Subject: Re: [ekmi] Re: [P1619-3] OASIS EKMI Article in InformationWeek


Now we're confusing the technical ability to solve a problem with
the risk-management strategy and will of individual decision-makers
in a corporation.

To the extent that share-holders reward executives for cutting
corners (even if through ignorance), company managers will continue
to take chances with our data and money.  However, with each new
breach that gets disclosed, the regulatory pressure increases for
the entire IT industry.

The IT industry is a very immature one compared to finance.  Even
after nearly 100 years in existence (see the "Creation of the SEC"
- http://sec.gov/about/whatwedo.shtml#create), we still see the need to
regulate the financial industry because of people like Ebbers, Fastow,
and auditors like Arthur Andersen.  The regulation around IT has just
begun.  As newer Ebberses, Fastows and Arthur Andersens of the IT
world take risks with data, the regulation will continue to ratchet
upward.  EKMI is just one long-term solution for heading off that
regulation and doing the right thing by customers.  What IT managers
do with it is entirely up to them.

Arshad Noor
StrongAuth, Inc.

Allen wrote:
> 
> Arshad Noor wrote:
>>
>> Currently, there is a recommendation from NIST that all software/data
>> that use SHA-1 should migrate away from this digest by the end of 2010.
>> How do you think most people will accomplish this?  They will likely
>> modify their applications/data to use one of the newer Suite-B message
>> digests rather than preserve the old SHA-1 data and perennially have
>> doubts about the integrity and veracity of that data because of the
>> de-listed hash.
> 
> Actually I don't think this will be done at all as the amount of work to 
> roll the digests over millions of files without any commensurate ROI 
> will cause the enterprises to cheap out. That is the behavior I have 
> seen, and is exactly what happened with the CitiBank ATM breach as well 
> as Wells Fargo for older (in the sense of having been customers a while, 
> not actual age of the client) customers.
> 
> They will likely say that the tapes (or whatever) are stored in a 
> protected vault and so need no additional protection. That is what WF 
> has done about encrypting their databases.
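The digest rollover that Arshad's quoted paragraph describes (re-computing integrity digests for stored data with a newer Suite B hash instead of keeping SHA-1 around) can be shown in a few lines. The following is an added example, not code from the thread or from the EKMI project; the manifest layout and the `roll_manifest` helper are assumptions, and the sample files are constructed in memory. The point it makes is that the legacy SHA-1 digest is verified before the new SHA-256 digest is recorded, so any data that no longer matches its old digest is flagged rather than silently blessed with a fresh hash.

```python
import hashlib

# Constructed sample data: file contents held in memory instead of on disk.
SAMPLE_FILES = {
    "policy.txt": b"retain for seven years\n",
    "ledger.csv": b"2008-01-01,credit,100.00\n",
}


def digest(data: bytes, algo: str) -> str:
    """Hex digest of `data` under the named hashlib algorithm (e.g. sha1, sha256)."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def build_manifest(files: dict, algo: str) -> dict:
    """Map each file name to its digest under `algo` (the legacy manifest format assumed here)."""
    return {name: digest(data, algo) for name, data in files.items()}


def roll_manifest(files: dict, old_manifest: dict,
                  old_algo: str = "sha1", new_algo: str = "sha256"):
    """Verify every file against its legacy digest, then record a new digest.

    Returns (new_manifest, failures). A file whose legacy digest is missing or
    does not match is listed in `failures` and gets no new digest: re-hashing
    it would turn an unknown integrity state into an apparently verified one.
    The legacy digest is kept alongside the new one so old records can still
    be cross-checked during the transition.
    """
    new_manifest = {}
    failures = []
    for name, data in files.items():
        expected = old_manifest.get(name)
        if expected is None or digest(data, old_algo) != expected:
            failures.append(name)
            continue
        new_manifest[name] = {
            old_algo: expected,
            new_algo: digest(data, new_algo),
        }
    return new_manifest, failures


if __name__ == "__main__":
    legacy = build_manifest(SAMPLE_FILES, "sha1")
    rolled, bad = roll_manifest(SAMPLE_FILES, legacy)
    for name, entry in rolled.items():
        print(name, entry["sha1"], "->", entry["sha256"])
    print("failures:", bad)
```

Running the module as a script rolls the two constructed files cleanly. Feeding it a manifest whose SHA-1 entry has been altered (or a file that has changed since the manifest was written) produces a failure entry instead of a new digest, which is exactly the case to route to a human before the old hash is retired.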
