Security Education

When Information Shouldn’t Be Free

I had an interesting conversation the other day. It forced me to re-evaluate some assumptions I didn't even know I had.

Don't you just love those kinds of conversations?

I had mentioned to a friend that I worked for OCLC. The company is well-known in central Ohio and in the library community, so folks have an idea of the products we offer. My friend asked what I did there.

"I'm the Manager of Global Security," I said. I've worked for companies with a national (US) scope before, but I'm still a little uneasy with the "Global" part of my title. I'm constantly asking myself if there's something we're missing in terms of protecting Confidentiality, Integrity, and Availability (CIA) -- and what forms danger might take in locales I'm not familiar with.

So I was completely unprepared for his response.

"Security? For libraries? Don't they give information away?"

I see library support systems from the inside out. My friend saw it from the outside in -- starting with the kiosk to look for materials. So from his perspective, libraries were all about data flowing to him, and the less friction, the better!

Two thing occurred to me.

First, we must be doing a decent job with our security if it's so transparent! My friend didn't think twice about using his library card to check out a book -- or give any thought to what that card represented. It just works.

Second, yes, information should be free -- except when it shouldn't be. Bibliographic data? Let's get that out there. Let's make searches intuitive and easy and fast. More relevant data is better. 

But what about my friend's name and address? Phone number? E-mail? Other personal information that he might have given his local library branch?

That information should absolutely not be free. 

Privacy is important. The posts on this site that talk about writing secure applications? The work of institutions like the National Institute of Standards and Technology? It's all about letting pubic information be public and keeping private information private. And while I acknowledge that it's hard keeping high volume public data systems running (what with designing for scalable high availability and all), I think it's a bit harder to maintain that high volume for private transactions. Making sure it's my friend using his library card, and not some scammer, takes work, from architecture to design to development to testing and all the way through routine operations.

Security is only as good as the weakest link.

Back to my conversation: I agreed with my friend that bibliographic data should be free. And then I asked him how important it was to him to keep his private information out of the public eye -- like the information the library had about him. Like the information that made it possible for his library card to work.

Would he want that displayed on a kiosk?

Put that way, he got it immediately. Looks like I wasn't the only one who had a changed perspective by the end of the conversation! 

terrance
Terrance A. Crow is the Manager of Global Security at a global library services company. He holds a CISSP and has been writing applications since the days of dBASE III and Lotus 1-2-3 2.01.
https://www.interstell.com

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.