Fears of the Patriot Act forcing US companies to repatriate data stored overseas for international customers are unwarranted, given that the Act has yet to be tested, according to Mike Denning, general manager security business for CA Technologies.
Mike Denning (Credit: CA)
The controversial legislation has received attention from US companies involved in hosting user data for customers located offshore. Microsoft admitted recently that the company would have to comply with US government requests for customer data regardless of where it is stored.
Denning, who joined CA in November 2010 after leaving VeriSign, told ZDNet Australia that while data sovereignty is a major issue, the Patriot Act is, at this stage, a "very theoretical threat" and a "boogeyman", because the Act has not been used to get private customer data yet.
"[I won't be worried] until I see a bunch of people being dragged into court, using the Patriot Act, for [obtaining] data," he said, adding that he thought that the bigger issue for nation states in terms of security was simply about ensuring that personally identifiable information remains within the jurisdiction of a sovereign country for accountability reasons.
As more and more organisations adopt software as a service (SaaS) and move into the cloud, Denning said that this would drive uptake of second-factor authentication. But the days of hardware-based second-factor authentication were numbered, with cloud services lending themselves to software-based authentication. He said that it would be much easier for large organisations with services in the cloud to deploy software-based second-factor authentication, rather than tokens.
"We don't expect everyone to throw away their tokens, [but the] scalability of giving everyone a token just doesn't make sense," he said.
Denning said that as businesses move more sensitive data to the cloud, it is an inevitability that security has to improve. Much of this would have to do with having the perception of security, but not the inconvenience of security, he said. If a system's security gets in the way of a person doing their work, they will just try to find a way around it.
"Security is only as good as long as your users don't try to circumvent it," he said.
He said that IT "needs to move from the security of 'no' to the security of 'know'", where a company has strong management over who has access to what data at what time, rather than reflexively and automatically denying access.
He said that better control over access rights would go a long way towards curbing the emerging "insider threat", where employees or former employees gain access to information that can threaten the company.
"From a threat perspective, it's moved from annoyance to a targeted approach from insiders," he said.
Josh Taylor travelled to Las Vegas as a guest of CA Technologies.

That is a very silly thing to say, Denning. Just because the legal grounds for data sovereignty vs the Patriot Act are untested doesn't mean it shouldn't be a big concern. It is a very valid concern for many organisations, large and small, who has copies of your data, both on privacy as well as from a legal point of view.
Would you be willing to share your bank account details with your friend? How about your neighbour? The police? Feds? See the point?
This is why as a cloud provider we ensure our data stays within Australian borders. Our clients know exactly where the data is, and it's away from countries where security and privacy laws either ensure government control or are absolutely lax.
Remember how when we want to go to the US we have to be willing to give nothing less than our DNA? Well, the Patriot Act allows this to extend to data. Once the data is accessed by a "security agency" you don't know how the data is going to be used and also for what purpose.
Additionally, Australian cloud services are now popping up everywhere, including Telstra. For a nice exorbitant price a lot of Australian companies can keep their data in the cloud away from foreign spying eyes. Always better to be safe than sorry.