I’ve been sitting on this for a while and I’m glad I can now finally say it…

I’m delighted to announce that I have been invited to present at the World Summit of Cloud Computing, to be held in Israel on 1-2 December 2008.

The event is organised by Avner Algom from the IGT (Israeli Association of Grid Technologies). Putting my invitation to one side, I have to say its a stunning lineup of speakers. Its a who’s who of Cloud players. Avner has clearly done his homework!

Obviously I’ll be talking about the security aspects of Cloud Computing, delving into some of the areas I’ve written about here and some new material that I’m currently working on.

If you work for a company that is consdering future plans and Cloud Computing, you might want to take a look over the agenda. Compared to some other conferences, the ticket prices seem very reasonable to me.

Registration is now open.

If you have any questions, feel free to leave a comment below. I’ll do my best to get them answered. Also, if you know anyone that might benefit from 2 days in a beautiful part of Israel getting up to speed on Cloud Computing, feel free to send them this link.

We've worked with Kevin in our past lives at a previous training company, and we're glad to say that he's joined us as a Pluralsight instructor. Located in the United Kingdom, Kevin will be helping out in Europe as well as helping to round out our course curriculum, but more on that later!

The incident appeared to be connected to a construction crew working in the area where the blaze started, Darron Pisciotta, captain of operations for the Santa Clara County Fire Department, told InformationWeek. The work crew was the first to report the fire. More than 60 firefighters responded to the alarms.

I have a friend who’s been contracting down there, so glad to hear that no one was hurt!
I hope this doesn’t set development on the iTablet back;)

Hey, if you have construction workers in your area, tell them to be careful, okay?

Buying a lemon is always a bad thing – but when you pay $1 billion for it?! Back in 2005, Google bought a 5% stake in AOL for $1 billion and now is calling that investment “impaired”. That’s one way of putting it, so it’s a good thing Google has money to burn.

At LinuxWorld this week, Bob Sutor, VP of open source and standards at IBM, said that the next 10 years is “do or die” for open source software designed for specific industries. 10 years? That’s like 70 years in open source development time.

And finally…8/8/08…the Olympics are here! Network administrators around the world, except for Terry Childs, will be eyeing office network bandwidth closely as people go online to watch streaming video of the games. NBC and Microsoft will offer 2,200 hours of live video coverage with up to 20 simultaneous live streams of different events. Plus NBCOlympics.com will offer 3,000 hours of on-demand video content. The time difference means that much of the primetime events will be broadcast while the Western hemisphere is supposed to be hard at work. Me – I’m just glad it’s the weekend, and I can get the Olympics fix I’ve been waiting years for.

First, let me disclose something - my frantic efforts with the Paint allow me to proudly proclaim: I am a certified, trusted "Good Guy":

Good guys, let me tell you, do not need any controls placed on them; they are "trusted." Don't you have to trust somebody? Why not trust a sysadmin, for example?

So, what about controls? Ah, glad that you asked! "Controls" are for the bad guys; they are in place to prevent the bad guys from doing "an unspeakable evil" (tm) :-) on you. On the other hand, good guys are doing "the right thing" every time - why monitor them? It goes without saying that nobody ever moves between these groups, especially, not from "good guys" to "bad guys."

As I am rambling about this, many of my security-minded readers are wondering "what is Anton up to? Isn't it kind of OBVIOUS that controls are for everybody?" Controls know no good/bad! For example, a network control, say a NIPS, will block malicious web access due to a typo in a URL (by - gasp! - a good guy) or due to determined malicious hacking.

I think a few of my readers have watched one too many "Batman" movies and have acquired the dark side of the "IT hero" mentality." How about getting an "IT employee" mentality? If your boss is an idiot (and Terry's managers definitely seem pretty far gone in that direction...), than your "heroic duty" is to let them impale themselves on a sword of their idiocy, not to commit crimes (even if cybercrimes) to prevent that idiocy. Really, go find another job if you do not like the environment; good admins are needed in many places. For example, if your boss insists on posting all VPN passwords for all users publicly out of his sheer and unfathomable stupidity, it is your duty to tell him that it is "a very bad idea" - and not to change all passwords and not let him see it. "Doing you job" despite your boss and despite the law just doesn't work...

In other words, I want a banker making policy decisions at a bank, not a sysadmin. If a banker makes a wrong decision, his will suffer. If he is an idiot, he will most likely make the wrong decision. However, it is NOT the admin's decision to make - he does not "own" the business.  BTW, the fact that it is a city, not a bank, and it is taxpayer funded, does not change it.

Am I "anti-admin" for saying that admins should not run the business?  Am I "anti-admin" for saying controls (at least logging/auditing) on administrator activities are needed?  You call it "anti-admin", I call it common sense!!  Pray tell me, what makes admins float above accountability, control and  IT governance?

Please also read what Randy Smith said about this issue; a lot of good thoughts that I agree with.

Now I would like to respond to specific comments from my readers:

"What rankles your readers is how blithely you imply this problem has a simple or effective solution. It doesn't, all the processes or tools you advocate can do is speed up the time it takes to detect the lock-out, but not actually prevent it - i.e. they are ineffective at tackling the primary problem."

That is correct; the rogue admin problem has NO simple solution. You might prevent some (few, really) things, you might log some of them and then figure what happened, but there is no simple solution (it goes without saying that "just trust them" is NOT a solution...)

"We all know companies run without sane risk management all the time and are rarely held accountable in America. What makes you think anyone is "screwed"?"

Well, this is a good point; maybe I let my idealistic side take over. But, come on, just the fact that bad IT governance is somewhat common, doesn't make it right!

"Now ask yourself who is "screwed" by one person at a small company having all access and no accountability on a network. That's how I run my home network. Big deal."

Nobody is. I addressed it here. The risk is acceptable for smaller environments, usually. I don't have an overseeing body set up to control my home passwords :-)

"You seem to forget that sometimes the management just has to trust somebody. "

Addressed above.

"Chuvakin, you're a tool. Given the recent idiocy of the releasing of the VPN names and codes, it obviously shows that any sort of detest that Childs had against his superiors at the city were justified."

The fact that his bosses are idiots (which seems fairly well established!) does not make him right!

Bad boss + admin out of control =/= right :-)

"This is not a private organization. His superiors don't own the company and are NOT entitled to the data. We are, the taxpayers. And as a California taxpayer I fully support someone with the paranoia and technical skill of Terry Childs over a group of bureaucrats who release secure information to the public."

Properly evaluating this statement requires a law degree. Thus, no comment. Bureaucrats suck, but rogue admins are not a solution to that. Really!

"The guy was doing his job and doing it incredibly well, and keeping it out of the hands of those who, given their most recent choices, would bring potential disaster to the city."

He was NOT, unless crime is part of his job :-) Also, see comments on "IT heroes" above. If your boss is an idiot AND you don't like it, quit.

"Anton Chuvakin seems to think that all admins should be kept underneath management's boot at all times. [...]  Managers can't and don't understand what we do, and thus eventually come to the conclusion that we can't be trusted with our own knowledge. [...] Perhaps it's human nature to fear what you don't know or understand -- and that's why management can develop a fear of their own employees."

You say 'fear of employees', I say "insider risk management." You say "trust employees", I say "trust but [be able to] verify (=log)"

"his blog leads the casual reader to infer that their businesses are in danger of being hijacked by disgruntled Sys Admins and that isn’t the case." (from here)

Eh, not all businesses, but some businesses - definitely (hmm, see Terry Childs story or other published insider attack cases, all the way back to Omega Engineering case and maybe all the way back to ancient history)

"I despise people like Terry Childs, but despise Chicken Little’s like Anton Chuvakin even more." (from here)

You say  I am 'chicken little', I say "if your boss ignores insider risk management, he is stupid and deserves his business to fail."  I also add "if you think admins are 'above the law', you have a good chance of 'turning rogue' yourself AND then ending in jail."

Finally, this and my other posts about the case are inspired by on the media reporting; I possess no "insider knowledge" on this case  whatsoever.

Possibly related posts:

• "On Doomsaying (Terry Childs case)"
• "So ... Am I? Maybe I Am!"

Like most of the service providers we talk to, they look to virtualization to provide immediate benefits to the business – e.g, cost savings from server consolidation and support for Green IT through cutting power/cooling requirements. And one more dimension to virtualization – Opus launched a new service, vClustr, which is a virtual dedicated server that provides the benefits of a fully managed dedicated server at a fraction of the cost…managed by EM7, of course.

We were happy to help Opus by working with them to implement our EM7 solution. Their growth plan was severely limited by inefficient processes and tools. As Opus grew rapidly in 2006, the tools they had in place were not easy to integrate as they were managed independently. There was a manual billing and ticketing infrastructure in place, and valuable engineer time was spent on maintaining what they had instead of enabling business growth. The company faced a choice, either grow by adding overhead and bodies or grow through automation.

Opus chose automation. They needed an automated solution to cover their immediate needs, and also enable them to scale processes for emerging technologies and future service offerings. Throughout their growth, Opus wanted to maintain their “customer first” philosophy and expand their green efforts.

By choosing EM7, Opus was able to replace their multiple, disparate tools with a single, integrated management system for networks, servers, applications, service desk assets and virtualization infrastructure. EM7 provided automated billing, ticketing, alerts and escalation options as well as a branded customer portal for transparency and self-service ticketing.

The results were tremendous. Opus Interactive recouped $130k per year of engineering resources. They automated critical operations to increase efficiency, enabled proactive monitoring and prepared for growth, while giving the business the processes and tools to grow the business without additional human capital resources.

We’re glad that we could help such a great company achieve their goals of providing an efficient “best-in-class” solution that combined superior customer service with a green philosophy.

Get the entire case study here.

ShareThis

In a blast from the past, Sybase is aiming to be your mobile phone security provider. According to this article in Information Week, Sybase iAnywhere division's, Afaria security line already provides device authentication and encryption and now will add anti-virus and firewall capabilities.

I was glad to see the Sybase name in the article.  I have fond memories of Sybase on Sun servers from my early web hosting days.  It is also good to see a new competitor in the mobile phone business. Lets see if Sybase gives the McAfee's, Symatecs, etc a run for their money. Or who knows maybe another not yet heard from name will come out to dominate the mobile phone market.

What I also was unaware of was that there were over 500 viruses that target mobile phones.  With Sybase covering Windows Mobile, Symbian (they just went open source), Blackberry and more, even the Apple iPhone appears to be covered.  Though overall I still think this is an immature market, it will be interesting to see who steps up.

In a blast from the past, Sybase is aiming to be your mobile phone security provider. According to this article in Information Week, Sybase iAnywhere division's, Afaria security line already provides device authentication and encryption and now will add anti-virus and firewall capabilities.

I was glad to see the Sybase name in the article.  I have fond memories of Sybase on Sun servers from my early web hosting days.  It is also good to see a new competitor in the mobile phone business. Lets see if Sybase gives the McAfee's, Symatecs, etc a run for their money. Or who knows maybe another not yet heard from name will come out to dominate the mobile phone market.

What I also was unaware of was that there were over 500 viruses that target mobile phones.  With Sybase covering Windows Mobile, Symbian (they just went open source), Blackberry and more, even the Apple iPhone appears to be covered.  Though overall I still think this is an immature market, it will be interesting to see who steps up.