Online Services ...Well done!


mrada...@gmail.com

Jul 8, 2007, 10:24:54 PM
to CIPS - Ontario
Hey Len,

I want to let you know that I think you did an excellent synopsis on
the Online Services. I look forward to hearing your opinions on best
practices and security concerns. I would love to see this list grow to
include Meetup, Second Life, My Space, Facebook, domains.live.com,...
(Just in case any one wants to help Len out :-)

While we are on the topic of online services, I am evaluating
replacements for the CIPS membership database and/or web site. The
following two URLs have been recommended
* http://www.wildapricot.com/
* http://www.communityserver.com/

They both look like quantum leaps forward for us. What are your
thoughts? Are you aware of any others that should be considered?

Cheers,
Adam

Len Inkster ISP, MBCS, CITP, MIAPP, MIISP

Jul 9, 2007, 10:31:54 AM
to CIPS - Ontario
Adam,

Thanks for the vote of confidence. I too, although being a bit old in
the tooth by current day standards, am an avid supporter of new (and
sometimes not so new) technology that can help us advance the support
to business here in Canada. Where it fits the business model and
provides the necessary security for the data being held, I am all for
it. This is why I'm happy to place names and email addresses into an
outsourced service like Google Groups, or LinkedIn. After all, if we
didn't want to be communicated by the technology solution we choose,
we wouldn't use it would we?

When it comes to Membership repositories, I am a little more
conservative. Membership repositories often have personal information
that is not generally accessible on the Internet. I know that many of
our members can have their contact details accessed by googling their
name and then cross referencing them with a corporate web-site, and/or
via Canada411, but when it comes to membership types, membership
numbers and other identifying factors that might be held in a
Membership repository of any sort, I would hesitate to use an online
service outsourced to anyone.

It is still far too easy to forget that although a service might be
based in Toronto, when you access the details on that service, nothing
in the internet design specifies that the request will go locally, or
even through a route that you are sure of. Oftentimes the information
may cross provincial or country boundaries, and then a whole series of
international privacy legislation kicks in. This would leave CIPS
vulnerable to legislative action should information be leaked by a
third party we were using.

Prior to placing any such information on an outsourced site I would
expect a full study of the organisation, its background, the
technology and operational standards it uses for data protection, and
full due diligence of how data is stored, transported and accessed by
ANY individual no matter what the method of access.

I am not ruling out the use of these services, but would state that
the costs of due-diligence may be too high a price to pay for using
them. This doesn't however stop us from using the same technology
which would still give us the "quantum leap" that you talk of, but
keep the data firmly within the control of CIPS. The cost of doing
the latter, and the benefits gained very often proves much less costly
than the due diligence investigations and constant monitoring of the
out-sourced supplier.

Comments anyone?

Regards,

Len

p.s.

I use the term "repositories" rather than databases because it
identifies that more often than not personal data is being kept inside
LDAP repositories. These are generally not as secure as a correctly
configured relational database, as the technology used to secure the
information relies on PKI certification which is complex (but not
impossible) to uniquely serve on shared servers.


Robert Fabian

Jul 9, 2007, 12:56:27 PM
to cips-o...@googlegroups.com
Len, Adam

I've had some experience with the people behind Wild Apricot. I like the ASP nature of their service offering. And the people are known to do excellent work - they've been used by Microsoft (in Redmond) to do some major projects (regardless of your view of Microsoft products, Microsoft is more than qualified to vet suppliers). The service seems very reasonable. I'm just not sure if they can solve the marketing challenge. How do they reach out to enough organizations to generate the necessary customer deal flow?

Bob Fabian

P.S. While I know some of the people, I have no commercial connection to Wild Apricot.
-- 
Robert Fabian -- rob...@fabian.ca -- 416-769-1885 -- www.fabian.ca

Len Inkster ISP, MBCS, CITP, MIAPP, MIISP

Jul 16, 2007, 8:21:34 AM
to CIPS - Ontario
Bob,

I think the model offered by Wildapricot is a great tool. I am
however concerned about it being a hosted service. Irrespective of
how secure it is claimed to be, the issue is the data that is being
held on the system.

Employing a hosting model that allows members to keep their
information updated, and the organisation using that information to be
able to rapidly, and accurately communicate with the members is the
nirvana I think we are looking for. But the fact that anyone is
attempting to hold private information on an on-line hosted service,
has always worried me, and still worries me.

Also, the model that Wild Apricot is using is based upon IIS, and from
an initial look is hosted in the states on godaddy.com, in
California. If this is accurate, and not just the pointer to their NS
record, then I am not sure the Privacy Commissioner of Canada would be
too pleased on us putting CIPS members private information (home
addresses, membership numbers etc) on a server in the US.

As for how WildApricot get their message out, they might want to look
at the business model offered by Knowledge Tree. Here is a company
that has 3 models, an open-source cut-down model of their Document
Management offering, and a commercial and enterprise version.

There are many companies out there, and smaller organisations who might
want to be able to host this sort of service internally. Actually
selling their solution to these companies might get the revenue they
need for continued operation. Offering a cut-down version of the
software will get their names out there, and offering a hosted
service, with the ability to hold only public data on the online
service, and providing a secure VPN for connection to a secure LDAP or
secure Database with the private data, hosted on a server in the
province of the data's source might extend their model to appease those
paranoid security freaks like me.

I hope this has helped.


Len Inkster ISP, MBCS, CITP, MIAPP, MIISP

Jul 16, 2007, 8:34:28 AM
to CIPS - Ontario
Actually, more intrigued was I by the WildApricot offering, I decided
to look into them further. I would be interested as to the fact that
whilst their NS registration is with godaddy.com in California, and
their administrative contact (for the domain name) is in Front Street,
Toronto, the server that they are using to front their services, which
is a shared IIS server, is based in Louisville, Kentucky. At least
had the server been in California, it would have been subject to the
Californian Privacy Act, which is about as good as they have in the
US. (I do not believe it would meet with the requirements of the
Privacy Act here in Canada for storing personal information overseas
or out of province.)

As you have contacts inside the company, you might like to enquire as
to the actual architecture of their security setup. Get them to put
this on their web, rather than a lot of links to the Microsoft
Policies and standards, and that would go a lot further in convincing
me. The problem with the Microsoft Policies and standards, and don't
get me wrong, they are very good, is what these policies were meant
for, and how they are applied. I'm fully aware that you understand
that any policy applied in the wrong scenario is worth less than the
time it takes to write it.


Robert Fabian

Jul 16, 2007, 9:06:45 AM
to cips-o...@googlegroups.com
Len

I don't know where Wild Apricot's servers are located, and I can't see that as being such a major concern for an organization like CIPS. Yes, we do hold members' "private" information, but little of that information has much commercial value. We don't hold credit card numbers; we don't hold any meaningful demographic information. There would be only a small value in bad people cracking into our database.

Moreover, I look at the procedures in place in the National Office, and in many Provincial and Local Offices. We're miles (or kilometers) away from a secure operation in almost all CIPS offices - we don't have basic service delivery and service support capabilities in place. The vast majority of commercial services would offer much better security than CIPS, on its own, would be able to offer. And I really can't see that a government body such as the US Government coming after our data - it would have no value for them.

My bottom line is that our practical security would significantly improve were we to go with a responsible commercial service (like Wild Apricot). I'm not arguing for any particular commercial offering, only pointing out that it's far from obvious that such a choice would have serious negative security consequences. Whether or not Wild Apricot makes it in the market is a whole different discussion.

The challenge for CIPS is to find a way forward that the organization can afford, that will be accepted by many/most stakeholders, and that requires acceptable transition costs. There are a gaggle of open source systems that could be used to meet our technical needs. I'm less concerned about the technology and more concerned about how we could establish appropriate service delivery/service support procedures (ITIL-like), and appropriate content management procedures. I'm also very concerned about transition costs. The CIPS website may be less than ideal, but there would be some real costs involved in moving that content to almost any other platform.

Yes, we need to pay attention to security, but I just don't see that as the key concern.

Bob

Adam Cole

Jul 16, 2007, 8:25:17 PM
to cips-o...@googlegroups.com
Hi Len,

I had a conversation with Wild Apricot (with Dimitris, Chief Apricot -
cute), and he referred me to their security pages:
http://www.wildapricot.com/security.aspx
(BTW, this page lists their host as Maximum ASP.)
Nothing here to necessarily put us at ease. It is nice to see that they
*claim* to follow best practices - but even if this proved tighter security,
I don't see any easy way to confirm it.

However, as Dimitris pointed out, they are in the business of providing a
reliable service. As such, are they not better positioned to maintain
security than we are? I am not particularly comfortable that we have the
resources to monitor and respond to threats in a way which you or I would
deem satisfactory.

Wild Apricot does have a model where they will license the software to us
for self-deployment and self-management. As the technology will be the same
the threats are comparable (i.e. IIS is still the underlying web server).

I suppose however the real question is what weighs more, the security risks
or the potential benefits of putting membership management online? I am not
a security expert by any stretch but surely there must be steps we can take
to address the risks to the point where the benefits come out on top.

You are correct, we are looking for that membership management nirvana. I
like the idea of the segmented approach you talk about in your last
paragraph but is that truly feasible? What sort of cost/schedule are we
looking at?

Thanks,
Adam


Adam Cole, B.Math, I.S.P., PMP
Manager SPS Applications & Development - McKesson Canada
(416) 429-6172 x191

Len Inkster ISP, MBCS, CITP, MIAPP, MIISP

Jul 17, 2007, 6:04:53 PM
to CIPS - Ontario
Ouch! If I had had $100 for every time I had heard someone say "real
question is what weighs more, the security risks or the potential
benefits?" or something similar, I'd be a very rich person now. In my
book, the latter is for nought without the former. It is exactly that
attitude that gets people like CIBC, the CRA, Winners et al in
trouble.

I have no problems in going for the operational benefits of online
servicing. This obviously takes away the issues of support,
resilience, DR & BCM from our door, as we just pay for the SLA.
However, when we are talking about details of individuals, then we
ought to care, especially when we are responsible for looking after
those details.

In conversations with Bob Fabian, I have stressed that hosting a
service is good. Hosting the data that is private to our members, and
our organisation is bad. If the hosting service can take an online
feed from the non-private data held in our membership database, and
provide a reverse connection to allow the individuals to keep their
own information up to date, I'm all for that.

Just because we don't have a decent hosted service now, does mean we
shouldn't. Just because we don't seem to see a real need for security
over the benefits of this new service now, doesn't mean that we
shouldn't either.

I'd like to see, and this is what I'm working on with Bob, Jim, Jeff
and the National office. Whatever we do, we should post the standards
by which we are operating, and not in those nice fuzzy words laid down
in generic security policies, but in hard concrete evidential words,
that actually say, what we are doing, how we are doing it, and what we
will do if things go awry. By controlling who hosts our site, and
where it is hosted with more due diligence than just buying a service
from the web gives us far more flexibility in the long run to manage
these security issues in a more professional way. Do you not agree?


Midgley, Allan

Jul 17, 2007, 5:59:51 PM
to cips-o...@googlegroups.com
I'd like to wade in here for a second....

There is much talk here about maintaining privacy...I assume it's in
relation to PIPEDA...I don't personally see the issue with having a
hosting provider in the US as long as they run their business according
to the best practices of security/privacy and inform people of the
location of their data.

Do you realize that most of the credit card processing in the world is
done in the US? Do you realize that the information that you keep as part
of CIPS is not really "private" information (I can look it up on
411.ca...so it's not private).

There is much hysteria/lack of knowledge/fear/loathing etc. but not much
substance.

I'm just as concerned with having a Canadian firm have my data (with a
less than stellar use policy) as having a US or any other geography have
my data.

My two cents....

Allan Midgley
System Architect
________________________________

Infrastructure Rationalization / Data Center Modernization
EDS - Strategic Technology Transformation
________________________________

18 Moorcroft Rd.
Ottawa, ON
Canada
K2G 0M7
Phone: 613-820-9672
Cell: 613-286-4233
mailto:allan....@eds.com
________________________________

Adam Cole

Jul 17, 2007, 7:27:59 PM
to cips-o...@googlegroups.com
Hi Len,

Sorry, no $100 from me. I only agree with the points you raise with my own
conditions attached. If the data is valuable/sensitive then I agree. If the
data is benign then I think the compromise between security and benefits has
more wiggle room.

Another way of looking at this is using the old security adage that no
system is 100% secure; however, security can be measured in terms of cost of
"hacking" a system. I am inclined to apply a similar cost benefit formula to
the sensitivity of our data versus the probability of it being unduly
exposed.

What if we only had first and last name in the hosted, online membership
database?

As far as I recall CIBC got in trouble for inadvertently faxing personally
identifiable financial data. If we do not store credit card numbers then our
risk of leaking credit card data is no greater than present.

If we examine all the discrete domains of data we wish to collect I am sure
we can come up with a list of what is in and what is out. We may discover
that we can reduce our list to just those fields that we have relative
comfort with. If not, then I agree and support the additional
cost/effort/delay in going to a segmented database.

Hmmm, I guess the idea of all or nothing doesn't sit that well with me.


Adam Cole, B.Math, I.S.P., PMP
Manager SPS Applications & Development - McKesson Canada
(416) 429-6172 x191


Robert Fabian

Jul 17, 2007, 8:50:41 PM
to cips-o...@googlegroups.com
Len

I've got a problem with this way of thinking, ... on a couple counts.

First, I can't see that we will ever have really confidential information on our database. Yes, we will have full name, address, and contact information. Yes, we will have full CIPS professional status information. But we should never be keeping things like credit card numbers, or any "intimate" details about our members (or contacts). I just cannot see how we would ever be in a situation "like CIBC, the CRA, Winners et al". We need to take reasonable security precautions, but I don't see the justification for high security measures.

Second, CIPS has very limited resources. Should we do nothing to improve our security, because we can't move to the "proper" security environment? Yes, in an ideal world we would have an externally facing server that the world would see, with all sensitive (or partially sensitive) data on a server that lives behind a strong firewall. There are a number of serious complications associated with such a security architecture for CIPS. It's not one central externally facing server, maintained by a professional staff, but a gaggle of servers maintained by people at all levels in our organization. All of those servers need a path to our member database. And all of those servers may also want to maintain a database of "local" contacts. Is it realistic to expect that volunteers will be able to properly maintain that security architecture?

Next, our current service management procedures are quite short of the mark. We were not even able to move a server without shutting off email forwarding. Reality has repeatedly demonstrated that our service delivery and service support policies and procedures do not exist, or are not applied, or do not work. In short, it's a mess, and one that really should not be tolerated by an organization of IT Professionals. Moving everything to a professionally operated, managed, and maintained server would be a radical improvement. I, for one, am prepared to give up any special security provisions in exchange for effective platform service delivery and service support policies and procedures. A couple hundred dollars a month for a standard dedicated server in a server farm would dramatically improve our operation.

We're in a situation in which "the best is the enemy of better". I can see a number of simple things we can do to make our web service "better", but holding out for "the best" is likely to mean that we never take steps to improve. Pity.

Bob

Len Inkster ISP, MBCS, CITP, MIAPP, MIISP

Jul 18, 2007, 6:19:36 AM
to CIPS - Ontario
+++ Open response to thread ++++


I think that either I am not explaining my concerns, and subsequent
suggestions correctly, or someone is missing the point. The issue
here is not whether we actually implement something that is secure as
Fort Knox from the get-go. Nor is it that we need to build a model to
protect information we don't have. The issue is that whatever we
choose we do not go down the road of implementing something that puts
us in a position where the trust our members have in us and our
partners is broken by an architecture that cannot be shown to provide
(at some point in the future or now) that level of security that meets
whatever future legislation is implemented here in Canada, or across a
border that requires it.

The difficulty, for any organisation, big or small, public or private,
has always been in identifying that any information that is specific
to an individual, and is not otherwise available in the public domain
is classified as information that can personally identify that
individual, and therefore be used in a Phishing attack on other
information that might eventually lead to Identity Theft.

This doesn't necessarily mean the usual suspects, such as medical
data, or social insurance numbers or credit card information. People
have more and more information on a growing number of computer
systems. Any individual piece of data does not necessarily constitute
a risk to that individual or their identity, however as data mining
techniques are also advancing with incredible speed, do not get lulled
into a false sense of security that it is impossible, using multiple
pieces of, seemingly innocuous, information gained from systems that do
not consider that data private, to find sufficient information to
impersonate another person's identity.

If every organisation took the same attitude with what they consider
to be personal information as we seem to be here, we would be in a
right pickle.

Information that is already held on the CIPS members database includes
things like CIPS Membership number, employment status, personal phone
numbers (that are not always available from trawling the web) and
others. These in themselves would provide no-one with any great
leverage into anyone's life one would think. But from this an identity
trail can be started, which can lead to more and more details being
uncovered.

Now I'm not saying that with the limited resources our organisation
has, we should build a highly-available, encrypted database,
accessible only by strong authentication, and housed in a bunker under
9,000 tons of earth.

What I am saying is that there are a number of requirements that we
have to operate a membership service, this means communicating with
our members, allowing them to communicate back, and helping them help
us manage what relevant information we need to ensure that we can
move forward, not just with the communication, but also in the
development of the relevant services we are going to have to put in
place to ensure our gold standard certification is recognised as the
best.

It also means that we have to be able to offer services for purchase,
and somehow tie the fact those purchases have been paid for, even if
we don't actually take the payment online ourselves.

Are we so infrastructure poor here in Canada that the first time we
come up with any sort of online requirement we have to immediately
jump to a service that's provided outside of the country?

Are we so incapable in the IS profession that we cannot come up with a
model that at least allows for the relevant security mechanisms and
due-diligence to be carried out to ensure those mechanisms can and do
work?

I for one do not think so.

Make no mistake, I am for action, and forward movement on the subject
of getting CIPS into the 21st Century, and this is why we are working
so hard to move this forward at a pace that scares even me. We will
succeed.

I also understand the pressures of the diversive nature of data being
held around our great nation, and the issues of cross-border and cross-
province data transfer, as well as understanding the issues concerning
the US, and EU of making those same transfers.

I recognise that as a voluntary organisation, with limited funds, we
are restricted as to what we can and can't do. But I feel very
passionate about ensuring that what we do, we do right from the start.

Too often systems are developed along the break-fix model. "Get it up
and running, and fix it when it breaks" for those uninitiated.

I agree with Bob Fabian and others that the service management is, and
should be, part of the equation when designing new systems and
services. But security is NOT a break-fix issue. Whether we deal
with it technically, or we deal with it operationally, we MUST deal
with it, and deal with it so we get it right first time, every time.

This doesn't mean that we hold up implementation of a system until we
get all the dots and dashes completed, but it also means that we don't
go headlong into offering a service to a company south of the 49th,
without due diligence and guarantees of cross-border securities,
that can adequately be handled here in Canada with less risk. Nor
does it mean we disregard private information that we do not see as
being particularly an issue now, which may bite us in the ass later
on. We put the risks on the table along with the requirements, and we
mitigate those risks wherever possible, and ensure we have an
escalation plan to build in as the time, money, and infrastructure
becomes available service management policies and procedures, or
technology solutions to reduce those risks to a goal of nil. However
it's no good having a plan like this if we make the wrong decision as
to what we want, and how we are going to go about it in the first
place.

CIPS stands for Canadian Information Processing Society, not Cowboys
In Professional Suits, and I for one am proud to be a certified
member, and do not want the former name to be called the latter
because of a security breach.

Unlike CIBC, Winners, ChoicePoint we do not have a service that is
needed by the public in general, therefore the risk of a security
breach to our organisation is sudden death. Never think otherwise.

If we do we'll end up on the bottom of the list here.
http://www.privacyrights.org/ar/ChronDataBreaches.htm


Pat Gaudet

Jul 18, 2007, 11:25:51 PM
to cips-o...@googlegroups.com
Hi, you might find a couple of interesting comments in this interview on the
Scientific American site (click on the print icon to get a more readable
view of the article):


http://sciam.com/print_version.cfm?articleID=6A2EF194-E7F2-99DF-3323DA6BA4346B0B


"June 27, 2007

"Privacy Isn't Dead, or At Least It Shouldn't Be: A Q&A with Latanya Sweeney

"In a post-9/11 world, where security demands are high, personal privacy
does not have to be sacrificed, says computer scientist Latanya Sweeney, who
discusses a few ways to save it.

"By Chip Walter

"As security concerns mount, networks proliferate and ever more data move
online, personal privacy and anonymity are often the first casualties. For
the Insights story, "A Little Privacy, Please," appearing in the August 2007
issue of Scientific American, Chip Walter sat down with Carnegie Mellon
computer scientist Latanya Sweeney, who discusses the new threats to privacy
and ways to fight identity theft and other misuse of information."

<< ... more >>


Regards -- Pat

Len Inkster ISP, MBCS, CITP, MIAPP, MIISP

Jul 23, 2007, 6:45:25 PM
to CIPS - Ontario
Thanks for this input Pat. I was beginning to think I was the only
one who was a believer.

On Jul 18, 11:25 pm, Pat Gaudet <pat.gau...@mac.com> wrote:
> Hi, you might find a couple of interesting comments in this interview on the
> Scientific American site (click on the print icon to get a more readable
> view of the article):
>

> http://sciam.com/print_version.cfm?articleID=6A2EF194-E7F2-99DF-3323D...
