The keys to your data

It has been a while since I tapped out a post on security and privacy but today I read several posts that got me inspired again.

Bruce Schneier (thanks to Kim Cameron for the pointer) picked up on the two sets of stolen keys for the Sydney train system that allowed the thieves access to all trains on the City Rail network. Now the inspiring portion. I read the story and thought how funny; Bruce saw a completely different take: global secrets. Now after reading Bruce’s item on global secrets I can see a correlation back to the HR/Payroll space (personally I find it cool how ideas build on each other, but that could just be me).

A global secret, for all of the non-technical readers, is a secret that, once known, allows you access to everything: you either have it or you don’t. It is security talk for being either “in” or “out”. For obvious reasons they are bad, but you would be surprised how often they are used. For example, how many people use the same password everywhere? This is your own personal global secret; once the password is compromised, everything is compromised.

Now within an HR/Payroll space this gets interesting. I don’t want to scare anyone, but you need to be aware of the security landscape for your core HR/Payroll system. Is there a global secret for your core system? Do you use your own personal global secret for access to the core system? Taking this further, what about your IT department? Do they operate with a global secret for the database or your application? Maybe you should ask.

Another item that got me pumped was Kim Cameron’s experience of being tracked by his Bluetooth phone! During a recent conference a series of scanning devices was installed in the presentation rooms as an experiment to track conference participants. While Kim seemed a little miffed, he understood where they were coming from and was in fact used as an example during one of the last sessions, where a presentation slide mapped his movements during the conference, including when he ducked out to take a phone call.

Now that is scary! But apparently easy to do; the average IT geek could probably hack together such a system in your office without you knowing. Where does that leave the company and you from a privacy point of view, and what sort of industrial issues could it create if not properly managed?