Monday, November 29, 2010

On Securely Making Cloudy Claims About Cloud Security

PC World reported on the speech by a former hacker known as MafiaBoy, who was arrested for lots of insidious activities. Now, he was a guest speaker, in Toronto, Canada, at a forum organized by a well-known Japanese storage vendor.

His contention was that Cloud Computing has serious security vulnerabilities and that Security is an afterthought among vendors.

I am certain the reformed hacker is a very, very, smart man. I am positive, no amount of security can be enough to ever guarantee perfection. However, the whole approach and message was a bit yawn-inducing for me. He was restating the obvious, wrapped in a bit of irresponsible FUD (fear, uncertainty, doubt), with a ribbon of future "I told you so" claims tying it up nicely.

That is like someone being arrested for throwing medical trash into a town's water tank, and then going on CNN or Fox News Channel to make a generalized claim, like, "There are serious vulnerabilities in our whole nation's public drinking water supply." That person can then sit back while people wonder if they should all be drinking bottled water only.

Some of the other contentions of people who like hearing that kind of message, commenting at the PC World site, were that Cloud Computing is nothing but Client Server with a new label. OK, if someone said Cloud Computing is sort of like On-Demand Computing — but with both the ON and the DEMAND parts kicked into high gear in the marketplace — I would have agreed a bit.

Yes, of course, many of the concepts of Cloud Computing are derived from the evolution of previous computer system architectures and paradigms. But, if Cloud Computing is exactly the same as Client-Server, then it is even more "same" as mainframes and dumb terminals of yester-century.

For the first time in modern history, the true power of the Internet can be harnessed by every one, and every business, at every level, for almost every function, with the same type of access previously only giant multinationals could afford.

Even with the Internet boom, the overall benefits to us, ordinary people, were limited in type and scope.

We could enjoy email accounts of our own. With a bit of web hosting, using $5 per month packages, we could put up web sites as slick as the biggest multinationals (whether someone ever visited our web sites or not).

But, we could not venture into scaling beyond those basic limits.

A company with 20 employees could not afford true ERP or CRM solutions. An art movie studio with 5 creators could not expect to take on a movie requiring 10,000 hours of rendering time, without their idea being passe' while their 5 PCs or Apple Macs chugged along for 5 years.

Now they can rent software as a service (SaaS), platform as a service (PaaS), or a ton of infrastructure as a service (IaaS) as and when they need, without needing a million Dollars budget.

These, and countless other, aspects of cloud computing are leveling the playing field for individuals and the smallest businesses, which no Client Server solution did.

The benefits big business are gaining from Cloud Computing are even more obvious. From hardware and software license cost savings, to energy savings, to better utilizing available resources with available headcount, reducing total cost of ownership for once without having to resort to the typical head count reductions of past years, are just a few. Quick provisioning of application development and test environments, in hours, affordably, and then spooling it down, are additional examples.

So, going back to our esteemed and honorable ex-hacker's contentions about Security, let's ask: Is Security important? No. It is not important, it is ESSENTIAL.

But, for anyone to say that Cloud vendors are thinking of security as an afterthought is absolutely ridiculous. It is even more silly posturing than politicians of all parties typically indulge in, with meaningless statements that raise their audiences' fear levels. Just recently I wrote a popular item, which discussed the Cloud Security Alliance's good work, especially in the area of enabling greater levels of governance, risk management and compliance in Cloud.

An important thing to keep in mind is that Next Generation Data Centers, with highly converged and virtualized infrastructures, are not being created out of thin air, with paper, glue and paint. They are being created by integrating, and hardening, existing parts of the solution stack - virtualization, network, compute, and storage.

None of these elements consists of some untested new gadget created in a lab by two geeks and their dog. Each element has industry leaders, and strong competitors. Each has its own security postures, needs and mechanisms. And, vendors who are putting together the entire vertical stack, either from in-house, or partner technologies, are all working to build additional wrappers of Security. Trusted Multi-Tenancy, authentication and access control, encryption of data at rest and in flight, are just some examples of additional wrappers being built around the "core-stack" and what is in the "box".

Is this all perfect? Of course not? But, even the most secure, non-cloud, current data centers of big corporations have shown how Security can be breached.

From millions of credit card numbers being stolen, to WikiLeaks, even when Security is the most talked about topic, e.g. in financial services, government, military, healthcare, etc., some "misguided" (read malicious) person can find a way into any system, or may already be inside the system (as an employee).

What is required is for people like the former hacker to specify examples of where they see major vulnerabilities, how they would fix them, or how they suggested the fix and some vendor(s) or clients did not listen. I will be happy to take him to industry leaders at industry leading companies even better known than the large firm he was a guest of.

But, then, he better have some specific risks and vulnerabilities identified, with specific recommendations and proposed solutions. Otherwise, there are plenty of people who can sit outside complaining about a "problem" without being part of a "solution." Who has got time for those.

What do you think vendors need to pay more attention to, immediately, to make Cloud Computing more secure?

===


Imran Anwar is founder of Internet email in Pakistan, co-founder and co-owner of the .PK ccTLD of Pakistan, and founder of the credit card industry there. As a New York based technology, cloud computing, strategy, marketing, media and business professional he is often seen and heard on global media like CNN, Fox News, Express TV, WWRL and many others. These are Imran's personal opinions and do not necessarily reflect those of any employer, parent company, client, family member or other persons or organizations. Phew!


Technorati Tags: , , , , , , , , ,



Tuesday, November 23, 2010

Orion's Belt And Ocean's Beach

Orion's Belt And Ocean's Beach
by Imran Anwar

Standing, in time, vast Ocean's Beach,
Towering over tiny grains of sand,
Some dark, wet, others pale and dry.
Gazing up, hours, at blue moonlit sky,
Sparkling stardust, ours, waiting at hand.
Orion's Belt, my spirit pants to reach.
One day, I'll be among those stars,
Smiling at beautiful life from afar!

© 2010 Imran Anwar

Wednesday, November 17, 2010

Governing Governance, Risking Risky Analysis Paralysis & Complying With Compliance In Successful Cloud Computing Initiatives

The Cloud Security Alliance, just announced a new stack to address issues of governance, risk management and compliance for the nascent but exploding cloud computing industry. InformationWeek has a good short news report on the subject.

I consider this welcome news, from two perspectives - as an individual professional opinion; and as the opinion of someone leading vertical solutions and service provider offers planning & management, at an industry-leader cloud technology company.

Cloud Computing has been fortunate that its hype only slightly exceeded the real world benefits it provides, and its ad-hoc, vendors and clients deciding what's best for them, implementation of governance, risk and compliance management were "just good enough" to keep the ball rolling. For early adopters, and for those seeking immediate TCO (Total Cost of Ownership) and ROI (Return On Investment) value of next generation data center models, with highly converged virtualized infrastructure, this was not a show stopper.

But, for the Cloud industry to evolve to the next stage, where it literally can explode to the stage, which would make the latest set of analyst predictions, such as those quoted in the article above, actually likely to come true, governance, risk and compliance issues had to be addressed sooner rather than later.

The challenge in every new paradigm (or even what some consider a repackaged old paradigm enabled by technology capabilities that enable the concept to take off this time) is to balance between extremes along those three lines of concerns.

I have called attention to these topics in the past in print and online. My concern has been that overly excited buyers, and sell-at-all-costs vendors could lead to risky behavior on one side of the spectrum, while analysis paralysis would keep a huge majority from losing out on the benefits of cloud computing.

What is needed, as I have said before, is a pragmatic and practical approach; rather than utopian and impossible drives for perfection, that cannot be achieved in one, much less, three areas of importance like GRC. Add to that the complexity and impossibility of agreement, a situation in which every stakeholder brings their own colored and colorful viewpoint.

The need is for comprehensive, but not onerous, approaches to governance; risk management without seeking absolute, "perfect", impossible to achieve, levels of "zero risk"; and compliance standards that enable enterprise and service provider moves to cloud models, rather than being roadblocks. These are are all essential steps without tripping up clients or vendors.

The CSA's latest contribution to successfully achieving these is a free GRC stack, a set of toolkits, for enterprise customers, vendors of cloud & security solutions, as well as those tasked with auditing IT. The toolkits are, Cloud Audit, Cloud Controls Matrix and the Consensus Assessments Initiative Questionnaire (Apparently they did not spend much time on coming up with a better name for this last one!). You can download the GRC stack free.

This is not, by any stretch of the imagination, GRC nirvana. There will be many significant areas, from Department of Defense related federal requirements, to the extremely granular levels of security an increasingly networked global financial system requires, and many others.

But, I hope, and remain confident, that this will be the first in an ongoing series of steps towards ever-improving quality of governance, risk management and compliance standards, which will help cloud vendors and users alike.


Imran Anwar is founder of Internet email in Pakistan, co-founder and co-owner of the .PK ccTLD of Pakistan, and founder of the credit card industry there. As a New York based technology, media and business professional he is often seen and heard on global media like CNN, Fox News, Express TV, WWRL and many others. These are Imran's personal opinions and do not necessarily reflect those of any employer, employer's parent companies, clients, family members or other persons or organizations. Phew!



Technorati Tags: , , , , , , ,


Monday, November 15, 2010

Non-HDR Unnaturally Natural High Dynamic Range High Neon Hydrangea At High Noon

This is one of the most unnatural looking yet completely natural colors I can recall capturing. This non-HDR shot shows stunningly high dynamic range of my neighbor's highly Neon bright Hydrangea to the side of my house at high noon.

It was nearing mid-day when I stepped out of the house to take some pictures on an especially vivid, blindingly bright, Summer day in June.

Usually the weather at my home at that time can be somewhat hazy from humidity and heat on Long Island, New York.

This day it was definitely glowing warm and the sun was almost vertically above. These plants are at the corner of my neighbor's house, and partly shaded - but the grassy grounds that stretch behind the house were awash in the bright hot light of the sun.

I cannot take credit for the spectacular colors the Nikon D300 captured at ISO280. I was simply shooting in Program mode - while bending over backwards (literally) to frame the three depths of flowers aligned but visible for a bokeh effect and playing with the 100-300 (450mm eq) lens.

I hope you too can feel the heat and afterglow from this image.

© 2010 IMRAN
DSC_4990_PSF



Technorati Tags: , , , ,


Thursday, November 11, 2010

Mast(er)s Of The Sea

As a late Fall sun started to set on the golden hills along the Golden Gate Bridge, still relatively late compared to New York's earlier forays into winter darkness, at 7:45 PM, I braved the breeze and decided to walk across the length of the bridge.

Along the way, I managed to shoot some pretty spectacular sunsets you have seen here earlier, made special by my managing to catch scenes without the ongoing rush of traffic spoiling the shot.

With the Pacific Ocean beckoning the sun into it's calming lap to the right of me, I looked down to my left and saw the idyllic scene of sailboats, masters of the sea, sitting in silence, as cosmic winds of photons swept by them to crash glowingly into the amber green earth behind them. A golden moment to remember, from whereever I see, to shining sea.

© 2008-2010 IMRAN
DSC_1308_PSF