Where Does Security Architecture Fit Or Not Fit With Enterprise Architecture (EA)?

In the video below on CxO Talk, I asked Edna Conway, CISO of Cisco, about how architectures fit into each other.

In my view, Security Architecture is a subset of Enterprise Architecture. However, since security is important at all levels, a Security Architecture gets deep into and can work in parallel with Enterprise Architecture. At the user level, perhaps we should know the threats that are out there.


What Questions Do You Have For Sundar Pichai Of Google?

Sundar Pichai, the CEO of Google, testified before the House Judiciary Committee on December 11, 2018, to discuss “the widening gap of distrust between technology companies and the American people.” Prior to the hearings, Sundar Pichai’s prepared statement was released to the public.

Following is the prepared written statement of Sundar Pichai, along with a list of my own questions at the end:


HEARING BEFORE THE UNITED STATES HOUSE JUDICIARY COMMITTEE ON “TRANSPARENCY & ACCOUNTABILITY: EXAMINING GOOGLE AND ITS DATA COLLECTION, USE, AND FILTERING PRACTICES”

December 11, 2018

Chairman Goodlatte, Ranking Member Nadler, distinguished members of the Committee: Thank you for the opportunity to be here today.

I joined Google 15 years ago and have been privileged to serve as CEO for the past three years—though my love for information and technology began long before that. It’s been 25 years since I made the US my home. Growing up in India, I have distinct memories of when my family got its first phone and our first television. Each new technology made a profound difference in our lives. Getting the phone meant that I could call ahead to the hospital to check that the blood results were in before I traveled 2 hours by bus to get them. The television, well, it only had one channel, but I couldn’t have been more thrilled by its arrival! Those experiences made me a technology optimist, and I remain one today. Not only because I believe in technology, but because I believe in people and their ability to use technology to improve their lives. I’m incredibly proud of what Google does to empower people around the world, especially here in the US.

I’d like to take a moment to share a bit of background on that. 20 years ago, two students—one from Michigan and one from Maryland—came together at Stanford with a big idea: to provide users with access to the world’s information. That mission still drives everything we do, whether that’s saving you a few minutes on your morning commute or helping doctors detect disease and save lives. Today, Google is more than a search engine. We are a global company that is committed to building products for everyone. That means working with many industries, from education and healthcare to manufacturing and entertainment.

Even as we expand into new markets we never forget our American roots. It’s no coincidence that a company dedicated to the free flow of information was founded right here in the US. As an American company, we cherish the values and freedoms that have allowed us to grow and serve so many users. I am proud to say we do work, and we will continue to work, with the government to keep our country safe and secure. Over the years our footprint has expanded far beyond California to states such as Texas, Virginia, Oklahoma and Alabama. Today in the US, we’re growing faster outside of the Bay Area than within it. I’ve had the opportunity to travel across the country and see all the places that are powering our digital economy—from Clarksville, to Pittsburgh, to San Diego, where we recently launched a partnership with the USO to help veterans and military families. Along the way, I’ve met many people who depend on Google to learn new skills, find jobs, or build new businesses. Over the past year, we have supported more than 1.5 million American businesses. Over the past three, we have made direct contributions of $150 billion to the US economy, added more than 24,000 employees, and paid over $43 billion to US partners across Search, YouTube, and Android. These investments strengthen our communities and support thousands of American jobs.

They also allow us to provide great services to our users to help them through the day. It’s an honor to play this role in people’s lives, and it’s one we know comes with great responsibility. Protecting the privacy and security of our users has long been an essential part of our mission. We have invested an enormous amount of work over the years to bring choice, transparency, and control to our users. These values are built into every product we make.

We recognize the important role of governments, including this Committee, in setting rules for the development and use of technology. To that end, we support federal privacy legislation and proposed a legislative framework for privacy earlier this year.

Users also look to us to provide accurate, trusted information. We work hard to ensure the integrity of our products, and we’ve put a number of checks and balances in place to ensure they continue to live up to our standards. I lead this company without political bias and work to ensure that our products continue to operate that way. To do otherwise would go against our core principles and our business interests. We are a company that provides platforms for diverse perspectives and opinions—and we have no shortage of them among our own employees. Some of our Googlers are former servicemen and women who have risked much in defense of our country. Some are civil libertarians who fiercely defend freedom of expression. Some are parents who worry about the role technology plays in our households. Some—like me—are immigrants to this country, profoundly grateful for the freedoms and opportunities it offers. Some of us are many of these things.

Let me close by saying that leading Google has been the greatest professional honor of my life. It’s a challenging moment for our industry, but I’m privileged to be here today. I greatly appreciate you letting me share the story of Google and our work to build products worthy of the trust users place in us.

Thank you for your attention. I look forward to answering your questions.


The committee members asked questions on behalf of Google users in general and the American public in particular. Along the same lines, I have compiled the following questions that might help:

  1. What do you define as political bias?
  2. How would you verify/account for political biases in your search results?
  3. Do you think Net Neutrality hurts or harms freedom of speech for your information-based products?
  4. Will you be censoring search results and other information products based on the origination of the inquiry?
  5. Do you have tools to verify that countries aren’t blocking information?
  6. Do you think a US version of GDPR is needed? How will this affect your business?
  7. What recourse do you have for those whose data was breached under your company?
  8. Can you share the report of the independent study related to political bias and what steps have you taken from that study to improve your search results and other information products?
  9. What steps are you taking or plan to take to reduce information bias at Google?
  10. Can you walk through what happens to data at rest and in motion across search, Gmail and Google’s other information products?
  11. What is the lowest threshold in terms of money for anyone to advertise on Google, and how is the validity of these ads verified?
  12. What processes and tools do you have in place that make every employee and business conscious of their responsibility for safeguarding Google users’ data?
  13. Which other social media outlets are also responsible for the spreading of fake news?
  14. How is Google going to work with governments, United Nations (UN) and other international entities? What data are you going to be sharing with these entities?
  15. How will Google strike a balance between free speech and censorship (intentional and unintentional)?
  16. What background investigations would you be doing on businesses that are on Google?
  17. How are you proactively looks at threats at all levels from a broader prospective?
  18. Does Google’s culture give preference to moral obligation versus profits only?
  19. How many independent studies have occurred across all of Google’s information products to check for misinformation threats?
  20. How much do you think is the personal responsibility of Google users’ biases when it comes to sharing fake news on purpose or by accident? What would happen to these users?
  21. As you utilize Artificial Intelligence, these systems can also have inherent biases leading to false positives. What are you doing to address this?
  22. What would Google do if asked by friendly governments to interfere with what information other countries get across all information products?
  23. If your users’ data is stored outside the country, whose laws would you abide by: those of the users’ country, the country where the data resides, or the country where the data is in motion?

Since Google is the most used search engine in the world and an active participant in many industries, it is your right to ask your questions through your senators and representatives. Feel free to ask questions below as well.

So, what questions do you have for Sundar Pichai of Google?


5 Questions to Ask About Your Information Security

The term information security describes the practices, methodologies, and technologies used to protect information physically (e.g., locked doors, security guards, etc.) and in cyberspace (e.g., firewalls, antivirus software, etc.). To accomplish this, we determine information confidentiality (e.g., who can access the information), information integrity (e.g., is the information from a reliable source and unaltered) and information availability (e.g., would the information be available in time to the people who are authorized to use/see it).

According to Gartner, by 2015 spending on information security around the globe would reach $76.9 billion. To put this number into perspective, this amount is close to what the US Federal government spends on technology in one year. At this rate, in the near future more money will be spent on securing personal and organizational information than on actually creating information systems. But despite the importance of information security and its effects on individuals and organizations, very few people understand the kinds of threats that are out there. Security threats are always evolving, and in the digital century geography is not a limitation: individual and organizational information can be compromised by anyone from a local intruder to someone sitting on the other side of the globe. Thus, before you can mitigate information security risks, understand what is out there. Here is a non-exhaustive list of how information security can be compromised:

  • Adware – Pay to remove advertisements.
  • Bacteria – Overwhelms computer resources by making copies.
  • Botnets – A network of compromised systems.
  • Bots – Derived from robots and refers to automated processes.
  • Buffer Overflow – A program goes beyond the boundary of the buffer.
  • Clone Phishing – Legitimate email resent with malicious link/attachment.
  • DDoS – Multiple systems attack a single target.
  • DNS Attacks – Determine types of devices in the network.
  • Easter Eggs – Hidden code in the software to show control.
  • Emerging Technologies – Security is not considered in new technologies.
  • Evil-Twin Wi-Fi – Impersonates an access point (e.g., router).
  • Exploits – Vulnerabilities in scripts, servers, browsers, routers, computer networks, devices, software, and hardware.
  • Hardware Attacks – Exploits system bus, a peripheral bus, chips, power/timing, interrupts and RAM.
  • Human Error – Unintentional legitimate errors caused by people.
  • ICMP Scanning – Identify open ports (e.g., port 81).
  • Keylogger – Track keystrokes when logging on to legitimate sites.
  • Link Manipulation – The destination link is different than what is displayed.
  • Logic Bombs – Performs some action when certain conditions are met.
  • Malware – Malicious code.
  • Masquerading – Pretends to be authorized access.
  • Metamorphic – Code that modifies itself.
  • Network QoS – Service interruptions and performance issues.
  • Old technology – Outdated technology that is too costly to replace.
  • Pharming – Redirecting web traffic to a fake site; a more sophisticated variant of phishing.
  • Phishing – Emails/instant messages asking to click a link/attachment, sign up for some kind of service and/or take you to a site that looks legitimate.
  • Phone Phishing – Call to ask for information.
  • Polymorphic – The same underlying code used for multiple purposes.
  • Rogue Wi-Fi – Compromised wireless access points (e.g., routers).
  • Script Kiddies – Amateur use of scripts developed by professionals.
  • Social Engineering – Psychologically manipulating people.
  • Spear Phishing – Directed toward specific individuals or organizations.
  • Spyware – Typically free software that collects information about you.
  • SQL Injection – SQL code is entered into the input fields of a database.
  • Trapdoors – Secrets in the code that allow access to the system.
  • Trojan Horses – Impersonates other software, prompts to install software and prompts to go to a certain site.
  • Viruses – Adds code to an uninfected copy of the host program in the network and then replicates itself.
  • VoIP Attacks – Software and hardware exploit in Internet telephony.
  • VPN – Only as secure as the most insecure system at either end of the network.
  • Weather – Mother Nature and lack of disaster recovery.
  • Whaling – Attacks directed at high profile individuals and organizations.
  • Worms – Copies itself across the network, runs by itself and does not need a host.
  • Zero-Day Exploits – Vulnerabilities in software unknown to anyone.
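The “Link Manipulation” and “Phishing” entries above describe an anchor whose visible text shows one site while its href leads to another. The following added example (not part of the original post) shows how a mail filter can flag this: it parses anchors out of an HTML body and reports any whose displayed text looks like a URL or hostname for a different host than the href. The sample message body is constructed; the hostnames in it are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL or bare hostname, lower-cased, without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


# Visible text that itself looks like a URL or hostname is what can mislead a reader.
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def find_manipulated_links(html):
    """Return anchors whose displayed host differs from the host the href points to."""
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        if not _LOOKS_LIKE_URL.match(text):
            continue  # "Click here" style text cannot impersonate a URL
        shown, actual = _host(text), _host(href)
        if shown and actual and shown != actual:
            hits.append({"shown": shown, "actual": actual, "href": href})
    return hits


# Constructed sample body: one manipulated link, one honest link, one plain-text link.
SAMPLE = (
    '<p>Please sign in at <a href="http://login.example-bank.com.attacker.invalid/x">'
    "https://www.example-bank.com/login</a> to keep your account active.</p>"
    '<p>Help: <a href="https://support.example-bank.com">support.example-bank.com</a></p>'
    '<p><a href="https://www.example-bank.com/terms">Terms of use</a></p>'
)
```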

Now that we understand the potential risks that are out there, let’s look at what motivates people to do this. While there are many theories of what drives human motivation, for our purposes we look at the following two frameworks used by the top clandestine organization in the world. These frameworks are:

  • MICE looks at human motivation in terms of Money (e.g., cash, stocks, insider information, etc.), Ideology (e.g., religion, patriotism), Coercion or Compromise (e.g., blackmail) and Ego or Excitement.
  • RASCLS looks at human motivation in terms of Reciprocation (e.g., feel obligation to repay), Authority (e.g., prestige), Scarcity (e.g., supply vs. demand), Commitment and Consistency (e.g., trustworthy flip-flopper vs. untrustworthy but consistent), Liking (e.g., share same attributes) and Social Proof (e.g., correct behavior).

In order to understand the complexities of information security and motivations behind it, let’s ask the following questions:

Today | Tomorrow
Who is responsible for information security? | Who should be responsible for information security?
What happens when information is compromised? | What should happen when information is compromised?
Where is information security a priority? | Where should information security be a priority?
When is information security thoroughly reviewed? | When should information security be thoroughly reviewed?
Why was information security compromised in the first place? | Why would information security continue to be compromised in the future?

When you are asking the above questions across all levels of the organization, keep in mind that information security is not something that you just “bolt on” at the end; it should be a top priority at every juncture of your organization. Information security spans people, processes and technologies, and simply paying lip service does not help anyone in the long run.

There are many laws, regulations, and guidelines to safeguard information, but they do not mean much if you cannot apply them across and within your ecosystem of vendors, partners, suppliers and any external entities. In short, information security is a collective effort that requires organizations to be self-aware from the lowest ranks to the highest executives.

Information Security Views

References:

  1. http://www.gartner.com/newsroom/id/2828722
  2. https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/vol.-57-no.-1-a/vol.-57-no.-1-a-pdfs/Burkett-MICE%20to%20RASCALS.pdf
