Martin MC Brown at ComputerWorld has a great post on capacity planning and cloud computing. He discusses a new book “The Art of Capacity Planning”. The problem with the current model of data center management is that often a large number of machines may sit relatively idle while waiting for the traffic spike that causes them to be used. This is a problem because it’s simply a waste of time and resources on a whole number of levels. Enter the cloud – or at least the “hope of cloud computing”.

Numbers – what do they really mean? IDC released a statement with a whole bunch of them from their “Worldwide Quarterly Server Virtualization Tracker”. The most interesting stat: x86 Virtualization License Market Standings. VMware owns 44% of the market, but Microsoft, in its first quarter of general availability for Microsoft Hyper-V (plus Virtual Server 2005), has 23% of the market of new shipments.

When a data owner's (a business) sensitive data is breached it is difficult to quantify the monetary loss. According to respectable survey sources, the average cost of sensitive data breach for a large size company is about $50,000. I am attempting here to think about this in simple mathametical terms:

There is a data breach. From the data owner's perspective the loss is:

Loss = Cost to protect data + Loss of business due to data theft aka cost of competitive disadvantage

From the data thief's perspective

Net Gain= [Cost of producing the data  *  Data freshness factor] - Cost to steal the data + Profit of business due to data aka gain of competitive advantage

From the above two equations it is very clear that this is not a zero sum game. There is a clear cost asymmetry for a data owner and for a data thief. When there is an asymmetry there is an opportunity. Data owner would not even know that the data is lost because the original copy of the data may be still intact - data thief could have simply copied the data. Data theft does not look like a car theft, there is no vacuum left behind. 

This motivates a data thief to keep the cost to steal low, steal highly valuable data that has a long shelf life and in a way that data owner will never even be aware of theft.

From a data thief's perspective, the cost to steal data if kept high would disincentive him. Moreover, Data freshness factor, i.e. how valuable this data is over period of time plays an important role. A good example is content of today's newspaper is hardly valuable tomorrow, but the content of newspaper two days ahead (if can be procured)would be invaluable. Data relevance is a function of time and other marketplace variables -  Data freshness Factor accounts for that variable. A good way to discourage data thief is to increase his/her cost to steal the data. There are other inferences from the above equation. If there exists no competitive advantage with the stolen data, hardly any thief would even venture to steal the data in the first place. If the cost of producing data is very low, then probably thief can just produce the data himself and would not attempt to steal the data. If the cost of theft is kept high, it would definitely deter the data thief from stealing data using technical mechanisms, then the data thief would exploit weak links in data security such as use of social engineering to get access to the data.

From data owner perspective protecting data becomes very important. How much would the owner be willing to spend? Not definitely the cost equal to cost of producing the data. 1% to 10% of cost of producing data is considered prudent. For a data owner it is difficult to estimate cost of data protection of a specific data, because it is not easy to chunkify data protection costs. Moreover, as Dan Geer says in his book, a data owner has to protect himself from number of intruders not just one.

It pays for a data owner to: be aware of data breaches (or data leaks), employ appropriate mechanisms to protect the data; the cost of protection which is fractional cost of the valuable data and enhance information security awareness of personnel who handle the data.

Data loss is not a zero sum game. The advantage is in favor of a data thief (data thieves rather). Data owner does not give much thought on the value of data unless there is a data theft. But, a data thief has every reason to think about economics of data theft before he acts to steal the data else data thief won't survive in this game and he is very well aware of his advantageous position.

The convergence of voice and video traffic are quickly transforming the growing complexity of networks at a torrid pace. IDC estimates that the skills gap in VOIP should grow to 19% by 2011.

This changing profile in the role of the network plays a key role in the skills shortage. Network enabled collaboration tools such as social networking apps and the Webex conferencing/collaboration solutions we use in our business each and every day are demanding a new set of IT skills to deliver business value.

My perspective is two-fold on this issue; the first is what I have seen in the resources we have attempted to hire! We give a very straightforward quick written/oral test to all new technical hires. This requires basic networking knowledge and some Unix commands. On average, (after filters from reputable recruiting firms, some with 5-10 years experience) less than 10% pass muster for the first filter we use in our hiring process. This is a troubling fact, which has cost us considerable time and effort to secure the right resources with competent skills. So I can say from our market assessment in a very strong technological job skills market, core Unix and networking foundation skills are slipping.

The second is that we as an IT Operations Management (ITOM) industry need to keep pushing hard to build better proactive and intuitive solutions to aggregate instrumentation from all Data Center tools, including more work around VOIP, video streaming, and collaboration so that we can ease this transition. If ITOM solutions become more proactive across the typical Cisco infrastructure that is commonly installed in the Data Center, we can free up some additional time for advanced “emerging technologies” training where existing IT workers can enhance their core skills and re-invigorate their careers. We have to do a much better job of getting our existing IT professionals trained on emerging technologies!

While there’s less that ScienceLogic can do around training, we certainly strive to do our part to enhance a day in the life of the networking engineers who use our solutions to simplify monitoring of increasingly complex networking, Wireless, VOIP, and collaboration needs.

However, it turns out there’s other effects as well. In a paper I presented last week to the Fifth Conference on Email and Anti-Spam (CEAS 2008), I showed that the first letter of the local part of the email address also plays a part.

Incoming email to Demon Internet where the email address local part (the bit left of the @) begins with “A” (think of these as aardvarks) is almost exactly 50% spam and 50% non-spam. However, where the local part begins with “Z” (zebras) then it is about 75% spam.

However, if one only considers “real” aardvarks and zebras, viz: where a particular email address was legitimate enough to receive some non-spam email, then the picture changes. If one treats an email address as “real” if there’s one non-spam email on average every second day, then real aardvarks receive 35% spam, but real zebras receive only 20% spam.

The most likely reason for these results is the prevalence of “dictionary” or “Rumpelstiltskin” attacks (where spammers guess addresses). If there are not many other zebras, then guessing zebra names is less likely.

Aardvarks should consider changing species — or asking their favourite email filter designer to think about how this unexpected empirical result can be leveraged into blocking more of their unwanted email.

[[[ ** Note that these percentages are way down from general spam rates because Demon rejects out of hand email from sites listed in the PBL (which are not expected to send email) and greylists email from sites in the ZEN list. This reduces overall volumes considerably -- so YMMV! ]]]

On the 29th episode of The Silver Bullet Security Podcast, Gary talks with Dennis Fisher, executive editor of The Security Media Group at TechTarget. Dennis helps run SearchSecurity.com and Information Security Magazine. Gary and Dennis discuss the current “BS factor” in security journalism, shopping at TJ Maxx right after the TJX privacy breach, the state of software security, and which is harder: being a fry cook at Hardees or working as a PR flack.

• Dennis’ blog
• TJX
• Joe Walsh plays dirty laundry
• Software Security Grows
• Dennis’ un-named podcast
• Series of Tubes
• Hardees
• Nike/iPod

This blog gives us a place to talk about our experiences from using the SDL here at Microsoft and hopefully provide useful information that will help you implement it more effectively at your company.  So, I would encourage you to use the Comments section at the bottom of each post to ask questions, give us feedback, or request other topics for us to cover.

Some quick definitions before we dive in. I’ve been using the imagery of learning to “crawl, walk and run” as a way to provide some basic starting points that would move your organization toward implementing the Security Development Lifecycle (SDL).  “Walking” is the point where your security development practices become a lifecycle – a repeatable, reusable process that makes security a part of your development culture. To relate the analogy to SDL a bit more closely, think of crawling as the “SD” in SDL. For this post, we’ll continue to talk about walking – or adding the “L” in SDL.

Let’s jump into another component for adopting the Microsoft SDL to expand your own Security Development Lifecycle.

Expand Security Training

Once you have management approval, it is necessary to gain grassroots acceptance of the changes – at the developer, QA/test, and PM levels. If you have been “crawling”, you have probably already implemented some sort of discipline-specific training around things like threat modeling, using compiler defenses, and fuzz testing. Now that you are building a lifecycle, your goal for security training should expand. Security training should be about creating an environment where writing secure software is everyone’s mission. While security training should be undertaken with the goal of understanding security issues and how to address them, good training (and instructors) will also explain why solving security problems is in their best interests and create an environment where they know voicing security concerns is encouraged.

Training has been one of the earliest and most important elements of the SDL at Microsoft. From our experience, we learned that the most effective approach is to divide your training into two tracks: general security principles and role-specific security practices. Before I jump into the details, I want to encourage you to also read Shawn Hernan’s very good post about SDL training that highlights some of the ways to make security training effective.

The general security principles should explain why security is important, how you define security requirements, the process you will use for writing and validating secure code, and how security relates to each phase of the lifecycle or unique roles contributing to the development process. A key factor for building a development lifecycle is educating your individual contributors on the value of investing in security. Of course changing culture takes time, but using the opportunity of structured training to explain your principles will be one of your most effective platforms for influencing change.

At this point in your organizational maturity, you are also beginning to expand your security thinking by focusing on each role in the development process. Discipline-specific security training is where you dig into the details of implementing a Security Development Lifecycle.

·         The developer needs to understand the practical details of how to write code securely, how to set compiler flags, what a security code review means, how to avoid using banned APIs, and what tools are available for them to perform security analysis before checking in their code.

·         The QA/tester needs to know how to set security rules in test tools, how to perform penetration testing, and what the security quality criteria is for your product, or how to file a security bug.

·         The PM needs to understand how to define measurable goals or how security policies can be factored into feature design.

·         The business decision maker of your organization should understand how to track security metrics alongside other product measurements or how security policy plays a critical role in the overall quality and value of your product.

·         Finally, it is critical for the employees occupying all job roles to understand the value of threat modeling – both as a tool for understanding threats early in the design phase and throughout the development process as a key barometer to the security pulse of your product.

Discipline-specific training will be the place to address these issues for your organization. In case you were wondering, all job roles should be required to attend both types of security training before working on your product.

Our new SDL website [http://www.microsoft.com/sdl] will be a very good place to watch for future training materials. The SDL Training and Resources page has some useful material up now and more will be coming in the future.

That’s Part Two. In Part Three, I will discuss the important “walk” components of formalizing security requirements and reusing threat models and attack surface reviews. Then we will close with the discussions on conducting final security reviews, and managing post-release documentation.

I’d like to hear if anyone is using the concept of “crawling” and “walking” to implement SDL in your company.

?        Do you provide security training to your employees today?

?        Do these additional training topics make sense in your organization?

?        What would you add to this that is unique to your application or company?