According to her bio, Parisa Tabriz is an information security engineer on the Google Security Team, where she hacks on new products and features, helps develop tools to find security bugs, and educates other developers on security vulnerabilities and defences. She'll be covering Google's approaches and solutions to security in her talk at the Security Summit. In the online era the security problem is only escalating, as attackers grow more sophisticated and the stakes get higher. Brainstorm posed a few questions to Tabriz in advance of her local appearance.
B: What do information security experts need to consider now to prepare for a future where everything is online?
PT: Many of us are already living in a world where everything is online. Today, the internet is my primary source for information consumption. I read current news and events, do factual reference (e.g. Wikipedia) and product research, and seek out video entertainment and reviews. I can do a lot of life management online as well, like booking travel, making restaurant reservations, and managing my personal finances.
Identity theft continues to be a big concern. The same motives for crime in the physical (real) world exist in the online one, but the complexity and potential for anonymity on the internet make it more challenging to establish identity and credibility online.
More recently, a huge trend I see is the increasing amount of information people share online and the complex and varied ways this information can be accessed by others.
For example, people today publish rich profiles on social networks with very personal and specific information about their life, including preferences, religious beliefs, and political views. It's also common for people to upload and share pictures and videos, publish blogs, and tweet or update their status or location. All of this has improved the online experience. It means I can easily share my thoughts and trip photos with family, reconnect with friends around the world, and enjoy services that are more personalised and efficient for me to use. This is great!
But with more information out there and more convenient ways to get to it, we need to solve some pretty complicated privacy, access, and data protection problems to prevent unintended and unauthorised access to personal information.
B: The security community works together to a large extent already. Will that be enough? Do we need more formalised structures?
PT: The information security (infosec) community is relatively small and tight-knit, but there is definitely room for more technical collaboration and information-sharing, both in and across the private and public sectors.
Having close relationships with security teams in other tech companies and academic institutions, as well as individual researchers, has been hugely beneficial at Google, particularly when working on vulnerability response. Many of these relationships have been created informally, through previous collaboration on projects or work, meeting at conferences, or informal gatherings. We've also established a number of relationships with external researchers who have reported vulnerabilities in Google products over the years, and it makes a big difference when you know the right person(s) to contact in that critical moment.
Increased sharing of technologies and best practices is important, too. This is something that is broadly encouraged in Google's engineering culture. Within security, we've open-sourced a number of security testing tools, documents, and codelabs that we hope are useful to other security professionals and engineers.
We've also pushed the industry toward broader use of secure connections (HTTPS) and advanced authentication, which we call two-step verification.
I personally think there are limits to what can be gained from more formalised structures. It's important to concentrate expertise, focus, and internal processes within organisations, as well as share contact information broadly so everyone knows how to reach each other. These are tough issues that deserve a great deal of thought, and exhaustive checklists and governing bodies have to be very carefully structured to avoid introducing added complexity or standing in the way of effective collaboration.
B: The security-versus-bad-guys war is a long and ongoing one. With what do IT departments need to arm themselves to win in the long run?
PT: Like most real good-versus-evil stories, there isn't any simple solution. Cultivating security expertise within the company is critical. If you don't have the people with experience in your organisation, evaluate third-party offerings carefully and remember to think broadly to cover all of your business needs. Building security awareness and providing security training to all employees is also important, and business leadership needs to prioritise and incentivise all of this work. Unfortunately, there isn't any magic security spray that wards off attackers, but acting as a good internet citizen helps. At least you'll have a better time finding help when you need it.
Parisa Tabriz will be speaking at the 2011 ITWeb Security Summit, to be held at the Sandton Convention Centre, Johannesburg, from 10 to 12 May. Visit www.itweb.co.za for more information.