The Future-Past of Cloud Security

CSO Online says they have four examples of “Cloud security in the real world”.

I think this one is my favorite:

“We know one of their three data centers have our data; it’s not just sent into the cloud and we don’t know where the data is,” he says.

Ok, that is just scary. The data is not in the big bad amorphous cloud, it is in one of three data centers. That is much more specific. We should trust controls in three data centers?

This seems to me like saying you know your child is staying in one of three cities, not just sent into a country but you don’t know where. A city can be a very, very large place with many risks. The fact that you know the name of the city that the child is in does not mean it is safer than being inside a country.

In other words, a city could have controls and some secure areas but that does not mean a) the city is safe in general and b) your child stays in the safe areas. Does this analogy work?

A really good example of what I am talking about is in my visualization post from the other day; what’s your data altitude? Here is San Francisco:

The point (pun not intended) is that we must attest to the security of the environment our data lives in. When someone says the data will be in one of three datacenters then those three datacenters will be in scope of an audit. Instead of looking at a neighborhood, or a house, we will now look at security in an entire city. Ouch.

That is a lot of real estate.

Another example in the same article gives a slightly different angle on this elephant:

“Because the rules haven’t changed to reflect cloud computing, regulations still require visits to the physical box, and you can’t do that in the public cloud,” he says. For data that falls under compliance regulations, Kavis plans to use a virtual private cloud. “The vendor will say, “Here’s your server, locked in a cage, and if you ever have an audit, you can bring in the auditors to look at it.’ We’ll use that for passing audits, but everything else will be in the public cloud.”

Ah hah! Don’t look at three data centers, just look at this one specific area. Smart, sort of.

Let me set aside the fact that this guy is clearly trying to appease the auditor rather than run a secure environment. That reminds me of this Far Side cartoon:

See a problem?

The issue I have here is how upside down and backwards this second example sounds.

I hate to hear people say the rules haven’t changed to reflect cloud. Consider that the examples in the article of real world cloud security involve the following concepts: authentication, firewalls, encryption. OMG! Can rules handle such new and different concepts in security? A firewall! What is that? What will auditors do now? When will they catch up to the cloud innovation?

Seriously, though, the hidden issue here is that clouds are still in their infancy and that means they are about sharing, not caring. Their value proposition thus far works through more open access to more resources. This should sound familiar to anyone who used very early operating systems. Security demands controls around data, regardless of where it goes. This also is far from being a new concept.

The rules do not have to change, the cloud has to change to meet the rules.

Clouds simply have not matured to accommodate the usual security requirements. Providers are finally approaching the point where they can handle the fundamentals of delivering primary services – making things actually work.

Security will start to come into better focus after the system is operating. It’s like watching the single-user operating system (DOS) evolve into the multi-user operating system called Windows — cloud products should soon start to handle the rules better. Not the other way around…and look how secure Windows is now after years of progress from the early days of sharing data. Am I being too sarcastic?

Sharing is better when there is caring. Let’s hope the cloud vendors can soon offer services and products that help them catch up to the rules.

Diesel Wins Le Mans! (Again)

Audi has won the Le Mans race nine times according to Eurotuner Magazine. The victory this year was especially important for them. They not only managed to take the top three places, but they proved yet again that a reliable engine with high efficiency is actually faster than a powerful one.

The development achievements of this year’s Audi R15 TDI bode extremely well for their consumer models:

In 2010 the demands on diesel engines were particularly high due to the restrictions imposed by the regulations. “Squeezing more output from the engines without sacrificing reliability posed a great challenge, which our team mastered in an outstanding manner,” said Ullrich after the race. “We did not use the full potential of the V10 TDI engine this year in order to be on the safe side. That’s why it was clear to us even before the race that we wouldn’t have the fastest car – but a very reliable and efficient one. The development objective of the R15 plus was 20 percent higher efficiency. We managed to achieve this. We’ve been working very hard for this over the past few months. This makes this success even more rewarding.”

20% more efficient? Congrats Audi! Reliable and efficient wins the race. More importantly it translates well to the average driver — still happy and more productive (fewer stops) while causing less damage to the environment.

Perhaps it should be noted that Audi had reliability issues last year that cost them the race, losing to Peugeot’s diesel supercar.

Peugeot out-Audied Audi

The R15 was new last year and Audi decided to save money by performing fewer tests before competition. This cost them the race. Peugeot capitalized, which set up Audi this year to relaunch the R15 with significantly more tests and a better understanding of risk from overheating.

Alas, it is hard to watch all of this and wonder when US car manufacturers will see the beauty of diesel efficiency in a performance vehicle. Dodge and Cadillac are the obvious candidates. Imagine a CTS diesel wagon…again.

Fruit Trees Save Girls’ Lives

The BBC says the risk of a young girl being put to death at birth is high in parts of India.

In Bihar, payment of dowry by the bride’s family is a common practice. The price tag of the bridegroom often depends on his caste, social status and job profile.

The state is also infamous for the maximum number of dowry deaths in the country.

The risk to a girl’s life is therefore a financial issue. The model has been changed in one town by a simple financial management plan. The parents invest in a set of fruit trees for every girl born. The fruit generates income as the girl is raised and the set of trees helps offset the cost of marriage.

“This is our way of meeting the challenges of dowry, global warming and female foeticide. There has not been a single incident yet of female foeticide or dowry death in our village,” [villager Shyam Sunder Singh] says.

His cousin, Shankar Singh, planted 30 trees at the time of his daughter Sneha Surabhi’s birth.

The practice is not new. The article says the village now has nearly 100,000 mango and lychee trees for just 7,000 residents and has become far more lush with shade and hospitable compared to other villages in the area.

Now if only the Basel II accords, which require a capital investment/offset for financial and operational risk, could make banks less shady.

The Cost of Survival at Sea

Two incredible stories. First the Telegraph reports a pet dog survived four months lost at sea off Australia. It was washed overboard in bad weather near Queensland.

To stay alive, the hardy dog swam five nautical miles through stormy seas to St Bees Island.

There, she managed to fend off starvation by hunting wild baby goats until she was captured last week by rangers who patrol the largely uninhabited island. They believed they had caught a wild dog until they were contacted by Mrs Griffith, who had heard that a cattle dog had been spotted in the region.

Second, the Telegraph also reports that the US teenager who was sitting on a dismasted but safe vessel full of supplies in the Indian Ocean could cost the Australian government $300,000 for her rescue. Her parents say they cannot afford to pay.

“What price would you put on a child’s life?” Maryanne Sunderland said yesterday when asked about compensation.

“The full cost of chartering an Airbus would be so high, you’d think they (Australian rescue authorities) would have to work with the US government for that.

“We’re not wealthy people.”

Sailing experts have criticized the Sunderland family for sending their 16 year old daughter into the south seas during winter, the roughest time of the year. Their defense has been that they, and she, knew exactly what they were doing. Now they seem to be backing away from the prior knowledge argument as the cost of her survival has been raised.

Bike Stand Design Award (Fail)

I would like to know who gives the Good Design award for a bike stand that has no security?

Sure the Meandre by mmcité looks good but it seems to me the most fundamental requirement of a stand in the city would include some kind of security — help prevent bikes from being stolen. Preventing accessories (seat, pedals, etc.) from being stolen would also be nice.

Bike stand Meandre by mmcité has won Good Design Award 2009 awarded by the Chicago Athenaeum (Museum of Architecture and Design in Chicago). mmcité product came through in tough competition of world’s famous manufacturers and managed to catch attention of international jury.

I see no practical way to lock the frame, let alone protect the bike parts, in this design.

Aside from the security issues, I also do not see how you would fit more than one or two bikes into this stand. The handlebars, especially on touring and mountain bikes, prevent such a close configuration — it’s a lot of wasted material.
