Category Archives: History

SaaS is Dead, Long Live SaaS

The title of this post is based on a monarchical concept of succession. It seems very fitting to the situation I see unfolding in the debate about the future of software as a service (SaaS). The move to outsourcing led to offshoring, which then evolved to cloud and SaaS.

It does not have to be a direct progression, but each end created a new beginning.

Another way of looking at it is this: WordPress, Google and Salesforce recently reported major outages. The reason many companies hoped to put their applications into the hands of those companies was to avoid major outages. So what is new?

With this in mind I read an InfoWorld review of a report by Gartner on how to approach the risk in SaaS. The author asks, “Is the SaaS experiment finally over?”

Gartner advises its clients to perform extensive diligence before signing with any SaaS vendor. That includes not just weighing the costs and benefits of a specific solution, but also developing an in-house SaaS governance policy to help gauge the solution’s real-world performance. Such a policy should be a collaborative effort between business and IT, Gartner says, and it should consider not just the business performance of a given SaaS vendor, but its technical and operational capabilities as well. That means SaaS vendors will need to be transparent enough in their operations to instill customer confidence in their offerings.

That is good advice no matter where your application lives. Moving software outside the company still leaves you with the responsibilities of managing software, and introduces new challenges (rather than eliminating them) for controlling security concerns such as availability.

The answer to the author’s question is therefore yes, the SaaS experiment is finally over and now begins the SaaS experiment.

In other words the SaaS should deliver fair services, but if not then hopefully the next SaaS will be fair, and if not, then hopefully things will progress…long live SaaS. All is not over or lost when there is succession. Things really can change for the better. For example, analysts from Gartner and I will discuss soon how best to put forth a more discrete set of requirements for cloud security. Dragging out my tired analogy of political systems just a little longer, I hope I can help Gartner customers clearly see why they need a Magna Carta of cloud. Remember how that worked out for the monarchies?

Terror and the Great Fire of London

I have searched the city of San Francisco for a museum and historical record of the great fire of April 18, 1906. The best, so far, seems to be the Virtual Museum of the City of San Francisco and a collection of images and letters on a few walls in the Bay Model Visitor Center in Sausalito. Another collection is in the Fairmont Hotel. None tells a complete story, but they do reveal much controversy at the time that is probably far from anyone’s mind today.

The resident federal militia started a campaign to dynamite large sections of the city to back-burn as well as establish a fire break. This apparently is why Van Ness Avenue is so wide. Some said the fires created by the Army were far worse than the quake, causing far more destruction to the city. The San Francisco Museum has letters that suggest residents actually were in favor of burning down their own homes to collect insurance.

The death toll is another example. It is said to have been severely underestimated for three reasons. First, politicians wanted to paint a positive picture and keep property values high. The reality was that the city had such severe displacement that Los Angeles quickly gained prominence as a new port for commerce in the West. Second, racism prevented many thousands of people living in Chinatown from being counted. Third, the Army had been authorized to shoot and kill anyone suspected of looting. In a city of more than 400,000 residents, approximately 4,000 troops killed around 500 people; the quake was said to have killed 3,000.

This post, however, is not really about San Francisco. The BBC reports that the Great Fire of London in 1666 is being recast. Today we can look back at this disaster and learn a great deal about investigations and security.

Everyone learns at school that the fire raging for four days in that hot, dry summer began in a bakery in Pudding Lane.

But a new Channel 4 documentary focuses on the lesser known story of the fire – it sparked a violent backlash against London’s immigrant population, prompted by the widely-held belief at the time that it was an act of arson committed by a foreign power.

The countries already least in favor with the English, the Netherlands and France, were quickly suspected of some involvement. The BBC tells of how the British Navy attacked the Dutch weeks before the fire. That created a sense of victory that turned to guilt and led people to believe the Dutch were counter-attacking. The desire to find a cause of terror also led many to blame Catholics, whom they already disliked. Interrogation practices during an investigation ended with officials placing blame on immigrants from France, and one man in particular:

At the end of September, the parliamentary committee was appointed to investigate the fire, and a French Protestant watchmaker, Robert Hubert, confessed to having deliberately started the fire at the bakery with 23 conspirators.

Although his confession seemed to change and flounder under scrutiny, he was tried and hanged. Afterwards, colleagues told the inquiry Hubert had been at sea with them at the time, and the inquiry concluded the fire had indeed been an accident. No-one knows why he confessed.

I suspect the toll from this fire is wildly underestimated and there was likely a conspiracy that made the fires spread, similar to San Francisco. Wanton destruction could have been a natural reaction to the plague of 1665. While the San Francisco fire is a study of human behavior relative to technology and liability, a clear lesson in the London fire is how prejudice dictates a sense of security. We must fight the urge to satisfy ourselves with false resolutions and declarations, such as this one:

Until the 19th Century, the plaque at London’s Monument stated that followers of the Pope were to blame, says Ms Horth, and named Hubert as the fire-starter. It was only after Catholic emancipation in the 19th Century that the government decided the plaque was inflammatory and had those inscriptions removed.

Speaking of plagues, we know today that the disease was spread by rats and fleas. Those who washed regularly as part of their customs were unlikely to be infected. Some deduced in the 1300s that this meant a group of people were to blame. Those who practiced clean living and did not get the plague were thus attacked for being its cause.

Monty Python’s “She’s a Witch” skit does a fair job of reenacting how fear can have a powerful yet absurd influence on the concepts of security and justice.

When does Cyber Attack become War?

Major David Willson is an attorney in the US Army. He has spent more than a decade providing legal advice to the DoD and NSA on information security. Yesterday at the BSides Denver conference Willson presented a paper titled “When does electronic espionage or a cyber Attack become an ‘Act of War’”. The BSides are an informal gathering of information security professionals from the local area.

His paper provides analysis and context to help with the definition of war, but he also offered concrete suggestions in his presentation for how nations can be better prepared to respond in the event of a cyber attack or cyber war. He calls for an international approach.

The audience response was interesting, to say the least. Most of the opposition came from a small vocal group that raised the following issues:

  • Can an International group be trusted?
  • Can an International group be trusted?
  • And last, but not least, can an international group…be trusted?

I say this in all seriousness. Although I would like to think security professionals are familiar with trust as it relates to controls (how to detect, prevent and verify) the mention of an international approach seemed to send certain people into a spell. A centralized authority model, especially one of international membership, clearly upset the audience; eyes rolled back, arms folded, heads shook.

One person in the audience asked several times “Who will be King?! Who will be the King of the group?!”

King?

It quickly appeared that political science concepts (study of human behavior) could have helped this group see past whatever hurdles they were stuck upon. They struggled to transition from the technical material to more organizational security. While (expectedly) comfortable discussing locksport (picking locks), the mention of human behavior and power relationships resulted in comments that went awry. Here are a few suggestions for what Willson’s presentation might have started with to better prepare this particular audience.

  1. Forms and types of governance (or how to distinguish monarchy from democracy)
  2. Allocation and transfer of power in decisions
  3. Disciplines (or how to distinguish realism from instrumental rationality, positivism and behavioralism)

This might have done the job, explaining why a centralized group with international authority would not easily be compromised by a “bad apple” (pun not intended).

One person shouted:

International authority? Someone could compromise it! Isn’t this a case where the cure is worse than the disease?!

Another person asked:

So the US could just turn off the network in another country?

First, this response suggested to me that a group that works with information security can nonetheless be missing key concepts of how to apply security in the real world. Security professionals know that controls can be used to detect and prevent unauthorized access. These concepts can be adapted and applied to the model(s) put forward by Willson. His point is that there is a legal framework within which technical controls can be introduced. That makes sense, and so we could have discussed how those controls might work to achieve the purpose of the model. Instead the audience heckled the speaker about unfamiliar topics they feared: politics, law and trust.

Second, it reminded me of non-interventionism and isolationist movements in America. After the First World War, for example, instead of ratifying Versailles the US essentially walked away and refused to be involved with international security frameworks such as the League of Nations and International Court of Justice. The 1920s also saw tough tariffs raised on imports and immigration severely restricted.

Another example could be the American Revolutionary War. The alliance with France was essential to victory in the war, yet many in the US strongly distrusted and advocated against ties to foreign states. President Washington spoke out against intervention. Thomas Paine published a book on the subject titled provocatively Common Sense.

With all this in mind President Roosevelt presented the state of international affairs as a cause for intervention in 1940:

Some indeed still hold to the now somewhat obvious delusion that we of the United States can safely permit the United States to become a lone island, a lone island in a world dominated by the philosophy of force. Such an island may be the dream of those who still talk and vote as isolationists. […] On this tenth day of June, 1940, the hand that held the dagger has struck it into the back of its neighbor.

The US President said intervention was justified to fight a power when the goal of that power is to destroy American ideologies. This led to legal arguments like the Fourth Neutrality Act that enabled international support (US aid to France and Britain) for defense against German aggression.

It makes perfect sense to me why a military legal expert like Willson would make a case for a platform of cooperation to fight international cyber attacks and cyber war. It makes sense in non-commercial as well as commercial spheres. Companies that compete can still work together when it comes to fighting fraud and crime. It does not, on the other hand, make sense to me why this particular audience of security professionals was so delusional as to ask “who will be king” or shout “cure is worse than the disease”, unless they represent the philosophical equivalent of misguided American isolationists.

Although there is a colorful past of non-interventionist movements in America, no argument of logic or historic reference was raised by the hecklers. They simply, and ironically, expressed that they have a fear of authority and of foreigners. I suspect that if they were better prepared, or approached in a different way, such as being asked how to build a secure lock for a door of their car, they would be full of ideas about how we might build authentication and authorization. Instead they sat and spun in fear.

UK WWII Decryption Docs to Go Online

The BBC reports that the British archive of secret codes is soon to be made public:

More than a million documents from Bletchley Park, Britain’s wartime code decryption hub, are to be digitised and put online. The project will take several years. What follows are some examples of the documents in the archive.

Work in progress. This shows an analyst’s workings as they decipher an intercepted encoded message. The next stage was to enter these codes into the mechanical devices developed at Bletchley Park to produce the final decoded message.

More information can be found here:

…the archive is so big nobody knows exactly what each individual document stored there contains.

However, the information they expect to dig out will definitely include communication transcripts, communiques, memoranda, photographs, maps and other material relating to key events that took place during the war.

The BBC says HP is subsidizing the conversion to digital and started the project when they heard Bletchley Park was in financial trouble.