Secursmart lets you encrypt cell phone calls and hide the contents from prying ears.

Last month the FBI and their UK counterparts at the Metropolitan Police had a phone conference to discuss strategies for dealing with the hacker group Anonymous. Trouble was Anonymous tapped into the conversation, recorded it and published it on the Internet. Talk about embarrassing.

Talk about preventable.

How could they have prevented this situation, you might be asking? By encrypting their communication to prevent this kind of eavesdropping, that’s how.

While I was visiting CeBIT recently, the enormous technology trade fair that takes place each March in Hanover, Germany, I learned about a company that encrypts cell phones and other types of phone communication.

The German company is called Secusmart, and it has developed technology to add voice encryption to land lines and cell communications — and according to a spokesperson, it works with SMS messages too. So far, their customers include German government authorities, Nato and EU government entities.

The company says it can secure a phone system onsite or it can encrypt calls coming from a mobile phone using a MicroSD card, which works on all phones that have MicroSD card slots including Blackberry and Android phones (but not iPhones, which don’t have such a slot).

The solution offers end-to-end encryption, assuming both parties are using the solution. If they are not, they still get partial protection on the device where the card is installed. According to Secusmart, the encryption happens in real time and if your call is encrypted, there is a message on the phone indicating this, so there is no room for mistakes.

The company claims the encryption has no impact on call quality, but they admit that it’s not cheap (although they didn’t give a price during a meeting with the press). The spokesperson also said there is no backdoor into the system because as he said, “An insecure-secure product is worthless.” True enough.

When someone taps into the phone call, all they will hear is white noise. What’s more, Secusmart solutions also validate who you are talking to avoid “man in the middle” attacks where someone intercepts the call and claims to be the person you are calling.

It’s a technology that the US and British law enforcement officials might have thought to have in place to prevent the kind of embarrassment they faced when Anonymous was able to listen to their conference call.

If they had Secusmart technology (or something similar) in place, Anonymous would presumably have only heard white noise, not the text of the entire conversation.

But this technology is not just for law enforcement. Companies who have sensitive discussions about business matters over phone lines also should be worrying about this. With hacking and espionage seemingly everywhere, you have to at least consider equipping your high-level executives with this technology, and depending on your business, perhaps the entire company communications system.

It could protect your company from prying ears — and chances are they are out there listening, whether you know it or not.

When the federal government demands stringent security requirements from cloud vendors, you get them too.

The US government is looking to go the Cloud in a big way as a way to save money and consolidate data centers, but as part of that initiative, FedRAMP is a way to streamline federal security approval. If the cloud vendor can pass the US government’s security muster, chances are it can pass yours too.

FedRAMP is a set of federal guidelines, which define the minimum level of security required for a cloud vendor to do business with the federal government. As Dave Perera writes on FierceGovernmentIT, FedRAMP outlines 116 total controls for low-impact systems and 297 controls for moderate-impact systems under FedRAMP.

And when the cloud vendors are done doing that, your business is going to benefit too.

And that’s a big advantage of cloud computing for any down-stream businesses. Years ago I interviewed somebody from Salesforce.com who pointed out to me that when the company’s largest customers ask for certain features, everyone benefits, even a small business with just a few people.

That’s because there is usually only one system, not a tiered one, so when the biggest enterprise or government customers make feature requests you can get that same level of service no matter how big you are. This is a departure from the way traditional proprietary enterprise software usually works. If a small business wants the same level of security as an enterprise, it’s probably going to have to pay through the nose for it. The cloud offers these services at a much more reasonable entry point and you typically only pay for what you use.

Just this week, in fact, FierceGovernmentIT reports that there was a major update to FedRAMP guidelines that takes the security controls even further, providing a soup-to-nuts approach for privacy and security, mobile-specific controls and inside threat mitigation.

That’s an important package of controls for any government agency, but even better, if the cloud vendor is building out this kind of control for the government, it’s building it for you too.

Security and privacy concerns aren’t just the domain of the federal government. These are primary concerns for enterprise customers too and these controls should go a long way toward addressing some of the primal fears of letting go of control of information in the cloud.

As stringent as your security may be, I’m guessing in many cases, it probably hasn’t met the criteria outlined in these guidelines. In a post on dZone’s CloudZone, consultant JP Morgenthal called the cloud the great equalizer, giving big businesses a way to be more agile and flexible while giving small businesses the access to the same services as their larger counterparts.

As the cloud grows in popularity and moves from small to big business and into all aspects of the federal government, these advantages will only grow more apparent, as even the smallest business gets the same service as the federal government.

Computerworld reported that last week, the FBI has reaffirmed that cloud computing vendors must comply with its strict criminal database access and sharing rules to do business with them or any US law enforcement entity. These rules are known as Criminal Justice Information Systems (CJIS) security requirements.

When it comes to sharing data online, the FBI most definitely did not just fall off the turnup truck. In fact, according to its web site, The FBI established the CJIS division all the way back in 1992 and the security requirements are a precise set of rules developed over the years to help law enforcement agencies share criminal database information in a secure fashion.

The FBI is now insisting that any company that wants to sell the FBI (or any US law enforcement entity) cloud services has to comply with these regulations, which involves ensuring that *anyone* who has access to the criminal justice information has been fully vetted including a finger print background check.

The situation has become even more confusing because other federal agencies have been content to hold cloud vendors to the the FISMA Guidelines up to now. David Perera, who is editor at FierceGovernmentIT says trying to sort out the different Federal Government security guidelines can be confusing.

“FISMA requires that all IT systems undergo a security risk assessment, have adequate controls and be expressly authorized to operate on the network. The controls, correlated to risk (roughly, low- moderate- and high-), are kept in NIST Special Publication 800-53,” Perera explained.

He adds that the cloud only adds to this overall puzzle. “So cloud systems are just like any other system operating on a federal network, in that sense – except that the Obama administration wants individual agencies to start accepting cloud authorizations to operate on a government-wide basis, rather than having each agency go through the FISMA process each time a cloud provider sells them a service,” he said.

And of course, Perera added, if you’re involved in national security, that’s something entirely different and these departments can depart from FISMA guidelines to layer on their requirements, as the FBI has done in this case.

But is the FBI being completely fair here? While it’s clearly their right to protect the databases and the information in it, should these same strict guidelines apply to any cloud service the FBI uses?

The FBI and Justice Department may have very sound reasons for this because some of this data may end up in a Google Docs document, for example, and perhaps it’s too hard to have more than one set of rules for different situations. Instead, they decide to apply the most stringent policies to everyone to ensure nothing slips through the cracks.

Regardless of why or whether it’s fair or not fair, the FBI has made it clear its cloud vendors need to comply, and if they can’t, they won’t be able to do business with US law enforcement.

In a move that had to disappoint Google officials, the Los Angeles Police Department rejected GMail as an email option, saying that the system failed to meet federal security guidelines for cloud applications.

According to an LA Times article, city official couldn’t see any way for security and cloud computing to live in harmony:

Google’s system “does not have the technical ability to comply with the city’s security requirements” and that those requirements are “not currently compatible with cloud computing,” the story quotes LA officials.

That had to hurt, especially when Google cites an LA official on its Google Docs for Government web page, and LA has repeatedly been the poster child for Google in terms of the huge cost savings Google Docs and GMail brings to the cash-strapped city — but when it comes to the higher security requirements of the police, it’s apparently not quite enough.

The question becomes if the city’s security requirements are that stringent, is any system really secure enough? As we’ve seen in the last year hacker groups like LulzSec and Anonymous have shown how easy it is to get into law enforcement computer systems.

LulzSec attacked the CIA computers in the middle of June and one week later went after the UK’s Serious Organized Crime Agency. Would these sites have passed the City of Los Angeles guidelines? I would like to think so (although I can’t say for sure), but one thing I can say is that being behind a firewall didn’t seem to help these agencies.

I can understand why LA might want to tread carefully here and make certain that the version of GMail they are getting is secure and passes any guidelines set by the federal government. FierceGovernmentIT reported last year that the General Services Administration adopted GMail at great cost savings to the tax payers, but that the US Army chose to use a cloud email solution developed by the Defense Information Systems Agency. Obviously the two agencies serve very different purposes and had different requirements.

It may be that the general city government goes with the Google solutions and the police decide like the army to find a separate, more secure solution (at least one that seems more secure), but I think officials need to be realistic in terms of what’s possible regarding security at this juncture.

Perhaps no systems exists that will ever be secure enough, and LA officials have to balance budget considerations with security requirements — no easy task, I’m sure.

For now, it leaves Google, and cloud vendors in general, left to once again answer the cloud security question and nobody, least of all Google, can be happy about that outcome. ]]> http://itknowledgeexchange.techtarget.com/mobile-cloud-view/gmail-fails-la-pd-strict-security-requirements/feed/ 0