Friday, 11 November 2011

The Science of Status Updates and Emotions




Today, I attended a keynote address by Richard Beecroft Allan, Baron Allan of Hallam, Facebook's Director of Policy for Europe. One of the things Lord Allan mentioned that was interesting, at least for me, was that businesses can target the right demographic on Facebook with their advertisements; however, Facebook, as stated in its policy, does not share any user details with the businesses. All Facebook guarantees is that the ad is displayed to that particular demographic.


I like the concept of 'Social Networks', but I still think it is not being done right. It currently feels the way it may have felt when users had to deal with one of those earlier models of mobile phone: bulky, unintuitive and cumbersome. There are lots of little issues to iron out and opportunities to improve. The 'iPhone' of the Social Networks has yet to arrive.


Conversations do not happen in the real world through 'Status Updates'. Conversations in real life are much smoother, subtler and more enjoyable. I guess Status Updates are the outcome of the complexities and limitations of keyboard technology. Expression through touching screens or pressing keys on a keyboard is an outcome of the limitations of the digital world.


Social interactions are full of emotion, tone of voice, facial expression and, in part, the movement of eyes and bodies. The concepts of 'Circles' and 'Lists' are all so digital and sound like the products of technical brains too.


Oh well, we at least have a place to share our photos and limit the emotions to 'Like' or '+1' for the benefit of Facebook or Google.

Thursday, 10 November 2011

Private Clouds - Are you sold yet?

Cirrus cloud above the Ragley Estate


Cloud computing in relation to infrastructure, in simple terms, is an evolution in the way compute and storage have been managed by the industry historically, compute being the data processing technology and storage being the data storage technology.


According to the final version of the NIST definition of Cloud Computing, any service provider claiming to provide cloud services under the Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) service models should provide On-demand Self-service, Broad Network Access, Resource Pooling, Rapid Elasticity and a Measured Service.


For public clouds, I clearly understand and believe in the value and benefit that the Cloud brings to the business through the IaaS, PaaS and SaaS models.


However, I have repeatedly struggled to convince myself of the value that private clouds bring to the vast majority of businesses, where the demand for compute and storage rises at a fairly consistent rate. Provided businesses are on board with the concept of virtualisation and understand the value that it brings, should they be considering a private cloud? I would say not, unless they are expecting a significant change in the way compute and storage are consumed. Even if a change in infrastructure demand is expected, businesses should still be careful in selecting a private cloud strategy, as the primary benefit in a comparison of Capex and Opex for the cloud vs non-cloud approach will be the On-demand Self-service advantage that the private cloud brings. The other four aforementioned characteristics may not be a strong sell for the CFO/FD, as they will not drive strong cost reductions in terms of technology, people and processes.


To prove me wrong, please feel free to provide case studies or examples where businesses have implemented and benefited from a private cloud approach. I can point you to a special case here where private clouds have worked.

Wednesday, 9 November 2011

Managing unknown risks - what's your approach?


I was driving last Friday evening on the M1, a major motorway in the UK, when, at around the same time and in probably similar weather conditions, one of the worst motorway accidents in the history of the island was unfolding on the M5, another busy motorway. Seven people were reportedly killed and 51 injured in a 34-vehicle pile-up.


Having learned about the incident the next day, I realised I had probably been travelling in what I call an 'unknown risk' condition, where I wasn't aware of the heightened likelihood of an incident in poor weather conditions (heavy rain and fog) and with spectacular fireworks there to distract fatigued drivers looking forward to their weekends. Although the controls were all functional, e.g. brakes, airbags, MOT'd car, good tyres etc., they were not designed to operate in a specific event condition like the one on the M5.


I believe businesses unable to identify such risks would fall back on their Business Continuity and Disaster Recovery Plans, as the common controls will be inadequate to sustain the impact of the incident. It is surprising to see the number of businesses, in both the public and private sector, that carry on their operations without such BC/DR plans.


Have you come across organisations that effectively manage unknown risks outside of their BC/DR strategies? If so, please comment. I will be keen to understand this and discuss.



Tuesday, 8 November 2011

Commoditisation - exciting times for the industry


[Image: Espresso beverages, Starbucks Coffee Company]


The biggest shift we are observing, and will observe over these few years, is how IT is being commoditised.


This puts businesses of today and of the future in a great position: the ability to select the technology solution when they want it, how they want it and at a price they are willing to pay for the technologies of interest. It is like a lunchtime frenzy where businesses are the customers looking for commoditised food, with too many eateries tailoring their menus in the hope of attracting the right clients. Quality of service will play a key role here, along with the commodity. Whether you want to have a simple coffee in your local cafe, tailor the flavours of your Frappuccino in Starbucks or maybe just make your own, it is the same for your afternoon lunch as for your business's technology requirements. The choices will be there; the key will be deciding what works and fits best for the business.


Some interesting Rackspace Cloud Private Edition posts:


http://gigaom.com/cloud/rackspace-makes-good-on-private-openstack-cloud-vow/?utm_source=social&utm_medium=twitter&utm_campaign=gigaom


http://www.infoworld.com/d/open-source-software/why-openstack-will-falter-178038


http://www.readwriteweb.com/cloud/2011/11/infographic-the-state-of-opens.php


http://blog.theloosecouple.com/2011/11/08/cloud-spring/



Thursday, 3 November 2011

Thought Leaders in Information Security - Do they exist?

First things first - it's been a while since I last blogged so my sincere apologies.


I come across the terms 'Thought Leader(s)' and 'Thought Leadership' quite a lot in discussions and reading. It has got me thinking at times as to 'What is it?'. With regard to the Information Security industry, I think there hasn't been any Thought Leadership at all. This encompasses innovation around security management, including but not limited to policies, procedures, standards, vulnerability assessments, penetration testing, patching, risk management, data loss, compliance, monitoring, incident response, security awareness et al. Same old, same old.


Good old Wikipedia says this about 'Thought Leader':


"The term was coined in 1994, by Joel Kurtzman, editor-in-chief of the Booz, Allen & Hamilton magazine, Strategy & Business. "Thought leader" was used to designate interview subjects for that magazine who had business ideas that merited attention."


According to commentators such as Elise Bauer, a distinguishing characteristic of a thought leader is "the recognition from the outside world that the company deeply understands its business, the needs of its customers, and the broader marketplace in which it operates."


So, it is 'ideas that merit attention' and 'recognition from the outside world that one gets it'.


I cannot think of an individual or a company in the security industry that has come up with ideas that merit attention, or that has been recognised by members of the security community, for a while. Can you? Please enlighten and discuss.


PS: I don't class reactive discoveries, e.g. APTs, Cybercrime, surveys and point solutions, as TL. I also believe there is a lot more TL going on in security offence than in defence. If there is a better definition, again, do post your thoughts.



Thursday, 7 April 2011

Third Parties and Data Security

I covered the business risks around third parties and data security from a PCI DSS compliance perspective in my previous post. The recent incidents of email and data losses by third parties (Play.com's breach and Epsilon's breach) hold some key lessons for businesses using third parties to deliver their business.


Some of the key questions to be asked by the leadership of businesses engaging with third parties are:


1. Does an up-to-date list of third parties exist?

2. What data is transferred to or handled by these third parties?

3. Are there preventive/detective/corrective controls in place at the third parties to avoid/identify/remediate data loss?

4. What level of preventive/detective/corrective controls is in place, and how often are they reviewed? (SLAs/KPIs/Metrics)

5. In the event of an incident, what process (Incident Response Plan) is in place between the business and the third parties?

6. Are there appropriate contract clauses to protect the business from financial penalties and data losses?


Silverpop and Epsilon may have received their share of negative media coverage due to weak security controls in relation to the breaches; however, it is the businesses engaging with such third-party service providers that have to rigorously review third-party security and ensure that their reputation, operations and business are not impacted.

Wednesday, 2 February 2011

A day at CloudExpoEurope '11


[Image: Cloud Expo Europe 2011]




I attended CloudExpoEurope '11 today in London and had high expectations for this event, considering all the hype around the cloud. As expected, it was mainly a vendor-led event. There were some new names (at least for me) exhibiting their services, like OnApp, Onyx Group, Ping Identity, Cloudreach and Nlyte.




The mix of SaaS, PaaS and IaaS appeared to be slightly imbalanced on the floor. Interestingly, there were significantly more IaaS-related vendors than SaaS and PaaS. The IaaS vendors exhibiting were Carrenza, Claranet, Savvis, Rackspace, Peer 1 and Red Hat, amongst others.




I discussed the impact of Open Source solutions like OpenStack with OnApp MD Carlos Rego and also came to understand the service model behind Ping Identity (a Cloud SSO solution provider) from Travis Spencer of Ping Identity. Rik Ferguson's (Trend Micro) talk on securing cloud instances was interesting as well. The SaaS system monitoring solution from Nimsoft, recently acquired by CA, seemed robust.




There were exciting Open Source projects (OW2 Consortium, OpenNebula) that I would have liked to review but couldn't because of time constraints. The Open Source developments in cloud are of particular interest to me, as the developments in the OpenStack project are steadily improving and show promise at the moment to deliver the much-required integration in this novel and rapidly changing ecosystem.




And, I also witnessed some IaaS 'cloud' providers selling virtualisation as a 'Cloud' service!




To summarise, the experience at CloudExpo could have been better, with more variety of players from the SaaS, PaaS and IaaS arena in Europe or worldwide, to give the visitor a comprehensive view of the 'Cloud' ecosystem. It seems that the hype around Cloud is very real, but so are the clear business benefits of utilising the various services in the Cloud ecosystem.




Ideally, businesses going to such Cloud events should have a clear understanding of their requirements in terms of what their processes are, what systems they use and what software, platform and/or infrastructure of the business they would like to transfer to the cloud. As a bad analogy, the current cloud arena is like a phone app market with no recommendation/feedback system: there are too many apps, and the user needs to know what suits their requirements. But with Cloud it may not be as easy as deleting the app!

Thursday, 13 January 2011

Challenges related to cloud computing data security

I recently started using Quora and find it quite useful. The idea of your thoughts on a particular question being voted up and down, and the ability for the community to challenge and contribute, is inviting. I answered a question on Quora that I've cross-posted on this blog and that you may find useful. Feel free to comment.


What are the challenges related to cloud computing data security?


Across the five essential characteristics (On-demand self-service, broad network access, resource pooling, rapid elasticity, measured service), three service models (SaaS, PaaS, IaaS) and four deployment models (Private, Community, Public, Hybrid Clouds) of Cloud computing (as defined by NIST), organisational data security faces a variety of risks. The level of risk can be determined by which models organisations subscribe to or adopt and, more importantly, what data they decide to move to the cloud. For example, a Private Cloud deployment model will generally reduce the risk compared to a Public Cloud or a Community Cloud, but will require compromising on certain essential characteristics.


Data, based on its classification, requires appropriate controls to be applied for its security. Whether it be a system configuration, IP (Intellectual Property) in the form of software, a database with PII/sensitive data or publicly available data, the hard part is identifying where this data is in the organisation and what people, processes and technologies access and support it. Cloud computing, depending on the model and characteristics used, tends to abstract this even further.

For example, consider the 'resource pooling' characteristic of the cloud: if sensitive data is stored in a Public cloud, then as per the NIST definition the '…customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.' This means that in the case of a security breach or a follow-up investigation in a public cloud model, it will be hard or near impossible to find out exactly what the data loss impact is and where the data resides. This is an example for data at rest (storage). There are similar challenges for data in transit and in process.

The challenge is identifying which Cloud computing model and characteristics, for which data, will maximise efficiency and minimise the risks.