It’s still predominantly made up of an army of skilled hackers focused on better ways to break systems apart and find new ways to exploit vulnerabilities than “security architects” who are designing secure components, protocols and ultimately secure systems. If you don’t believe me go have a conversation with a  so called application security  consultant about SAML or security issues in Enterprise Message Buses and you’ll almost definitely draw blank stares. Ask application security consultants if they know about the latest HTTP or HTML spec and they’ll likely say yes (and want to demonstrate the latest issues) but if you ask them about the latest WS-x spec you’ll likely draw more blank stares.  When was the last time you saw an attack drawn out as a UML sequence diagram? This is worrying and somewhat sad. I don’t think we are culturing, encouraging and nurturing people with the right skills to make a positive difference. 

First, Karl Edwards of Excelsio, a firm that consults on municipal broadband, lays out a pretty straight case as to why EarthLink, Kite, and MetroFi's networks, among other one-offs, were designed to fail. I've written about aspects of this over the last four years, but Edwards is succinct. In part, EarthLink offering to build Philadelphia's network at no cost to the city set the mold wrong for all networks to follow. We're resetting now, and Wi-Fi's moment may have passed.

Edwards offers as one the constraints set by cities, "Expectation that the network would cover 90-95% of the City with wireless coverage as opposed to just in the areas where there was a solid business case." This has been a problem I've had for a couple of years when it started to become clear that 90-plus percent coverage wasn't in the interest of the ISP--nor in the city's interest because these networks couldn't be completed.

Edwards also notes that when consulting for Grand Rapids, Mich., which chose Clearwire as its wireless partner, EarthLink told the city that they expected a conservative 22-percent uptake for their Wi-Fi service by end of the fourth year. Given that in mature markets, a high-single-digit uptake is considered very good, that's shows how the Excel spreadsheets were skewed. USI Wireless's estimates for break-even require less than 10 percent of the population in their covered areas to subscribe, and their numbers of subscribers to date are tracking that number closely.

He closes with a set of eight principles for wireless network builders to come to the table with and cities to adopt, all of which I agree with.

Next, Esme Vos suggests a very modest proposal: San Francisco should have required all its cafes to offer free Wi-Fi, and then Fon or others could have aggregated and bundled access to these locations. There's a long set of comments accusing Esme of communism, socialism, utopianism, and other isms. The post and the comments make for lively reading.

Finally, Craig Plunkett, who operates hotspot networks around New York City and Long Island, chimes in with a summary of these opinions and the notion that muni-Fi jumped the shark when Ocean City, N.J., decided to put Wi-Fi in garbage cans. He points out that "an infill strategy" of providing service where needed and then extending from there is effective.

Although several other quick-service restaurants like McDonald's lack any comprehensive Wi-Fi plan--Burger King, Wendy's, and Subway to name three of the largest--Wayport is locked out of working with direct competitors. This opens the potential for another firm to handle a several-thousand-location network. Wayport has worked with both McDonald's corporate-owned stores (about 2/3rds of stores in the U.S.), as well as reaching out to franchisees, who Lowden noted pay a predetermined flat rate for the service via McDonald's. "It's made them incredibly efficient to be able to offer this to their franchisees at one price, instead of variable pricing," he noted. Wayport acts as the layer between various telecom providers, applications and services, and the stores.

Wayport provides several kinds of back-office services, although credit-card processing was the first thing htey rolled out. They've extended to remote video feeds for security, Redbox DVD rental systems that are found in some McDonald's, and kiosks used for job applications. Lowden said Wayport offers things as straightforward but critical as a dial-up fail-safe when a broadband connection drops.

Wayport also manages AT&T's hotspot network, which puts them in the unwiring seat for the 7,000-odd Starbucks stores that will converted from T-Mobile to AT&T service during 2008. Wayport was once the clear leader in the hotspot builder market, with T-Mobile in the second position. Now, Wayport will be operating through a direct contract or management agreement over 18,000 hotspots in the U.S.; T-Mobile will likely be the second biggest with a couple thousand locations (Borders and FedEx/Kinko's tops among them). The No. 3 player is hard to figure. Panera?

I've been predicting for some time that media on the edge--music, videos, movies, and games stored on servers on the local Wi-Fi network--will be the next big development in venue-oriented Wi-Fi, with Starbucks likely far in the lead. Lowden wouldn't comment on any specific plans in the works, of course, but said generally, "Storing and caching all that content on the edge...hasn't been leveraged in the past, but it will be in the future to create a very unique experience." At Barnes & Noble, Wayport caches some multimedia data that's available to customers in the stores.

The advantage for in-store media storage is that you can leverage the speed of the local network, and add additional access points to distribute network load. The choke point is no longer the Internet connection, but local network speed. I expect--though Wayport, AT&T, and Starbucks haven't said it--that Starbucks infrastructure will be all 802.11n for this reason, likely with both 2.4 GHz and 5 GHz support for the best throughput in the higher-frequency band for media transactions. (In fact, I wouldn't be surprised if you could only buy movies via 5 GHz.)

Lowden also noted that the proliferation of mobile devices with Wi-Fi built in have led to them reaching out to venues that wouldn't have made sense for them to work with previously, and for unlikely candidates to reach out to them, too. Wayport is now working with a number of healthcare facilities that, while they have their own network infrastructure, wanted to outsource public access Wi-Fi (whether they choose to charge or underwrite it), and certain applications that they're not as experienced with running themselves.

A little history: In 2001 and again in 2004, the heat seemed to be on the public side of Wi-Fi: lots of money to be made, ostensibly, lots of partnerships and venues to be built, and an overcrowded supply of infrastructure builders. The year before, Wayport looked to be an also-ran in the hotspot provider business.

Despite being one of the earliest firms to put Ethernet and then Wi-Fi into hotels, and build out hotspots in airports; and despite their survival of the first hotspot meltdown in 2001 during the dotcom crash and brief venture capital shortage; and despite their early entrance into allowing wholesale pricing for hotspot aggregators; the firm seemed about to be eclipsed by apparently deep-pocketed Cometa (with AT&T, IBM, and Intel in various capital and support roles), Toshiba's mom-and-pop focused turnkey system, and T-Mobile, which had the Starbucks contract. What a difference a year makes.

Cometa, Toshiba, and Wayport contended for the contract to build out back-office and public-access service at McDonald's in the U.S., and Wayport won. Within a few weeks, Toshiba passed its few hundred locations to Cometa, which shut its doors in May 2004. Wayport, meanwhile, had cooked up a strategy for McDonald's that it announced later that month.

Their approach involved a fixed-rate charged for unlimited access by retail network partners for all the locations in their pool. This meant that partners had a fixed cost, instead of a per-session cost, and Wayport could obtain specific revenue even before usage by a partner ramped up. Wayport hasn't discussed the details of this arrangement in depth since, but has partnered with Sony with its Mylo, Nintendo with its DS game player, and ZipIt with its wireless messaging appliance.

The McDonald's deal also apparently gave Wayport a way to extend its work with SBC-later-AT&T; Wayport had earlier in 2004 became the managed-services contractor for SBC to build out The UPS Store/Mailboxes Etc. nationwide. (UPS dropped AT&T as its partner in mid-2007, although that didn't appear to have anything to do with Wayport's role.)

AT&T through Wayport developed its large resold/managed footprint that incorporated resale of Wayport's McDonald's locations with the UPS Store and a few hundred other managed locations, including a handful of airports. The Cingular acquisition of AT&T Wireless put more airports in SBC's hands, too. (SBC was once the 60 percent majority owner of Cingular; when SBC and BellSouth, the other owner, merged that put the newly rebranded AT&T in charge of Cingular which it relabeled as AT&T. Confusing, huh?)

What are the telltale signs that your company is already Computing in the Cloud?

Is it when the CIO makes a big announcement at the monthly IT meeting?

Is it when the IT newsletter drops a reference to pilot testing of some ‘web based’ software?

Or, is it when the secretary whips out the boss’s Corporate Credit Card and signs up to a Cloud Service?

Here are 12 indicators that your company is *already* part of the Cloud:

1. Your internal helpdesk reports fewer password resets.
2. Finance contacts you to confirm all the DVD readers are disabled - they are puzzled by the number of recurring credit card charges for Amazon (are the secretaries spreading out their orders for “Lost” DVDs again?).
3. You are asked to authorise a network change ticket to send all outbound network traffic via the perimeter firewall, before being routed back to the internal server room (for performance reasons). 
4. You walk into the Data Center and it feels cooler than usual.
5. When the builders next door accidentally saw through the company Internet connection, people complain there must be a DoS attack going on as they can’t get to their files.
6. During physical inspections, you notice unexplained gaps in server cabinets.
7. Login failures go down, in fact login “attempts” in general go down but the company car park is full.
8. As you walk through the office, you notice all the “Security Awareness” posters have been replaced with pictures of Jeff Bezos (!)
9. You are asked to authorise a visit from the local environment group.  Fearing protesters, you are surprised to learn that your company has won a prize for reducing its Carbon Footprint
10. Your Intrusion Prevention System is preventing the call center from uploading contracts stored as GIF files.
11. You detect the presence of ‘malware’ in the form of unexplained ‘Machine Images’ on IT’s desktops.
12. You stop finding Windows passwords under keyboards, instead you find random hex digits next to the words ‘Access Key’ and ‘Secret Key’.  You sigh, but at least they are setting difficult to guess passwords now!

If you are charged with IT security in your company, you may want to start checking your web proxy logs for telltale signs that people are talking to the Cloud…or just talk to finance.

I’m back from the RSA 2008 Security Show in San Francisco and it was another great year of business development activity for security vendors. It felt like there was a decent amount of end user customers at the show but a lot more vendors touting their wares and looking to do work with each other. I sat and listened to many vendors complain about this however and listened to them complain about how they spend money year after year for these shows and rarely get to talk to customers. It felt to them that they hear more from other vendors that come up to their booth asking about partnering or OEM’ing there technology. Well, this does get old pretty fast when you are looking to sell product to justify your existence but for me it was refreshing to talk with other companies about partnering. I had the opportunity to talk to customers also but it was really exciting for me to have partnership discussions.

Why? Well over at Montego Networks where we are focusing on securing a new type of network (one that’s virtual) we believe in security through partnerships. Securing virtual environments is like exploring new frontier or a planned venture to Mars. Research scientists, chemists, doctors, collective minds and in this case a unity of security vendors we feel is the best approach to getting ready for this venture to the new Virtual World.

Virtual Environments need to be studied jointly in order to understand the new security risks, performance impacts and how to effectively secure it.  Montego Networks plans to do that and has announced its HyperVSecurity Alliance at RSA and has joined forces with Cyberoam, Lancope StillSecure and Plixer International in an effort to provide Anti-Malware, Network Access Control, Intrusion Prevention, Behavioral Analysis and Network Monitoring for the virtual environment.

See: 

http://www.montegonetworks.com/node/54

http://www.eweek.com/c/a/Security/Partnerships-are-Key-in-Virtualization-Security/ 

By establishing this type of alliance research engineers and vendors will be able to journey to the new Virtual Datacenter with all of the needed components and insight on securing networks. At the epicenter of this alliance is a security frame work designed by Montego Networks that allows various technologies to plug in to the center of the virtual environment which is the switching infrastructure.

Through Montego Networks HyperSwitch, which has the ability see virtual network communication between systems (virtual desktops & servers), a frame work is created that allows for user defined policy that can send traffic off to various places. An example of this is via the HyperSwitches Policy Based Switching engine which allows a user to create a policy that dictates that all email traffic will be directed to an Anti-Virus Gateway or its NetFlow capability which exports flow information to a Behavioral Analysis Engine. 

After these various systems do what they do with the data, they are also able to respond back to the frame work via an API called NSCP (Network Security Control Protocol) to instruct it to tack appropriate action. This could be an IDS system invoking a firewall policy or a Behavioral Analysis system telling the frame work to throttle back (slow down) a users traffic flow. The possibilities are limitless!

So, much like the frontier to the USA from England where we needed Doctors, Lawyers, Law Enforcement, Builders and Farmers, virtualization needs a coalition of security forces that can provide Anti-Virus, IPS, Firewall, Network Monitoring, Behavioral Analysis, etc. etc.   

The goal is to all co-exist in the virtual environment vs. fight for the same piece of land. I think this makes sense because all is needed in the virtual world!

Stay tuned, as the alliance will get bigger and stronger and give customers choice and independence as they look to secure the virtual datacenter. Learn your ABC’s! Anything But Cisco, Let Freedom Ring!