Lots being written about the Cloud, most of it quite dark and gloomy.  In fact I’m surprised, that Hoff hasn’t got a preso spooled up called “The Toxic Cloud” or something similarly ominous for his next speaking tour.
That said, the Economist does a great job distilling the issue into a simple statement -

Cloud computing is a trade-off between sovereignty and efficiency.

Let me ask you -  if you had to put your money on one of those horses, considering your average profit-preoccupied business, which would it be?  I’d put my bottom dollar on the thoroughbred named “Cost Center Reduction”, to place.

WHO ARE WE TO STAND IN THE WAY OF “PROGRESS”?

I’m always fond of Jack’s rule that the role of information risk management boils down to three deceptively simple premises:

• Reduce Risk.
• Reduce Loss.
• Create Operational Efficiencies.

So it would seem antithetical to the charter of the Chief Security Officer to stand in the way of progress as embodied by “cloud computing” (not to mention dangerous to long-term job security).  And I think that this presents opportunities to discuss strategies for managing risk, strategies that aren’t too theoretical and have practical application (though actual “cloud” use by enterprises may be rare at this point).

ON RISK REDUCTION IN THE CLOUD (or, How To Learn From the Shortcomings of PCI DSS)

The good news is, there’s already a well-established model for managing the risk around outsourcing the processing of “confidential” information.  The bad news is, that model kinda sucks it.

The Payment Card Industry, known as the “PCI” or “meal ticket” to many in the industry, faced a similar problem with the introduction of GLBA.  As I see it (and I’m not at all close to the PCI, at all, so this is all just abstract soliloquy) the PCI had one of two choices when faced with the prospect of other people managing their sensitive information:

1. Accept the *massive* amount of GLBA risk their business creates and spend a TON of money to build out the infrastructure (both process and IT) to manage the consumer data themselves (in conjunction with the banks, of course) and never have it grace the computing systems of the retailer.  Or,
2. Transfer the GLBA risk down to the retailer and have them bear the majority of the risk (and cost of reducing risk to a level that might be tolerable to the US Government).

(Martin, you may recall our Twittering about PCI a while back.  This is the crux of my view on the subj.)

Now fortunately, the CSO’s of the world are going to be a little more “invested” in protecting the information they are stewards over, and unlike the PCI, will remain primarily responsible for the C, I, & A of the data in the Cloud.  The cool thing is, this actually presents a great opportunity to start building a meaningful model for co-management of risk!  In fact, we can take the PCI model of contractual risk transference but modify where it goes all wrong, and start working to create something better.  And we can start by euthanizing some faulty assumptions.

JUST HOW INFORMATIVE IS PCI DSS?

What might be the.greatest.mistake of the standards compliance mentality is the assumption of value for the past-state measurement.  That is, I believe that the CSO needs more than some “past-state” assurance in order to understand their risk.    If you look at the concept of “PCI compliance” it really is an examination of a past state of nature that is assumed to be relevant to current and future states.   Many people (myself included) are not at all convinced that this past-state is nearly as informative as those who mandate it’s measurement believe it to be.

That’s not to condemn past-state measurements as completely non-informative,  they most certainly are useful.  It’s just that no self-respecting CSO sleeps well because they were deemed “PCI compliant” 10 months ago.  They sleep well because they have good visibility into current-state information and confidence in their strategy concerning future-state (based on that visibility and the outcomes of sound IRM models).

MOVING PAST THE VULNERABILITY SCANNER INTO INTELLIGENCE AND WISDOM

So realizing this new importance (to me, at least) concerning visibility and IRM models, I’m lead to the conclusion that if we are to manage risk in the Cloud, we’ll have to move beyond “PCI Compliance” or the concept that some regular “audit” of controls in place at the host is all we need to understand our ability to manage risk.  No, the CSO must have good information concerning current and probable future states.   This is that “visibility” I spoke of above.  In fact, we’ll need significant amounts of piercing, transparent visibility.  And in order to gain that visibility, our insight into Cloud Risk Management must include significant provisions for understanding a joint ability to Prevent/Detect/Respond as well as provisions for managing the risk that one of the participants won’t provide that visibility or ability via SLA’s and penalties . These SLA’s must be expressed in measurable terms (more visibility), and those metrics must have their roots in the things that help understand how we manage risk (those aforementioned IRM models).

THE CLOUD COMPUTING SECURITY SILVER LINING (sorry couldn’t resist)

As I mentioned earlier, I do see an opportunity to create insight.  The need for visibility and IRM models would allow us to create a “guidance” if you’ll allow me to use the term.  Not a standard or a “best practice” to audit by, but simply a reference document that says “if you’re going to put information on somebody else’s systems and still hold some significant responsibility for that information, here’s the considerations, why they are considerations, and how you might go about collaborating on the management of risk”.

And I think that if we undertake this journey, there is going to be a lot of growth and risk management innovation along the way.  But keen insights into what it means to manage risk will be necessary, and secure and forthright collaboration will be of absolute importance.

I say that last bit because, if these pundits are right about the utility of a hosted computing model - the Cloud will happen regardless of the CSO’s ability or desire to manage it.

There are some days where nothing strikes me as interesting enough to blog.  Than there are days like today where there are just too many things that I find compelling enough to comment on.  So rather than do 4 or 5 posts today, let me condense all of this goodness (I hope) into one post:

1. Sophos releases "financial results ahead of analysts expectations". While I applaud the Sophos folks for making public their revenue numbers (at least gross, net and deferred totals it seems), I am not sure what analysts they are talking about.  As a private company, it is not like people are trading their stock and the financial analyst crowd is putting their numbers on the street.  200+m is a lot of revenue, even for an AV company and 40+m to the bottom line is impressive, but until you are public, no one is holding your feet to the fire and analyst coverage is just not the same.

Authors note: Dr. Jan Hruska, co-founder of Sophos wrote me off line and gave me permission to publish this comment: 2. Apple is ready to enter the platform war - Larry Dignan over at ZDNet has some good comments and stats on Apple vying with Microsoft and Linux/open source to be "the platform" of the future. I agree that the iPhone and iPod are Trojan Horses into the enterprise and along with the Mac represent a viable platform that could compete with Microsoft and the Linux/open source crowd.  However, I don't think you can judge how many developers are developing Mac/iPhone apps based on the crowd at the upcoming WWDC (worldwide developer conference).  Steve Jobs is a master showman and I think these conferences have become media events.  Many people are there to to twitter and report and to "be there".

In October last year we prepared for a float on the London Stock Exchange. As a part of the exercise we had analysts from the three sponsor banks produce their projections for revenue etc for the next three years. We did better that their projections for 2007/08.

Larry is right though that Apple has to balance being too iPhone and iPod crazy at the risk of ignoring the "real" platform here the Mac.  His example about PGP developing a Mac version is a great point.  I have heard many other security companies likewise bringing Mac versions to market. This graphic I think shows the point well:

  But my ultimate point on this one is that the ultimate platform will be the web.  What the underlying OS is for future web apps should be somewhat meaningless.  The webtop platform would seem to me to be the platform going forward!

In any event the WWDC should be a lot of fun and I will be watching to see if any new reports come out.

3. Belden buys Trapeze - Another independent WLAN provider gets bought. Doesn't seem like a great multiple, 133m on 2007 revenue of 56m.  There are not many independent WLAN providers out there now.  Meru Networks is probably the biggest of the bunch. You don't hear too many people saying that wireless is not here yet anymore.

4. McAfee still chasing the dragon on security ROI - McAfee announced that using the Forrester Economic Impact Calculator you can now easily find out your ROI from buying a McAfee product. They have a very nice diagram that I have pasted in here. They ask you to plug in a few numbers about type of security you want, desktops, laptops and servers and presto - they give you an ROI.  I didn't call them to get the scoop, but it really underwhelmed me.  Looks like smoke and mirrors to me, just like many of these security ROIs do.

There are some days where nothing strikes me as interesting enough to blog.  Than there are days like today where there are just too many things that I find compelling enough to comment on.  So rather than do 4 or 5 posts today, let me condense all of this goodness (I hope) into one post:

1. Sophos releases "financial results ahead of analysts expectations". While I applaud the Sophos folks for making public their revenue numbers (at least gross, net and deferred totals it seems), I am not sure what analysts they are talking about.  As a private company, it is not like people are trading their stock and the financial analyst crowd is putting their numbers on the street.  200+m is a lot of revenue, even for an AV company and 40+m to the bottom line is impressive, but until you are public, no one is holding your feet to the fire and analyst coverage is just not the same.

2. Apple is ready to enter the platform war - Larry Dignan over at ZDNet has some good comments and stats on Apple vying with Microsoft and Linux/open source to be "the platform" of the future. I agree that the iPhone and iPod are Trojan Horses into the enterprise and along with the Mac represent a viable platform that could compete with Microsoft and the Linux/open source crowd.  However, I don't think you can judge how many developers are developing Mac/iPhone apps based on the crowd at the upcoming WWDC (worldwide developer conference).  Steve Jobs is a master showman and I think these conferences have become media events.  Many people are there to to twitter and report and to "be there".

Larry is right though that Apple has to balance being too iPhone and iPod crazy at the risk of ignoring the "real" platform here the Mac.  His example about PGP developing a Mac version is a great point.  I have heard many other security companies likewise bringing Mac versions to market. This graphic I think shows the point well:

  But my ultimate point on this one is that the ultimate platform will be the web.  What the underlying OS is for future web apps should be somewhat meaningless.  The webtop platform would seem to me to be the platform going forward!

In any event the WWDC should be a lot of fun and I will be watching to see if any new reports come out.

3. Belden buys Trapeze - Another independent WLAN provider gets bought. Doesn't seem like a great multiple, 133m on 2007 revenue of 56m.  There are not many independent WLAN providers out there now.  Meru Networks is probably the biggest of the bunch. You don't hear too many people saying that wireless is not here yet anymore.

4. McAfee still chasing the dragon on security ROI - McAfee announced that using the Forrester Economic Impact Calculator you can now easily find out your ROI from buying a McAfee product. They have a very nice diagram that I have pasted in here. They ask you to plug in a few numbers about type of security you want, desktops, laptops and servers and presto - they give you an ROI.  I didn't call them to get the scoop, but it really underwhelmed me.  Looks like smoke and mirrors to me, just like many of these security ROIs do.

I am not what you would consider a huge fan of horse racing.  The last time I bet on a race was when I was 18 and on of my uncles horses was running and I bet all I had on him, only to see him pull up and stop at the top of the stretch.  I guess I was somewhat spoiled growing up though, because during the 70's when I was first introduced to horse racing, we saw 3 triple crown winners.

The first triple crown winner I saw was the incomparable Secretariat. Anyone who saw him will not forget Big Red coming down himself on the stretch of the Belmont Stakes, putting the crowning touch on his triple crown campaign. Five years later, Seattle Slew beat all comers to win the triple crown himself. He was a big impressive horse and a favorite of the crowd. Just the next year, Affirmed won all three triple crown races, each one in a neck and neck battle with Alydar.  What series that was, with Steve Cauthen pushing Affirmed to the win each time, but Alydar was the favorite of the crowd.  What hearts the both of those horses had!

if you would have told me after Affirmed won in 1978, that I would not see another one for at least 30 years I would not have believed you.  But almost every year it seems some horse wins the Derby, is able to hold on and win the Preakness, but then the Belmont, the test of champions looms and they come up short.  Either bad breaks, bad breeding or something else conspires to deprive the sport of what it needs to give it a badly needed shot of publicity.

This year it was Big Brown.  The horse looked unbeatable in the first two legs of the triple crown.  He didn't look too bad early in the race. But at the top of the stretch when he was asked to turn it on, he just had no gas in the tank. He joins a long list of horses who stood on the cusp of immortality, but came up a little short.

I guess we will have to wait to next year or maybe the year after to see if anyone has what it takes.  I sure hope I get to see at least one more triple crown winner in my life!