Yesterday I had the opportunity to speak at a joint ISSA and ISACA event on cloud computing security down in Austin (for the record, when I travel I never expect it to be hotter AND more humid than Phoenix).
I’ll avoid my snarky comments on the development and use of the term “cloud”, since I think we are finally hitting a coherent consensus on what it means (thanks in large part to Chris Hoff). I’ve always thought the fundamental technologies now being lumped into the generic term are extremely important advances, but the marketing just kills me some days.
Since I flew in and out the same day, I missed a big chunk of the event before I hopped on stage to host a panel of cloud providers – all of whom are also cloud consumers (mostly on the infrastructure side). One of the most fascinating conclusions of the panel was that if the data or application is critical, don’t send it to a public cloud (private may be okay). Keep in mind, every one of these panelists sells external and/or public cloud services, and not a single one recommended sending something critical to the cloud (hopefully they’re all still employed on Monday). By the end of a good Q&A session, we seemed to come to the following consensus, which aligns with a lot of the other work published on cloud computing security:
- In general, the cloud is immature. Internal virtualization and SaaS are higher on the maturity end, with PaaS and IaaS (especially public/external) on the bottom. This is consistent with what other groups, like the Cloud Security Alliance, have published.
- Treat external clouds like any other kind of outsourcing – your SLAs and contracts are your first line of defense.
- Start with less-critical applications/uses to dip your toes in the water and learn the technologies.
- Everyone wants standards, especially for interoperability, but you’ll be in the cloud long before the standards are standard. The market forces don’t support independent development of standards, and you should expect standards-by-default to emerge from the larger vendors. If you can easily move from cloud to cloud it forces the providers to compete almost completely on price, so they’ll be dragged in kicking and screaming. What you can expect is that once someone like Amazon becomes the de facto leader in a certain area, competitors will emulate their APIs to steal business, thus creating a standard of sorts.
- As much as we talk SLAs, a lot of users want some starting templates. Might be some opportunities for some open projects here.
I followed the panel with a presentation – “Everything You Need to Know About Cloud Security in 30 Minutes or Less”. Nothing Earth-shattering in it, but the attendees told me it was a good, practical summary for the day. It’s no Hoff’s Frogs, and is more at the tadpole level. I’ll try and get it posted on Monday.
And one more time, in case you wanted to take the Project Quant survey and just have not had time: Stop what you are doing and hit the SurveyMonkey. We are over 70 responses, and will release the raw data when we hit 100.
And now for the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich provides a quote on his use of AV for CSO magazine
- Rich & Martin on the Network Security Podcast #155.
- Rich hosted a panel and gave a talk at the Austin ISSA/ISACA meeting.
- Rich was quoted on database security over at Network Computing.
Favorite Securosis Posts
- Rich: Cyberskeptic: Cynicism vs. Skepticism. I’ve been addicted to The Skeptics’ Guide to the Universe podcast for a while now, and am looking for more ways to apply scientific principles to the practice of security.
- Adrian: Rich’s post on How I Use Social Media. I wish I could say I understood my own stance towards these media as well as Rich does. Appropriate use was the very subject Martin McKeay and I discussed one evening during RSA, and neither of us were totally comfortable for various reasons of privacy and paranoia. Good post!
Other Securosis Posts
- You Don’t Own Yourself
- Database Patches, Ad Nauseum
- Mike Andrews Releases Free Web and Application Security Series
- SIEM, Today and Tomorrow
- Kindle and DRM Content
- Database Encryption: Fact vs. Fiction
Project Quant Posts
- Project Quant: Deploy Phase
- Project Quant: Create and Test Deployment Package
- Project Quant: Test and Approve Phase
Favorite Outside Posts
- Adrian: Adam’s comment in The emergent chaos of fingerprinting at airports post: ‘… additional layers of “no” will expose conditions unimagined by their designers’. This statement describes most software and a great number of the processes I encounter. Brilliantly captured!
- Rich: Jack Daniel nails one of the biggest problems with security metrics. Remember, the answer is always 42-ish.
Top News and Posts
- TJX down another $9.75M in breach costs. Too bad they grew, like, a few billion dollars after the breach. I think they can pull $9.75M from the “need a penny/leave a penny” trays at the stores.
- Boaz talks about how Nevada mandates PCI – even for non-credit-card data. I suppose it’s a start, but we’ll have to see the enforcement mechanism. Does this mean companies that collect private data, but not credit card data, have to use PCI assessors?
- The return of the all-powerful L0pht Heavy Industries.
- Microsoft releases a Beta of Morro– their free AV. I talked about this once before.
- Lori MacVittie on clickjacking protection using x-frame-options in Firefox. Once we put up something worth protecting, we’ll have to enable that.
- German police totally freak out and clear off a street after finding a “nuke” made by two 6-year-olds.
- Critical Security Patch for Shockwave.
- Spam ‘King’ pleads guilty.
- Microsoft AntiVirus Beta Software was announced, and informally reviewed over at Digital Soapbox.
- Clear out of business, and they’re selling all that biometric data.
Blog Comment of the Week
This week’s best comment comes from Andrew in response to Science, Skepticism, and Security:
I’d love to see skepticism applied to the wide range of security controls that are proposed. Not that I believe they are wrong; but I suspect many don’t really matter very much. If we can establish from evidence what controls have a significant impact, we can make much better use of our security budgets.