaries are potentially least clear when data from multiple parties is collocated in the same storage environment, but courts have previously held different user accounts or even different file folders to be separate “containers” for the purposes of defining search boundaries, and the same sort of reasoning would allow data belonging to different persons to be treated distinctly, even if it resided on a single hard drive.
While so much of the current privacy and Fourth Amendment debate centers on privacy of electronic communications such as emails (including the storage of those emails after they have been sent and received), what remains to be seen is how general content stored in the cloud will be treated. The simple analogy applied to things like email communications is that the sender and receiver information in an email are much like the destination and return address on an envelope (to which no reasonable expectation of privacy applies), but the contents of the envelope are subject to expectations of privacy, even if no stronger protective mechanism exists than that adhesive seal. The courts’ recent distinctions between transactional information and content are not always straightforward to apply in cloud computing contexts, especially given the potential to describe common user interaction with online data sources, such as searches, as transactional exchanges. In addition, because many of the underlying statutes were written at a time when current communications technology did not exist or was not widely used, some aspects of the nature of those technologies are still openly debated. For example, when the Justice Department filed a Section 2703(d) order against Yahoo to get the company to turn over the contents of email messages, the government argued that “previously opened email is not in ‘electronic storage’” and therefore did not deserve the protection of the SCA. (This seems to take the email-postal mail analogy to its logical extreme, implying that the greater privacy protections afforded communications contents evaporate once the envelope is opened.) On this point no authoritative ruling will be made, since the Justice Department withdrew its request for the emails, opting not to pursue the matter, perhaps in part due to the strong objections from both online service providers and consumer privacy advocates.
On balance, it seems entirely justified for current or prospective cloud service adopters to harbor concerns about the disposition of their data stored online, not just in the face of threats of data loss, theft, or corruption, but also to keep the data private from searches. Most major online service providers, including Microsoft and Google, have existing policies and procedures in place with respect to making customer data available to law enforcement, at least when presented with a subpoena or other valid legal order, but perhaps more important is understanding whether and under what circumstances warrantless searches of cloud environments might be allowed. For their part, cloud providers could do their customers and prospects a service by making explicit their practices and policies in this area. As the Yahoo scenario shows, such policies may not prevent attempts by government agencies to gain access to data stored in the cloud or other online environments, but they would help cloud users know where their providers stand.
In the continuing aftermath of the financial industry meltdown and the contribution to that failure of insufficient oversight of large portions of the securities markets, the Securities and Exchange Commission has proposed significant changes to its Regulation AB, which provides rules for registration, disclosure, and reporting requirements for asset-backed securities, including mortgage-backed securities issued by entities other than government-sponsored agencies such as Fannie Mae, Ginnie Mae, and Freddie Mac. While the vast majority of mortgage-backed securities are issued through one of these agencies, the increase in data disclosure requirements is mirrored in some provisions applying to assets underlying government-backed securities as well. There have been valid concerns raised over the level of due diligence that goes into the securitization process, particularly given the recent problems with sub-prime lending and lenders’ willingness to offer mortgages to borrowers with little or no documentation. The proposed rules amending Regulation AB would, among other provisions, greatly increase the amount of asset-specific information that must be disclosed by an issuer in support of their asset-backed securities. In the case of securities backed by residential mortgages, the rules would require 137 discrete pieces of information, most of which relate to individual mortgages rather than groups of mortgages pooled for securitization, and many of which are personal data about mortgage holders. For example, information required to be disclosed about each obligor (person or persons responsible for repaying the mortgage to the issuer) would include:
This information is in addition to details about the loan and data that must be provided about the property itself, including its location, purchase price, appraised value, and other attributes which, even if they are not explicitly attached to a named individual, make individual identification trivial. Numerous privacy advocacy organizations have decried the “unprecedented release of individual-level financial data” that would result should these rules take effect in their currently drafted form.
The intent of the proposed rules is clearly to increase the level and quality of information about the assets underlying asset-backed securities, particularly to provide more visibility into the financial soundness of the individual assets. Given the lessons learned in the past few years about the risks of not conducting more rigorous evaluations of these assets, the desire to improve the transparency of these securitized assets seems entirely appropriate, but the privacy concerns are equally valid. The information the SEC would require will presumably be available to a wide variety of entities, particularly including investors of all types that might consider buying the asset-backed securities once they are offered. This practical consideration presents the SEC with a significant problem in terms of limiting the disclosure of personal information, presuming it has an interest in doing so.
As reported by local Seattle media outlets, the Seattle School Board — with oversight for public schools in a district serving 46,000 students — voted last week to adopt an update to its student Code of Prohibited Conduct, which among other provisions will now apparently apply to student-authored content posted online such as on social networking sites. The intent appears to be to try to prevent students from posting messages or other information about other students or teachers that could result in a disruption to school operations. The newly enacted rules seem to extend those already in force related to off-campus behavior, notably including a provision declaring the “District will respond to off-campus student speech that causes or threatens to cause a substantial disruption on campus or interference with the right of students to be secure and obtain their education.” In a Seattle Post-Intelligencer article calling the policy controversial, a school board representative is quoted emphasizing the school board’s focus on student safety and the desire by the board to be able to respond to any disruptive behavior. The district’s policy defines a substantial disruption as “significant interference with instruction, school operations or school activities, violent physical or verbal altercations between students, or a hostile environment that significantly interferes with a student’s education.”
Initial objections to reports of the policy’s enactment for the coming school year have unsurprisingly questioned the rules in light of free speech protections under the First Amendment. The language in the school district code of conduct — specifically its use of significant disruption of school activities — would seem to be an explicit and intended reference to legal principles established by the Supreme Court in 1969 in Tinker v. Des Moines Independent Community School District, the foundational judicial precedent covering student expression. In Tinker, the Court ruled that student expression (including speech, although the “speech” in question in the case was actually wearing armbands to protest the Vietnam War) could not be censored unless the speech “materially disrupts classwork or involves substantial disorder or invasion of the rights of others.” This broad endorsement of free speech rights on campus served for almost 20 years to protect student speech in many forms, notably including student-authored content in school publications such as student newspapers. In 1988, however, the Supreme Court chose to constrain student free speech rights (or more accurately, to extend school administrators’ ability to censor student speech) in Hazelwood School District v. Kuhlmeier, which affirmed the right of school administrators to censor content in student newspapers. A key distinction in Hazelwood is whether the speech appears in a public forum, as opposed to school-sponsored ones such as school newspapers and yearbooks (and presumably websites). Since sites like Facebook and MySpace are clearly non-school-sponsored and also clearly generally available to the public, school administrators cannot claim the right to censor student speech in these environments.
However, to the extent the speech is not just disagreeable to the school district, but might actually be disruptive to school operations or constitute threats, hazing, or other proscribed speech or behavior under existing school policies, administrators would appear to be on solid legal ground if they choose to respond to student speech expressed outside of the school environment.