un-excogitate.org
what was I thinking? (Christian Frichot’s ad-lib on security and what-not)

I’ve had the opportunity to digest a couple of good reads over the past week. First up was Charles Leadbeater’s Cloud Culture: The Future of Global Cultural Relations, and if you’re at all interested in emerging technology and the way it’s impacting (global) society then this is a must read. I really liked the style used and how the 81 pages just flew by (maybe the formatting?). Some interesting pointers that stuck with me (nothing really new, but worth paraphrasing nonetheless):

  • The future will be of many clouds. This can only be achieved by embracing an open source approach to technology and information.
  • For all the benefits that we’re starting to perceive in this new open communication platform, there are still powers working to slow it down, for example authoritarian governments. Thai authorities, for instance, “have used crowdsourcing to uncover the addresses of websites making comments critical of the Royal family”. To a different degree, the same could be said of our own government here in Australia and its unremitting push for Internet filtering.
  • “Cloud culture” will enhance the creativity of people, giving them new methods to collaborate, but this can only continue as long as we don’t make it too restrictive to share and work on material.

Of course, this could’ve just been written as the “Internet” culture, but it carries more weight when it focuses on the collaborative nature of how the Internet looks these days.

Secondly, I had a chance to read something a little more local. The team over at KPMG have released their December 2009 Fraud Barometer and, similar to the above, it’s nothing entirely earth-shattering, but sometimes it’s useful to cite local reports when trying to “scare” people about their control environment. And by scare, I mean reinforce your fantastic risk assessments on your projects and other important information assets. I also found it interesting to see the number of frauds committed against Government, considering they don’t appear to be defrauded of that much money compared to, say, finance or commercial companies.

So the prize for “no-surprise-graph-most-useful-to-reinforce-or-scare” goes to Figure 6, Frauds by perpetrator. In particular, Management sits towards the bottom in the number of frauds, but is responsible for the largest amount of money defrauded. On the opposite side of the table is the massive number of frauds perpetrated by employees and how little they defrauded. This makes sense of course: management have access to more resources and there are fewer of them than normal employees. Pretty graph, anyway.

Enjoy!



The decision of whether or not to place your information in the “cloud” comes down to a simple matter of trust: trust in whether the cloud provider can deliver the availability they market, trust in the protection of your information in a multi-tenancy environment, trust in their staff (including all the staff they outsource to) not to damage or impact the service. And this trust is all we have, because we aren’t able to view their premises, their procedures or their audit statements, and we aren’t able to assess their systems, their applications or their environment. So who is it that stands up and says “Yes, we trust them. Let’s do it”?

At first I thought this was the business; I mean, they’re the ones fronting the cash to move their important information into the cloud. They’re the ones who will see all the benefits of not having to rely on IT. Then I realised that they wouldn’t know whether or not to trust the cloud provider, so surely, more often than not, they would ask someone within IT “Hey, can we trust these guys?”.

So can IT really dictate back to the business that “Yes, we trust them. Let’s do it”? Can the CIO put his hand on his chest and declare yes? How does IT even come up with that answer? Do they even know? Is it perhaps the architecture teams that look at the service being offered, review what the business is trying to do and say “Yes, we trust them. Let’s do it”? At this point I would imagine those architects turning to the risk/security/governance people within their organisation and once again asking the question “Hey, can we trust these guys?”.

Hopefully this is where the line of questioning comes around full circle. Hopefully this is where the downward questions stop. Hopefully this is where the security people ask the business people “What’s the value of your information? What would happen if it was unavailable, or disclosed, or modified?” While this is an important question, and one that will have to be answered at some point, it doesn’t really help anyone decide whether or not they can trust the provider. It’s often here that things get difficult, and the incessant pushing and probing of the provider starts to weigh heavy on the heads of the business. The costs are piling up and time has run out.

The next thing you know you’re in the cloud. But who gave the definitive answer to the question of trust? Probably no-one.



Issue 22 of (IN)SECURE magazine came out at the beginning of the month and, as always, it’s packed full of juicy sec goodies. In particular, Alexie Lesnykh’s “Making Clouds Secure” article. As the title suggests, it takes a look at cloud computing and some of the security issues around this technology/paradigm. If you follow Hoff’s Rational Survivability or Twitter you’re probably aware of a lot of the risks that pertain to cloud computing, but what I found particularly interesting about Alexie’s article was the breakdown of what the actual issues are, especially in the context of corporate use of cloud computing.

The issues are split into 3 main categories: security of the provider platform; security of data transmission; and security of the end-point workstations or clients. This last category was something I had never thought too much about, given that endpoint security is something IT have been doing for a while, and mostly we seemed to be concerned about the security of the cloud and how to trust that the provider is securing the information and systems as they market. As Alexie highlights though, attackers don’t often target the provider’s platform, knowing that it’s a very well protected fortress, and instead have been focusing on the endpoints. This issue is exacerbated because one of the driving characteristics of cloud computing is its Broad Network Access (if we’re using NIST’s words) or Dynamism (CSA’s) which, because of its ubiquitous nature, means that corporates often allow (nay, encourage) access from outside the organisation in order to leverage the cloud computing model. Why outsource your email to a cloud computing provider yet only allow access from within your secure, internal network?

Trying to get my head around the particular issues of endpoint security in the context of cloud computing started to hurt my head, especially when trying to understand how an IT function secures the business’s information when it ends up in the cloud and is accessed from non-controlled endpoints. Is it IT’s responsibility to then secure those endpoints as well? Or is it something that the provider should look at? Google look at most of the traffic out there on the Internet; they probably have a pretty good idea of whether IP address A has visited malicious site B and therefore perhaps shouldn’t be logging on. Or perhaps we need to see more integration with things like Checkpoint’s WebCheck.

Solutions aside, corporations will start utilising these services soon, if they aren’t already, so start thinking about these issues sooner rather than later.

