
July 2008 Archives

July 6, 2008

Data retention and compliance

I did a Google search on "data retention" compliance today and got 225,000 hits. I noticed a peak of interest in tying data retention policy to compliance and regulatory requirements in 2004-2005, driven by vendors like Sun and Microsoft. Since then the activity has petered out.

Back in 2004-5, industry consultants were recommending projects to analyze data retention in light of legal and regulatory compliance requirements at the level of individual data elements.

Since data classification projects are so complex and expensive, most organizations have apparently decided to pass on the challenge.

Data retention and regulation is a challenge because of contradictory regulatory requirements and the sheer number of data elements in the hundreds of databases a typical organization owns. On one hand, industry regulation such as PCI DSS 1.1 forbids storing sensitive authentication data (full magnetic stripe, CVV2, PIN) after authorization and requires that any stored card numbers be protected, and the UK Data Protection Act requires that personal data not be kept longer than necessary. On the other hand, anti-money laundering legislation mandates keeping the money trail.

However, on a deeper level, it turns out that data retention is not the key issue for compliance.

If you're a merchant or processor of VISA / MasterCard credit cards, simply don't store magnetic stripe, CVV2 or PIN data at all, and keep the card number only where the business genuinely needs it, and then only truncated or encrypted. That's a pretty simple data retention policy.
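The rule is easy to state and easy to violate by accident: swipe logs, support tickets and order tables quietly accumulate full card numbers and raw track data. Below is an added example, not code from the original post, of the check a practitioner would run over stored records: it flags Track 1 / Track 2 magnetic stripe data and Luhn-valid card numbers, and shows how to strip track data and mask a PAN down to the first six and last four digits. The track formats are approximations of ISO 7813, the PCI DSS masking rule cited is requirement 3.3, and the sample records and their field names are constructed for the example.

```python
import re

# Magnetic stripe formats (approximation of ISO 7813, assumed here).
# Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d*)\?")
# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by all major card brands; filters out order numbers etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS 3.3 allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(text: str) -> list:
    """Return sorted, de-duplicated (kind, masked PAN) findings for one stored record."""
    found = set()
    for m in TRACK1_RE.finditer(text):
        found.add(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(text):
        found.add(("track2", mask_pan(m.group(1))))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # a 16-digit reference that fails Luhn is not a card number
            found.add(("pan", mask_pan(digits)))
    return sorted(found)


def sanitize_record(text: str) -> str:
    """Drop track data entirely (it must never be stored) and mask any remaining PAN."""
    text = TRACK1_RE.sub("[TRACK1-REMOVED]", text)
    text = TRACK2_RE.sub("[TRACK2-REMOVED]", text)

    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)

    return PAN_RE.sub(_mask, text)


def scan_records(records: dict) -> dict:
    """Map record id -> findings, for every record that holds card data."""
    report = {}
    for rec_id, text in records.items():
        findings = find_card_data(text)
        if findings:
            report[rec_id] = findings
    return report


# Constructed sample records (field names and values are made up;
# 4111 1111 1111 1111 is the well-known Visa test number, not a real card).
SAMPLE_RECORDS = {
    "order-1001": "customer=alice;card=4111 1111 1111 1111;exp=12/25",  # full PAN stored: violation
    "order-1002": "customer=bob;token=tok_8f3a9c;last4=4242",          # tokenized: compliant
    "swipe-log-7": "%B4111111111111111^DOE/JOHN^2512101000000000?"
                   ";4111111111111111=25121010000000000000?",           # raw track data: must be deleted
    "order-1003": "customer=carol;ref=1234567890123456",               # 16 digits, fails Luhn: not a PAN
}

if __name__ == "__main__":
    for rec_id, findings in scan_records(SAMPLE_RECORDS).items():
        print(rec_id, findings)
        print("  sanitized:", sanitize_record(SAMPLE_RECORDS[rec_id]))
```

Run it against a database dump or log export and the report tells you which records violate the "don't store it" policy; the sanitizer shows the only two acceptable outcomes, track data gone and PAN truncated. The Luhn check matters in practice: without it, every 16-digit order or invoice number becomes a false positive.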

If you're a banking institution that needs to comply with anti-terror and anti-money laundering regulation, you will have 4 strategic objectives:
a. Know your customer, including the source of their wealth;
b. Cooperate with law enforcement and supervisory agencies;
c. Communicate anti-money laundering policies and procedures through employee training;
d. Perform continuous money laundering risk assessment across the enterprise using Practical Threat Analysis.

NONE of these strategic objectives includes data retention.

Since data retention is not a key issue, you'll be better off working on your strategic AML objectives.

July 22, 2008

How to get the truth in a risk assessment interview

The past 2 weeks I got way off my blogging schedule, in between a home improvement project, a JP Big Band gig, babysitting grandchildren and ... work.

How to Get the Truth From Interviewees?

The Challenge: How to ask employees effective questions during a risk assessment.

You have the job of collecting data for a risk assessment in a client's business unit. You sit down with the security and compliance manager and schedule meetings with people in the unit. You figure you're going to be less than thrilled with the quality of information you receive, and the employees may not be excited by your standard checklist questions. However, you know that whistleblowing is innate in all of us, and it's worth trying to get to first base.

Drop the compliance checklist and use an attack modeling approach instead.

Explain the notion of valuable company assets, the vulnerabilities in those assets, the threats that exploit the vulnerabilities, and the security countermeasures that reduce the risk. It takes a few minutes, and every employee I've ever met has grokked the concept immediately. For starters, just ask 4 questions:

1. What is the most important asset in your job?
2. What do you think is the single biggest threat to that asset?
3. How do attackers cause damage to the asset?
4. If you could give the security and compliance manager a single suggestion, what would it be?

July 24, 2008

Software piracy and the price of software

As an Open Source person, it's been years since I installed proprietary closed-source software. I use Ubuntu, and I reckon that the type of license (GPL, MPL, LGPL) is probably more important than the software itself, assuming of course that it meets your requirements for functionality and reliability.

I started thinking about licensing again after reading the 2007 "FIFTH ANNUAL BSA AND IDC GLOBAL SOFTWARE PIRACY STUDY", which you can download from the BSA Web site.

I would not take the numbers IDC and BSA present at face value. The IDC/BSA estimates are guesses multiplied several times over. They start by assuming that each unit of copied software represents a direct lost sale for the software vendor, which is patently false.

If it were true, then the demand for software would be independent of price, i.e. perfectly inelastic.

A drop in price usually results in an increase in the quantity demanded by consumers; that responsiveness is called price elasticity of demand. Demand for a product is inelastic when the quantity demanded barely changes with price. A product with no competing alternative is generally inelastic: demand for a unique antibiotic, for example, is highly inelastic, because a patient will pay any price for the only drug that will kill their infection.

If software demand were perfectly inelastic, everyone would pay rather than risk the BSA enforcement tax, and the rate of software piracy would be zero. Since the piracy rate is non-zero, the original assertion is false. (Argument courtesy of Wikipedia.)

Back when I ran Bynet Software Systems, we were the first Microsoft BackOffice/Windows NT distributor in Israel. I had just left Intel, where we had negotiated a deal with Microsoft that allowed every employee to make a copy of MS Office for home use. Back in 1997, after the Windows NT launch, the demand for NT was almost totally inelastic: Not There, Nice Try, WNT is VMS + 1, etc. We could not give the stuff away in the first year. Customers were telling us that they would never leave Novell NetWare. Never. But NT got better from release to release and the big Microsoft marketing machine got behind the product. After two years of struggle selling retail boxes and MLP for NT, demand picked up. Realizing that there IS price elasticity of demand for software, Microsoft dropped retail packaging and moved to OEM licensing, initially distributing OEM licenses via its two-tier distribution channel and later cutting out the channel entirely and dealing directly with computer vendors like HP, Dell and IBM for OEM licenses of NT, 2000, XP, 2003 etc. Vista continues with this strategy: most Vista sales are not retail boxes but pre-installed hardware.

Microsoft (a major stakeholder in the BSA) probably doesn't have a major piracy problem with Vista. Let's run some numbers. Microsoft Windows Vista sales are running at about 9 million units a month, or 27 million a quarter. Microsoft's June 2008 quarterly revenue is $15.8 BN. Single-unit OEM pricing for Vista is about $80, and in a volume deal maybe $20, so let's assume an average of $50 per OEM license. Vista then accounts for about 27 × $50 = $1.35 BN a quarter, or 1350/15800 = 8.5% of quarterly revenue.

The BSA 2007 Global Piracy Study states that the "median piracy rate in 2007 is down one percentage point from last year". One percentage point of piracy on a product line that is 8.5% of revenue is meaningless for Microsoft; in dollar terms, the BSA's work to reduce piracy matters less than this year's 7 percent drop in the US Dollar.

Microsoft probably does have a problem with its cash cow, Microsoft Office. Microsoft Office 2003 retails for $450 but is available under an academic license for less than $100. OpenOffice 2.4 runs just fine on Vista and retails for $0. At those prices, sizable numbers of users are simply sliding down the demand curve, which calls the IDC/BSA software piracy statistics into serious question.

But there is more to software piracy than offering software at a reasonable price. In poor areas of the world, if the BSA's efforts at combating software piracy were successful, only the very rich would have access to applications like Microsoft Office. Middle- and lower-class people would not have the opportunity to become MS Office-literate because the prices would be too high. For that I have only three words: download Open Office, the free and open productivity suite.

About July 2008

This page contains all entries posted to Israeli Software in July 2008. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License.