Thursday, April 16, 2009

Welcome to a New Security Alliance

Contributed by Joanne C. Kelleher

A new organization, the Cloud Security Alliance, is being launched next week at the RSA Conference. It plans to provide security guidance to companies adopting cloud computing products.

SearchSecurity.com has an opinion piece about the challenges the new Cloud Security Alliance (CSA) will face, and the RFIDSA gets a mention. The CSA is tackling 15 "Domains of Concern", and several of these items overlap with issues we face with RFID.

-------------------------------------------------------------
Cloud computing group to face challenges ahead
By Eric Ogren at SearchSecurity.com
15 Apr 2009

-snip-
"This is not the first, nor will it be the last, security alliance that was formed to get ahead of security issues that may stunt the growth of enticing new technologies. A search on "security alliances" will quickly uncover similar organizations including the Internet Security Alliance, Voice over IP Security Alliance, Document Security Alliance and Radio Frequency Identification (RFID) Security Alliance. Security practitioners are well-schooled in talking about potential security pitfalls in new technologies and in making best practices recommendations."
-snip-
Read the full piece at http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1353872,00.html#

Saturday, April 4, 2009

Thank God For Academic Interest

I recently had the opportunity to present to a joint meeting of the American Society For Quality (ASQ) and The Institute For Supply Chain Management (ISM) on the subject of ePedigree. The title of my presentation was "ePedigree: Security As A Quality Objective" and I was joined by Bikash Chaterjee of Pharmatech Associates.

One of the attendees was Dr. Richard Dawe, an associate professor from Golden Gate University in San Francisco. He teaches about global supply chains, and he was very intrigued by my presentation. He essentially found it quite interesting that in all the discussions about ePedigree, security issues rarely get any mention.

One of Dr. Dawe's MBA students asked me to assist her with a project she is working on centered on ePedigree. I spent some time explaining the enormous security challenges with implementing ePedigree in general, and also about security challenges in the RFID "portion" of ePedigree.

What I find absolutely fascinating about discussions at this particular level (meaning the academic level) is that I find myself feeling very warmly embraced by the teachers and students. This is because I bring them information they cannot easily find through any of the organizations that claim to specialize in providing answers about ePedigree.

As I mentioned in a previous posting, organizations (like SupplyScape) are working very hard to convince companies (like pharmaceutical companies) to get "ePedigree Ready", and raising the spectre of security obviously throws a huge monkey wrench into the works. It essentially amounts to a cover-up of the issues, because many of these ePedigree implementation organizations are well aware of the security issues. For those that are not aware of the issues, ignoring opportunities to become more aware is perhaps an even bigger crime.

When I explain a mere handful of the security challenges and risks associated with insecure ePedigree and RFID implementations, I consistently get the classic "eyes wide and mouth open" response from the audience, who are shocked to learn this new information. What is even better is when I show them documented evidence of what I am discussing.

I hope more academics become involved and spread the word.

Friday, April 3, 2009

Help Present a Balanced View of RFID Security

Bert Moore, Editor of AIM Global’s RFID Connections, discusses RFID security and privacy in his April 1, 2009 column titled RFID: Legislative Action.

"At some recent legislative hearings on whether to limit, regulate or restrict RFID in some way, advocates of RFID finally began to get their views heard. Why? Because many of the advocates weren't companies manufacturing or selling RFID, they were companies and agencies actively using the technology. They were able to point out to state legislators how the technology was actively benefitting citizens of the state. And their real world experiences helped put to rest some of the more outlandish claims of some privacy advocates.

At the same time, there are new concerns that some companies and governmental agencies are implementing RFID technology without giving adequate attention to the need for security and, therefore, privacy. Concerns about covert reading of ID cards and similar items must be addressed because they highlight real or potential system vulnerabilities that expose not only individuals but the entire system to unnecessary risk.

It is up to those in the RFID community -- both vendors and end users -- to be heard in legislative hearings and community forums in order to present a balanced view of the technology and point to ways in which it can be implemented securely so that it can continue to provide benefits while protecting the integrity of the system and personal privacy."

The RFID Security Alliance invites vendors and end users interested in this issue to join our organization.

Bert also goes on to announce the availability of a new technical report from the International Organization for Standardization (ISO) which was based on the work of AIM Global. Publication ISO/IEC TR 24729-4, Information technology - Radio frequency identification for item management - Implementation guidelines - Part 4: Tag data security, is available for purchase from the AIM Global website.

I was pleased to see that this report “offers sufficient guidance to enable users or developers to assess potential risks and determine appropriate techniques to mitigate these risks.” The RFID Security Alliance encourages users and implementers to complete a risk assessment of potential RFID systems.