Ian Farquhar

Ian Farquhar is an Advisory Technology Consultant for RSA, the Security Division of EMC. In this role, he advises organizations throughout Australia and New Zealand in areas including information security, cryptography, compliance, privacy and data protection. Ian also contributes to R&D at RSA in the area of hardware security. Ian has over 20 years of experience working in the IT security industry.

The Public Cloud, Pigeons and Risk Management — Part 4

I have recently been asked whether the research paper about key leakage across VMs running on a hypervisor invalidates the position I advanced in this series of blogs. No, it doesn’t, although key management is something which deserves far more attention than it gets from the general INFOSEC community, outside of the government COMSEC agencies. Oh, and by the way, this is a very cool piece of research.

The Public Cloud, Pigeons and Risk Management — Part 3

Are we trusting a third party with our data? Yes, we are, and have been for years. In the past many companies used bureau computing, where they sent out workloads on magnetic or paper tape, and got the results (usually a print-out) back a few days later. Sometimes this was Software-as-a-Service, sometimes this was Platform-as-a-Service, although we didn’t use those acronyms then. It was just service bureau computing.

The Public Cloud, Pigeons and Risk Management — Part 2

Many readers will be familiar with the concept of a cognitive bias. A cognitive bias is an irrational decision made because of a “bias” or mental shortcut. Sam Curry has written on this subject previously, as it applies to multi-factor authentication. It is theorized that cognitive biases may have once provided mental shortcuts in certain high-risk situations, giving early humans a time advantage in survival situations. Unfortunately, many of these biases have passed their “use-by” date, and now cause irrational thinking and poor outcomes.

The Public Cloud, Pigeons and Risk Management: Part 1

On what basis do we make risk choices? When in an unfamiliar retail store, and facing a POS terminal whose design one has never seen before, what reassures the average person that it is safe to swipe their card and type their PIN into that machine? Worse, even if the POS machine is a familiar design, what is the rational basis for assuming it adequately protects card details? It certainly looks like a solid piece of hardware, but is it really?