KuppingerCole Webinar recording
Okay, good afternoon, everyone. And welcome to this KuppingerCole webinar on cloud assurance, cloud risk, cloud risk awareness in the light of PRISM.
Well, when we created this title, apparently we only knew about PRISM and since then even more has emerged. So this webinar will not be limited to simply the revelations about PRISM, but will also include some of the other revelations.
So in terms of what we're going to do, let's look, first of all, for those of you that don't know KuppingerCole is a boutique analyst firm in, in Europe based in Germany, but with, with offices in the US and the UK and expanding into Canada and Asia Pacific, our company was founded originally by Martin Kuppinger and Tim Cole, and focused on identity and access management. But in fact, this has now widened out to many other things. And my specialist area is cloud computing and information security.
And there are lots of research papers that you can find on our website and our main event every year is the European Identity and Cloud Conference, which is held in Munich in May and next year that will take place, but there will also be a conference in Asia Pacific and a conference in, in Canada. So I'm just going to cough, excuse me.
So this, this, this webinar qualifies for continuing education credits and you can see what the learning objectives are on this slide. If you want to claim these continuing education credits, then you will need to take and pass a test at the end of the webinar. And the details of this test will be sent to you by email. So there's going to be three parts to the, to the webinar. The first part, I'm going to really talk about government intelligence and what the revelations have recently been.
Then I'm going to do a section on protecting data in the cloud, and hopefully we will have some time left for some questions and answers, so at that point, we'll have a Q&A session. So let's start off with government intelligence and the cloud. So what is the role of intelligence?
What is the information that is collected and are the activities that come from this government work all benign or are they in fact a threat because they have certainly been presented as a threat by the media, but many of the people that work in the intelligence services will consider that what they are doing is in fact intended to keep people safe and secure from terrorism and extra national threats. So intelligence is not an old thing.
And certainly one of the things that characterizes it is in in fact, looking at who has been saying what to whom and I had the privilege to stay in a hotel in what was one of the USSR countries in the last few years. And in the basement of this hotel, there was the bugging equipment which had been used during the old Soviet controlled era that could bug up to 32 conversations simultaneously.
Now, certainly bugging was something that comes out of the Cold War and John le Carré novels. And indeed it's still an area of considerable interest to people. Some people would view that as being a gross invasion of privacy. And I think most people would, would do that, but there, there may have been good reasons for them to do it. I'm sure that I would not like to have been bugged.
The, the, the collection of information is as old as the, as, as the nation state. And I'm not sure how many people are aware of the Zimmermann telegram. Now during the First World War, that is the 1914-1918 war. The high tech super highway of the time was the undersea telegraph cables, which carried information in Morse code. And the British Navy at that time realized that the, that the German enemy was using these cables to send signals around the world. And so it was systematically working its way through the cables that bypassed the UK.
And in the end, they forced all of the traffic that was going from Germany to go through the one cable that remained, which went through London and was run by Cable & Wireless. And this enabled them to intercept the messages. Now the German high command knew quite well that this was going on. And so they took the trouble to encrypt the telegrams.
In fact, what, what, what actually happened was that a drunken station had a Christmas sent out in Christmas, 1916, sent out the same Christmas greeting message using six different codes. And based on that as a, what is called a crib, the, the UK, the British government was able to work out how to decrypt these messages. And so when in January, 1917, the French, the German foreign minister Arthur Zimmermann sent a telegram to Mexico, basically offering Mexico parts of what were the United States in return for joining the German cause.
This message was intercepted, decoded and, it turned out, was in fact the, the, the, the main reason, the main impetus for the US joining in with that particular conflict. So this shows you that interception and decoding of messages is not a new thing. So people think that what has been discovered by what was put in the press over the last few weeks has been something that was really new. But in fact, the UK Government Communications Headquarters, which is in Chatham in fact, put out a most unusual press release.
In fact, they hardly put out any press releases, but in 19, in 2009, they put out a press release, which you can see on the slide. And that talked about a program which became known as Mastering the Internet and was subsequently described as being Tempora. And indeed, if you are concerned with what information is being passed between people, then you have to find some way of gathering and being able to control and at least read what, what is going on over the internet and over the phone system.
So to look a little bit at the, the sort of timeline about PRISM, that what seemed to have happened is that this, this, this chap came out and Edward Snowden came out and gave some information to the UK Guardian newspaper, which reported that the National Security Agency in the US was collecting telephone message messages of millions of Americans that were not suspected of crimes.
And this was of interest in the UK because part of the story that was being told was that in fact, that the U UK was in fact using the fact that there was this extraterritorial collection of information to in fact, spy on UK citizens. Now, I think there's been a great deal described about this, but Mr. Snowden is now hiding somewhere in a transit lounge in, in Moscow airport and the US and the UK have both quite categorically stated that all of this stuff that's being collected is being collected in a perfectly legal way. So why is it legal?
Well from the US point of view, the US had a 1978 law, which was called the Foreign Intelligence Surveillance Act, which was a description of the proper procedures for surveillance and collection of information between foreign powers and agents of foreign powers. Now, some of you will remember that in 2009 11, that you couldn't quite attribute what happened in 9/11 to particular foreign power. So the USA PATRIOT Act specifically changed that to include terrorism that was not specifically backed by a foreign government.
And so this sets out the rules of engagement, if you will, for how you can collect that kind of information. And you can look at the website that I described and it describes how it does this. And so there are different ways for getting works, but basically there is a legal process that the government or the agents of the government can go to to say, this is what we are going to study. And at the lowest level, this simply studies what is called metadata, which is the data about calls.
And then you can go one stage further and get an authorization for a specific wiretap to look at the content of those calls. So what about Tempora?
Well, just remember what we said about what happened with the Zimmermann telegram. Well, London and the UK is a hub for large scale fiber and other kinds of telecommunication systems, which all go through this focus, these co these carry not only the internet, but they quite carry financial transactions as well as other kinds of traffic. And so it appears that this Mastering the Internet project that I described in fact has become renamed Tempora and is capable of sucking up information from all of these fiber optic cables and keeping enough of it for 30 days so that it can be sifted and analyzed.
And so how is this legal? Well, again, post 9/11, the UK government passed this thing called the Regulation of Investigatory Powers Act, which was a law, which, which specified what governments have to do to do this. And in fact, this was put forward as being a key move for anti-terrorism.
In fact, it fell into considerable dis disrepute within the UK, because the powers that this gave were very similar to what we've been describing, which was that you, these various parts of the public service, in fact, quite a lot of people now had the right to legally request information on connections that is who had called, who, who had done what, and, and who had spoken to whom prior to getting a proper authorization to do a warrant, to, to put in a full wiretap.
Now, it turned out that this was being used by local governments for such amazing things as what people were putting in their recycling bins and to prosecute them for improperly using it. And also there was a famous case where a family was investigated by private investigators using these powers, because it was believed that they were claiming that they lived in the catchment area for particular school when in they didn't. So when there was an attempt to expand these powers earlier this year, in fact that didn't manage to get sufficient support from the UK coalition government.
And so it's been quietly shelved. So that has then moved on to the, the, the, the different kinds of data that are being collected are in fact, what is called metadata and metadata is the simplest thing to collect. It's the metadata to do with who you called, who called you, which websites you visited, who you sent emails to, and what emails you received from people. And this was the, the bill that was going to go through parliament was going to require that ISPs, for example, retained this information for something like a year and would be required to divulge it on, on authorization.
So it's important to understand that this isn't the content of messages, it's simply the connections and those connections can be very telling. They can tell you who you are doing business with and so forth. So it is more difficult to get hold of the data, to get hold of the data. The government has to go through a process that gets warrant, and that would then allow them to wire tap your call, or look at what it was that you were specifically looking at, or in particular looking at emails. So those are two different levels of data and information now.
So, you know, what, what does all this mean? And the, the thing is that that clearly governments have, have, have, have the right to do this. And they're doing this in order to, they believe to protect the protect the, the citizens. So how does this actually, how does this activity actually impact on not on private citizens in particular, but on businesses.
And so if you look at what the cloud is made up of, then pretty much anything that you let out of your premises goes through a network, and pretty much anything you send the post, or pretty much any kind of telephone call you make goes through these public networks, which means that there is the possibility of a legal intercept. And so the governments maintain these, these things in order to do protection, and they, they have honed and developed the powers to be able to understand this.
And so if you are using any kind of system which involves telecommunications, then you can be pretty much sure that they are able to intercept your, your calls, and they are able to do it legally within this country. There are, there is also the possibility that some of the more hostile states have also developed this capability, and they are in fact already using that to, to, to look at your data in a less benign way.
Now, let's look at the, the benign view of things. So here's some kind of a measure, which you can get from Google, and Google's actually been very open about this. So there is, as you can see on this, this website, that there is a website, what you can find from Google, the number of requests that they have been able to say, have been made from different countries and which proportion of those requests they actually produced data for.
And it's interesting that the UK, there were less requests, but more made than there were say in Germany, where there were more requests, but less were satisfied. Now, it's also interesting to, because a lot of people think that must imply that the government is asking something dreadful about individual citizens.
But in fact, it is also the case that many of these legally made requests come from the representatives to legal representatives, the attorneys, their lawyers of defendants, and often a defendant will in fact, want an alibi to prove that he couldn't possibly have committed the crime of which he has been accused. And that alibi may be in the form of where you can see that I was making a phone call at the time from somewhere else or that I was using the internet at the time that I'm accused of committing that crime.
But that gives you a measure of the frequency of the kinds of requests that are being made about individuals from different geographies. Now that's all being legal stuff, but then what about information theft? And so these capabilities that governments have built up, and indeed cybercriminals can also be used to steal information and Sir Iain Lobban, director of GCHQ, who was interviewed on the BBC quite recently said that every month GCHQ detects something in the order of 70 sophisticated cyber attacks on UK businesses.
And most of the businesses didn't even know they had been attacked until they are told they'd been attacked by GCHQ. And so there is a serious risk of, or of data theft.
And again, according to the same source, there is a, a high degree of suspicion that many of those attacks are coming from nation states. Much of the data theft is being done by nation states using the technology that they have created for the aforementioned purposes. And indeed this kind of information about loss of, of data is in fact supported by the UK data breaches report. And I mean, there are many of these reports around, but they all basically tell you the same thing that there's a lot of information being lost.
And that information is in fact, cost companies, a great deal of money indeed, on the same BBC program, sorry, Melbourne who was interviewed, it was an interview with Art Coviello who said that the breach that they had suffered, he estimated it cost them 66 million. So these are serious potential things, serious, immediate loss and serious in terms of what you don't know is the, the loss that, that came from people losing trust. And a lot of the information that people, these, these cyber criminals or these nation states are looking for is not simply what is your taste in toothpaste?
This is about finding out what mergers and acquisitions are going on. What is the intellectual property? What are the plans that you have to, to do to do things? How did you make what you are making? And the idea is to gain commercial advantage. So what we've seen from this is you can be pretty sure that if you are sending any information through the telecommunications network, it is possible that it can be intercepted and that whatever you do, it's possible that that could, could indeed lead to some kind of a loss. So how do you set about protecting your data if you are using the cloud?
Well, you might say having listened to what I just was telling you, why would anybody ever use the cloud? And so if you look, there are a lot of organizations that are used in the cloud. This is in fact more the norm than not the norm today. And here are some of the examples it's being able to do more on agile. It's getting access to development resources more quickly than you could. If you were doing them yourself, many organizations are good at doing their own job, but not very good at running it. So use media now use it a great deal.
And they were finding that they could use the cloud to get greater scalability and lower glitch rates. And other organizations find that they can save a lot of capital and hosting costs if they use the cloud. So there are a lot of benefits and people are trying to find a way of getting those benefits with a reasonable risk. And let's look at some of the information risks that are associated with this, and effectively the biggest problem with the cloud is that not only do you send your information over the, over the internet, but you also lose control.
And in some ways the loss of control is in fact more serious because cloud providers are not very happy to, to give you a flexible contract. They want you to lock you into their own particular set of terms and conditions that you, you may lock yourself into a particular API stack, particular technical stack that you may find it difficult to get your data back in other kinds of things like this. So at the end of the day, the, the only thing you can do is decide whether you are going to accept risk and whether or not that risk can be reduced and risk.
I'm defining it in ISO 31000 terms, which is risk is defined as being the effect of uncertainty on objectives and risk management is about reducing that uncertainty. So just to look at some of the things that can happen, that could have an impact on your business, never mind actually losing your data to the government. If the organization that is providing your cloud service goes bust, then you can find yourself in a rather difficult position.
And so this is an example here of a hosting service provider that went bust and the administrators sent out letters with the content that you can see on the slide, which basically said, if you want this service to continue, you're going to have to pay quite a considerable sum of money immediately. Now, there was a happy ending to the story in that the, the particular hosting company was, was passed on by the administrator to another organization. And so everybody's systems carried on. So it was good that there was a happy ending, but it could have been an unhappy ending.
So if you look at all of the risks to do with cloud computing, you can see that there are three different categories: there's risks to do with the processing of the data, there's risks to do with business continuity. And there are legal risks. And on this slide, I've kind of highlighted in red, some of those risks, which are most prominently to do with government interception of data. So it's important that you put this story about PRISM into context and understand that if you're using the cloud, you need to manage the other risks, as well as doing that.
And so if you look at information risk, as opposed to all of the general risks, then one of the big things that we are putting forward in KuppingerCole is the need for better information stewardship. And we are using that term because it seems like there's been an awful lot of work and technology being created around information security, and yet stuff is still being lost.
So looking after what is not your own is called stewardship and stewardship is in fact, something that needs to be applied to information, because most of the information that you handle as a business or you handle as an employee or an associate is in fact not your own.
And there are these four pillars that we talk about, which are really under needing to understand the business and implement best practice, to understand what it is that you have so that you can control what happens to it and, and need to change the perception of security is being something that's really, they're just brought, you know, nice robes that are, that are doing this. And the security department is in fact, just something that's taking all of the fun out of the world, making it clear that everybody needs to be responsible for information secure. Okay.
So starting with the business need. And one of the important things is that there is a perception, an incorrect perception that somehow rather, that everything needs to be a hundred percent secure and that this is one big technology problem, but it isn't information needs to be just as secure as dictated by the business. Need. Some information is very, very valuable and needs to be treated more carefully than other information. And so there are, there, there, it's important to understand and to get the correct balance between these two things.
So here's a way of dealing with that, which is that as an organization, you really need to understand why you want to use the cloud. What is it you think you're going to get as a set of rewards and how you're going to balance the risk against those rewards. And so having a clear objective for why you are using the cloud, whether it's for saving money or getting more agility, or even as one of the presenters at the recent EIC conference said was to improve information security and then set out what the constraints that you have to follow in order to manage those risks.
And here are some examples that you could say, well, I'm not going to put any business critical information. I'm not going to allow anybody to do anything with the cloud that could possibly impact on compliance. And one thing that is forgotten is actually educating your end users about their private use of the cloud. Because often the issue is the end user uses the cloud to get the job done. They post something to their friends using Facebook.
1, 1, 1 organization found that employees were using YouTube to share videos because the actual internal network prevented video sharing. Other, other, other organizations that find that in order to continue working their employees, will associates maybe using private email in order to transmit business information.
Well, it might be okay. It might not be, you have to make sure that employees understand what is acceptable and what is not acceptable in their private use of the cloud to do with the business that you are in.
Now, it, it would seem to be something that goes without stating that you should use best practice, because best practice has grown up over a lot of periods of time by people who've made mistakes. And, you know, having made the mistakes, they then say, well, if you did this in a different way, you wouldn't make those mistakes again. So a very interesting study that was run by ENISA, which was a survey of public sector run in December, 2011. And they asked what go governance, frameworks, and security are you using internally?
And they found that most organizations were using ITIL as the standard for the computer management and they were using ISO 27000 set of standards for security. Then they said, do you actually require IT service providers to comply with those standards? And only 22% said, yes, which is interesting that somehow organizations feel that they can trust their IT service provider more than they can trust their internal production systems.
And I would say that anyone who is using the cloud should be making sure that that cloud service provider is complying with the same standards that you would expect your internal provider to comply with. And those include things like ISO 27000 and other ones like that. And so ISO 27001 certification is something that's an essential, I believe for a cloud service provider. Then we need to understand the different kinds of data. And the assurance needs actually depend upon what the data is that's being moved and all data is not the same.
And so there's a lot of, a lot written and a lot of concern about personally identifiable information. And certainly it is true that that is something that is highly regulated, but it isn't, all information is not necessarily regulated information. And some regulated information is regulated more strongly than the other. So for example, financial records are highly regulated, but intellectual property isn't, and yet intellectual property may well be more important to you or your company than, than in fact all the other risks that, that you are running. So it's really important.
You understand the sensitivity of information and that everybody understands the value of that information because one of the problems is that it sometimes seems to me when I look at organizations and the things that happen to them, that it's the only people who understand the value of information is the people who are trying to steal it because there are all these people who deal with this information on a day by day basis who have lost sensitivity as to what it's worth. It's as though if you work in a gold bar factory that gold bars are no longer valuable and creating a culture of security is about getting people to understand the value of the information that they are handling.
And that involves a change of the perception of security that at the moment, as I said earlier on that in many cases, the security hacker is seen as some kind of antihero that, that really a, a really good guy. That's just trying to, to do the good thing that, that, that the, the people who release this information into the public in fact, are, are doing a good thing for everybody.
Well, and somehow other that people who want to impose security restrictions are just Killjoys that are stopping people from having thought and well, there may well be an element of that, you know, all of these things, but, you know, if you had a hundred pounds in your pocket, would you just put it down on the bus seat next to you? Well, that's what happens to, to people's USB sticks. It's what happens to people's mobile phones. And when those things go, then there is, there is upset.
So understanding that it isn't necessarily the value of the piece of equipment, but the value of the information that's held on it, that's important. And that there was a book written by Steve J Ross, which gives you if you will, these four key things, which as well as changing the perception you can help to in inculcate this, these ideas, by getting people who are respected in the organization to visibly observe the values of the, of, of information security within the, within the organization.
So they set up role models that you need to make sure that people understand what the risks that they are running are. And indeed, there's been a number of, of, of examples of how that works. Usually it's, it's best done by teaching people how to keep their own data secure, because that helps them to get a better understanding of it.
But nevertheless, many of these data breaches that we have seen, and many of the techniques that are being used by the people that are trying to steal data, involve a social engineering attack, which involves understanding the, the likes dislikes and interests of employees, and then prey upon those interests to send them poisoned emails, poisoned links, and so forth. And people need to understand the importance of being careful and finally having both rewards and sanctions. It's often the case about information security is yeah, you're fired, but, but you need rewards as well.
You need to be able to say that was good. What, what these guys are doing is good and improve information both with the current, as well as the stack. So part of this is also understanding who is responsible for what and responsibility when you are using a cloud provider is in fact, split between you and the provider, often organizations and people aren't terribly clear as to who is responsible for what, and here's an illustration of why that matters that a hospital in the UK gave a set of disc drives to a third party contractor to be destroyed.
That contractor used a subcontractor who thought, oh, this is a moneymaker and sold the drives on the internet, complete with their content. Now that was who, who buys drives on the, the internet?
Well, it turns out it was a data recovery company. And so they quickly discovered that there were medical records. And so who was fined, what it wasn't the subcontractor, it wasn't the contractor. It was in fact, the hospital because the hospital was the data controller and on the EU law is the data controller that is liable, not the data processor.
And so understanding this split in responsibility that you most likely will be the data controller and you are responsible for your data, the data processor who may be the cloud provider needs to process it in, in compliance with, with their contract. They may not well be, may not be responsible or even reliable for what happens to that data. So you need to take great care, not only with your employees, but also with the organizations that you work with to make sure that it is absolutely clear who is responsible for what, in terms of the processing of that data.
And also, and I mentioned this question of liability, that when you look at most cloud service provider contracts, the liability that they will accept for anything happening to their service or to their, the data that they hold on your behalf is usually very limited, limited, mostly to whatever it is that you've already paid them as a maximum. And so you may find yourself in a situation where the data is lost, but there is no one that you sue to cover your costs.
So when you look at risk, there was kind of a perception in, in, at one time that managing risks was all about avoiding the risks that you've already had, or you've already met. And this tends to lead to a defensive culture, which is not one or move forward, or you can actually recognize that those risks are never going to go away and you embrace them, but in a controlled way, you don't just take the risks really newly you say, I'm going to understand clearly what the risks are.
And I'm going to decide how to approach those risks based on their impact, upon their probability, and upon your risk appetite. So, one of the key things is understanding risk, both in terms of how likely it is and what the impact of that risk would be. So a risk needs to be seen in both of those dimensions: you can have things that are very likely, but have very small consequence, or they have very high likelihood and very big consequence. And what risk management is about is reducing either the impact or the probability of that risk.
And so if we think that it's a hundred percent certain that the government can intercept or will intercept our information, then all we can do is say that's very high probability. So either we have to reduce the impact of them intercepting it, for example, by doing something like encrypting the data, or we have to avoid the risk, depending upon what our tolerance for that risk is.
So the process that you go through, and there is a process you can go through, says you identify the informational risks in terms of what are the assets, i.e. what is the information you hold, and what are the threats that those are open to, depending upon how you process that data. And there may be a different threat by processing it in the cloud to processing it on site. Then you evaluate the risk in terms of what is its likelihood, what is its impact, and what tolerance do you have to that? And finally, you decide how you respond to that in terms of: do I accept it?
Do I reduce it or mitigate it, or do I avoid it in some way? So when we go back to this set of risk points that I mentioned earlier on, here on this slide you can see a set of things that you can do which can mitigate or reduce the impact of those risks.
So, for example, if you have data and you put it in the cloud, I would've thought that it was absolutely imperative that it is encrypted, and that you manage the keys properly. So encrypting data is one of the key techniques that you can use to reduce the impact of that data being lost. Flow control is about making sure not only that information that goes into the cloud or goes through networks is encrypted, but also that only the information that you accept should go through those networks goes through them.
So, you know, you don't send emails that it would be costly if they were intercepted. You have to look at how privilege is managed by the people that have access, both internally and in the organizations that are in fact processing this data. And you saw the different people that can possibly get hold of it: the network provider, the broker, and the cloud service provider. So those are some of the things you can do with that. If you can't get hold of your data, that could also be a big problem.
And so things like backing data up, understanding what the rules are for backup, how the data is backed up by the cloud service provider and what the recovery time is, and whether or not you need to have some further plan to overcome that. And we talked about the issues of getting your data back. And then in terms of compliance, it's things like where is the data going, and what would you require from your cloud service provider in terms of breach notification and liability? So, in summary, government interception is just one of the many risks that you take
if you are processing information and sending information across public networks. And in order to manage that, you need to understand what it is that the assets are that are at risk. Are you what data you are, you are doing, and then set some kind of a policy based on the value and sensitivity of that data and applications, and then support all of this with a proper program of information stewardship within the organization. So that is effectively my presentation. So now we're moving on to a point where we can have questions and answers.
So I'm looking for questions and answers. So if there are any questions, people can ask them by asking a question on the question screen on the web. So there don't seem to be very many questions coming up at the moment. Andrew Marshall seems to have a question: changing the information security culture, any examples, is it easy?
No, it's not easy, and yes, there have been a set of examples. In effect, there was the remarkable example of the UK public services. And many of you can go back to that. I think that the UK government must have taken the record for losing as much information as they possibly could at one point, which was when the tax authorities, Her Majesty's Revenue and Customs, managed to lose the personal information of just about everyone who was claiming the social security benefit,
by sending a set of discs, which were unencrypted, through the normal mail. And following that there was a serious relook within the UK at just how people treated information in public services. And that led to a series of reports and a lot of work that was done to try and change the perception within the organizations about information security.
Because the reason why this data was sent in that particular way in the first place was that a balance was struck where the audit office, who wanted the data, said, send us some samples for audit, but the organization that was holding the data said, if we have to do a special search, it will cost us money to do that search from our information service provider. So we'd rather just give you everything.
And so you can see there was a culture, which was a balance that said it's more important to save a bit of money than it is to treat people's information correctly. And the result of that was not good. Now, a lot of work has been done to change that balance. That's been done by education; it's been done by other things. So there's another question I can see here.
It just says, please, will I speak closer? I apologize if in fact I was not speaking close enough. And a question which says: you said it's the information sensitivity, not the asset, that should be in focus. So, well, in a sense, let me just sort of expand a little bit on that particular area. The asset is,
in fact, the data. The data is the closest thing you've got to something physical. The information is what that data conveys, and the sensitivity of that information is what its value is. So you can encrypt the data, and that's a way that you can reduce the impact of losing that data, because it becomes much more difficult for the person who's got it to turn it back into that information. But ultimately it is the information, because the information is not just the bits and bytes, it's the meaning of those bits and bytes.
It's the plan for your new product. It's your list of customers. It's how much profit you are making on a particular product line. It's what it costs you to manufacture a particular thing. It's that kind of way of looking at the data that makes the difference. So I think I've worked my way through the questions that have been asked.
So if there are no more questions, I think I'm going to move on and say to people that if you are interested in this area, then you will be able to find a lot more information on the KuppingerCole website. My colleagues have written blogs about the PRISM revelations. In particular, we have a number of advisory reports about the cloud, and there are also a number of executive views, which I've been writing around the security and assurance areas of various cloud service providers.
And last but not least, don't forget that next May will be the next European Identity and Cloud Conference in Munich. So find that on our website and make a date in your diary. So with that, I'll say, thank you very much, everyone, for listening.
And if anybody is interested in following things up, then you'll be able to find my email through the KuppingerCole website. Thank you very much, everyone.