Comments for sentry-com.net Blog
http://sentry-com.net/blog
This blog is written by Dr. Eli Talmor, SentryCom Ltd. Founder and CEO to discuss latest events related to ID theft.
Sun, 27 Mar 2011 10:00:37 +0000

Comment on Why Sending Files Outside Your Enterprise Needs Approval. by Administrator
http://sentry-com.net/blog/?p=489&cpage=1#comment-4478
Sun, 27 Mar 2011 10:00:37 +0000

Mikael,
You are probably right: only a small percentage of the stored data may be classified confidential. This was true in the 90s and this will be true in the new millennium. What changed is our environment. Sometimes we need to communicate confidential data to do business and at the same time our foes want to steal our confidential data to disrupt our business. This business disruption may have catastrophic consequences. This is a classic “black swan” effect.
The change of behaviour I am suggesting is rather straightforward: instead of sending a corporate file directly – one should send it for supervisor’s approval. This is a small inconvenience. But is there another way?

Comment on Why Sending Files Outside Your Enterprise Needs Approval. by Mikael Hertig
http://sentry-com.net/blog/?p=489&cpage=1#comment-4477
Sun, 27 Mar 2011 05:43:01 +0000

According to European privacy legislation and thinking from the 1990s, data inside the office building were seen as secure and trusted. Risk was always connected to bringing them outside.

This has some kernel of truth; however, modern working patterns involve consultants, and please do not forget the internet and social media such as LinkedIn.

We have to reconsider what ‘leakage’ really means. First of all we have to deal with confidential data. I do not know how many organizations have a strict classification system. Without one, leakage prevention is unnecessary.
Secondly, the typical case should lead to the conclusion that only a very small percentage of the stored data were classified confidential.

This means that introducing DLP may be a nice idea. It is important to introduce a classification procedure. It is even more important to educate and train the involved persons in understanding that “importance” and “confidence” must be separated.

Maybe the technical solution at hand first of all is a disturbance because access to important data turns out to be too restricted?

The real challenge is to keep data confidential in an open world where the classified group belong to several companies.

Comment on eVoting for online competitions using Managed Authentication Services. by Surge
http://sentry-com.net/blog/?p=107&cpage=1#comment-4356
Fri, 02 Jul 2010 01:40:08 +0000

Thanks for the info, things are becoming clearer.

Comment on The Economics of Transaction Verification. by Payments
http://sentry-com.net/blog/?p=170&cpage=1#comment-2500
Wed, 26 Aug 2009 13:51:39 +0000

Thanks for the info. Found it very useful!

Comment on Heartland credit card data breach – paradigm shift is required. by Smartcard Mike
http://sentry-com.net/blog/?p=122&cpage=1#comment-90
Mon, 02 Mar 2009 14:28:54 +0000

Thanks for the information, was needed!

Comment on eVoting for online competitions using Managed Authentication Services. by Cordny Nederkoorn
http://sentry-com.net/blog/?p=107&cpage=1#comment-8
Tue, 06 Jan 2009 11:08:38 +0000

Hi Eli,

Now I understand. I hadn’t checked your earlier blog posts, otherwise I would have understood this blog post.

The Voter’s list is used as a validation for the mobile phone number and the email address. Same with authorization.
And you still need a verification tool on top of your OpenID.

Like I see it OpenID is still in the beginning, but can be used for online voting.
Banking and national election, that’s still one bridge too far I guess.
Thank you for your detailed feedback Eli.

Regards, Cordny

Comment on eVoting for online competitions using Managed Authentication Services. by Eli Talmor
http://sentry-com.net/blog/?p=107&cpage=1#comment-7
Mon, 05 Jan 2009 16:02:42 +0000

Hi Cordny,
In my earlier blog I defined the terminology that I use here:
http://sentry-com.net/blog/2008/12/21/authentication-vs-authorization-vs-identity-verification/
Identity Verification or Identity Assurance is the first step of the overall Identity Management process. Its purpose is to check user’s identity/background/credentials BEFORE he starts using the system.
A few examples:
1. The OpenID protocol does not specify credentials verification prior to creating OpenID. All you do is to verify that holder of OpenID. But he may remain anonymous. All you need is to generate username and to provide valid email address. Managed Authentication Service does all the rest. This is enough for most websites.
2. But in order for authorization to function (provisioning) – Identity Verification is a must. So you need to build it on top of OpenID. So Banks cannot adopt OpenID as is.
To eVoting application: If you provide your email and your mobile phone, then we can verify from the Voter’s list at least that:
1. each can be validated (by email handshake and SMS handshake)
2. no one is using one email with two different mobile phones and vice versa.
This is simple online competition – not national election – so the true name of the voter is not an issue.

Comment on eVoting for online competitions using Managed Authentication Services. by Cordny Nederkoorn
http://sentry-com.net/blog/?p=107&cpage=1#comment-6
Mon, 05 Jan 2009 14:43:49 +0000

Hi Eli,

A nice innovation, but I still have a few questions:

About identity assurance, a voter can have email addresses and mobile phones under other names, for instance 1 email address from Google and 1 from Yahoo. How can an organizer validate this in a good way?
Same with Authorization.
How do you want to incorporate the intermediate step with your Managed Authentication Services, this should be the ultimate validator then, not?

Regards,

Cordny
