The InformationAge Enterprise Security & Continuity event takes place tomorrow in London as part of their Autumn Forum 2009. I’m giving the opening keynote on “Securing the enterprise in the cloud”. The rest of the day has a great lineup, with some real-world experiences as well as looking at future technologies.
One of the toughest parts of ‘the cloud’ is understanding what people mean by ‘the cloud’. Without that understanding, it is very difficult to figure out what sort of security measures you need. For example, if you are looking at an application as a cloud service (aka SaaS), then understanding what security is available is very different from looking at infrastructure services in the cloud. My talk starts with a look at where the Jericho Forum cloud layer / cloud cube models can help clarify exactly what people are talking about before looking at the security issues which need to be addressed.
See you there.
RSA Europe starts today in London and looks like it will be a great programme. My session is on cloud computing and security and has had a lot of interest. There is even a preview podcast to be found here.
RSA attracts an interesting mix of contributors, with sessions ranging from those that are just for propeller-heads to those which are more accessible to business people. Security remains a hot topic no matter which industry you are in and whereabouts you are in an organisation, so getting the opportunity to listen to, and talk with, people with experience is an opportunity not to be missed.
See you there.
… Or something more disturbing? So, Wikipedia is finally closing its doors to unrestricted editing. Why? Well, because it was being abused – and the reputation of the site was falling. When the Internet first came on the scene, the data was ‘good’, because the people who used it wanted to share their knowledge, and so when you searched for something (hey, this was pre-Google!) the results tended to be useful. Subsequently, the data on the web has been diluted by less good information – some of which is completely wrong (although it may be an individual’s opinion), and this has made it harder to use as a research tool. Wikipedia started up with the best intentions but it has now been subverted like the rest of the web. Unfortunately, this looks to be the way of most ‘open’ collaboration in the Web 2.0 world. I have written before on the problems associated with splog (blog spam), which means that comments, the ones that make it through the initial filter, have to be checked before they are posted – just in case they are inappropriate. As we depend more and more on the web, we need to ensure the data is correct – and this isn’t just the ‘static’ data, but also the calculated data as well.
I am preparing for a podcast recording for RSA Europe this afternoon; my session is on mitigating the security risks in the cloud – and one section is on computational integrity. If the service provider’s application makes a mistake… would you know? Now the mistake may be a genuine ‘bug’ or it might be malicious – how would you know? The answer is… well, most people haven’t thought about it yet, but for those who have there are a few ways to approach the problem. Perhaps the easiest of these is to have dummy transactions for which you know the outcome. That way, you can periodically test that the application is still returning what you expect. Of course, it’s not really that simple – as you potentially need to account for the dummy transactions in other business applications, but you get the idea.
As the cloud becomes more popular, its attractiveness to cyber-criminals will increase – and while a daft middle name for the prime minister on Wikipedia isn’t going to hurt your business, there are other things that might.
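The dummy-transaction idea described above, as an added example (not from the original post): known-answer canaries are sent to a provider's calculation and compared with precomputed results, and canary records are filtered out before other business applications see them. The two provider functions, the `CANARY-` prefix, the tax calculation and all sample values are constructed assumptions.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CANARY_PREFIX = "CANARY-"  # assumed tagging convention for dummy transactions
CENT = Decimal("0.01")

# Constructed known-answer set: (id, net amount, tax rate, expected gross).
CANARIES = [
    ("CANARY-001", Decimal("100.00"), Decimal("0.15"), Decimal("115.00")),
    ("CANARY-002", Decimal("19.99"), Decimal("0.15"), Decimal("22.99")),
    ("CANARY-003", Decimal("0.10"), Decimal("0.15"), Decimal("0.12")),
]

def honest_provider(net, rate):
    """Stand-in for the hosted calculation behaving as agreed."""
    return (net * (1 + rate)).quantize(CENT, rounding=ROUND_HALF_UP)

def drifting_provider(net, rate):
    """Stand-in for the same service after a bug (or tampering): it truncates."""
    return (net * (1 + rate)).quantize(CENT, rounding=ROUND_DOWN)

def run_canaries(provider, canaries=CANARIES):
    """Return (id, expected, actual) for every canary the provider gets wrong."""
    failures = []
    for txn_id, net, rate, expected in canaries:
        try:
            actual = provider(net, rate)
        except Exception as exc:  # an error is also an unexpected outcome
            actual = f"error: {exc}"
        if actual != expected:
            failures.append((txn_id, expected, actual))
    return failures

def strip_canaries(ledger):
    """Drop dummy transactions so downstream applications never count them."""
    return [row for row in ledger if not row["id"].startswith(CANARY_PREFIX)]

if __name__ == "__main__":
    for name, provider in [("honest", honest_provider),
                           ("drifting", drifting_provider)]:
        bad = run_canaries(provider)
        print(name, "OK" if not bad else f"MISMATCH {bad}")
    ledger = [{"id": "INV-7001", "gross": Decimal("57.50")},
              {"id": "CANARY-002", "gross": Decimal("22.99")}]
    print(strip_canaries(ledger))
```

Note that the round-number canary passes even against the faulty provider, so the known-answer set should include values that exercise rounding and boundary behaviour.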
Just a quick reminder that it’s the Cloud Computing Conference next week in Prague and my session is on The Darker Sides of Cloud Computing: Security and Availability. Cloud computing is definitely the buzzword for 2009 and so it will be great to hear other people’s opinions along with some practical advice. See you there.
InfoSec started today and that can mean only one thing… our Marketing Director, Sara, gets to dress up and provide a little glamour for the Symantec stand.
As for the show… well there are a lot of companies there, lots of old friends and customers. The content of the sessions seems to have been both entertaining as well as informative… let’s see what tomorrow brings… (apart from my session in the Business Theatre – which is not to be missed!)
Next week is InfoSec in London and this year it’s moved to Earls Court. It’s always a good event with lots of new ideas and the usual meeting up with old friends and colleagues. My main talk this year is on Cloud Security, on the 29th April, and I will be previewing my presentation on the Symantec Stand along with a talk on compliance on both the 28th and the 29th.
See you there.
I was reading the article on how a national newspaper is now using cloud technology to great effect and to increase the amount of time IT can spend on helping build revenue streams. It’s always good to hear positive user stories on how new technology really helped.
I have been using an analogy to explain cloud computing which uses journalists as a key part of the analogy and it goes something like this…
A lot of papers and magazines have the need for external writers, either because in-house they don’t have time or the necessary skills. So, they contract out – they find a writer who has a good reputation, capacity and at the right price to do the work for them. When it’s done, they get paid and the writer moves on to the next job. If they decide that they need that writer (or particular skill) in-house then they might enter into some longer term arrangement, or hire the person permanently. It makes for an efficient process of getting what needs to be done, done – and in a timely and cost effective manner.
So… onto the cloud. The premise is very similar, you have the need for something to be done because you don’t have the time or the skills in-house. Unlike an outsourcing arrangement, this is something that needs to happen ‘today’ so lengthy contract negotiations are not an option – and it’s probably relatively short term, so a ten year outsource deal looks a little unwieldy! So you go to ‘the cloud’… find a service provider, someone who has the service required and the capacity you need. Currently there aren’t too many providers, so ‘reputation’ is derived based on their name – and that’s OK. You upload the data or the application along with credit card details… and the problem is solved. At the end of the time the results come back in and the agreement terminates. It’s a win-win situation. Of course, if the service is one that you decide you need more often, then you might bring a copy in-house or create a longer term contract.
So, the cloud and the contract writer are, from 30,000 feet, reasonably analogous. Of course, the quantity of data and its sensitivity are very different in the cloud – security is an issue. The journalist may get sick, which will affect their availability – in the same way that the cloud being ‘off the net’ will affect its availability.
Where does that leave those wanting to use the cloud? Well, the trick here is to know what it is you are trying to do, what the data is you want to push into the cloud and how sensitive it is and then to know what questions to ask the service provider.
Security and the cloud is the topic of my upcoming InfoSec talk later this month at Earls Court in London. See you there.
So the economy is tough, budgets are being cut – what to do? Well, now is the time to revisit budgets and look at whether you can squeeze more out of the money you have. Cost Containment has become the buzzword of the moment and I am speaking at a couple of seminars we are sponsoring on ‘Rapid Cost Containment’. When times are tough, it is the time to look at all you can do to prepare for the uptick – after all, when it does come you won’t have the time to look at infrastructures and architectures; you will be running to make sure IT keeps up with the need to support the business and bring in as much money as possible. There is nothing like a shoestring budget to focus the mind and help you think differently about how you do stuff… so now is the time for innovation.
I will be at RSA Europe next week and taking part in a round-table entitled “Threat Horizon 2010+ – To Infinity and Beyond”. This should be a lively debate. It’s on Tuesday 28th October at 11:45am. See you there.
Well the Vision conference was a great success with lots of customers and partners to talk techie with, and of course we made the great announcement to acquire MessageLabs, which is really going to accelerate our software as a service offerings.
Anyway… next week I am out and about in public again(!), I’ll be at the Intellect meeting on Monday 13th October. We will be discussing “Securing Intellectual Property in the Networked Economy” which should prove to be fun.
On Thursday 16th October, I will be presenting at StorageExpo in London, with the session title of “Storage = Data = Risk: Technologies for Data Loss Prevention”. The interesting thing about StorageExpo is how it has morphed over the last couple of years such that it is now all about the information and its security and manageability rather than just being about the latest and greatest hardware.
If you’re there, then come and say hello.