My VMworld North America Session

Here is the detail on my session at this year’s VMworld North America conference, in case you are interested in attending. I will join Jian Zhen, VMware Director of Cloud Solutions, to present on Compliance in the Cloud: Managing Risks and Addressing Concerns:

As more and more Enterprises consider Infrastructure as a Service (IaaS) as part of their overall IT strategy, questions around compliance and security in public clouds are often raised. Where does the data actually reside and how is it being protected? Has the service provider gone through specific compliance audit controls for their data center and infrastructure? How about control over access to my environment? How is role-based access managed? How are security and firewall policies managed? Join this session to learn about:

  • The current state of security and compliance within IaaS
  • What Enterprise customers are saying about their requirement needs for security and compliance in the cloud
  • What the industry is doing to address these needs
  • What to look for in a cloud provider to ensure that your compliance requirements are met

Session ID: PC9920

  • Tuesday, August 31, 12:30pm, Moscone West #2006
  • Wednesday, September 1, 9:00am, Moscone West #2006

CONSEGI 2010 – Amãpytuna

The Brazilian Embassy has this description posted on their home page:

III International Congress of Free Software and Government. CONSEGI is an important space to promote the exchange of experiences and information among Government Institutions, Society and representatives of partner countries. Lectures, panels and workshops will take place in the 2010 edition that will be marked by discussion on the topic “Cloud Computing”.

CONSEGI is held in Brasilia, Brazil each year (photo by me):

CONSEGI, Brasilia, Brazil

It would be an understatement to say I am super impressed with the energy, skill and expertise of computing in Brazil that was found at CONSEGI. Another American at the conference, who travels constantly for work, commented to me there that many in the US are unaware of many amazing developments happening outside our country. It is easy to see why he would say this. Surveys show technology adoption rates now skyrocketing in Africa and South America, yet it is Asia and Europe that still dominate the “international” section of tech news at home.

We should avoid thinking of this as a language barrier. Portuguese may be less common but the CONSEGI conference ran smoothly with attendees speaking Spanish, English, French and even Korean. I found myself wondering why real-time multi-lingual translations are not an option at Black Hat or RSA. Have I missed something? CONSEGI offered it as standard and I was very grateful to be able to attend sessions with language options using some cool technology.

Paola Garcia Juarez presents in Portuguese, a mathematical model to estimate trust and security of Cloud Computing services (photo by me):

Cloud Girl presentation at CONSEGI

Actually, I was more than grateful. After I played around with a “translation box” I had a discussion at lunch with a brilliant executive from a major Linux distribution. We covered details of infrared wave technology, security and economics. It was a real change from the RFID focus (kind of like laser focus, but not) I usually find at conferences. Since US Army deployed massive amounts of RFID for military operations in 1992 (Somalia) it seems RFID has dominated the American perspective. That brings me to my second point.

We also should avoid thinking of this as a cultural barrier. Disparity in culture and aims actually is a benefit. The topic of the conference was Cloud Computing. A panel of eGovernment experts representing countries of the Southern Hemisphere (hint: there are five Portuguese-speaking countries in Africa) quickly brought to the table universal technology advantages and challenges, from very different perspectives. Ten minutes into just one of these sessions would probably blow the mind of most IT managers that are used to hearing only one perspective. The resourcefulness and creativity of people with diverse backgrounds working together created a rich source of new information.

The Cloud Camp was another highlight of the conference. Topics such as security of virtualization, best practices in cloud compute memory and storage management, and how to evaluate providers all were discussed in detail by attendees.

Technical labs were organized around the conference and it was cool to see them packed full of students learning their P’s (e.g. Postgres, Python, PHP, Perl).

Meetings and sessions ran smoothly, the weather was superb, live musicians were very talented and attendees represented a very wide range of ages and cultures. CONSEGI is a world-class event that should not be missed by anyone interested in global technology. I was honored to present this year on Digital Forensics and Investigations in the Cloud.

Amãpytuna? It is a word from the Tupi area of Brazil and the title of a book on cloud computing that came in the registration packet. Just one example of the many details not to be overlooked; keys from a wider perspective that could help find solutions in the future of information security.

Windows Remote Execution Flaw – Binary Planting

The Register says at least 40 applications and the Windows operating system are vulnerable to remote-code execution. Here is the bit that caught my attention:

“Since Windows systems by default have the Web Client service running – which makes remote network shares accessible via WebDAV – the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet.”

This immediately reminded me of CVE-2010-2568, the recent and infamous Windows shell exploit that also relied on the WebClient service, which is based on Web Distributed Authoring and Versioning (WebDAV). Could it be coincidence, or was someone researching that exploit, trying the same attack vector from the network, when they found this one? I know I was asking why a WebDAV exploit was used for the USB-based attack and whether it would work with a network share. That itch is now scratched.

I wrote earlier

WebClient is even disabled by default in server versions of Windows since 2003.

That contradicts The Register, but it is true. I just checked again and as far as I can tell not all Windows systems have WebClient enabled. Many more should probably have it disabled by default.
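Checking whether WebClient is actually enabled is easy to automate. The following is an added example, not code from the original post or from The Register, that audits the WebClient service on one or more hosts and optionally disables it; it assumes Windows PowerShell 2.0 or later with WMI reachable on the remote hosts, and the function names are my own.

```powershell
# Added example: audit (and optionally disable) the WebClient service, the WebDAV
# redirector that the quoted article names as the path for fetching a planted DLL
# from an Internet share. Assumes WMI access to each host (hypothetical helper names).
function Get-WebClientExposure {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $c `
            -Filter "Name='WebClient'" -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            # Server SKUs may not have the Desktop Experience feature, so no service at all
            New-Object PSObject -Property @{
                Computer = $c; State = 'NotInstalled'; StartMode = 'n/a'; Exposed = $false }
            continue
        }
        # Exposed if it is running now, or can be started later (Manual/Auto start)
        New-Object PSObject -Property @{
            Computer  = $c
            State     = $svc.State
            StartMode = $svc.StartMode
            Exposed   = ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')
        }
    }
}

function Disable-WebClient {
    # Local host only; requires an elevated session. Note that disabling WebClient
    # also breaks mapping WebDAV shares in Explorer, so confirm nothing depends on it.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Output 'WebClient service not installed'; return }
    Set-Service -Name WebClient -StartupType Disabled
    if ($svc.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
    Get-Service -Name WebClient | Select-Object Name, Status, StartType
}

# Usage: audit a constructed list of hosts, then show only the exposed ones
Get-WebClientExposure -ComputerName @('WKS01', 'SRV01') |
    Where-Object { $_.Exposed } |
    Format-Table Computer, State, StartMode -AutoSize
```

`StartType` on `Get-Service` output only appears in PowerShell 5.0 and later; on older versions the `StartMode` value from WMI in the audit function is the one to rely on.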

Heartland *NOT* Breached Again

Newsflash. Heartland was not breached again today. Ok, I am being facetious, but there also is a very important point of truth to this post.

The CIO of Heartland, Steven Elefant, called me about my blog post the other day called “Heartland Breached Again?”. He wanted to clarify the incident and how it was handled. We spoke briefly and I am happy to admit I was wrong in my assumptions. I would like to follow the Heartland CEO playbook and say I actually was misled (just kidding) but I will take the heat for this one.

According to Mr. Elefant the real story is that Austin Police were misquoted and the press has not (yet) done a retraction.

My take on the responsibility for Heartland — the opportunity for them to step in with better end-to-end solutions — was inspired by the statement from police quoted in the news. Changing this statement does not affect my position on responsibility. On this point I was really surprised and pleased to hear that Heartland actually agrees with my post. Although their press releases did not reflect it, they had offered the retailer a secure terminal to replace the system believed to be at fault. Setting aside the question of who pays for such an upgrade, the retailer received a secure option that goes far beyond just moving from Internet to POTS. I had assumed that nothing like this had been done. My bad. Good job Heartland.

The lesson in the breach may boil down to just much greater urgency in replacing insecure payment applications in the Austin retail area. I think that is a message Heartland can agree with.

Many thanks to Heartland for taking the time to reach out and explain in more detail. I hope that helps clarify.