Every day the theme of Cyber Security is becoming increasingly important: all human activities, in the most developed countries, are managed electronically. But is this huge amount of information actually safe? How can the cloud help us?
On the subject of cyber security has been said everything and the opposite of everything. Every computer expert can safely claim that cyber security is one of the three main themes of his work. The other two are their areas of specialization and continuing vocational training.
No computer system is guaranteed to be 100% secure. Much less a computer system created by man.
By definition, every computer system is secure in an inversely proportional form to its ability to communicate with the outside world.
The safest system is the one totally disconnected and not physically accessible. Obviously this is not possible and the situation we have to manage is the exact opposite: every modern system works in close symbiosis with connectivity and offers services exclusively in interconnected form.
Cyber Security and the culture of information
Compared to a decade ago, Cyber Security has changed enormously, introducing new paradigms and new professionalism. Nowadays practically all medium-large companies have a staff of experts dedicated to cyber security.
The need for highly qualified and specialized staff is closely linked to the value of information (see Part 4 of the “Cos’è il cloud computing” series of articles – actually only in Italian) and to the constant document dematerialisation that we make of all information.
Nowadays only criminals, or secret agents, use paper or verbal form to communicate the most important information.
The Italian borders
Sometimes we cannot decide for ourselves how to manage and protect our digital information.
Italy is one of the many countries that has equipped itself with laws and software tools for the collection and certification of its citizens personal information.
The introduction of “Certified E-mail“, “Legally Compliant Archiving” and lastly “Electronic Invoicing” have applied in Italy a high number of constraints and obligations for citizens. All these innovations in Italy are under direct government control.
These innovations should help us in communicating to third parties in a certified and guaranteed way. The Certified E-Mail guarantees the inalterability of electronic communication via e-mail, the Legally Compliant Archiving guarantees the conservation and inalterability of official documents and, finally, the Electronic Invoicing guarantees the communication, sending and inalterability of commercial transactions.
Have you noticed that inalterability is the basic theme of every innovation?
Is it because tax evasion and untraceability, through false or counterfeit tax records, is one of our nation’s biggest shortfalls?
Italian cloud providers
To guarantee the service to the entire population, the government has asked Italian cloud providers to perform the role of collecting, storing and sending all this information and documents to government IT systems.
The change brought by these innovations has also been very impactful for Italian cloud providers. Cloud providers operating in Italy, which wanted to tackle these markets, had to adapt very quickly, offering services that until recently were practically non-existent.
The chart above shows the amount of electronic invoices sent to the Exchange System (ES) of the Revenue Agency (aka Internal Revenue Service in USA), since January 2019. Approximately two and a half million invoices are exchanged between the cloud providers and the ES each month.
The workflow is: Citizen => Authorized Cloud Provider => ES.
For more information about ES read here.
Starting this year, in Italy, all invoices, including those related to health services and all other activities, pass through the computer systems of private cloud providers.
What is the level of security and data protection they must respect?
Are current laws adequate to protect citizens’ data?
Not all the time.
Current laws have been designed for other purposes and not for gathering and transferring information from private cloud providers.
De facto private cloud providers are forced to raise their safety standards enormously in order to lower the risk for the citizens.
Italy and the rest of the world
In October 2018 Google announced with a tweet that there are 1.5 Billion active GMail accounts, that is 1 in 5 people on the planet has an email with Google. In Italy there’re about 38 Million active internet user (Source: ISTAT), about half use GMail as primary email account (Source: SendGrid “Global Engagement Benchmark”).
Do you know that the number of personal or sensitive information that we exchange via email between 2 and 5 years, either voluntarily or unintentionally, is greater than all the information we provide in written form throughout our lives?
This tells us that, despite all the privacy policies we sign almost daily, much of the information we disclose is out of our control.
Much of this information is entrusted to foreign cloud providers and mainly outside the European Community’s control, which should protect and control the dissemination of personal information of Italian and European citizens.
What is the level of cyber security that we can expect from these cloud providers, national or international, regarding our personal or sensitive information in transit?
Cloud and transnational obligations
One of the prerogatives of modern cloud providers is data redundancy.
Only with redundant systems there is reasonable certainty that information can be successfully retrieved in the event of loss or destruction.
The need to offer increasingly competitive cloud services, while simultaneously increasing the quantity and the variety, has forced Italian cloud providers to look beyond national borders.
This has contributed to the emergence of data centers in other countries. In this way the information is redundant in geographically distant sites at competitive prices, protecting information from national geopolitical events.
The security of communications between multiple sites is crucial and must be guaranteed as much as their safekeeping.
The information we send to our cloud provider must be adequately protected, just as it must be within the cloud provider’s network.
The European Union, through the GDPR, has also established the need to protect information in transit through end-to-end encryption.
The same protection methodology has been adopted by Skype, Whatsapp, Facebook and many others, see Wikipedia for a brief description.
Every security aspect must be carefully considered when choosing a cloud provider for your business.
Given the very high technical capability achieved by hackers, it is necessary to know how to choose a supplier based on all the security factors that can come into play.
The EU Members immediately adopted the GDPR, with some particular adoptions such as the German BDSG (Bundesdatenschutzgesetz), which imposes even more restrictive limits. Moreover, the first law on the protection of personal data (1970) is German .
All this indicates a need, which is felt very strongly by all the citizens of the EU, to feel protected. As a result, citizens are aware that they do not have the technical and economic means to defend themselves without support.
Digital Cyber Security
There are two complementary aspects to cyber security: physical and digital.
The digital aspect represents much of the information that the media use to “turn on” our tension towards the topic.
Let us take as an example the news of 28th October 2019 concerning the Unicredit Data Breach of about 3 million of customers personal data.
This news refers to a data breach occurred in 2015 and is only being brought to light by the media now. Although it is not the only one related to Unicredit in the last 12 months.
If our personal information has fallen into the hands of bad guys now it’s too late. After four years we can no longer make any really useful action. But the news has bounced in the international media and…sells, because the topics of privacy and data breach are really actual.
Now I ask you a question: how many records regarding personal or sensitive information have been the subject of successful attacks in the first 6 months of 2019?
The figure is impressive: 4.1 billion records !
In short, 2019 is set to become the year of records.
If we take China out of account, virtually every person in the world, since adolescence, has hypothetically suffered a theft of personal data.
From this data we can understand how the defense of our digital data, and consequently digital cyber security, is crucial for anyone and difficult to implement.
Physical Cyber Security
Physical cyber security issues are less “publicized” because unauthorized physical access is more difficult to implement and much rarer.
However, not everyone knows that almost every digital data breach event is carried out thanks to voluntary or involuntary help from within the institution or company affected.
Analyses have shown that employees are the main cause of unauthorized leakage of sensitive information:
Employees, through physical access to the company’s premises and IT infrastructure, are a constant cause of possible security problems. But their role is fundamental for the company, so it is necessary to protect company’s data and protect them, putting them in a position to be less exposed to these risks.
The adoption of an external data center greatly facilitates access control and timely verification of accessed data.
What we see below is the scheme of a modern data center:
The Data Center is accessible only by qualified and authorized personnel through a first level of control (Area 1).
After gaining access to the data center rooms, technicians can operate on their machines by interacting through special computers (Area 2) connected directly with the servers.
Only a small group of users can physically access the servers (Area 3) and only their own, in fact you can see the green icon to indicate the ability to access only their racks.
The data center contains additional protected areas inside, those you see at the top behind an additional wall behind the customer servers.
These areas contain the control infrastructure, as well as servers that offer managed services to customers (such as a SQL Server or MySQL database). These areas are only accessible to cloud provider staff.
Thought and action
In a protected environment, defended by armoured walls and controlled by cameras and biometric access systems, it is clear that every person feels intimidated and every movement they make is subject to ex ante and ex post control.
A data center is a way to make people aware of the burden of responsibility for their actions on the information it contains.
I guarantee you that the presence of physical servers on the company’s premises, despite the initial reverential fear, does not even remotely arouse the same level of attention. In the long run, they are seen as commodities and the level of security tends to decrease.
The different approach to information also leads to a different approach to the problems arising from its management.
The action to be taken, in the event of an alleged or actual data breach under current legislation, is initiated ex officio by a cloud provider, through its internal control bodies.
Within a company, however, it is much more difficult to find the development of a proper process of notification to the Data Protection Authority, as well as information to its customers, employees or suppliers affected by the event.
Conclusions
The topic of information security has been on the table for decades, the first official act on data security dates back to 1967 with the Ware report.
Despite more than thirty years of experience, this year is about to be the worst in the history of information security.
But what are the causes?
It’s simple: more and more people are accessing information systems that contain more and more personal and sensitive information.
Have you ever tried to enter your credit card details in a search engine? Don’t do it!
I can assure you that the next day there will be dozens of attempts at illegal use. So, who do you think has unlawfully given away information about your searches?
Not the board of Google or Microsoft, however, someone has access to these databases of information, the famous “big data”, through which we are profiled every day.
The only IT and cyber security that has real value is the culture of honesty and it’s something you can’t buy.
To be exact, you cannot buy it directly, but you can buy it indirectly.
It is bought through the people we hire, the suppliers we select and our personal propensity that we develop every day by studying and educating ourselves.
See you soon!