Over the decades (yeah – decades) – I’ve had the opportunity to be mentored by many great people all through my career. 25+ years later I still seek out people who can guide and teach me new things and new ways to think. When I first started in the IT business I was a typical wet-behind the ears kid with an extremely curious side to me. I worked as a machinist for a company that made X-Ray equipment. I’d managed to get some college under my belt but wasn’t consistently going to school. I think one reason was I was making enough money to survive and part of it was I really didn’t find the domain I was studying (mechanical engineering) particularly interesting.

At the time the first “home” computers were coming out and I managed to acquire one and became completely infatuated with it. In no time I got pretty good at making it do stuff including things it wasn’t even really designed for (6502 assembly rocks!). One day my companies TRS80 that kept the warehouse inventory on it decided to eat a floppy disk with the inventory. Losing the inventory meant we all had to go home for the day while they tried to figure out what to do. Since I had time on my hands I decieded to go see what was up and offered to try to repair the disk. I ended up writing something that read all the blocks off the disk that were good – which was 99.9% of the inventory. Needless to say – things changed after that – I got offered a job as the system admin of our “mini-computer” almost immediately which was going to run a “real” MRP2 system. I didn’t know anything about mini-computers – but hey! I was now working in the field I really seemed to have a knack for and really was having a lot of fun too.

The manager of the IT department had a PhD and also did real-time microprocessor programming R&D for the companies X-ray systems. Once I got my sea-legs in the new job I started troubleshooting problems. I’d go to his office, ask for help, and he would ask what’s up? I’d explain the problem and he would always asked if I looked the error up in the manuals? and those first few times I’d always say no and he’d give me the look over his glasses that sent me on my way. I’d look the error up, chase the possible solutions through the manuals, narrow them down to the 1-2 most likely and go back to his office. He’d ask me what I learned and I’d tell him what I read and what I thought the problem was.

He’d ask how would I prove it was the right solution and he’d listen to me explain the approach and sometimes he would have to make a small adjustment or two so that I didn’t take the systems down or break something.  This went of for a good number of weeks until I realized that I might as well look stuff up, prioritize the solution, and then go tell him what I planned to do. Years later he confessed that he didn’t know any of the answers to my questions – what he did know was how he would go about seeking the answers. At the time I hadn’t realized all he did was mentor and teach me how to solve problems on my own.

 

My advise is if you are going to spend the time looking for a mentor – find someone who is not close to your skill and capabilit. Find someone who will stretch your abilities the most. Once you hit your stride with their help – you can achieve things beyond what you thought was possible.

 

I’ve had the benefit of a plethora of mentors I’ve also been able to shape my career from what I learned from them. I am, and always will be,  incredibly grateful and indebted to all of them. Just four years ago I started work on a PhD and decided I wanted to find a sponsor at work who would provide some guidance and oversight for my research. After knocking on more than twenty doors, and dozens of  meetings/calls, I found someone who was willing to shepherd my research and take on the added responsibility of being on my dissertation committee. He is one of the giants in the security industry, Dr.  Burton Kaliski, founding scientist at RSA. For over two years he mentored me as a budding researcher and scientist. Most recently I’ve been working on several patents in privacy and once again I reached out to someone who knows a lot the innovation process - Steve Todd EMC Distinquished Engineer. Steve has written two books on the topic and has over 15o patents filed, making him one of the most prolific inventors I’ve ever met. Both of these people are giants in the areas I wanted to learn more about.

 

In grad school I took a leadership course that taught us that to be a good leader you also had to be a good follower. In my next post I’ll share my thoughts on taking on the roll of mentoring and why I believe that if your are going to have a mentor find a way to give back and mentor someone yourself.

/wayne

   During the process the team of course developers researched hundreds if not thousands of papers, read numerous books  (such as Nicholas Carr’s The Big Switch: Rewiring the World, from Edison to Google, David Linthicum’s Cloud Computing and SOA Convergence in Your Enterprise, Jeff Barr’s Host Your Web Site in the Cloud, Scott Lowe’s Mastering VMware  vSphere 4, and Edward Heletky’s VMware vSphere and Virtual Infrastructure Security to name a few), tons of blogs, and reviewed websites of manufacturers and consultants too numerous to list. We also spent time reviewing the standards and emerging standards developments such as the Cloud Security Alliance (CSA),  the European Network an Information SecurityAgency (ENISA), Also the great work that the National Institute of Standards and Technology (NIST) have been doing – all of which we’ve incorporated their guidance and definitions into the class.

   One of the modules included in the VDC and Cloud Architect course we’ve developed includes a Governance, Regulatory, and Compliance (GRC) section that I developed focused on VDC and Cloud GRC definitions and processes. As I’ve had a chance to first research this in-depth and to teach it to over 50 people now I’ve come up with a list of what the top ’10′ tenets:

1. Always OWN your information no matter where it is. This has to be the number one rule. Always own your own data. Make sure that wherever it gets created, stored, shared, etc.  that if it is your company’s information asset. Good providers will put that in writing in their terms of service.
2. If you don’t have good GRC today, what makes you think you will have good GRC practices in a VDC or Cloud?  Seriously – does anyone think that if they go to a cloud they are all of a sudden going to have these great new policies and processes? Can you inherit new ones that the provider has that improve your standard? Sure – but how will you know that if you didn’t come up with a standard in the first place?
3. Develop an information life-cycle for all information – cradle-to-grave. Information has a lifetime. Keep it too long and it gets you and your company in trouble. Either because it gets acquired by someone you don’t want to acquire it or demanded by a regulatory or legal entity that wants to get all the data they can going back forever if they can. Just like you can’t leave stacks of all printouts and correspondence around your office forever – you need to be diligent with your digital information. When it is created – set an expiration date, create an archive policy, and a purge date!
4. Less (information) is more. One of the bad habits of the past couple of decades is that we develop software and databases that collect and store a lot more data than we’ll ever need. Information is a powerful tool – but it can also be a liability. Collect what you need it will save you a lot of headaches and $$$ (minimally for storing and protecting) down the road.
5. Develop an Information Taxonomy. Back a few decades ago – enterprise development efforts had things called meta data dictionaries and information flow diagrams. Because a large enterprise has so many applications that not only collect new data but also reuse data collected earlier dependencies become critical for data accuracy reasons. For example when a new application is built that is customer facing – recollecting the same customer data each time they engage with your company is both frustrating for the customer as is the inherent probability of creating a nearly duplicate set of information. I said nearly duplicate for a reason – the customer may put the address in different the second time creating a second version of the data. So when another application needs it – which one is right? By creating a  taxonomy you can develop a methodology for single sourcing critical data, remove redundancies, and in this day and age – manage the regulatory and legal issues related to certain types of data.
6. Always know who your (data) handlers are. Let’s face it – systems in general let more and more information be seen and handled by more people. This raises the risk quotient considerably. When you leverage a cloud services provider – you need to take the time to find out their data handling procedures are. You are effectively increasing the risks and attack surfaces by extending your technology, people, and processes into the cloud. How do you mitigate this? One way is to go back again and read those terms of service. A good provider is going to say things like “our employees do not have direct access to your information nor are they allowed to engage with it without your express written permission” – when they want an affidavit attesting they are allowed to access it – they take their access to your data pretty seriously.
7. Cloud Security requirements regarding information should be at least as good as internal, recommend they are better. This is much like the GRC standards in-house in #1 – but has to be said. Make sure your security standards are met by the provider and ideally their standard is higher. We’ve developed some excellent tools in the course that help determine what this should look like.
8. Read, Comprehend, and Acknowledge all the information related cloud providers terms. Actually read them (terms of service, terms of use, service level agreements, security policy, privacy policy, retention policies, termination agreements, license agreements, etc.) print them to PDF’s and sit with your legal department/contracts groups in addition to your information security and privacy offices. On-demand or not – these agreements will define roles and responsibilities and things like what happens when you no longer want to use the service and now you have to get all your data back, or what kind of data does the provider keep about you as a customer, for how long, who do they share it with, etc.
9. Think about Transitivity! This one applies to both service levels and other items like 3rd parties. For service levels – always look at what each discreet service you are using has for an SLA and then think about what happens when you bundle services. For example when you combine a Virtual Machine service that is 99.95%, and a storage service that is 99.99% and a messaging service that is 0.00% – you get a combined service bundled that you can expect a 0.00% SLA. When it comes to other items of concern – make sure the provider has the same standard for their 3rd parties as they do for their employees. For example the provider uses a security contractor for their info-sec department. Do they do the same background and drug tests on the 3rd party’s as they do for their employee’s? Does the provider have the same standard as you do for your employee’s? See the transitivity issue here? Make sure the standard is as good as or better!
10. Evaluate your assets in terms of Asset Value. We spend a lot of time in the class talking about this one. take the time to come up with asset valuations that are going to go into the cloud. For example come up with a quick score that rates the asset as High/Medium/Low in value. Then make a policy decision that all High value assets either need special security provisions in the cloud or they just can’t be put in the cloud for now. This process helps prioritize the start of the process for assessing the cloud for your information assets and prioritizing the candidates but it is only the beginning.

This isn’t an exhaustive list – but is a good starting point for coming up with some good practices for building trust in the cloud and assurance for Information Handling. Want to learn more – then come take our EMC Proven Professional VDC & Cloud Architect Class!

/wayne

PIA Image from ENISA

cloud and how would it be accomplished as a service. The second one just got published in a special edition of IEEE Security & Privacy on cloud computing and is about cloud provider transparency.

These are related to the dissertation study in that they all look at aspects of how privacy risk can be assessed in cloud environments. The dissertation study will differ in that it will empirically test three different privacy assessments against a ‘reference application’ that would run in cloud environments. The reference application will contain data that is regulated or needs to be protected as it is considered private data. The objective of the study is determine how well the privacy assessments work in cloud environments. Does multi-tenancy have an impact on the outcome or does elasticity? Does one assessment versus another do a better job in cloud environments?

The study is not an exhaustive one because it has to be something I can finish in a reasonable amount of time (and finish is the key word here!). It is however unique based on my review of the literature. There does not appear to be a lot of empirical data when it comes to privacy in the research. I honestly couldn’t find anything published about privacy assessments other than Clarke’s work which provides some excellent background and perspective on privacy assessments and where they originated from (hint: environment impact). Breaches – yes – lots of good stuff, privacy assessments – no, not so much. 

Now I just have to sign up three to five cloud providers to allow me to do the study. A bunch of folks said “sure, when you are ready let us know” when I approached them before but now I need real commitments from cloud providers. If anyone can help me by putting me into contact with the decision makers on research at the CSPs or is interested in learning more – please feel free to send me a note or a tweet. The abstract can be found here: Dissertation Abstract and I’ll glad provide more details to the study if you would like to learn more.

/wayne

email: wayne.pauley at gmail.com   twitter: @wpauley

Facebook heads-up headed to teachers:

 ”All school district employees are reminded that personal information posted on the Internet is not truly private as it creates a permanent record that may be retrieved and retained and thus any expectation of privacy may be unwarranted,” the proposed policy states. “Information posted on the Internet is routinely reviewed by potential employers and may impact future employment opportunities.”

No-Facebook for Teachers

I have a couple of problems with this first statement.. First of all – what an employee does with their personal information is – well their personal information. But, and there is a but needed here – public school teachers are public employee’s and should be guided by a code of ethics that holds them to a high standard. I would think this standard would include requirements on what is allowed in terms of types and modes of communications between students and teachers. I would think that this code would exist without any specific technical method for communication. So if a teacher only has a pen and paper or a landline based phone - there should be guidelines for what is acceptable and what is not acceptable. Ok – so now we have Facebook and Twitter and texting – so what? These should not have to have a new policy associated with them – the same guiding principles should apply.

The article continues with:

“The policy also prohibits teachers from inviting students to be “friends” on social networking sites or agreeing to student friend requests. They should not chat, text, e-mail or Instant Message with students “in an overly casual, unprofessional, inappropriate or offensive manner.”

Huh? Now the policy is going to thwart productive and useful interaction between students and teachers. What kind of message does this send to the students? Social networks are bad? The issue here is what is communicated and transparency. If a teacher wants to communicate with a student – then there needs to be guidelines that are based on a code of ethics that the teacher has to follow. Private conversations are allowed between students and teachers - so why not allow private communications using other methods? The teachers ethics must be held to a high standard and that has to go beyond the classroom. We must also continue to find ways for our children to grow up in a world where the rules are the rules and good behavior is good behavior. Digital information technologies are part of our children’s DNA – they are growing up as digital natives. We all have to learn to appreciate usefulness and capabilities of technology and also sustain the trust and control mechanisms that protect our students and the teachers. We must create an atmosphere of trust and the right to privacy.

I found another article on the same matter that mentioned that the school system had filters on its firewalls to stop the use of Facebook. Geeze do these people realize that 1 out of 2 Americans will have a smarthphone by Christmas 2011 and that the first apps that are built for the phone is Facebook, Twitter, and Texting? Who cares what the firewalls do?

Ironically the teachers handbook for the Nashua school system that has put this new policy forward has nothing about a code of ethics on its website or in the Teachers Handbook. Why not? Transparency seems like a good policy – especially when it comes to ethics.

 What do you think?

/wayne

For those who are prolific peer-reviewed researchers and writers my hat is off to you. With all the work work, school work, dissertation efforts, and errata activities I decided to give “published” writing a break.

In the past 2 months a funny thing happened – call it aligning the stars or something in the water – whatever it is I had a brainstorm for a paper, ran across a great venue for it, and my idea was accepted. I had blogged about and posted on other sites about cloud transparency so I thought why don’t I do the real research and empirically do a quick (small population study). The process forced me to analytically break down the notion of cloud service provider transparency, do the literature review, and come up with a workable scorecard. Then I studied six cloud providers to see how they fared based on the scorecard. The process all forced me to re-evaluate the scorecard. I also had a few friends help out – like Randy Bias at Cloudscaling who made a few suggestions on the scorecard.

The second event came about through someone sending me the link to a venue and saying to me – “hey Wayne – you should present at this”.  “This” happens to be this summers Usenix HotCloud conference. When I read the event structure and topics I knew I wanted to do something for the conference but … how do I do something that is related to my dissertation without spilling all the beans on what my study is about (this is a primal fear in researchers – for good reason – stolen work)? So I asked a colleague at work who I am so privileged to know Dr. Burton S. Kaliski, Jr. and who has so very graciously agreed to be on my dissertation committee. He suggested – why not take your thesis topic and we do something related as a position paper? So the scramble began and in two weeks we wrote a position paper on Risk Assessment as a Service in Cloud Environments … won’t hear if we got in or not for a few weeks. The whole process of working with such a knowledgable person who can write a paragraph faster than I can read one! He is amazing and so fluid with his thoughts. We took a years worth of white board discussions and came up with a closely related topic that has already provided me greater insight into what I have to clarify in my thesis process.

So now the fun begins – I wait and hopefully go from – almost published … to published. Either way the experience and learning was well worth it. Now back to my thesis …

/wayne

Updated May 7th:

We (Dr. Kaliski and I) got accepted into the Usenix HotCloud workshop on June 22. We have some minor edits and then I will post the paper. You can find the program for the day here which has sections on Performance/Power, Economics/Pricing, New Programming Models and Usage Scenario’s, and my favorite Security and Reliability.

Updated June 25th:

My second article got accepted by IEEE Privacy and Security. The article will appear soon online and be printed in a special edition on Cloud Computing this fall.

What strikes me as a point of interest is that 99.999% of the content seems to be about the user/consumer/citizen – the person. Not that this is a bad thing – because lets face it – most private information comes from people.  We have contemporary privacy scholars who focus on the legal aspects of privacy like Daniel Solove (if you haven’t read his book “Understanding Privacy” – I highly recommend it!). Software Engineering privacy experts like  Lorrie Cranor who has driven incredible changes in how software, user interfaces, and web tools gather and use privacy related information. Roger Clarke who has looked at privacy statements and privacy impact assessments in-depth. Or Herman Tavani who has shaped much of the theoretical basis for IT Ethics (he has published some excellent research on Privacy & Ethics) And I could go on and on with the list of really great minds.

Recently I have had a few discussions with folks who are privacy experts - in fact a few of them are world-renowned in the academic circles. When I bring up the fact that business has a privacy requirement too – let’s just say I usually get a pretty strong negative response to that. One person even suggested that maybe I’m just working for a business and not really doing research.

Let’s face it – particularly here in the U.S. companies have been very liberal with their controls of their customers (and even just prospects) information. Take the days of the 3×5 warranty card. How is it that a company that sold you a baby carriage needed to know your annual income or your age? All that they need to know (if they need to know anything) is the date it was purchased, where it was purchased, a serial number, and your address.

But … what if we thought about privacy a little bit different? What if we thought of it as if the corporation were a person. For example – a corporation has to worry about the data of their employees, customers, and their own “information”. Their own information could include protected things like intellectual property or more grey area things like temporal or tribal knowledge (e.g. current incentives given to sales to drive sales behavior against a competitor).

Also – has anyone every heard the phrase “it would be like pushing on a rope”. In other words if the discussion/argument/definition is one sided – how do you really move your position forward if there is nothing there to resist the progress? Benjamin Franklin said “Reading makes a full man, meditation a profound man, discourse a clear man.” How can the tension between man and corporation when it comes to privacy be one-sided? It seems valuable to research and understand the privacy privilege, violation, protections, perspective, and purpose from the corporate side of the coin seems to be not only valuable – but a requirement. How can we fully understand where the line needs to be drawn with regard to individual protections if the fight is one-sided?

H. Jeff Smith wrote in his book “Managing Privacy” that corporations only respond to privacy requirements when there is an external event (breach, lawsuit, regulation) – why not choose to find a different – proactive course? One which embraces the needs of the enterprise, assesses it against the needs and rights of the citizen – so that we can find the middle ground? Why constrain our forward movement in the realm of privacy to just the outcome of complaint or the past tense of lost privacy?

And no, my research is not for the corporation or by the corporation. My personal opinion is that corporate America does have too many liberties with our private information and we’re not adequately protected. However my opinion doesn’t count when it comes to research and one of the most interesting ways to study a problem is to reverse it.

/wayne

   Today marks the one year anniversary of my finding out I’m a Type 1 Diabetic. With over 20 million Americans currently diagnosed with Diabetes and evidence that the number is going to more than double of the next decade – you might actually know someone who has this disease. In a recent American Diabetes Association Magazine article I read that every 20 seconds someone becomes a diabetic. Every 20 seconds! Wow.

I thought I would share some of the things I’ve gone through and learned in the process … so lets start with a year ago. Everyone asks did you have symptoms? Yup … did I ignore them – yes, for a few months. The symptoms were weight loss – 35 pounds in 3 weeks. I was going to the gym so I was thinking – wow this was working great. The problem was I really only wanted to lose about 15 pounds and what I didn’t know I was losing fat and muscle. The next symptom I had was that I was run down all the time – in fact I would get home from work (which took everything I had to get through and commute home) and would sit on the couch and fall asleep – sitting up. Now I’ve always found it easy to catch a cat nap but my wife knew something was wrong and was urging me to go see the doc. Nope, not me – I was fine. The final symptoms were I had to urinate all the time – every 20 minutes, and was craving sweetened drinks like Gatorade and coke which I’ve never been big on.

So on March 3rd last year, I remember that it was a Monday and that we had a snowstorm – so I opted to work from home. My wife said that was it – I was going to see the doc who probably had openings due to the storm. I went to the Dr’s and shared my symptoms and he took the usual fluids to test and said he would call me the next day. Three hours later I get a call from him and he said go to the hospital – now and to have someone else drive – because he was pretty sure I had diabetes and my glucose levels were off the charts. The healthy person usually ranges from 75-150 my levels were in the 800′s! Needless to say I spent a few days in the hospital while they stabilized me and spent 2 days teaching me what my life was going to be like as an insulin dependent person.

I thought I’d share some of the experiences – which for me has been a life changer. Not because I have to eat better and workout to stay healthy – because I already did that for the most part. No, it is more that for me I’ve always had relatively perfect health and never had anything serious happen to me health-wise. No broken bones, no hospital visits, no pills required – to having to test my blood 4-5 times a day, count my carbs, and inject 2 kinds of insulin into my body 4-5 times a day.

When I first started dealing with the insulin – I would scurry into the bathroom if we were out or hide in my office and test and inject. Why? I was afraid to have anyone see me do what I’ve done over 1500 times in the past year. At the time I was very self-conscious (still am somewhat), worried people would think I was damaged goods at work, and didn’t want people to stare at me. For the most part I’ve found people are mildly curious or have seen it all before and don’t care – plus I can get through the whole process in less than a minute at this point. Some people stare at me – but hey I have to get over it – and it is my lifeline and the technology and products are so much better now than even 1o years ago. I’ve got it easy compared to those who didn’t have the medical tech we have today or have had to deal with diabetes since they were small children – I’ve had decades of great health (and plan on many more).

I also went through the whole denial, anger, why me stuff. That took most of the last year – and still comes on in short blasts still even a year later. The Dr’s not being able to explain to me what caused it, what I should have/could have done differently, etc didn’t help me understand the question of “why me”. For my trip in this journey – I’ve become more focused on my health overall – more gym time, dialing in the food/diet/insulin ratio’s and reading/learning what I can about the disease and the medical technology and progress toward curing this disease. I’ve also learned to listen to my friends and family and couldn’t have made it this without their caring and support – they have been awesome. The last thing is I’ve dialed back  pushing myself quite so hard. It means things slip off the list until I can get to them – this is probably the hardest thing of all for me.

So one last bit before I end this posting. I had to share one moment that was really hard for me. I finished working out at the gym was stopping at Dunkin’s on the way home for a nice hot coffee and walked in and stopped and just stared at the racks and racks of donuts. For some reason it just hit me so hard – here was all this stuff which I liked to have as a treat once in a while – and it was all off-limits – why did I have to be different? The moment passed and I can actually have a donut once in a while (as long as I take my meds and don’t make it a habit). What I did learn is that – yes my life is different now, I have to plan my days and stay on track with my changed ways – and maybe someday Diabetes will be cured. In the meantime – I’ll do my part.

My call to action to you is – get your glucose levels tested, find out what your A1C  number is, watch your diet, exercise, and live long. Oh – and cheers to another year that we get to walk the planet.

/wayne

  Why is “security knowledge”  (SK) such an important construct? To those who have been in the security business a long time – they probably already have a good idea of what SK is. SK is made up of a thorough understanding of context of the infrastructure, the collecting of requirements, the actions that are to be deployed, and value of information assets.  Most organizations have some or all of these elements in their security knowledge base – though it is likely diffused over several people or even departments or stored in multiple products. The diffusion of security knowledge  is not a trivial problem in its own though beyond what I wanted to try to get to in this posting.

As a privacy researcher, what struck me as a key concept in this research is that there is a  parallel need for “privacy knowledge” and it has to stop being an “also ran” to security knowledge. Privacy is important because privacy is based on Information and we are literally exuding Exabytes of information annually – much of it personal (70% according to this IDC link).

In the security domain one of the metrics listed by Hermann in her book “Complete Guide to Security and Privacy Metrics” is security policy management. I found it interesting that of the 972 metrics she listed there is not a corollary to security policy management which I would think would be called  “privacy policy management“. Yet with the Cloud or any Internet-based business these days – Privacy Policies are kind of treated as “ho hum – ya we got one” item – but have you ever read one (Microsoft has an excellent one that is easy to read , while Wal-Mart’s is easy to enough to read but is lacking in navigation friendliness)? Maybe when you do online banking you take the time to read it, but I’d bet a $1.00 you never read it when you sign up for another widget you want to use on Facebook (that the FB folks wash their hands of when it is not their widget! - What! you didn’t know their privacy policies were NOT transitive? ). So why not have a privacy policy management metric? Why not include the privacy policy as part of the Privacy Knowledge (PK) that the enterprise has to manage since the privacy policy defines a set of requirements that the what the company is adhere to when they DO something with your not-as-private information that they now have.

What if we had a full-blown PK though? To some folks this seems like slicing the onion a different way – but bear with me for a minute. What if you actually took all the SK steps and applied to privacy knowledge and treated privacy knowledge as important as we do security knowledge? The steps would be:

• Get a full inventory of all your information assets (instead of the infrastructure itself) that applied to your customers, employees, and intellectual property.
• Understand who has access to the information and can transform, store, or transmit this information (who being people, process, or technology!)
• Extract privacy knowledge (privacy requirements) from the privacy policy
• Associate the privacy requirements with privacy controls.  Control instruments would include rule-of-law, regulations (HIPAA, SOX, etc.), and internal business rules as defined in privacy policy.

   Hypothetically speaking if you took these steps and put the resulting information into a database, married it to the Privacy Rights Clearinghouse database, throw in some information asset values - you could begin to perform analytics against the policies. With the  historical breach data you could model potential exposures and perform what if’s. Minimally you could begin to evaluate privacy risk quantitatively. If nothing else you would be a lot closer to understanding X, X standing for the unknown.

/wayne

The Clouderati were nestled all snug in their beds,
While visions of standards danced in their heads.
Dot.Gov and her ‘cyberchief, and OVF in his cap,
DMTF and OCCI messed with our brains before a long winter’s nap.

When out on the Vaporware there arose such a clatter,
I sprang from the Mac to see what was the matter.
Typed away on the keyboard, I tweeted like a flash,
Private & Public, for Hybrid - just add a dash.

The predictions had come, for 2010 like new-fallen snow
Predicted the cloud #fail, all of the vendors we know.
When, what to my cloud-washed eyes should appear,
But a transparent cloud provider, and eight controls simple & clear.

With a bunch of new VM’s, and security we designed to stick,
I knew in a moment SAS70, I wouldn’t pick.
More rapid than Cloud Security Alliance, then ENISA came,
And they covered their _aaS  and called out the controls by name!

“Now Bochagalupe! Now, Suredy! Now lmacvittie, Werner and Alverez (cloud Vixen)!
On, Ruv! On, WattersJames! On GeorgeReese, on Jamesurquhart and Randy-Biaz!
On Samj! On Aneel! On Mfratto! On ShlomoSwidler and Swardly!

To the top of the storage farm! to the edge of the firewall!
Now compute away! Compute away! Compute away all!”

As the competition heated up, like the wild hurricane fly,
When they meet with an obstacle, change their offers on the sly.
And finally the enterprise, to the providers they flew,
With the sleigh full of AWS, Google, and now Microsoft too.

And then, in a twinkling, I heard where’s the proof
Will my data be safe, VM’s can the hackers spoof?
As I drew in my head, an architecture that was sound,
I conferred with my cloudmates, not an exposure was found.

Along came one all dressed in fur, with a tail longer than a foot
Yet his nickname was beaker and he often says !woot.
He carried a bundle of Cloud Toys he had flung on his back,
And he told us about frogs, while opening his pack.

Others worried about interop and if there was privacy!
Some call the process a mobocracy and others an isocracy!
Some speak of the cloud and security as ones in the know,
One has his sock puppets and beard as white as snow.

They spoke not a word, but tweet’d while they work,
And filled all the demand, keeps them from going totally berserk.
And laying out standards, all gaps they expose.
Ready their clouds, for enterprise rose!

They sprang to their work, this A-team gave a whistle,
And away they all flew, like the shot of a missile.
And I heard the Clouderati exclaim, ‘ere they drove out of sight,
“Happy Cloudness to all, and to all a good-night!”

Many of the providers want you to believe that they are in fact transparent – which also happens to be the latest buzz word in the blogosphere (there are some great articles by Hoff, Randy Bias to name a few)  regarding the information that the providers is willing to put up on their website. On the one hand I’ve found that just getting this information as a non-customer is not an easy feat. Some providers like Google and Microsoft provide what I would call one-stop-shopping (e.g. Google Privacy Center, Microsoft OnLine Privacy) . They have a web page that gives you the core stuff like their terms of service, privacy policy, and either a security policy or at least a white paper on their controls. Microsoft has developed a full online Compliance Framework that they “appear” to be applying to Azure.

First lets tackle what constitutes transparency for the customer (customer being someone who is going to place a business ON the cloud providers systems). As a potential customer I’m likely to want to see the following:

• SLA’s – What are the SLA’s? Are they Five 9′s? Four 9′s? What are the aggregated service levels if I’m a typical customer? So if I use your messaging services, your storage, and compute services do I get an aggregate of Five 9′s still or was one of the services at a lower level? Is there a service level credit? For example GoGrid provides a 10,000x credit for downtime while others just credit your minutes of lost time. Several providers will also actually provide the customer payments for business lost though this is provided via an insurance policy that the business could otherwise acquire.

• External Audits – The rage seems to be SAS70 Type II audits which are designed to have provide an element of financial systems trust by having a third-party certified auditor look at security policies and procedures and determine what controls are in place and measure their effectives as they relate to an audit of their financial statements (see SAS70 details). This is great if you are trying to make sure the provider has controls in place that support SOX requirements but what about general PII/PCI controls or HIPAA? What about their security posture? I’d argue that this type of audit is a good “business” control type of audit. What is still needed is a Security and a Privacy audit to complete this picture. Minimally as a customer I would want to see the SAS70 audit results and the mitigation plans. While many of the providers have this audit done – none of them currently provider the results on their websites and would not provider the details to me via email though one provider did provide a list of the SAS70 control “buckets” that they include in their audit but they would not let me publish them via a blog or post to the web – to quote them it would “lessen it’s value” (not sure how that is – but they provided it for my research). One last note is that I found that ADP would provide the results to of their SAS70 audits to their paying customers for the areas that aligned to the services that they used.

• Internal Audits/Assessments – It is assumed that the security and privacy policies need to be in place as SOP for data center operations. Along with the policies are internal audits/assessments that are performed with due rigor and regularity. The International standard ISO/IEC 27001:2005  is for security assessments and is considered by many to be one of the best and most thorough.  There are several other well know security assessments such as OCTAVE  from Carnegie Mellon which uses a Bayesian Model based on quantitative analysis of qualitative data and is designed to be used by internal resources. The US Government also has developed a series of standards in a he NIST SP800-53 standard The results of these audits are not generally available to “prospects”, actual customers, are not published, nor are they necessarily “honest”. For example – I ran across this statement on risk assessments from Pivot Points Security:

At this point Risk Assessments are a lot like a bikini; “What they reveal is suggestive, but what they conceal is vital”. Worse, it’s easy (and common) to make what they reveal what you want them to reveal.

Having performed and participated in OCTAVE, ISO/IEC 27001, NIST SP800-53, and COBIT audits myself I found out a few things in the process. Purely internal or purely external assessments introduce too much bias. OCTAVE was designed to be run internally because the subject matter expertise lie within the organization and employees/security staff have a better understanding of “asset value” (and I’m not going to get into the whole debate on usefulness of ALE/ROSI valuation methods). The internal bias could potentially be mitigated by having an external firm provide oversight and guidance. Perhaps the best (and most expensive method) would be to have an internal and external audit performed and compare them for patterns and gaps. Having run the operations for a managed service provider in the past it was my experience that we would have internal assessments run on off cycles from the external ones and the external ones would go through a “rough pass” phase, allow us to fix the most egregious problems, have a final pass run, and then the results would be provided to requesting and paying customers. If they weren’t both they didn’t see our security audit results.

One last comment on Risk Assessments – there is a new method name FAIR that Hoff pointed out developed by Jack Jones from Risk Management Insights that takes a different (and refreshing) approach to assessment methods. While most assessment methods rely heavily on interviewing and subjective qualitative data FAIR uses quantitative analysis for the asset valuation, threat impact, and also uses Monte Carlo simulations to pinpoint where the threats are most probably. This seems to be very unique because it is far more quantitative and makes it potentially far more machine readable/executable (I’ll expand on why this is important in future blogs).

• Employee Certifications/Expertise – If you go back a bit in time to ASP/MSP’s vs. Hosting there was a line of demarkation that happened when you wanted help. The MSP had excellent subject matter expertise on the services they provided all the way up through the stack to whatever level they provided. If they were a database MSP they had experts in database, security, backup, etc. at your disposal. If they were a hosting provider - they stopped at the lowest level – they knew a lot about power/pipe/ping (physical security, power, cooling, core network) but they usually left the but they usually stopped at the lowest level and if you needed OS support – they may/may not provide if and if they do it is not included in the service.

When looking at cloud providers you should look at the experience and certification levels of the staff as part of your investigation. I would also suggest looking at “where” the talent is and what hours they work. For example if they use a “follow-the-sun” method – that may mean the staff you are using during your normal workday does a hand-off  when the clock strikes 5:00PM and you have to re-educate someone new who may want to have too much creative license on what the focus of the troubleshooting effort. No matter what – find out if they people working in support have names that are followed by the alphabet soup we are all accustomed to int he IT industry – CISSP, CIPP, CNE, CNA, MSCE, RSA/CA, etc. and make sure they have these certs from reputable organizations such as Cisco, ISC2, etc.

Also consider using a provider that is ITIL certified or at least has ITIL certified staff members. Why? Well for one ITIL was designed to improve the quality of service management by creating a framework of best practices for organizations to establish a service desk, a services catalog, and to measure service levels against. The latest version of ITIL v3 included the use of third-party providers extending the standard into the cloud/MSP/ASP world.

• Miscellaneous – The final set of things to look at is – have these guys been in business a while? Are they solvent? What outage/security events have they had? Are they willing to provide you with the things listed above (and anything else you need) to make a good decision? Also make sure you really understand their billing model – some providers charge you for the “max used” or “burst” rate for the month while others do some averaging. Some include or group services together (such as DNS is part of network usage) while others are 100% a-la-carte and you need to pay for them separately. Perhaps someday we’ll see finer grain metering systems (due to competition) like with networks that tend to use 95th percentile billing that allow for short bursts.

One final thought on this tome I’ve written (assuming you read this far!) – consider what happens with your cloud provider when they are part of a set of service providers. For example if you are using one provider who gives you an easy portal to set up and manage your cloud infrastructure, then another behind that provides the core services (storage, compute), then another for backup/DR, then another for Security – start to think about the complexity (=risk), and does this aggregated service (what I like to call the service-stream) still have the security level, SLA, etc. that you had when you started? Do they have the same privacy standards and requirements? Are the protections transitive? Are they willing to test an outage and share the results or actually include you in the process (like you do internally when you test your DR test plan)?

In the end – you need to decide is the provider making it easy for me to understand how they do business with you? Are they open to sharing the controls/methods/etc? Or do you have to work really hard to find out what they really are doing on your behalf – don’t take the thinly veiled answer that it is for your protection that they won’t provide the information – you are the customer but if you are just using a free service – you get what you pay for.  If you are a real paying customer – then you don’t deserve to be treated with obscurity or directed to talk to someone else. The cloud is supposed to be self-service and automated – it is up to the providers to include in that service making it easy for potential/paying customers to get the answers they need to make their stockholders and customers happy.

Attached are the results of my looking at various providers via search and the web. It is incomplete – some sites had everything in one place making it easy to find. Others that have empty spaces are because after trying for hours I gave up. Could be my skills are not what they should be with search – but I think if a 25+ year IT vet can’t find stuff easily on the web or with search then you are losing customers already.

/wayne
Resources:

SAS 70 – http://www.sas70.com/index2.htm, http://infotech.aicpa.org/Resources/Assurance+Services/Standards/SAS+No.+70+Service+Organizations.htm

RMI & FAIR – http://www.riskmanagementinsight.com/