Securatica
Information security, compliance and technology blog
Thursday, 26 April 2012
OpenStack - What the future holds
My more structured response is:
- It is important that everyone in the project understands and appreciates the 'Open' in the Open cloud projects, one of which is OpenStack
- If it is dubbed as the 'Kernel of the Cloud', take a look back at how the Linux kernel is maintained.
- Because of the obvious benefits of the project, there is considerable industry interest. This hasn't been seen before in similar open projects. This is particularly different and may determine the project's future. It is a wait and watch game.
- Open projects tend to have their 'baking phase'. I'm not sure if the industry is allowing this crucial phase. It is critical especially for OpenStack, as PaaS and SaaS will potentially be built on it.
- Security must not be overlooked, and it may be the byproduct of this 'baking phase'. An undisclosed zero-day in OpenStack may be detrimental to the trust in the project.
The OpenStack project is a coding/development project driven by the community. The risks to this project are comparable to those of any other coding project, and more, as it is IaaS-layer software.
Stability, security, release cycles and developer and industry acceptance will collectively decide the success of this project during this and the coming years IMO.
Tuesday, 3 April 2012
CloudStack ASFisation
Well, with all the news and views being published in the past 24 hours on the Citrix CloudStack announcement, I think the note below from Simon Wardley (@swardley) sums it up very nicely for me.

As rightly pointed out in a number of the articles, it is an interesting development that will influence and impact the key open source cloud projects (Eucalyptus, OpenStack and CloudStack), depending on the adoption by developers and the requirement satisfaction of the service providers and users.
It is a waiting game where, for now, there is no single winner in this open source race.
Monday, 2 April 2012
Breach Anatomy
I came across this graphic from First Data on this blog post by Brian Krebs and couldn't help reposting it. Hope you find it useful.
Another day, another victim - Global Payments
PCI-DSS is an interesting standard. With multiple stakeholders supporting the transaction process, as explained very well in Martin McKeay's post, it is a tough balancing act that the card brands have to play between the service providers like Global Payments, the merchants and, most importantly, the consumers. After all, the consumers are the ones that keep the systems and services of payment card transactions alive by putting their trust in the whole system. This has led to removing Global Payments from the list of compliant service providers.
There are PCI-DSS lovers and haters, so a breach like Global Payments is a good opportunity to raise questions and discuss views, especially in the security community. From a merchant and service provider's perspective, Alan Shimel raises a good point on the trust in the PCI system and what it holds for the merchants and service providers.
Other interesting coverage on this is at WSJ and SCMagazine.
The card brand moved much faster removing Global Payments from the list than it did when another processor, Heartland Payment Systems, announced a breach of some 100 million card numbers in January 2009. In that case, Visa expelled Heartland from the list about two months later, but Heartland re-validated compliance within roughly six weeks.
In the case of Heartland, Visa told merchants that, despite the processor being temporarily removed from the list, they faced no fines for continuing to do business with it.
The above extract from the SC Magazine link is thought provoking. Will Global Payments follow this route and be back on the list in a few months?
With the number of data breaches happening every day, is today's consumer even bothered? The emphasis on service always comes before the security, both in business and for the consumer. It is only when such incidents occur that the lessons are learnt. For businesses, compliance with a standard is definitely not the panacea, but if done with intent, I believe it will help remove the low-hanging fruit. Security is about defence, in depth.
Friday, 9 March 2012
OpenStack Foundation Challenges
OpenStack is an open source platform, developed under Apache license, that enables businesses and service providers alike to create their own infrastructure clouds (IaaS). More details can be found here.
It is a project with great interest and support from the developer community and industry alike. The instant growth in popularity is, for me, the greatest challenge. Currently 156 companies are listed as supporting the project.
Concerns were raised today by CEO and Founder of Piston Cloud, Joshua McKenty, on the foundation mailing list here, with some further views expressed here, here and here.
Success of an open source project depends upon constant collaboration and valuable input. In this case, it also depends on how long the OpenStack Foundation takes on reaching an agreement on the governance and ensuring that the project aligns to the expectations of all stakeholders, supporters, contributors and most importantly, requirements from the adopters.
Competition from the providers offering similar services is stiff and constantly improving. Agility is required for the project to succeed - it seems the OpenStack Foundation needs some of the Cloud characteristics to compete in the ever-changing market!
Friday, 11 November 2011
The Science of Status Updates and Emotions
Today, I attended a keynote address by Richard Beecroft Allan, Baron Allan of Hallam, the Director of Policy in Europe for Facebook. One of the interesting things that Lord Allan mentioned, at least for me, was that businesses can target the right demographic on Facebook with their advertisements; however, Facebook, as stated in its Policy, does not share any user details with the businesses. All Facebook guarantees is that the ad is displayed to that particular demographic.
I like the concept of 'Social Networks', however I still think it is not being done right. It currently feels as it may have felt when users had to deal with one of those earlier models of mobile phones. Bulky, Unintuitive and Cumbersome. There are lots of little issues to iron out and opportunities to improve. The 'iPhone' of the Social Networks has yet to arrive.
Conversations do not happen in the real world through 'Status Updates'. Conversations in real life are much smoother, subtle and enjoyable. I guess Status Updates are the outcome of the complexities and limitations of the keyboard technology. Expression through touching the screens or pressing keys on the keyboard is an outcome of the limitations of the digital world.
Social interactions are full of emotions, tones of voice, facial expressions and, in part, movements of the eyes and body. The concepts of 'Circles' and 'Lists' are all so digital and sound like products of technical brains too.
Oh well, we at least have a place to share our photos and limit the emotions to 'Like' or '+1' for the benefit of Facebook or Google.
Thursday, 10 November 2011
Private Clouds - Are you sold yet?
Cloud computing in relation to infrastructure, in simple terms, is an evolution in the way compute and storage have been managed by the industry historically. Compute being the data processing technology and storage being the data storage technology.
According to the final version of the NIST definition of Cloud Computing, any service provider claiming to provide cloud services under the Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) service models should provide On-demand Self Service, Broad Network Access, Resource Pooling, Rapid Elasticity and a Measured Service.
For public clouds, I clearly understand and believe in the value and benefit that the Cloud brings to the business from IaaS, PaaS and SaaS models.
However, I have repeatedly struggled to convince myself of the value that private clouds bring to the vast majority of the businesses where the demand for compute and storage rises at a pretty consistent rate. Provided the businesses are on board with the concept of virtualisation and understand the value that it brings, should they be considering private cloud? I would say not, unless they are expecting a significant change in the way compute and storage is consumed. If there is an expected change in the infrastructure demand, the businesses should still be careful in selecting the private cloud strategy, as the primary benefit on comparison of the Capex and Opex for the cloud vs non-cloud approach will be the On-demand Self Service advantage that the private cloud will bring. The other four aforementioned characteristics may not be a strong sell for the CFO/FD as they will not drive strong cost reductions in terms of technology, people and processes.
To prove me wrong, please feel free to provide case studies or examples where businesses have implemented and benefited from a private cloud approach. I can point you to a special case here where private clouds have worked.
Wednesday, 9 November 2011
Managing unknown risks - what's your approach?
I was driving last Friday evening on the M1, a major motorway in the UK, when at around the same time, in probably similar weather conditions, one of the worst motorway accidents in the history of the island was unfolding on the M5, another busy motorway. Seven people were reportedly killed and 51 injured in a 34-vehicle pile-up.
Having learnt about the incident the next day, I probably was travelling in what I call an 'unknown risk' condition, where I wasn't aware of the heightened likelihood of an incident in poor weather conditions (heavy rain and fog) and spectacular fireworks that were there to distract the fatigued drivers looking forward to their weekends. Although the controls were all functional, e.g. brakes, airbags, MOT'd car, good tyres etc., they were not designed to operate in a specific event condition like the one on the M5.
I believe businesses unable to identify such risks would fall back on their Business Continuity and Disaster Recovery Plans, as the common controls will be inadequate to sustain the impact from the incident. It is surprising to see the number of businesses, both in the public and private sector, that carry on their operations without such BC/DR plans.
Have you come across organisations that effectively manage unknown risks outside of their BC/DR strategies? If so, please comment. I will be keen to understand this and discuss.
Tuesday, 8 November 2011
Commoditisation - exciting times for the industry

The biggest shift we are observing and we will observe in these few years is how IT is being commoditised.
This puts businesses of today and of the future in a great position: the ability to select the technology solution when they want it, how they want it and at a price they are willing to pay for the technologies of interest. It is like a lunchtime frenzy where businesses are the customers looking for commoditised food, with too many eateries trying to tailor their menu in the expectation of attracting the right clients. Quality of service will play a key role here along with the commodity. Whether you want to have a simple coffee in your local cafe, or you'd like to tailor the flavours of your Frappuccino in Starbucks, or maybe just make your own - it is the same for your afternoon lunch or your business's technology requirements. The choices will be there; the key will be deciding what works and fits best for the business.
Some interesting Rackspace Cloud Private Edition posts:
http://www.infoworld.com/d/open-source-software/why-openstack-will-falter-178038
http://www.readwriteweb.com/cloud/2011/11/infographic-the-state-of-opens.php
http://blog.theloosecouple.com/2011/11/08/cloud-spring/
Thursday, 3 November 2011
Thought Leaders in Information Security - Do they exist?
First things first - it's been a while since I last blogged so my sincere apologies.
I come across the words 'Thought Leader(s)' and 'Thought Leadership' quite a lot in discussions and reading. It has got me thinking at times as to 'What is it?'. With regard to the Information Security industry, I think there hasn't been any Thought Leadership at all. This encompasses innovation around security management including, but not limited to, policies, procedures, standards, vulnerability assessments, penetration testing, patching, risk management, data loss, compliance, monitoring, incident response, security awareness et al. Same old, same old.
Good old Wikipedia says this for 'Thought Leader':
"The term was coined in 1994, by Joel Kurtzman, editor-in-chief of the Booz, Allen & Hamilton magazine, Strategy & Business. "Thought leader" was used to designate interview subjects for that magazine who had business ideas that merited attention."
According to commentators such as Elise Bauer, a distinguishing characteristic of a thought leader is "the recognition from the outside world that the company deeply understands its business, the needs of its customers, and the broader marketplace in which it operates."
So, it is 'ideas that merit attention' and 'recognition from the outside world that one gets it'.
I cannot think of an individual or a company in the security industry that has come up with ideas that merit attention or is recognised by the members of the security community for a while. Can you? Please enlighten and discuss.
PS: I don't class reactive discoveries, e.g. APTs, Cybercrime, surveys and point solutions, as TL. I also believe there is a lot more TL going on in security offence than in defence. If there is a better definition, again - do post your thoughts.