un-excogitate.org
what was I thinking? (Christian Frichot’s ad-lib on security and what-not)

I’ve had the opportunity to digest a couple of good reads over the past week. First up was Charles Leadbeater’s Cloud Culture: The Future of Global Cultural Relations, and if you’re at all interested in emerging technology and the way it’s impacting (the global) society then this is a must read. I really liked the style used and how the 81 pages just flew by (maybe the formatting?). Some interesting pointers that stuck with me (nothing really new but worth paraphrasing nonetheless):

  • The future will be of many clouds. This can only be achieved by embracing an open source approach to technology and information.
  • For all the benefits that we’re starting to perceive in this new open communication platform, there are still powers that are working their tentacles to slow it down, for example, authoritarian governments. For example, Thai authorities “have used crowdsourcing to uncover the addresses of websites making comments critical of the Royal family...”. Maybe to a different degree, our own government here in Australia and their unremitting push on Internet filtering.
  • “Cloud culture” will enhance the creativity of people, giving them new methods to collaborate, but this can only continue as long as we don’t make it too restrictive to share and work on material.

Of course, this could’ve just been written as the “Internet” culture, but it carries more weight when it focuses on the collaborative nature of how the Internet looks these days.

Secondly I had a chance to read something a little more local. The team over at KPMG have released their December 2009 Fraud Barometer and similar to above, nothing entirely earth-shattering, but sometimes it’s useful to cite local reports when trying to “scare” people about their control environment. And by scare, I mean reinforce your fantastic risk assessments on your projects and other important information assets. I also found it interesting to see the number of frauds committed against Government, considering they don’t appear to defraud that much money compared to say finance or commercial companies.

So the prize for “no-surprise-graph-most-useful-to-reinforce-or-scare” is Figure 6, Frauds by perpetrator. In particular, towards the bottom of the number of frauds is Management, but they’re responsible for the largest amount of money defrauded. On the opposite side of the table is the massive number of frauds perpetrated by employees and how little they defrauded. This makes sense of course: management have access to more resources and there are fewer of them than normal employees. Pretty anyway.

Enjoy!



I’m surprised it took ISACA (or ISC^2 or maybe FAIR) this long to create an information risk certification. The first question that we asked when we saw this was “well what about all the other risk certifications, how is this different?” I immediately responded with how those other certifications or qualifications have been around for a long time, the disciplines they are based on are mature, whilst information risk on the other hand is still in its infancy. In addition, most of the existing certifications are based on financial risk.

Current tweets on the topic don’t appear positive, and until ISACA release some more information, or any information, I would tend to agree. Thinking about how such a certification may make an impact within my workplace my mind drew blanks. I mean will it make the people who perform risk assessments any better at it? Probably not. Will it increase their accuracy? I don’t think so. Would it make the people receiving the outputs of these risk assessments trust their output more? Probably not.

It wasn’t until I got home and started thinking about this post and re-reading the material before I realised that the certification appears more control based than risk based. (Emphasis placed by me)

The Certified in Risk and Information Systems Control™ certification (CRISC™, pronounced “see-risk”) is intended to recognize a wide range of professionals for their knowledge of enterprise risk and their ability to design, implement, monitor, and maintain IS controls to mitigate such risk.

I think this highlights some of the core issues with this certification. Knowledge of enterprise risk is something that is refined with time and experience. It’s a complex and almost completely people & process driven exercise. A certification will not help the people side of this exercise, you can’t get experience through a certification.

Therefore an IS risk certification’s strength relies on its ability to bolster the process not the person, but most of the current wordings appear to indicate that the certification is about designing, implementing, monitoring controls. This to me sounds like a mashup of a security architecture certification (SABSA perhaps?) and security operational certifications (with a splash of GIAC).

Regardless of all this, I think there will be a flurry of activity within the industry around April when ISACA open up the certification to the grandfathering program. I mean if you already do this in your job why not acquire this cert without having to sit an exam? We all have the experience, we’ve been doing risk assessments since we started to walk, followed swiftly by advising the business of why they shouldn’t do stupid thing X. If we can’t actually get more objective with our assessments, at least the certification will give the appearance of being more objective. Win win!



If the decision of whether or not to place your information in the “cloud” comes down to a simple matter of trust: trust in whether the cloud provider can deliver the availability they market, trust in the protection of your information in a multi-tenancy environment, trust in their staff (including all the staff they outsource to) to not damage or impact on the service. And this trust is all we have because we aren’t able to view their premises, their procedures, their audit statements and we aren’t able to assess their systems, their applications or environment. Who is it that stands up and says “Yes, we trust them. Let’s do it”?

At first I used to think this was the business, I mean they’re the ones fronting the cash to move their important information into the cloud. They’re the ones who will see all the benefits of not having to rely on IT. Then I realised that they wouldn’t know whether or not to trust the cloud provider; surely more often than not they would ask someone within IT “Hey, can we trust these guys?”.

So can IT really dictate back to the business that “Yes, we trust them. Let’s do it”? Can the CIO put his hand on his chest and declare yes? How does IT even come up with that answer? Do they even know? Is it the architecture teams perhaps that look at the service being offered, review what the business is trying to do and go “Yes, we trust them. Let’s do it”? At this point I would imagine those architects turning to the risk/security/governance people within their organisation and once again asking the question “Hey, can we trust these guys?”.

Hopefully this is where the line of questioning comes around full circle. Hopefully this is where the downwards questions stop. Hopefully this is where the security people ask the business people “What’s the value of your information? What would happen if it was unavailable, or disclosed, or modified?” While this is an important question, and one that will have to be answered at some point, it doesn’t really help anyone with whether or not they can trust the provider. It’s often here that things get difficult and the incessant pushing and probing of the provider starts to weigh heavy on the heads of the business. The costs are piling up and time has run out.

The next thing you know you’re in the cloud. But who gave the definitive answer to the question of trust? Probably no-one.



Well ‘10 has started off with a bang and already I’m trying to clear my head and set a vision for what I’d like to personally and professionally accomplish in the next 12 months. Looking back over what I was hoping to achieve in 2009 I can safely say that in the past 12 months within my info sec sphere of fun (mostly work – but also elsewhere such as the Perth OWASP Chapter) I’ve achieved what I’ve hoped to, primarily that of raising awareness of security issues, in particular those found due to issues within the software development lifecycle.

Personally 2010 will bring the following (this is not a wish list, this is a todo list):

  • Purchase a house (Ten and I got an offer accepted on the 30th of Dec so this is done and dusted – I can’t really explain how exciting this is, but it’s definitely the biggest thing to happen in my life and I’m so thrilled that Ten and I are doing this!)
  • Spend more time honing my music skills (This is drumming skills, not SingStar skills. I’m already excited with what’s happening in Grenade Baby Lemonade, what with our 3 track EP on the way. In addition I’m going to also get started on another project *wink*)
  • Cycle to work more

Professionally I’ll be focusing on working even more closely with development teams to truly embed security within the SDLC. This has already started with some fantastic engagements towards the tail of ‘09. The trick will be to not let up, not lose focus, to continue to make myself available to those who have queries and to package information that’s useful and not too bloated. It’s helpful that there is so much great information out there, including but certainly not exhaustively:

Here’s to 2010! Hope everyone else started it as well as I have!

Cheers!



I read this article by Andrew over at ozrisk the other week and I’ve been meaning to comment on it but have only gotten around to doing it today. The main concept that Andrew focuses on is quite simple:

“The more regulation you have in a market the more that regulation will favour the big suppliers – i.e. the larger incumbents – over the smaller incumbents, any potential new players, and, crucially, the individual consumers. So the more that you regulate the worse the situation gets for everyone but ‘Big Businesses’.”

Whilst the article focused on regulatory requirements of Australian financial institutions, after my first read I thought to myself how relevant and aligned these statements were to the information security space as well. This is of course because the relationship is almost one-to-one, a component of having to comply with additional regulations often relates to the protection of your information, and therefore increases the rigour and cost of your security efforts.

Interesting stuff and I’ll have to endeavour to get my hands on Tim Carney’s “The Big Ripoff



Issue 22 of the (IN)SECURE magazine came out at the beginning of the month and as always it’s packed full of juicy sec goodies. In particular Alexie Lesnykh’s “Making Clouds Secure” article. As the title suggests it’s taking a look at cloud computing and some of the security issues around this technology/paradigm. If you follow Hoff’s Rational Survivability or twitter you’re probably aware of a lot of the risks that pertain to cloud computing, but what I found particularly interesting about Alexie’s article was the breakdown of what the actual issues are, especially in the context of corporate use of cloud computing.

The issues are then split into 3 main categories: security of the provider platform; security of data transmission; and security of the end-point workstations or clients. This last category was something that I had never thought too much about, given that endpoint security is something that IT have been doing for a while, and mostly we seemed to be concerned about the security of the cloud and how to trust that the provider is securing the information and systems as they market. As Alexie highlights though, attackers don’t often target the provider’s platform, knowing that it’s a very well protected fortress, and instead have been focusing on the endpoints. This issue is exacerbated because one of the driving characteristics of cloud computing is its Broad Network Access (if we’re using NIST’s words) or Dynamism (the CSA’s) that, because of its ubiquitous nature, means that corporates often allow (nay – encourage) access from outside the organisation in order to leverage the cloud computing model. Why outsource your email to a cloud computing provider yet only allow access from within your secure, internal network?

Trying to get my head around the particular issues of endpoint security in the context of cloud computing started to hurt my head, especially when trying to understand how an IT function secures the business’s information when it ends up in the cloud and is accessed from non-controlled endpoints. Is it IT’s responsibility to then secure those endpoints as well? Or is it something that the provider should look at? Google look at most of the traffic out there on the Internet; they probably have a pretty good idea of whether IP address A has visited malicious site B and therefore perhaps shouldn’t be logging on. Or perhaps we need to see some more integration with things like Checkpoint’s WebCheck.

Solutions aside, corporations, if not already, will start utilising these services soon, so start thinking about these issues sooner rather than later.


