Cloud Providers Spooked by Shared Space

Cloud providers like to boast about the safety and security of co-tenancy. Of course they would, it’s their business model, right? Virtustream (not to be confused with Virustream) says you will have “7x24x365 peace of mind” despite being in a shared space.

We draw from an extensive body of best practices to keep your cloud environment secure

That old “best practices” line is dangerous. No auditor worth his/her weight in RAM would ever be satisfied to hear those two words. Best for whom? Documented where? It means nothing on its own. Perhaps they could get away with stating that they are aligning with one or two or even a few best practices but “an extensive body” of cloud security practices? Show me this body. Where are they hiding it? A link, a contact, anything will do…

The following is one of the only clues they give their reader, and what it says is that shared space is too dangerous to use:

Virtustream owns and maintains its own data centers, eliminating any concerns regarding others gaining physical access to the cloud platform you’re running on. The result: 7x24x365 peace of mind.

I find that an ironic marketing claim given their other statements about shared space.

In the physical world, where there is a huge body of knowledge approaching best practices for data centers, they do not want to share or use a co-tenancy model. Yet, in the logical world where there is still a lot of debate about what to do and how to do it…they stuff you in with everyone else.

Does the irony eliminate your concerns?

I wonder if they really believe that their datacenter is more secure than co-tenant datacenters. Let’s turn things around for a minute: a co-tenant datacenter has numerous clients frequently sending in different auditors. In theory a customer could actually end up with a higher level of security than in a single-tenant datacenter that gets only a single audit on an infrequent basis. The cloud advocate could argue that increasing the number of tenants increases the bar for security because the number of security assessments goes up, which forces a higher baseline.

This is not just speculation. I often find datacenters upgrading security controls because a new tenant has moved in that demands a higher level of security than my clients would need. Armed guards, for example, are not a requirement for PCI, but if someone from the DoD wants a rack…

If I give Virtustream the benefit of the doubt, they probably meant to say that they can maintain a far higher level of security in a logical environment because the operational impact to them is lower than if they try to reach the same level of safety in a physical domain (e.g. they can handle segmentation with virtual systems at a nominal cost compared to the cages, cameras and doors required for physical security).

But right now their page says to me that cloud providers will come right out and admit they are spooked about shared space so they don’t use it, but they want you to feel comfortable because of “best practices” for shared space.

Pakistani Women Launch Radio Station

China Mobile is the largest telecom operator in the world with more than 600 million customers making 400 million calls every hour. It has launched an “overseas” subsidiary called CMPak, which acquired a GSM operation license in Pakistan. CMPak is known as Zong Telecom in Pakistan and has some interesting marketing language:

The basic idea is to allow people to communicate at their free will! Making it a stress free environment where you are not worried about Tariffs, Capacity Issues or Congestion, be it Network Coverage or Quality, it is all sorted!

Notice that their list of worries does not include privacy. I know what you must be wondering. Free will in Pakistan, courtesy of China?

The sceptic might have said in the past it’s just a plot by the Chinese to spy on the region, but the “free will” angle on this company now goes even further. “Meri Awaz Suno” is Urdu (میری آواز سنو) for “listen to my voice”. That’s the name of an Internet radio station sponsored by the Chinese promoting the voice of women in Pakistan.

Zong Telecom, in collaboration with Uks Research Centre Islamabad, has launched its very own Internet radio, titled ‘Meri Awaz Sunno: Giving Voice to Pakistani Women’.

The launch ceremony of this unique initiative was organised at the Uks Office in Islamabad on Wednesday from 5pm to 7pm. Women comprise almost half of Pakistan’s population as well as form the single largest consumer group in the country.

One comes across several products and services targeting women, however, there is no representative mass media vehicle that addresses the issues and problems of this large and important segment. Uks’s Internet radio programme, Meri Awaz Sunno is being launched with the single objective of highlighting women issues and providing them with guidance and support.

On the one hand this could be a heart warming story about a massive population segment in Pakistan getting representation in the mass media — a story of Chinese technology companies working in other countries to promote free speech.

On the other hand, it is hard to believe that if women already have access to the Internet in Islamabad that one Chinese-backed radio station will be the first and only source to serve their interests.

And I suspect that technology from China (or any country, for that matter) comes to Pakistan with a price much larger than what is being reported. India, for example, was said in 2010 to have refused to give their phone companies security clearance to buy Chinese-made network equipment. Likewise the UK is hesitating to accept a telecom bid from a Chinese company due to security concerns. A country in South-East Asia also refused an offer for Chinese telecom investments due to fear of spying.

Who fights with monsters…

Aphorism 146 from Jenseits von Gut und Böse (Beyond Good and Evil) by Friedrich Nietzsche.

Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. Und wenn du lange in einen Abgrund blickst, blickt der Abgrund auch in dich hinein.

Who fights with monsters must see to it that he does not thereby become a monster. And if you look for long into an abyss the abyss also looks into you.

Ponemon Breach Analysis Exposed

The security curmudgeon presents an excellent rebuttal to The Ponemon Institute’s analysis of breach data.

Aside from pointing to the obvious conflict of interest due to vendor sponsorship and a lack of citation or substantiation for claims, curmudgeon raises the biggest question of all — is it really news?

Breaches have been rampant for years. Compromises that may or may not have involved the breach of sensitive data have been staggering for years. Zone-H.com shows almost 50,000 incidents (mass defacements generally don’t count as separate intrusions) in the last decade. Does Ponemon consider this when making the statement above? Or would Richmond / Ponemon like to qualify what “publicized” means to them? Just because you don’t look at a given publication, doesn’t mean it wasn’t publicized.

Hear him, hear him! Here’s my favorite part:

How can you say with any certainty that “most are mercenaries, members of criminal syndicates or representatives of unfriendly countries”, if they “quietly get in and out”? How can you say anything about their demographics if they were undetected?

Exactly! At least Ponemon did not say the unidentified threats are Chinese.