Richard Stallman - the man that gave us GNU - doesn’t trust Cloud providers with his data and says you shouldn’t either.  Richard believes we should store our private data on our own computers using ‘free’ (as in freedom) software.  The ironic part for Richard is that a significant portion of the Cloud is powered by open source software which he indirectly created (think gcc).

Richard sees it as a question of control.  Control is important but it isn’t the only variable.  Rather, I see it as a question of control, competence and economics.

The quick rebuttal to Richards’ view is this: the average computer user is not as smart as you.  Control is not the same as competence.  Control is about exercising choice, not about requiring everyone in the world to develop sufficient skills to protect complex hardware and software systems (aka their computer) against ever increasing threats.

My view is that privacy is not ‘free’.  It comes at a cost.  Whether you run your own systems or rely on someone else to do it, there is a cost.  There is cost in designing and implementing mechanisms to support privacy.  Beyond upfront costs there are ongoing expenditures to ensure privacy is maintained e.g. maintaining access control lists, testing and applying security patches, data leakage prevention etc.  None of these things are ‘free’.

If we agree that privacy costs money then how much is your privacy worth?

Stop for a second - think of a number…  

Now did we all think of the same number?

The problem with a one size fits all approach to privacy is that we each place a different value on it.

Checking in on the EPIC site, I saw this:  

A new report from Pew Internet and American Life Project indicates that “cloud computing” applications, such as web-based email and other web apps, are raising new privacy concerns. The report Use of Cloud Computing: Applications and Services found that 69% of online Americans use webmail services, store data online, or use software programs such as word processing applications whose functionality is located on the web. At the same time, “users report high levels of concern when presented with scenarios in which companies may put their data to uses of which they may not be aware.” For example, 90% of respondents said that they “would be very concerned if the company at which their data were stored sold it to another party,” 80% say “they would be very concerned if companies used their photos or other data in marketing campaigns,” and 68% of “users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.”

What does that tell us?

The average (American) Internet user finds Cloud services convenient but has concerns about how their privacy might be affected by Cloud providers actions (duh!).  The survey identifies a lack of awareness in how private data is used in some consumer based Cloud services (consistent with web advertising awareness surveys).  

Unfortunately, the results of this survey are not very actionable.  The survey doesn’t mention whether these are all ‘free’ Cloud services (we can only assume they are) or ask the respondents what their expectations of privacy are and how much they would be willing to pay for different privacy assurance levels. 

On a sidenote, respondents were not asked if they had actually read the privacy agreement for the services they signed up to.  But the providers know if they did or not…  Or at least, they have the data to figure it out.  At sign up time they can measure the time between displaying the privacy agreement and the user clicking ‘I accept’.  If its just a few seconds then its pretty obvious there was more scrolling than reading going on.  But I think we can probably guess the answer without the data ;-).

I believe we need to be able to link expectation of privacy with cost.

• How much are you willing to pay for privacy?  What level of privacy assurance do you need?
• How much is your Cloud Provider paying to protect your privacy today?  What privacy services could they reasonably offer if they had customers willing to pay?  How might this compare with how you manage your private data on your home computer today?

The cynical view is that we expect privacy but don’t want to pay for it.  Its a bit like uptime - there is a parallel universe out there, where internal IT departments allegedly meet their 99.999% uptime SLAs, but when Gmail goes down, the Sergey Brin witchcraft dolls come out.

From a provider perspective, the “cost” of privacy invariably gets bundled under that line item called ‘Information Security’.  And don’t be fooled, the cost of privacy in reality is more than the salary of the person employed to be the privacy advocate (if there is one).  If we can’t see how much our providers are spending on our privacy then how can we judge if they are spending enough?  And what is enough?  And what can I get if I’m willing to pay a little extra?

Personally, I would rather we get some transparency around privacy costs and assessment of offerings.  However, without a sufficiently sized market of customers willing to pay for privacy assurance and Cloud Providers willing to be more open, I won’t hold my breath.

What about you?  Would you be prepared to pay for privacy?  Should providers be more transparent about what they do and don’t do and how they do it?
 
 

A 24-year-old convert to Islam has been sentenced to 35 years in prison for plotting to set off hand grenades in a crowded shopping mall during the Christmas season.

But I thought "weapons of mass destruction" was reserved for nuclear, chemical, and biological weapons.

He was arrested in 2006 on charges of scheming to use weapons of mass destruction at the Cherryvale Mall in the northern Illinois city of Rockford.

Like the continuing cheapening of the word "terrorism," we are now cheapening the term "weapons of mass destruction."

Dan described the Managed Hosting and colocation sector as “on fire” The sector is humming – incredible growth, outstanding execution, blowing away expectations. I must say, looking back 5 years ago after the tech bubble collapse, I can’t believe how strong the sector bounced back from those very difficult times.

His presentation was focused on a future, and a longer view for the industry. The HTS conference is packed this year with the largest attendance of Datacenter owners, Managed hosting and colocation companies ever to attend this conference.

• Demand steady or increasing in all markets, driven largely by capex constraints and greater awareness and choices.
• Supply is growing more slowly in the past 18 months as the credit crunch has hurt the ability of providers to expand ( it is very hard to get mortgages, loans only on new datacenter projects). Expansion build-out of existing shells is occurring, but very little on spec.
• Demand Growth of 15% in 2008. (Steady and increasing in the out years) However after supply growth peaked at 7.5% in 2007 supply growth now has slowed to 5%
• Dan believes that supply growth will pick back up again in 2011

Conclusions – supply is tight, demand is high and growing…this very good news for the industry.

• Some other trends:
  • The green initiatives are more than just a trend as datacenter owners who don’t figure out how to maximize power efficiency will be painted as villains.
  • Internet traffic and services consumption are linked as Internet traffic growth has been doubling every year (2005-2007)
  • Prediction: 2011 -2012 - internet traffic will get an exaflood – it is coming with a new breed of applications (set to boxes HD Video, games, etc.) that will drive new traffic patterns. Growth driven by consumer broadband + applications (HD video) applications, which in turn will drive demand for Managed Hosting / Colocation Services…

Managed Hosting Services Highlights

• Incredibly fast growth 30%+
• $10 Billion worldwide revenue by end of 2008
• We’ll keep growth pace until at least 2011
• Good news, Dan believes that fears about slowdown in growth are wildly overblown.

Why is managed hosting growing so fast?

• Demographic shifts – new breed of IT employees that embrace outsourcing
• Growth in internet applications (SaaS) The acceptance and growth of browser based applications has been enormous!
• Ambiguity between web hosting and managed hosting has turned positive

Dan’s Key success factors managed hosting and services

• High margin services – and not too many – it is so tempting in our day to day business when a customer comes along and wants to come and give us money for a unique on-off service… at this point the answer has to be no – or do it through a partner.
• High level of support delivery is critical – don’t cut pay in support people or outsource support to save a nickel… what you are selling is support. Keep doing this well or you will head into a bad place… just as examples in retail like Home Depot and others who have struggled with customer service challenges – the whole business starts to slide into the toilet… High levels of support delivers a strong word of mouth buying cycle

Final thoughts, the industry is healthy and will continue to thrive. Customers are looking for the one stop shop, one company that is a trusted advisor to the customer. As customers place more eggs in the Managed Service bucket, the industry will need to tighten-up those SLA’s. Today some parts of the industry have been getting away with loose SLA’s… as customers get more sophisticated and have more on the line, they will become more demanding and require robust multi-component SLAs and back-it –up.

OnAir has so far tested their calling/texting-only service on two aircraft--one operated by Air France, one by TAP Portugal--even though RyanAir announced plans that its planes would started being unwired with the service by late 2007. Still no word on that fleet progress.

Qantas will apparently launch cached Web browsing and limited Web email (probably through a proxy) along with instant messaging, with full Internet service coming "later in 2009." This is clearly due to a lack of satellite coverage that was just remediated a few weeks ago (see below). The first plane with limited service, a new A380, should be in flight 20-October-2008.

The Morning Herald seems to overstate the importance and scope of a complaint filed by the union representing American Airlines' flight attendants. The detailed coverage in the U.S. had more to do with the potential for issues, and likely attendants lack of interest in policing yet another media on the plane. Filtering doesn't work, the attendants probably already know, and this may just be a negotiating point with the airline.

On why Qantas is waiting until late 2009? This requires unwinding how OnAir gets its signal.

Aeromobile and OnAir both rely on Inmarsat satellites for their service. Both companies had several years ago staked their futures on the fourth-generation network Inmarsat was to inaugurate with three satellites that would use beamforming to allow precise delivery of nearly 500 Kbps per receiver, with hundreds or thousands of regions being able to be targeted from a single satellite. Inmarsat's third-gen network--don't confuse this with 3G cellular ground-based networks--can deliver about 64 Kbps per channel.

Now, unfortunately, Inmarsat was three years late on launching its trans-Pacific bird. While the company claims 85 percent coverage of the earth and 98 percent coverage of population, there's a big gap over the Pacific that also prevents them from having good overlap between the U.S. and Japan/China/Korea, as well as the southern Pacific, covering Australia. Since the biggest market for long-haul flights would likely be Australia, Japan, and China, traveling trans-Pacific or trans-hemispheric routes, that gap is rather large.

Aeromobile opted to build out a service, deployed only by Emirates airline as far as I can tell, that uses the 3G service since it was available, and most necessary equipment is already installed on most over-water planes. OnAir was waiting for 4G, which has necessitated a long wait, but allowed them to launch in Europe with a seemingly next-generation service. Given that OnAir is controlled by an airline-owned integration firm, SITA, and by Airbus, they're not going anywhere.

Inmarsat finally lofted its third satellite on Baikonur Cosmodrome in Kazakhstan on 19-August-2008, and the launch and separation was reported as successful. Previously, the company has needed up to a year to verify and deploy its 4G satellites. (You can read extremely close coverage of the launch at a Web site devoted to space enthusiasm.)

However, the dirty little secret about Inmarsat's BGAN is that it costs a fortune to heft bandwidth across it. Thus, in-flight broadband over BGAN, if it's ever available, is going to be changed on an extremely high per-MB rate. None of the providers want to say this. This is in contrast to Row 44 (and, once, Connexion by Boeing), which relies on leased Ku-band transponders where they can fix costs and they require high volumes to keep per-bit costs efffectively low.

OnAir's launch of calling on Air France's service involves paying a few euros per minute for calls, which might help you understand what data costs could ultimately run.

In any case, if you do pentests, think about all the RECENT cases where you break in to a major corporation through:

• a Solaris system with Internet-exposed telnet with a guessable password OR a telnet vulnerability (circa 1994!)
• an exposed VPN appliance with a manufacturer's administrator password
• a router with default "enable" password
• or, something else entirely - but something that rivals the above example in its unparalleled, unbelievable, abysmal, deep idiocy.

Indeed, many of my pentesting friends still report plenty of such cases (one was also featured in the presentation mentioned above). Whenever I hear about it from a pentester, I always ask:

Do you think "somebody bad" had already passed through the hole you just discovered?

Maybe an hour ago, a day ago - or a year ago?!

I cannot see how the answer can be "no."

Even though pentesters usually don't focus on forensics (no time for this), it is not uncommon to notice "your predecessor's" intrusion traces while you break through systems, "plant flags", change screen backgrounds [for the admins to notice that you've been there...], etc.

Let's think what this situation really means? Here are the choices I see:

1. Nobody discovered the hole - a law of large  numbers (aka "dumb luck") have "shielded" the company from an incident. Yes, Virginia, dumb luck IS a security strategy for some companies... AND it works for them.
2. It was discovered, but not used/abused by the attacker - maybe he was busy hacking other systems, or saved this for later and never came back due to his ADD. Congratulation, you win! The immense power of dumb luck wrapped you in a protective "security" blanket ... again :-)
3. It was discovered; the attacker went in, looked around and compromised a few others systems, but found nothing of interest (no low hanging fruits)  - and he was not a bot herder. Again, you win. Next time you are in Vegas, bet on "00."
4. It was discovered; the attacker went in and deployed a bot on "your" system - given how many botnets are there, this situation is clearly acceptable to many organizations. In this case, dumb luck strategy, apparently, still work: so they use your box to spam and phish somebody else ... big deal!
5. It was discovered; the attacker went in and stole all your credit card information (it is now for sale) - even in this case, the user of "the dumb luck strategy" still "wins" (in some perverse sense)! Unless and until the stolen information IS tracked back to you OR a friendly neighborhood PCI auditor come and jams a broomstick up your ..., you can still continue to be stupid at your leisure and ignore basic security practices.
6. It was discovered; the attacker went in and stole your CEO's Inbox, including the email related to his affair (it is now on CNN) - now, in this case, you lose AND it is time to stop being stupid! Welcome to the "0wned world." Time to launch (relaunch?) your security program and get serious.

What does this teach us about RISK? The lesson here is important:

• For a security professional, an Internet-exposed system with "root/root" is an obvious HUGE risk!
• For your boss's boss's boss, it is NOT!

This is exactly why I think that the most critical problem in security today is METRICS. Metrics that a) work AND mean something to decision makers and b) can be clearly communicated to said decision makers [BTW, a) and b) are two separate problems.] Metrics that cover not only threats and vulnerabilities we face, but also the effectiveness of security countermeasures we deploy. Metrics you can act on - and ones your boss (and his boss) will act on. Metrics that lead to correct decisions about which risks to accept, which to  mitigate (all while knowing with what efficiency such mitigation occurs) and which to transfer.

Until that time, the dreaded "C-word" (compliance) will trump "the other C-word" (common sense) as a driver for security ... and we will continue to live in the "0wned world."

Possibly related posts:

• Risk vs Risk 

• Moderator: Jim Metzler, Vice President, Ashton, Metzler & Associates
• Rowan Snyder, CIO, KPMG
• David Michael, CIO, United Business Media Group
• Joanna Young, Chief Information Officer, Corporate Information Systems & Enterprise Services, Liberty Mutual

Jim: Is the CIO a technical job anymore? For example, inside Liberty there are business projects with an IT component.

Joanna: We are organized to partner with internal business clients or vendors who provide objectives and business requirements. We strive to figure out the smallest amount of an IT investment we can make to get this to work.

Rowan: We have both. Part of the dilemma is that the thing that sells the best is fear. I don’t want to use that to get business.

Joanna: One good example is security from an application perspective. It’s hard to talk about security investments in business terms. We put it into terms like “this is what it will cost us if we DON’T do this.” For example, a solution for spam required us to do research into what it was costing us overall. Once we put it together, the business was all for it. You have to put your business hat on and think “how can I make this important for a businessperson?” If you can’t, you may need to ask yourself why you’re pushing services on them that they may not need.

Jim: Can you give us insight into business-IT alignment? What about governance?

Rowan: Governance is the hardest part of IT. It’s not like the technology is easy. If it’s a business project with an IT component, I don’t usually get involved. It comes down to overall budget. The infrastructure we own and let people know exactly what it will cost to do it. We are a distributed IT firm, there are multiple groups. This is the most distributed and risk-prone organization I’ve worked in. It can be difficult for the business to exert control. It demonstrates risk, in security, compliance, methodologies, etc.

Joanna: Governance has become a word that nobody wants to use. It suddenly implies that IT is the holder of all the money and they are the ones that get to decide. We stopped using that word and position IT as a strategic business partner.

David: We have a highly decentralized IT set-up. We have about 600 globally and around 40 in the headquarters. We have 10 CIOs for each division, and within each division it is decentralized. We try to run each unit as autonomous. This is a close alignment with IT and business. However, then the problem of how do you have commonality between divisions and collaboration?

Jim: How can you minimize risk in distributed environment using standards and procedures?

David: The reality is it can be impractical for an organization. You end up with a patchwork of platforms and technologies. We have to accept that we’ll have multiple solutions. We can attempt to push a standard, but overall have a much more relaxed approach to manage everything. There is a lot of equality between divisions in what they can choose to purchase.

Joanna: Standards are easier to apply the further down the staff you are. The most important thing with any of this is to understand why you are making the decisions. If there is a process and pros and cons are identified, there is a clear record of why decisions were made.

Audience Poll: Everyone raised their hand that MORE standards were needed.

Audience Question: Are there inefficiencies in the data center in terms of energy and green IT? What are you doing about it?

Joanna: Everyone focuses on cars for carbon footprints. But, it’s really buildings…and then data centers. The data center has the same importance as any other efficiency. They need to be running as cheaply as possible. Corporations have a responsibility to make sure they are energy efficient.

Rowan: We recently did a carbon footprint analysis, and found that half of carbon comes from electricity, with half of that from the data center.

David: Every company does have a responsibility to look at its carbon emission globally. Consider international travel, flying, etc. As much as possible, we are not building data centers. We are using other people’s data centers in an effort to get out of the data center business.

Audience Question: How do you balance the good from standards with agile development and possible roadblocks?

Joanna: Luckily agile development is under the CIO’s control. You can see the lifecycle and savings that occur. When I look, I check what the standards are that I’m measuring by.

Jim: Does web 2.0 have any business meaning in your environment? If so, what are you doing about it?

Joanna: I’ve been in IT for 20 years. It’s another component to business IT investment, and has to be presented as such. As IT professionals we have a responsibility to identify what Web 2.0 is, and then translate to see if there is anything the company should be doing with it. Monitor it based on your current portfolio, and consider its impact.

David: It’s pretty important to our business as a media company. I don’t think it means one thing, it’s a term people use to talk about the web and what’s going on online. From mobile, to ajax, cloud computing or mashups - you can draw multiple conclusions. More and more business is being done online. We have a lot of growth opportunities online.

Rowan: Compliance, security, and privacy issues just explode with Web 2.0.

Introduction

Virtualization is a word used by consumers and also by IT. But, do we all mean the same thing?

A very cool video from Cisco provided answers to “what is virtualization” from an  engineering perspective, data center perspective, IT perspective and the user perspective (virtual world).

Virtualization is about breaking the bonds between applications and server hardware, nodes and networks, applications and operating systems.

Why is this interesting? Virtualization holds the promise to transform the way we work, live, learn and play.

Why virtualize?

The real estate boom over the last 30 years has driven people to the suburbs. People didn’t mind commuting for an hour with lower gas prices. Today, we have a weak economy and gas prices are high. Something has to change.

Many are opting to stay at home. Businesses are trying out telecommuting, some (like Cisco) are even offering telepresence. This helps by reducing carbon footprint. Corporations are breaking free from physical requirements. The global workforce is also having an impact on the network. These changes are having a huge impact on the network.

We are on the cusp of transitioning from virtualization to VIRTUALIZATION.

“One to many….many to one.”

This is Cisco’s idea of virtualization.

Consider the different roles we play in life - one to many. Spouse, executive, friend, parent, gym rat. This would be “one to many”. This is exactly what virtualization does. It allows you to partition resources off that you can use on the fly.

Where do I start?

Virtualization starts with server and storage. But, it’s the network that touches everything - it spans the physical, the virtual, and the cloud. This provides the connectivity to all these resources. The network brings transparency to the picture. It allows you to better monitor performance and better implement security - great benefits!

Why do I need this?

At Cisco, we saw that we were only using 20% of our storage utilization. We wanted to virtualize our datacenters. When we did that, we were able to get 68% storage utilization. For each year that we were able to defer buildup, we saved $40 million.

From a business standpoint, virtualization helps you differentiate and work faster. Provisioning in minutes, improved productivity and competitive differentiation, using less power (environmental impact), and up the ante of business continuity. If VMWare fails? It’s OK. You can reprovision it on the fly.

Is it for everyone?

IT organizations tend to be siloed. You have the IT side and the Operations side. Each has responsibility. For virtualization to work, these walls have to come down. The concept of virtualization depends on shared resources.

Metcalfe’s Law of the Network Effect

Everytime you add a node to the network, you increase the value. This is what happens with virtualization. Every device you virtualize increases the power of each device. More control of environment and more efficiency.

This leads to…

Cloud computing.

Wow, show of hands from the audience when Marie asked “how many are using cloud computing?” and “how many are using your own clouds?” - not a lot of hands were raised. Interesting considering the coverage cloud computing has and the focus of it.

Cloud computing has three possibilities at Cisco:

• Flexible infrastructure (hosting)
• Abstract services (APIs)
• Application services (SaaS)

Automation is going to be key, and will need to integrate virtualization-aware elements.

Can you imagine if you wanted interoperability in the cloud? People haven’t even begun thinking about it.

Conclusion

As you virtualize, your role will change. You will think more about strategy. But keep in mind these “minefields” of virtualization:

• Insufficient planning
• Lack of standards
• Weak security

Security cannot be an afterthought. It has to be planned. We’ve seen new forms of malware, hypervisor attacks, and root kit infections.

As higher expectations from end users evolve, we’re becoming not server oriented, but SERVICE oriented.

Tips:

• Think holistically
• Consider IT culture - equipment and people

Blogger: Trent Henry

Burton Group’s Catalyst Europe conference is just around the corner. With financial services industry failures at the top of everyone’s mind, now’s a great time to revisit how risk management shortcomings have tremendous impact on organizations of every kind. In a reprise of his insightful Catalyst North America talk, Nick Leeson will once again detail how inadequate controls (and foolish actions on his part) brought about the fall of Barings Bank. In addition, security conversations at Catalyst will include:

- How large enterprises are grappling with governance, risk, and compliance (and why “GRC” is actually a four-letter word)
- What large, distributed organizations are doing to create effective “security embassies”
- The role of metrics in managing protection and communicating with Management
- How information-centric security will unfold over the next five years