No doubt most people are aware of the recent issues highlighting state-sponsored surveillance and monitoring of worldwide internet usage. The purpose of this blog post is not to discuss the intricacies of government intervention or its moral implications, but rather the security impact on the protection of services. While the threat of state-sponsored and criminal activity has always been high on our list of threats to be mitigated, the scope of the alleged surveillance has been significant, and unlawful access to private data by either criminal or state-sponsored groups presents a risk to the reputation, compliance and operations of our customers and of all online businesses.
We have always advocated a very security-focused approach to delivering services; however, the extensive scope of the activities uncovered has reinforced this view and has prompted a review of all solutions over the next few months to ensure the best possible levels of security and privacy.
The IETF (Internet Engineering Task Force, responsible for many of the internet standards) released the statement below in response to recent events; the full text is available at http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html.
1. "We all believe that pervasive surveillance is an attack and the IETF needs to adjust our threat model to consider it when developing standards track specifications, so we should consider this evolved threat model when considering whether standards track specifications are acceptable or not."
2. "The IETF should include encryption even outside of authentication where practical."
3. "The IETF should strive for end-to-end encryption even when there are middle boxes in the path."
4. "The IETF should create secure versions of popular non-secure protocols."
What does all this mean? All managed applications and solutions hosted with us already adopt best-practice security measures, including encryption, access control, intrusion prevention, intrusion detection, network firewalls, application firewalls, security zone segregation and many other policy and technology measures designed to limit the ability to compromise any application. We are committed to maintaining the highest levels of uptime and security, so we will be systematically reviewing all solutions, technologies and implementations to ensure that they continue to provide the best possible protection.
We also recommend that all customers who do not have a managed services agreement and manage their own environments review their security strategy and technologies regularly (at least every 6 months) to ensure they remain up to date and effective.
If you have any questions or would like to understand how we can help you with this review, please do not hesitate to contact us at support@manageddatasolutions.com.au.