Data Privacy: Today and Every Day

Today is Data Privacy Day, a day dedicated to awareness of how data, often very personal data, needs to be managed and protected. Just about every company you interact with on a daily basis has collected data about you, uses it, and is responsible for being a good steward of it.

But we can’t expect those companies (your bank, your doctor’s office, your insurance company, your favorite social media experience and any of the myriad applications you might have on your smart phone) to be the only responsible stewards of our data.

We are also responsible.

Take a moment to take stock of your various identities. We all wear different hats in real life – parent, volunteer, employee, pet owner, what have you. Some cross over to others, some do not. We have equivalents online and a collection of companies are vying to be the holder of the “primary” identity you use online. We are constantly offered the chance to log in or “connect” using Facebook, or Google, or Microsoft, creating additional interconnection between the fabric of websites and mobile apps in our ecosystem.

Today, I challenge you to inventory your online identities and make improvements where necessary. Break out a piece of paper and pen:

  1. List out all your email addresses. Which ones are used for access to which websites? When you create an account on your bank’s website, a shopping website or anywhere else, that service has created an identity for you. While it’s true that your bank’s computers don’t connect with the servers that run Netflix, if you are using the same email and password in both places you have increased your risk: a password breach at one service hands an attacker a credential that will also work at the other.
  2. Document all the popular services you use that provide the option to use that identity to connect to other sites – the situations where you log in to a service or website using the credentials from another. In this case, those services may not bother to maintain their own database of access credentials, instead relying on the identity provider. This “single sign on” feature is great – potentially even more secure than having a less robust system maintain a list of email address and password combinations – but it also means that whoever controls the identity provider account controls every service connected to it, so make sure you are combining those services in a way that makes sense for you. I would never sign onto my banking websites “using Facebook” for example, even if it was available. Using my Twitter credentials to connect to a news website would be a more reasonable use.
  3. Review the list so far and make changes as necessary. Update passwords, change email addresses and consider the “single sign on” options that make sense for how you organize your life. If you’ve used your work email (which is an identity you don’t fully control) as the primary email for a personal service, make sure to adjust that appropriately. You never know when you might lose access to that email account, making it difficult to recover a lost password or receive notifications.
  4. Turn on multi-factor authentication where available. Those services then require additional proof before granting access, such as a code from an authenticator app, a phone call, a text message or an email to an alternative account. An app-generated code or a hardware key is stronger than a text message, which can be redirected by SIM swapping, so prefer those when they are offered. Make sure that your contact information is up to date with alternative phone numbers and current email addresses that you can access.
  5. Some services provide printable one-time use access codes that you can store offline. Google and Microsoft are two companies that do this. I print these and store them in a secure location at home, as a backup to all the other multi-factor security options.
  6. Review the recovery related FAQs for all the major services you use. In the past, some have required you to know rather specific information related to your account, such as the date it was created. If necessary, gather that information and store it securely offline as well.
  7. Finally, review the security and privacy settings on the sites where you purposely post personal information, like Facebook and LinkedIn. Make sure you have them set so what you have publicly visible is what you intended.

I know that’s a big list. Make it Data Privacy “Week” if you have to. Your future self will thank you.
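Step 5 above mentions the printable one-time access codes that some providers hand out as a backup second factor. The following is an added example, not code from this post or from any of the providers named in it, showing how such a scheme is typically built: the service generates random codes once, stores only their hashes, and burns each one on first use so that a printed sheet that leaks later is worth nothing. The alphabet, code length and the `BackupCodeStore` class are my own choices for illustration.

```python
"""One-time backup codes: generate once, store hashes only, consume on use.

Added example of the mechanism behind "printable one-time use access codes";
not the implementation of any particular provider.
"""
import hashlib
import hmac
import secrets

# Lowercase letters and digits minus the easily confused 0/o, 1/l/i,
# so a code read from a printed sheet is hard to mistype (assumed alphabet).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _normalize(code: str) -> str:
    """Accept what a human typed: strip spaces/dashes, ignore case."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(code: str) -> str:
    # Codes are high-entropy random strings (about 49 bits for 10 symbols
    # of a 31-symbol alphabet), so a plain SHA-256 is enough; a slow
    # password hash is only needed for low-entropy, user-chosen secrets.
    return hashlib.sha256(_normalize(code).encode("ascii")).hexdigest()


def generate_codes(count: int = 10, length: int = 10) -> list:
    """Return `count` distinct codes formatted as xxxxx-xxxxx for printing."""
    codes = set()
    while len(codes) < count:
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        half = length // 2
        codes.add(f"{raw[:half]}-{raw[half:]}")
    return sorted(codes)


class BackupCodeStore:
    """Server-side record of a user's unused codes. Only hashes are kept,
    so a database leak does not reveal usable codes."""

    def __init__(self, codes):
        self._hashes = {_digest(c) for c in codes}

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, code: str) -> bool:
        """True on the first use of a valid code, False for unknown or
        already-used codes. The second use of the same code must fail."""
        candidate = _digest(code)
        for stored in list(self._hashes):
            # Constant-time comparison so a timing side channel does not
            # leak how much of a guessed hash matched.
            if hmac.compare_digest(stored, candidate):
                self._hashes.remove(stored)  # single use: burn it
                return True
        return False


if __name__ == "__main__":
    issued = generate_codes()
    store = BackupCodeStore(issued)
    print("Print and store offline:", *issued, sep="\n  ")
    print("first use :", store.redeem(issued[0]))            # True
    print("second use:", store.redeem(issued[0]))            # False
    print("typed with spaces and caps:",
          store.redeem(issued[1].upper().replace("-", " ")))  # True
    print("codes left:", store.remaining())                  # 8
```

The user-facing detail worth copying is the normalization step: a code read off paper will arrive with stray spaces, dashes or capitals, and rejecting it for that reason is how people get locked out of the very account the codes were meant to rescue.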

Learn more about privacy settings for:

Throwback Thursday: Sessions from TechEd Houston

Today is my final installment of highlights from TechEd Houston! Below are some of my session picks from the last day of the conference.

  • TWC: Hacker’s Perspective on Your Windows Infrastructure: Mandatory Check List (DCIM-B366)
  • Windows 8 Security Internals (WIN-B350)
  • Real-World Windows 8.1 Deployment Note from the Field (WIN-B358)
  • Providing SaaS Single Sign-on with Microsoft Azure Active Directory (PCIT-B326)
  • Delivering Disaster Recovery Solutions Using Windows Server 2012 R2, Microsoft System Center 2012 R2 and Microsoft Azure (DCIM-B421)
  • How IPv6 Impacts Private Cloud Deployments (DCIM-B373)
  • Windows Server 2003 End of Life Migration Planning for Your Workloads (DCIM-B376)
  • Upgrading Active Directory the Safe Way: Using Virtualization Technologies (PCIT-B341)
For my lists of sessions from the other days, you can find them here: Monday, Tuesday and Wednesday.

October is National Cyber Security Month

As a system admin, I like to think that I’m pretty savvy when it comes to online security.  However, it never hurts to look at some current recommendations as a refresher and maybe pass on a link or two to family and friends regarding ways to prevent fraud, theft and other online ills.

Visit the STOP. THINK. CONNECT. campaign or Microsoft’s Cyber Security web page for tips on staying aware and secure online.

Check out my previous security posts for some of my thoughts on cyber security. What are your recommendations for friends and family when they ask you about online security? 

Upcoming Tech Events in 2011

Looking to fill your calendar with some free or low cost tech events in early 2011?  Consider some of these:
  • TechNet Events Presents: Virtualization 101 – Microsoft Evangelists will talk about the creation of the hypervisor and demonstrate usage scenarios ranging from the home user up to multinational corporations. Discussions will also include how virtualization has given rise to “the Cloud”.  The event is free and will be in San Francisco on 2/2/11, but check the list for dates in Los Angeles, Irvine, Denver, Portland and other locations on the west coast.
  • Data Connectors Tech-Security Conferences – Just like the one-day event I attended a few weeks ago, Data Connectors will be all over the west coast in early 2011.   In particular, find it in San Jose, CA on 2/10/11.
  • She’s Geeky unConference – For all those women who embrace their geekiness, save the date for “She’s Geeky Bay Area #4” running January 28-30th. 
  • Register by 1/21 and snag a free Expo Only pass to the SPTechCon (The SharePoint Technology Conference) in San Francisco February 7-9th.  The full event doesn’t fall into the “low cost” category, but if SharePoint is your thing, you might want to consider more than just the expo.
  • RSA 2011 – Another one of my favorites, the “Expo Plus” pass at RSA gets you into the expo hall, the keynotes and one conference session of your choice. RSA will be at the Moscone Center in San Francisco, February 14-18th. 
Plan your time well and you won’t have to be in the office for much of the first quarter! 

All I Want For Christmas is my Credit Card

December started out with a call from my credit card company, reporting suspected fraudulent use of my Visa card.  After reviewing some recent charges, I found one that I did not recognize, and my card was cancelled.  I have to hand it to CapitalOne – they really are on the ball when it comes to figuring out which charges are legit and which ones are not.  It’s a little bit creepy, to be honest. Ah, the age of data mining.
As I was jotting down the list of businesses I’ll have to contact to update my information once my new card arrives, I started thinking about credit card numbers.  With all the talk about the end of the IPv4 address space, I can’t help but wonder how many possible credit card numbers are left to distribute, especially with the use of temporary cards, like Visa or AMEX gift cards and the like.
I did a quick search and found some slightly dated information estimating that even if credit cards had only 10 digits instead of the usual 16, there would still be enough numbers to give everyone currently alive on the planet a number, with extras for people being born over the next 25-30 years.  Still, that doesn’t seem like all that many to me – I know that my Visa card has been reissued at least 3 times now since I’ve had it, so I might have already used my fair share.
Without spending a lot of time pondering this issue, I guess that between the various card-issuing companies and the bank numbers used to create card numbers, it’s possible to have some overlap in the customer identifying portion of the card number without causing a problem. Plus, credit card technology is always evolving.  There is always news about the use of chip cards, and there are companies like this one, developing totally new ways of keeping cards secure and easy to use.  A flexible, electronic card with a rewritable magnetic strip? Cool.
Meanwhile, I guess I’ll enjoy this unexpected hiatus in my holiday shopping. The economic recovery will have to manage without me for a few more days.
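The guess above is right, and the arithmetic is worth carrying through. Under ISO/IEC 7812 a card number starts with an issuer identification number (six digits when this was written, extended to eight in 2017) that names the issuing bank, and ends with a check digit computed by the Luhn algorithm, which exists to catch typos rather than to add security. So the account identifier in between can repeat across issuers without any collision, and a 16-digit card with a 6-digit issuer prefix still leaves 10^9 account numbers per issuer, far more than one bank will burn through by reissuing cards. The following is an added example that I wrote to show this; it is not code from this post, and the prefixes 411111 and 555555 and the account identifier 123456789 are constructed test values, not real cards.

```python
"""Luhn check digit and the size of the card-number space.

Added example; the IINs and account identifiers below are constructed
test values (assumed), not issued card numbers.
"""


def _clean(pan: str) -> str:
    """Strip the spaces and dashes people type between digit groups."""
    return pan.replace(" ", "").replace("-", "")


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum: starting from the rightmost digit, every second
    digit is doubled, and doubled values above 9 have 9 subtracted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_check_digit(partial: str) -> str:
    """The single digit that makes partial + digit pass the Luhn check."""
    return str((10 - luhn_sum(_clean(partial) + "0") % 10) % 10)


def luhn_valid(pan: str) -> bool:
    pan = _clean(pan)
    return pan.isdigit() and len(pan) >= 2 and luhn_sum(pan) % 10 == 0


def build_pan(iin: str, account_id: str) -> str:
    """Issuer prefix + account identifier + computed check digit."""
    body = _clean(iin) + _clean(account_id)
    return body + luhn_check_digit(body)


def pans_per_iin(total_len: int = 16, iin_len: int = 6) -> int:
    """Distinct valid card numbers one issuer prefix can carry: the check
    digit is determined by the others, so it contributes no choices."""
    return 10 ** (total_len - iin_len - 1)


if __name__ == "__main__":
    # Same account identifier under two different issuer prefixes gives two
    # distinct, valid card numbers: overlap in the middle is harmless.
    a = build_pan("411111", "123456789")
    b = build_pan("555555", "123456789")
    print(a, luhn_valid(a))   # 4111111234567892 True
    print(b, luhn_valid(b))
    print("numbers per 6-digit IIN:", pans_per_iin())        # 1000000000
    print("numbers per 8-digit IIN:", pans_per_iin(16, 8))   # 10000000
    # A one-digit typo is caught by the check digit.
    print(luhn_valid("4111 1111 1111 1111"), luhn_valid("4111 1111 1111 1112"))
```

Two caveats for anyone tempted to lean on this: the Luhn digit is public arithmetic, so passing it says nothing about whether a number was ever issued, and the 8-digit IINs that have since been rolled out cut the per-prefix space by a factor of 100, which is one reason issuers were assigned new prefixes rather than running out.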

Data Privacy Day: 1/28/10

Next Thursday, January 28th, is Data Privacy Day. It’s a relatively new day of celebration – this is the third year – but the goal is to promote awareness around data privacy, stimulate new development of privacy tools and encourage compliance with privacy regulations. Several events are being held in conjunction with it around the US, Canada and over two dozen European countries.
As an official sponsor, Microsoft will be participating in an event held in Washington, DC. Here in the bay area, Stanford Law School will be hosting a panel on Money and Privacy that is open to the community. Also, if you are so inclined, the International Association of Privacy Professionals will be having some “Privacy After Hours” evening networking events.
If nothing else, you might want to take some time that day to review some of the publicly available information about yourself. Type your name into your favorite search engine. Double-check those privacy settings in Facebook and make sure only a limited amount of information is available to people who aren’t part of your immediate network. Consider removing your profile from social networking sites you no longer participate in regularly.
The Internet and the growth of social media have made it so much easier to stay in touch with those we care about and connect with others who share our interests. However, don’t make it too easy for others to use those tools against you.
And one more thing – it’s probably time you changed your password.

Thoughts on Air Travel Security

I know that airport security is probably pushing it when it comes to technology topics, but one can’t help but notice all the recent hoopla regarding airline travel.

I travelled to the east coast over the holidays (after the Christmas day incident) and had mixed feelings about the fact that security screenings were no better and no worse than they had been the past year. My husband got the extra “pat down” during our return trip, but stated that he’d been physically screened more significantly when going to a music concert. Overall, I find the current system to be more “security theater” than not. I’m sure that the current procedures do discourage some more casual attempts to cause harm, but when someone is determined it’s possible to circumvent the system.

While it’s important to look for metal items that could be used as weapons, TSA still cannot consistently detect explosives on passengers or in carry-on luggage. Personally, I would be willing to bring less into the cabin of the plane and tolerate having it more closely screened, if it meant that I would have unlimited access to those items for the duration of the flight and would not have my movements unnecessarily restricted.

Granted this would mean making improvements in the baggage handling systems and require airlines to charge less for checked baggage in order to restore confidence in handing one’s bag over to an agent. However less carry-on luggage would allow for faster passenger screening – either by hand, machine or trained dog.

On Sunday, EWR was partly shut down due to someone entering a secure area through an exit. I am surprised this doesn’t happen more often. Airports are busy, often confusing places, filled with distracted people who want to be someplace else. What concerns me is that they never found the guy. Clearly airports need to take a page from the casino playbook when it comes to installing video surveillance systems. Hundreds of travelers could have avoided being rescreened and flights could have operated as usual if TSA could have simply tracked down the errant man.

Security works best when it’s unobtrusive and consistently applied. While random screening procedures do have their place, it’s not practical to make traveling more frustrating for the majority of the population by adding to the confusion with knee-jerk restrictions that don’t address the obvious issues. If nothing else, TSA does lend itself to some great tweets. Check out this travel blog post that calls out seven of them.