Monthly Archives: August 2011

Security

Visa brings EMV to US; PCI DSS Waived for Merchants

Leave a comment

From the Visa media center:

Visa’s plan includes merchant incentives to upgrade to EMV chip-enabled terminals, requirements for acquirer processors to support chip acceptance and the introduction of U.S. liability shift policies.

Specifically, Visa will waive Payment Card Industry Data Security Standard (PCI DSS) compliance validation requirements to encourage merchant investment in contact and contactless chip payment terminals. Visa will also require acquirer processors to ensure that their systems support dynamic data acceptance (i.e., chip) and will institute a domestic and cross-border counterfeit liability shift.

This comes not long after Operation Night Clone, which pointed out ongoing weaknesses and loopholes of EMV. I also wrote about it earlier.

Update: Hat tip to Christofer Hoff for pointing to the InversePath presentation on EMV implementation flaws and recommendations.

History, Security

IDLELO 5 Conference to be in Nigeria

Leave a comment

The Free Software and Open Source Foundation for Africa is planning their 5th African Conference on FOSS (Free and Open Source Software) to be held in Abuja, Nigeria

IDLELO 5 will consist of hackathons, awards, tutorials, hands-on trainings, demos, field visits and presentations on key FOSS and information technology areas. It will welcome a diverse number of parallel events, an exhibition and a business round table. The conference will welcome FOSS and IT keynote speakers, project, companies, solutions and innovations, not just in Africa, but across the global FOSS community. IDLELO 5 will mark the 10 years of the Free Software and Open Source Foundation for Africa (FOSSFA)

[…]

IDLELO is a Southern African word meaning “Common Grazing Ground”.

The maddog keynote from IDLELO 4 is reprinted in Linux magazine

People sometimes have a problem understanding “software freedom”, so I use the term “software slavery” to show the opposite:

Software slaves are told:

  • when to upgrade their software
  • how many computers they can put their software on
  • how many users can use the software
  • how the software will or will not work
  • what languages the software will support
  • when they will receive needed bug fixes or enhancements

Ironically only the richest peoples can afford software slavery. Poor people are persecuted as “software pirates”.

This is obviously far too broad a definition. Maybe it’s meant to be provocative rather than useful. After all, it’s a keynote speech in Africa.

The first thing that comes to mind is software as a service (SaaS) could easily be defined as slavery even if it runs on FOSS. Even FOSS users in their own environment are told what to do and when (e.g. ubuntu-security-announce).

The difference between freedom and slavery does not seem to be just about being given instructions. It is about a user becoming a property of the software company — penalized for any attempts at liberty.

Security

Security in the Cloud: Data Sovereignty, Open Source and Multi-Tenancy

Leave a comment

A recording of today’s Focus round table discussion is now available:

Security continues to be a top concern as the enterprise looks to shift workloads from the traditional data center to the cloud. Applications rarely work in isolation – and as such need to share data back and forth between them. IT is being taxed with understanding and securing this approach to utilizing the cloud. In this roundtable we will discuss what is at the heart of these security concerns and some different approaches to the problem. Focus Experts discussed multi-tenancy, private vs. public cloud computing, data sovereignty, open source, and more.

Patrick Pushor
CloudChronicle.com

Davi Ottenheimer
flyingpenguin

Robert Taylor
Rackspace Hosting

Simon Crosby
Bromium, Inc.

Ben Goodman
VMware, Inc.

Energy, Poetry, Security

Cloud Security Different, Says Okta

Leave a comment

Okta has announced their series B financing today. It includes a recap of security in the cloud that reveals how they pitched it for money, and why it’s different:

The concepts of security, single sign on, user management and auditing are not new. They’ve existed since the first user logged into the first mainframe. Why is the problem different or the potential solutions better in the cloud?

  • There are more services and applications available to users within an enterprise than ever before.
  • The cost to build, deliver and sell the services is dramatically lower leading to more services available in the market. Literally, thousands of new SaaS start ups have spawned in the last 10 years.
  • Companies aren’t limited by their ability to build infrastructure to deploy and maintain as many applications as they want.
  • In addition to more services, there are more users. Each generation of technology, from mainframe to mini computers to client server to cloud has seen a 10X increase in the number of users. And each of these users is accessing the services in a variety of ways. Gone are the days of one desktop per employee. There are desktops, laptops, virtual desktops, tables and smart phones
  • Finally, companies need to support a mobile workforce. They can no longer rely on securing the physical network perimeter with a firewall and selectively permitting VPN access. They need to have the same kind of rich authentication, authorization, auditing and logging for all their critical services.

Call me anal, or haiku-obsessed, but it looks like that lists boils down into the following:

  • More services are available
  • It costs less to build services
  • Infrastructure costs are lower
  • There are more users
  • Users are mobile

Wait, let me try that again.

  • More services now
  • Can’t stop the mobile access
  • Deployed for less dough

Coming up with definitions and finding differences is fun. Who doesn’t love isomorphism? When is a muscle-car a muscle-car? I mean if a Toyota Camry races a Pontiac GTO and wins, do we still get to call the GTO a muscle-car or does the Camry get the title? More to the point, if we accept the Okta explanation, clouds do not seem far ahead of traditional IT departments. What really stops on-premise IT from providing more services at less cost to more users who are mobile?

But there’s more to a muscle-car than just measuring horsepower (the 268 horsepower Camry LE is still a second slower than a goat BTW. Efficiency is another story). Okta could have highlighted the new cloud use-cases and security issues from cloud behavior.

Many more roles/identities with far more relationships and yet less permanence are cloud specific. Tracking identities and meta-directory data when it’s not clear who exactly should be the one to track identities, now that’s a different problem than on premise where accounts are doled out more carefully by a clear authority.

They also could have highlighted the tall and wide shadows of data created and then “destroyed” when accounts and services are spun up and down on short cycles because “owners” come and go. You thought keeping track of hires and terminations was hard before, try managing it for systems you can’t see or touch and only get a utilization report from. That’s another difference, a sort of opaqueness to their hidden services with their secretive SRE (service reliability engineers), which all may be completely untrustworthy.

Maybe it’s all coming in their next installment and I’m just jumping the gun.

For now, congrats go to them for round B. Perhaps it’s best to end by saying they are in a great market space — cloud providers clearly need identity management solutions like a GTO needs seat belts, air bags and a catalytic converter to control behavior-induced risk.