Follow me on Twitter @AntonioMaio2

Sunday, April 17, 2016

The Dawn of Transparency

Last week we saw Uber publicly release its first Transparency Report ( and they've committed to release one every 6 months.  This has actually been happening for a few years.  Google began this trend for major tech companies in 2010, followed by Twitter in 2012 and now we have a number of other companies doing the same:

A transparency report is a public statement issued by a company, on some sort of regular basis, that discloses aggregated data (not individual instance data) about requests for user information or content. These requests are made by governmental or regulatory bodies, as well as law enforcement agencies. Transparency reports are focused on a specific period of time and typically include how frequently these agencies request data and the types of responses provided. They also include under which authority the requests were made such as subpoena, search warrants, court order or emergencies.  Disclosing a transparency report helps the general public understand the scope and authority by which regulatory bodies are permitted to access personal information that we would typically consider private.

In the last 6 months of 2015, Uber reports that it handled 415 requests for private data from various law enforcement agencies.  It provided at least a portion of the data requested in approximately 85% of cases.  Out of those requests 368 came from state run agencies, while 47 were from federal agencies.  As a result of these requests, 408 riders and 205 drivers were impacted.  As part of its report, Uber states that it makes it a policy to protect passenger privacy and requires valid and sufficient legal process from official government agencies before disclosing any information about its customers. It typically attempts to narrow the scope of data requests, which it is successful doing in some cases.

I find the release of transparency reports significant!  It means we now have major tech companies, who request and use our personal information every day, releasing information to the public that clearly describe how they handle requests for that private data.  This helps to put pressure on those technology companies retrieving our data to securely store and protect that data, and it shows that they are making attempts to do just that.  This also allows us as consumers of online services to understand the scope of government requests and to watch the trends - to see if these requests are increasing.  Finally, it sheds a light on a practice that would otherwise be kept secret, and it encourages us to put pressure on our governments and law enforcement agencies to handle our personal data with the sensitivity and care it deserves.

Consider a very simple scenario where a law enforcement agency requests data from an online service about an illegal activity related to a person named 'John Smith'.  What if your name is also 'John Smith' and you happen to use the same service?  Your personal data may get lumped in with the data provided.  You want law enforcement to be able to do its job of course.  However, you would also like to think that the data provided is under some sort of legal retention policy so after a specific amount of time, once the legal case is closed, your data is permanently deleted and you're no longer inadvertently associated with the case.  Unfortunately, many organizations take the stance of keeping data around forever, just in case.  You would like to think that the agency is taking appropriate steps to control access to that data, and storing it securely so it cannot be inappropriately exposed while in their hands.  However, agencies may not necessarily have (or follow) policies that define how personal data should be handled and secured.  You would also like to think a law enforcement agency will not disclose your data to other government agencies, but we have no guarantee of that. 

Last week we also had Microsoft announce that they are suing the US Justice Department for its frequent use of gag orders preventing it from telling people when the government obtains a warrant to read their emails.  Microsoft states that the gag order statute in the Electronic Communications Privacy Act of 1986, as employed today by the courts, is unconstitutional.  According to Microsoft, the practice violates the Fourth Amendment right of its customers to know if the government searches or seizes their property, and it breaches the company’s First Amendment right to speak to its customers.  Although the case could be in the courts for months or years, Microsoft is trying to start a public debate about the frequent use of secrecy orders in government investigations.  Microsoft reminds us that they do not own the data within their service - that the customers own their data and Microsoft is simply the custodian of that data.  Their position here very much is in line with that statement.

My personal information in many ways is my identity and I want to make sure my government does everything it can to protect it.  I for one, as a security-minded person, applaud Uber, Google, Yahoo, Facebook, Twitter, Apple, Microsoft and others for these efforts towards transparency!  The transparency report is an excellent practice which allows us to get an initial view into how personal data is accessed by our governments, regulatory bodies and law enforcement agencies.  We can begin to debate how much personal information governments should be allowed to access and what they must do with it.  Finally we can start to work with these organizations to ensure that they put in place appropriate security policies and privacy controls to better protect our personal information and identities.

Monday, April 4, 2016

Securing Office 365: Activity Monitoring

Thanks to everyone that attended my session this weekend at SharePoint Saturday San Antonio.  Thank you also to the organizers of this great event!  I really enjoyed giving the session on Office 365 Activity Monitoring and was very happy that the audience was so engaged!  Great Questions!
My slides can be found here on SlideShare: 

If you'd like to download the presentation please click the link just below the embedded presentation.  Those who have seen my previous posts on this blog will see that I previously posted a presentation on this topic.  Microsoft has updated the Activity Monitoring feature in the Office 365 service in the last 2 months and this presentation is updated to take those updates into account.

As mentioned, Activity Monitoring is just 1 important part of securing our enterprise content management environments, but its not a "set it and forget it" activity.  Making real use of activity monitoring to help improve the security of our systems requires the right policies and procedures in place, and it requires active management and regular review of the logs.  It also requires getting the logs into some form that is not too labor intensive to retrieve, format and review.  I typically recommend the following policies:
  • Review privileged user (administrator) access quarterly
  • Review user access annually
Depending on the number of users in your environment, the annual access review may or may not be very practical so you may have to find some ways to make it practical, like:
  • Taking a sample of users
  • Developing some automated scripts or code which extract specific anomalies in the logs, like if you've identified where sensitive content exists and looking specifically for access to those areas
There are lots of other ways to make this practical, but it will likely require some serious work to put these practices into place in your specific business environment.

There were some really good questions about how you might use PowerShell to extract specific details out of the activity logs.  I'm working on a simple script to do just that now, which I'll try to post later this week.