Pass? No, This Encryption Bill Gets a Failing Grade

Fail copy.jpg

The Australian Government’s has pushed through their encryption assistance access bill, using the excuse that potential terrorists use encrypted messaging apps. Believing the notion that a ‘local’ (read national/federal) government can geographically ring fence ‘people-of-interest’ into a group that can be secretly listened is nonsensically out-of-touch. In fact, this rushed bill simply illustrates the government’s profound lack of understanding of technology, the web and the global digital economy, which includes everything from email and ecommerce to banking online. 

The Australian Government’s has pushed through their encryption assistance access bill, using the excuse that potential terrorists use encrypted messaging apps. Believing the notion that a ‘local’ (read national/federal) government can geographically ring fence ‘people-of-interest’ into a group that can be secretly listened is nonsensically out-of-touch. In fact, this rushed bill simply illustrates the government’s profound lack of understanding of technology, the web and the global digital economy, which includes everything from email and ecommerce to banking online. 

Some points to consider:

  • Where is the data stored and where is the company based? The majority of companies that have messaging apps (the use case the government puts forward is needing to listen into encrypted messaging) don’t have meaningful legal presences in Australia, nor do they store their data here.

So, under what legislation would they be compelled to provide the data and functionality?

  • Who is going to change their software? Generally speaking, Australia is, at most 5% of a multinational company’s total revenue (and these are typically providing the messaging services that the government is currently focusing on). There is no commercial incentive for a multinational to hack their technology. 

This is particularly true for what is, essentially, a vague idea cobbled together by a foreign (Australian) government to compel them to secretly give access to some of their customer’s data when said government requests it.

  • Precisely who is being targeted? How many pseudonyms do people have on the web? Ask a company like Facebook or Google and they would likely answer – a lot… a whole lot. 

Using the example used by the Australian government, which focusses on encrypted communication going between individuals, how can the government specify the exact (read correct) username(s) to listen into?

  • Who is going to enable the listening? To enable listening software developers would have to introduce ‘hacks’ into their software to enable backdoor access. If they did they would a) never get a new sale and b) most probably be sued by businesses using their software for breaking the terms and conditions of the confidentiality and data protection/security provisions. 

The reality is a) there are hundreds of thousands of software developers in the market – most of whom deliver some form of encrypted functionality (e.g. accounting packages, bank transfers etc.) and b) there are magnitudes more companies operating said software - and they can be anywhere in world. 

So, how is the hack going to be implemented and who is going to operate on behalf of the government?

  • In what instance is someone declared to be ‘of interest’ and who would control the data if it were to be provided to the government? Since there appears to be no set parameters delineating what data can be asked for and about whom, it is possible that highly confidential business information will be captured. Broadly speaking, governments do not have a stellar reputation around data security and data controls. For instance, rather than only the intelligence service that is doing the investigation having access to the captured data, it would certainly not be impossible for a government IT person to, potentially, access, copy it and post the data elsewhere. 

Without strong, independently verifiable process and data controls there is prodigious potential for abuse of this power.

  • Will there be ‘scope creep’? Once the government has this power what else could it be used for? Recent examples show how broad legislation can have unintended consequences as with the Patriot Act being used by the IRS to track down tax dodgers rather than just being used for anti-terrorist actions.

  • And what about PII (Personally Identifiable Information)? Legislation like the EU’s GDPR (General Data Protection Regulation) are specifically designed to protect users data from abuse by individuals and organisations looking to profit off their data without their knowledge or consent - along with the right to be forgotten (i.e. the removal of their data from the company that had it. 

It is not at all clear how a government attempting to get backdoor access to data and not allowing data to be deleted does not contravene the very ideals of the legislative protection around PII. A potential side effect is that any Australian company complying with the Australian legislation could, in effect, be prevented from doing business in Europe and any other jurisdictions that have these data protection legislations in effect.

It appears that the thinking behind this legislation is from an age group that grew up watching FBI shows in the 70’s and 80’s, where ‘the good guys’ could listen into the ‘bad guys’ in the next room or get a wiretap from the country’s one Telecommunication company (there was only one at that time). 

The world has changed immensely and it is time to wake up, keep up and rethink how to address the global problems of the 21st Century without attempting to recast antiquated ideas.

Blockchain: What’s Trust Got To Do With It?

Blockchain- What’s Trust Got To Do With It? Image.jpg

By Michael T. McDonald

Given the enthusiasm and hype surrounding Blockchain, it may confusing for some to understand why every business and institution isn’t rushing to take it up. For instance, following its $700,000 budgeted investigation into the capabilities of Blockchain, the Australian Digitial Transformation Agency (DTA) this week admitted to a lessening of its enthusiasm for the technology being particularly effective in delivering governmental services. As Peter Alexander, CDO (Chief Digital Officer) at the DTA told the Senate Estimates hearing, “without standardisation and a lot more work, for every use of blockchain that you would consider today there is a better technology.

He went on to say, “Generally speaking when the government is engaging with someone, we want to have a trusted relationship with them.” Unfortunately, Blockchain is only good for “low trust engagement.”

Trust IS all its Cracked Up To Be

When you get beyond the overblown hype, the fact of the matter is, it is difficult to find any business or government use cases that don’t rely on trust. Computing solutions have, since their inception, been designed to answer this need; however, at some level (business and/or technical infrastructure) there is a trusted party (or parties) that facilitate transactions by providing:

  1. Authentication of Transactors - Verifying and “vouching” for who is party to the transaction;

  2. The marketplace - So buyers and sellers can find each other;

  3. The Trading Floor - So transaction details can be viewed by all parties; 

  4. The Transaction - Changing the state of the parties to reflect the Transaction e.g. transferring money – one account balance goes up, the other down;

  5. Transaction Verification - All parties confirm/agree the completed state of the transaction is correct (i.e. The account of party ‘A’ went down by $100 and the account of party ‘B’ went up by $100);

  6. Arbitration - What happens when any of the parties do not believe the transaction met the conditions agreed to due to issues such as fraud, faulty goods, non-delivery, incorrect delivery, etc.

These provision points are essential for doing the vast majority of business, be that in commercial/government (private/public sector) marketplaces/ecosystems.

Who Do You Trust?

The touted value of Blockchain is the ability to do transactions in a “trust-less” marketplace i.e. removing the need for an intermediary, trusted parties. The premise being that, by using a distributed ledger built by using marketplace/network trusted/verified transactions, any participant can ‘do business’ using an anonymous (but known/dedicated) identity. They are able to do this because they can determine what the ‘truth is’ by creating their own ledger, using this trusted network transactions independently.

So in relation to the provision points noted above, what this means is:

  1. Authentication of Transactors - Blockchain authenticates an ID. It does not vouch for who the party is;

  2. The marketplace - This only works if you use the same blockchain network;

  3. The Trading Floor - This only works if you use the same blockchain network; 

  4. The Transaction - This only works if you use the same blockchain network;

  5. Transaction Verification - This only works if you use the same blockchain network and is currently very slow and extremely expensive in computing time;

  6. Arbitration e.g. - This is not handled by blockchain.

As you can see, Blockchain does not cover off the majority of use cases in both Commercial and Government eco-systems.

Who Controls the Chain?

It is important for users - individuals, governments and institutions - to see through the hype and hoopla being pushed by enthusiastic vendors, many of whom many not actually understand the technology (and its inadequacies). To do this it is important to understand a few things. 

First, Blockchain networks come in a myriad of incompatible varieties; for instance, Bitcoins can’t be used on an Etherium blockchain network. Even two Etherium networks can’t spend each other’s currency. The result is a random collection of currencies which cost a hefty amount to exchange for another currency - be that real or crypto. (Fees are unregulated and the actual value of said crypto currency can vary massively, even on the same day.) One could say the it is comparable to, if not worse than, travelling and spending in Europe, prior to the Euro.

Additionally, party ‘A’ needs to have an ‘account’ within whatever particular network is in question and party ‘B’ must have an account in that network as well. Think of the thousands of regional banks - which, in this instance, equate to networks - that exist in the world and extrapolate that to internet-scale and you can get some idea of the result: a massive mess.

It is also important to know that, in an attempt to mitigate the requirement failings inherent in majority of Blockchain-based Proof of Concepts, proponents and vendors have:

  • Created closed Blockchain networks to make the Proof of Concept easier to manage;

  • Tightly control who can use the network;

  • Pick one ‘flavour’ of Blockchain, which is difficult due to a bugs, version and architectural incompatibilities;

  • In many cases, control the Blockchain wallets of the participants (including private keys).

These mitigations negate the much touted Blockchain ‘benefit’ of removing a trusted third party/intermediary and, as noted above, does not ‘tick all the provision point boxes’ required for doing good business.

The issues with Blockchain technologies aren’t limited to crypto currencies; they apply to any assets that are tokenised in a Blockchain. This includes such things as the much hyped smart contracts from the likes of Etherium, which are equally locked into specific, individual Blockchain networks and isolated from any other networks. 

There is no standard as to how, or even if, this will ever be resolved. The result is a muddled mess of isolated, competing Blockchain networks that have no standard set of policies, practices or legal protections.

It is, perhaps, ironic that the vast majority of Proof of Concept use cases can be achieved, with all ‘boxes ticked’ and trust intact, far faster, cheaper and more securely, using other technologies instead of a Blockchain equivalent. 

Data Security: Why you'd better stop using unencrypted integration platforms (which is most of them) right now!

encrypted-lock - blog 3 image.jpg

by Michael McDonald and Kim Chandler McDonald, Co-Founders of FlatWorld™ Integration

Unencrypted integration platforms, operating system patches; application upgrades; accessing your network through your printer - they’re all potential points of vulnerability for your business. Simply put, any technology that is part of your company or technology belonging to your employee or a visitor to your site (either online or in person) - can, if it has access your network (either via wifi or any other means) leave you and your data exposed and susceptible to data breaches and your organisation liable for serious fines for noncompliance with data breach laws.

You may think that you are already acutely aware of your data security problems. However, what you may not realise is that your favourite, trusted integration platform could be contributing to your vulnerability. 

How? By transporting data between your multiple applications and processes as free text. Because of this, it only takes a single breach, in only one of those node, to expose all of your data and/or or your customer’s data. The more applications you integrate, the greater your exposure. Unfortunately, attempting to keep your data secure using outmoded methods such as firewalls simply won’t cut it. 

Who cares if you have a strong firewall if someone has accessed your network through connecting to a node, such as your printer, via wifi. That’s like relying on security cameras in your office while you’ve left the back door unlocked. That is, in a word, useless. 

Perhaps, in fact, less than useless because you’ve lulled yourself into a false sense of security and let your guard down. The concept of mitigating risk by installing firewalls and hiding behind them simple doesn’t work; you are, more often than not, at risk via your weakest link.

The recent ‘HP Australia IT Security Study’ found that:

Almost half of all Australian SMBs with an annual turnover of $3M+ do not consider themselves to be prepared for the mandatory data breach disclosure laws that will come into operation from February 2018

only 18% currently have a compliance policy in place; while 33% are currently developing a policy

57% of SMBs have not done any sort of IT security risk assessment in the last 12 months, putting their devices, data and documents at risk 

Of the 43% of SMBs that have undertaken a risk assessment, just 29% included printers in their analysis, a device that is increasingly an entry point for data breaches

63% of respondents state their employees work remotely on a regular basis, and as a result are becoming increasingly concerned about associated security risks – e.g. visual hacking

63% of respondents allow employees to access company data from personal devices;

less than half (44%) of respondents have a security policy in place for employees that bring a personal device to work 

only 37% restrict the data that can be accessed from the device

Fl@World is designed to give you agility and improve your data security levels out-of-the-box by encrypting your data onto disk and ‘in flight’. With one click you can grant auditable, access permissions to your colleagues, vendors and partners. They are only given access to what you decide to give them permission to access - via their own unique, auditable IDs. At any time, via this auditability, you are able to see who has accessed what and what they have access to. Adjusting this accessibility is, again, just one click away. 

Now, even if your printer has not been updated and a ‘worst case scenario’ occurs - such as someone, or something (IoT, etc.) unauthorised accesses your network - all they have is encrypted data that is, essentially, useless to them.  Compare that to an unencrypted Excel spreadsheet containing Personally Identifiable Information (PII) - which leaves your company legally accountable for fines, etc., if it falls into the wrong hands. 

Unencrypted integration platforms, data security and data regulatory compliance are serious issues for businesses of any and every size, from the largest Enterprise to the smallest SMB. However, the problems around these issues are eminently and simply solvable. Fl@World stops your reliance on vulnerable platforms and ineffectual firewalls and instead, enables you to connect, collaborate and thrive using secure data.

Automatic, Universal, Data Format Conversion: What It Means To Your Business and Why You Should Care

Automatic, Universal, Data Format Conversion- What It Means To Your Business and Why You Should Care.jpg

by Michael McDonald and Kim Chandler McDonald, Co-Founders of FlatWorld™ Integration

There is little argument that accurate real-time data is required for efficacy at every point in the value chain. However, because data lives in different systems and formats, extracting it is highly problematic using existing technologies. Fl@World™ provides a unique architecture that overcomes traditional data unification limitations, enabling enterprises to fully leverage their data assets.

If you want to analyse your customer’s interactions, for example, there are multiple places their data resides: Excel spreadsheets, emails, Twitter posts, chat conversations, CRM records, the accounting system, shipping records, point-of-sale records and so forth. This highly fragmented customer data is bound within specific, separate applications and processes. Each of the systems will ‘understand’ the data and display the information its own way.  What you end up with is multiple vendor-specific data/file formats — data silos — even if the data is about the same customer.

This situation is bad enough if the reader of the information is human. The problem is magnified exponentially if technology tries to deal with these different formats via automation robots or machine learning algorithms;  or if your data scientists want to combine these different data sets in some way.

You’d hoped using data would enable you to service your customer better; instead, this data fragmentation problem is costing you time and money. 

Your company’s IT department (and/or your data scientists) have to write bespoke code for each of the data sources. Often this generates another off-line database or bespoke file, further proliferating data fragmentation.

Even for fairly straightforward scenarios,  the data unification process is time consuming, expensive and prone to error (i.e. if the code has a bug or if the information is old) and does not cover data security issues such as:

  • if it is encrypted on disk,
  • who can access this information, and worse
  • who can change this information.

Existing technology solutions do not address these problems. In fact they force your IT team to write ever increasing lines of code.  

Enter Fl@World™ Integration:

  • Fl@World™ is a unique data integration technology which solves the data unification problem “out-of-the-box.” 
  • Fl@World™ automatically creates a vendor-neutral data view, regardless of the application the data resides in. 
  • Fl@World™ enables non-specialised IT staff or Business Analysts to combine and use data very easily to drive business value.
  • At the same time Fl@World™ applies bank-level data encryption, regulatory compliance and data access/logging controls without you or your IT team having to write a line of code. 

The Fl@World™ benefit is quick, secure data unification —  freeing up IT resources, enabling value creation, innovation and agility, while covering off data-security and compliance.

What is Your Data Quality Score

quality-not-quantity-words-on-board_GJjTpNvd.jpg

by Michael McDonald and Kim Chandler McDonald, Co-Founders of FlatWorld™ Integration

Quality is more important that quantity.” - Steve Jobs

If Samuel Taylor Coleridge were alive today perhaps, rather than bemoaning, “Water, water everywhere, Nor any drop to drink.”, he’d be delving into the data drama. We’re drowning in data, yet so little of it is ‘drinkable’ - too much of it is of little to no use, providing little to no actionable acumen. Knowing the quality of your data will go a long way to ensuring you don’t sink under the deluge. Keep reading to find out why its important, and how easy it is to do.

The fact of the matter is, regardless of the quality of your insight-generating algorithms, the old IT proverb, ‘garbage in, garbage out’ holds true.  If you don’t know the quality of your data then you not only run the risk of offering poor service but, worse than that, of offering the wrong service to your clients, customers and colleagues.

Data is replicated all over your company. The same person (be they client, customer or colleague) can have the same type of data (the product data, name and address data) stored in scores of systems over a multitude of spreadsheets and it will, undoubtably, go into a wide number of reports. 

Unfortunately for most companies, this data can be inconsistent, incomplete, out-of-date, or worse, plain wrong.  Moreover, this same data is likely being rolled into processes that are feeding your decision making or, increasingly, into your machine-learning algorithms. Which leads us back to the basic problem: ‘garbage in, garbage out’. Simply put, you need to measurably separate your data into data that works for you and data that works against you. 

Measurement of your data is surprisingly easy to implement. It can be as simple as adding in a confidence or quality level ranking to your data from 1 to 5 (1 being unknown and/or unverified and 5 being completely accurate and/or verified).

This simple assignment of quality can be easily added into your machine-learning/analytics/reports. In doing so, you can confidently ask for “the data we really know about our customers,” and, from there, determine real, actionable and, most importantly, relevant outcomes that can drive happier more valuable customers.

The alternative is being immersed in ‘good decisions based on bad data’ - the worst outcome possible for any investment in data-analytics/machine-learning.

In five easy steps you can create a quick benchmarking/scoring of your company’s data, which will inform everyone from operational to strategic management how much they can trust the data they are building their decisions from.

The steps are:

  1. Identify your core information. For most companies this would encompass their customer profiles and associated product portfolios. Most companies will view customer service as being essential, so product use and any customer service related data can be defined as your core data elements.
  2. Identify your SoR (Source of Record). In most companies you will have more than one system storing your core information. You need to select one system for each core data element – its recommended that you choose the system that has to the most up-to-date and accurate information.
  3. Scoring. You then need to score each data element (e.g. customer address) in your core data on a simple scale between one and five. The range should reflect one equating to, “we don’t know” and 5 equalling, “we know that the information is correct because we had the customers validate the address, we have cross checked it with 3rd party data and the addresses are “real” i.e. they work in Google Maps”. A score of 3 would be the norm for most SoR systems; this is because generally customers update this data, therefore it is only as accurate and as up-to-date as they have entered it and ‘agreed’ to share with you.
  4. Measuring. You now have a simple measurement/score reflecting how much you can trust your SoR data. Now all you need to do is make sure you use this scoring data to generate your reports so you will generate consistent reporting, from different departments, with a known quality of data. 
  5. Validation. Machine-learning/deep learning (also known as AI) can require large amounts of data to ‘work their magic’ but they can generate poor results with poor data. Big data in no way guarantees Smart Data so systemic data quality/validation processes need to be put in place for SoR that score a 3 or less. This means creating a method of checking your data for accuracy, timeliness (is is up-to-date) and completeness (are we missing anything). The result will be that your data will a) be of better quality and b) won’t go out-of-date as it would be the case if it was a ‘one-off’ fix.

Data is cheap, information is invaluable.  With your uplifted SoR data driving your analytics, reporting and any machine-learning/AI your company will be set to begin the journey to offer the sought after omni-channel, hyper-personalised service you need to differentiate in today’s global and hyper-competitive market landscape.  

Rethinking Compliance Complexity

blog.png
by Michael McDonald and Kim Chandler McDonald, Co-Founders of FlatWorld™ Integration

It is rare to find a company anywhere, of any size, that is not acutely aware of compliance issues. We’ll bet yours is.  Additionally, if that weren't enough, in all likelihood you’re in the midst of struggling with the implications of what, logically, should be a relatively simple task. But we’ll bet it isn’t.

Compliance normally takes the form of:

1.  Regulatory (e.g. government legislation on Anti Money Laundering (AML), Privacy of data (GPDR), Regulatory Reporting (BCBS239) etc.);

2.  Contractual (e.g. Reuters may license their data to your company under conditions); and/or

3.  Voluntary (e.g. protecting user’s data etc.).

Generally, most boards and ‘the C-Suite’ (CEOs, CTOs, CIOs, etc) are more focused on number 1) - Regulatory; however, all three have the capacity to capsize a company if they are not dealt with correctly.

To give credit where it's due, most companies treat compliance requirements seriously and put aside (sometimes considerable) funds to address the issue. But, therein lies the root of most company’s challenges: understanding exactly what issues they are attempting to solve. Perhaps that’s your challenge too.

Simply put, to be compliant, you must prove to a third party (be that the government, an external auditor, a company that licenses their data to you) that:

a)      You are capturing and securely storing all the data that you are required to.

b)      That the data that you have captured and stored can only be altered and enriched by authorized systems/devices and/or people.

c)       That extra data has not been added to and/or removed from the relevant data sources.

All this is expected of you in the vastly changed, and rapidly transforming, digital economy wherein the end-user experience (be they client, customer, colleague, partner or supplier) is everything.

To accommodate this seemingly endless list of end-user expectations, many companies are buying in and/or licensing external data sources. Are you? Perhaps you're merging data and then applying data science (machine learning or otherwise) to improve the relevance to your end-users in hopes that this will satisfy them.

Unfortunately most IT departments have:

a)      A lot of different systems;

b)      A lot of ‘’spaghetti' code trying to link those systems together; and

c)       A lot of different views of data (e.g. hundreds if not thousands of Excel spreadsheets).

Combine these issues with your need to interact with ever more demanding end-users and external vendors (data providers or otherwise) and you find yourself in an extremely unenviable position of not knowing what your exposure is to compliance breaches. These breaches, be they regulatory, contractual or voluntary, will, at the very least result in bad PR; however, they can also lead to fines and, in some instances, the loss of your licence to trade.

Within your compliance struggle, there is a strategic opportunity in reimagining how to crack this conundrum simply, swiftly and securely while dealing with the high costs, complexities and slow moving realities of current approaches. That opportunity is at the heart of our Fl@World technology, which has data compliance and security built in and useable out-of-the-box.  Fl@World is secure, compliant, fast, frictionless and easy for users across different divisions and/or organisations to use. To find out more about how Fl@World can help you, complete the form and one of our team will be in touch to organise a demonstration.