It's something akin to a service provider in SAML parlance, if we are to believe reporting. How can it be air-gapped?
And if we are to believe the hacked company, it is a development environment with test data in it. That remains to be seen, but is a risky thing to lie about. If there is production data in the leak, we will surely know about it.
If you can't implement it securely then perhaps such an undertaking wasn't a good idea? In the vast majority of cases I don't see why PII ever needs to be available over the network for remote queries. For the purpose of verification isn't it sufficient to verify hashes or better yet to attest via smartcard?
That's not an excuse though, any system handling data like that should be continuously reviewed and pentested by professionals. Hopefully they can show that this has been done otherwise it's just negligence.
It's something akin to a service provider in SAML parlance, if we are to believe reporting. How can it be air-gapped?
And if we are to believe the hacked company, it is a development environment with test data in it. That remains to be seen, but is a risky thing to lie about. If there is production data in the leak, we will surely know about it.
At the high end you can use data diodes to isolate critical data.
The point of a system like this is specifically that it’s accessible and not air gapped.
Being able to validate that a citizen is a citizen and their ID is valid inherently requires the system be accessible
If you can't implement it securely then perhaps such an undertaking wasn't a good idea? In the vast majority of cases I don't see why PII ever needs to be available over the network for remote queries. For the purpose of verification isn't it sufficient to verify hashes or better yet to attest via smartcard?
You can, they didn't; big difference.
1 reply →
If you need the data, you cannot have it air gapped. And if it is air gapped, it is still easy to make misstakes.
"misstakes", love it, almost peotic
> it is still easy to make misstakes.
That's not an excuse though, any system handling data like that should be continuously reviewed and pentested by professionals. Hopefully they can show that this has been done otherwise it's just negligence.
It was mainly an explanation, that "airgapping" does not magically provides better security, or is required (or possible) to use at all here.
1 reply →
Imagine if the bank took such a cavalier attitude with the contents of my account.