What Do You Want to See in the First Cloud Security Alliance Training Course?

It leaked a bit over Twitter, but we are pretty excited that we hooked up with the Cloud Security Alliance to develop their first training courses. Better yet, we’re allowed to talk about it and solicit your input. We are currently building two courses for the CSA to support their Cloud Computing Security Knowledge (CCSK) certification (both of which will be licensed out to training organizations). The first is a one day CCSK Enhanced class which we will be be delivering the Sunday before RSA. This includes the basics of cloud computing security, aligned with the CSA Guidance and ENISA Rick documents, plus some hands-on practice and material beyond the basics. The second class is the CCSK Review, which will be a 3-hour course optimized for online delivery and to prep you for the CCSK exam. We don’t want to merely teach to the book, so we are structuring the course to cover all the material in a way that makes more sense for training. Here is our current module outline with the person responsible and their Twitter handle in case you want to send them ideas: Introduction and Cloud Architectures. (Domain 1; Mike Rothman; @securityincite) Creating and securing a public cloud instance. (Domains 7 & 8; David Mortman; @mortman) Securing public cloud data. (Domains 5 & 11; Adrian Lane; @adrianlane) Securing cloud users and applications (Domains 10 & 12; Gunnar Peterson; @oneraindrop) Managing cloud computing security and risk (Domains 6 & 9 and parts of 2, 3, & 4; James Arlen; @myrcurial) Creating and securing a private cloud (Domain 13; Dave Lewis; @gattaca) The entire class is being built around a fictional case study to provide context and structure, especially for the hands-on portions. We are looking at: Set up instances on AWS and/or RackSpace with a basic CMS stack (probably on EC2 free, with Joomla). Set basic instance security. Encrypt cloud data (possibly the free demo of the Trend EBS encryption service). Something with federation/OAuth. Risk/threat modeling exercise. Set up a private cloud (vCloud or Eucalyptus) Keep in mind this is a one-day class so these will be very scripted and quick – there’s only so much we can cover. I will start pushing out some of the module outlines in our Complete feed (our Highlights RSS feed still has everything due to a platform bug – you only need to know that if you visit the site). We can’t put everything out there since this is a commercial class, but here’s your chance to influence the training. Also remember that we are deep into the project already with a very tight deadline to deliver the pilot class at RSA. Thanks Share:

Read Post

Incite 1/12/2011: Trapped

I enjoy living in the South (of the US). I’m far enough North that we get seasons. But far enough South to not really be subjected to severe winter weather. It’s kind of like porridge in the story of the 3 bears. Living in ATL is just right for me. Usually. In a typical year, we’ll see snow maybe twice. And it will be a dusting, usually gone within an hour. Only once in the 6 years I’ve lived in Atlanta has there been enough snow to even make a snowman – and Frosty it wasn’t. Which is fine by me. But this weekend we got hammered. 6 inches in most places. I know, you rough and tumble Northerners laugh at 6 inches. That’s not enough to even start up your snow blower. I get that. But you are prepared and you have the right equipment to deal with the snow. We don’t. I’ve seen it written that Chicago has 200 snow plows. Atlanta has 8. Seriously. And I live about 30 miles north of Atlanta, so we have zero snow plows. Even if you get a few inches of snow, it’s usually above freezing, so it melts enough to clear the roads and get on with business. Not this time. When it got above freezing, we got frozen rain. And then it got colder, so anything that melted (or rained) then froze on the roads. I’m a good winter driver and I know enough to not mess with ice. I even had to shovel. Thankfully, I didn’t toss my good shovel from up North. It still worked like a charm – though my back, not so much. So basically I’m trapped. And so are the Boss and kids. They canceled school for the past two days, and it’s not clear (given the forecast for more freezing weather) that they will have school at all this week. Thankfully the snow is still novel for them, so they go out and sled down a hill in our back yard in a laundry basket. Yes, a laundry basket. That’s a southern kids’ sled, don’t you know? I’ll give the kids props for creativity. But a week at home with the kids without the ability to go do stuff is going to be hard. For the Boss. I’ll be sequestered in my cave looking busy. Very very busy. OK, I’m not totally trapped. I did escape for an hour this afternoon to brave the slush and other wacky drivers. I had to pick up a prescription and get some bread. The roads were passable, but bad. And to add insult to injury, Starbucks closed about 20 minutes after I got there, so I couldn’t even get much writing done. My routine is all screwed up this week. I know this too shall pass. The snow will melt, the kids will go back to school, and things will return to normal. But to be honest, it can’t pass soon enough. We love the kids. But we also love it when they get on the bus each morning and become their teachers’ problems for 6 hours. -Mike Photo credits: “Snowed in Snowdon” originally uploaded by zalgon Vote for Me. I’ll buy you a beer. OK, I’ll finally come clean. I’m an attention whore. Why else do you think I’d write this drivel every week? Yes, my therapist has plenty of theories. But it seems that some of you think this stuff is entertaining. Well, at least the judges of the Social Security Blogger Awards do. I’m both flattered and excited to once again be nominated in the Most Entertaining Security Blog Category. I actually won the award in 2008, but was crushed like a grape in 2009 by Hoff. And deservedly so. But this year Hoff is thankfully in another category, so my fellow nominees are Jack Daniel’s Uncommon Sense, the Naked Sophos folks, and some Symantec bunker dwellers from the UK. All very entertaining and worthy competition. I’ll reiterate an offer to buy a beer for anyone who votes for me, but there is a catch. You can only collect at the Security Bloggers meet-up at RSA. Seems Shimmy is on to my evil plans. So if you like beer. Or if you like me. Or if you feel sorry for me. Or if you want my Mom to be able to kibbitz with her group of Yentas in Florida about her entertaining blogger son. Help out a brother with a vote. Incite 4 U Brand this: George Hulme argues against the idea that security doesn’t matter to a company’s brand. George can (on rare occasions) be a disagreeable guy, but this one is a bit of a head scratcher. If the measuring stick for is stock price, then George is wrong. There has been no negative effect on stock price from a security breach. George states that companies suffering breaches have greater churn than those that don’t. But evidently not enough to impact their stocks. I did a podcast with Shimmy yesterday and toward the end we discussed this. My point is that clearly breaches cost money, both in terms of the direct costs and the opportunity cost of not doing something more strategic with those resources. Those are real costs. But do they outweigh the additional costs incurred by trying to be secure? That is the zillion dollar question. And there isn’t any data to prove it one way or the other. As Rich always preaches to us, we need to be very careful when we infer causation without specific data. Which I think has happened on both sides of this discussion. – MR Don’t blame the hinge manufacturer if you leave the door open: I get sort of annoyed when people blame someone else for their problems. Take the latest brouhaha over the brand new Mac App Store. It turns out – and you might want to sit down for this one – that if you don’t follow Apple’s guidelines on

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.