Security Minded - from Kai the Security Guy - All Comments

re: New Editor of the Microsoft Technical Audiences Security Newsletter

Jon W — Thu, 12 Nov 2009 17:11:44 GMT

Thinking of DirectAccess as "a 5,000 mile CAT-5 cable" isn't doing it for me; I'd worry about that even more!

Some details would be nice about how/why it's safe to allow an additional access route that doesn't *appear* to require the same level of authentication as the old VPN route.

I'm sure I'm not the only one...

re: 2008 Crimes Against Children Conference

Sherry Friedlander — Sun, 08 Nov 2009 00:51:45 GMT

Hello,

Thank you for being a part of helping keep children safe. A Child Is Missing Alert Program is available to law enforcment 24/7/365 and is FREE. We are presently helping over 5000 departments nationwide. We are available to all departments in the US. so if we can be of help in your area please contact A Child Is Missing Alert for more information.

sherry Friedlander sherryf@achildismissing.org

re: New Editor of the Microsoft Technical Audiences Security Newsletter

Shems — Mon, 24 Aug 2009 01:27:57 GMT

Also, I want to hear your valid feedback. Don’t email me about how you ‘re sent in money to some Nigerian prince and you haven’t seen your money since.

----------------------

ROFLOL ...

Valid feedback; I'm about to write articles; I've done some preliminary work to test my ability to write -in english- and be considered valuable. If I write an article it has to be worthwile !!! Besides, I don't want to 'be foolish' or -worse- be taken lightly.

Shems

re: Sweetie…can I make some security modifications to the car?

Sean Kearney — Thu, 28 May 2009 06:36:28 GMT

I immediately thought as you commented about the "parking lot".

Now THERE'S a deterrent to anybody trying cause problems with security on the computer side...

"Quick Put that data down! Here comes the Administrator! And... what's that at the top of the truck?!?!"

RUN AWAYYYYYYYY!!!

BTW, Great Session you did in Sheridan College, glad to have met you :)

re: Is Cloud Computing Really Risk Transference?

John — Wed, 27 May 2009 20:01:26 GMT

I don't know why the technical media is blowing this up like it's some new great thing. Cloud computing has been around for at least the last 10 years if not longer.

Conceptually shared web hosting platforms and file repository/sharing networks were some of the first clouds to surface on the Internet. While, yes, these services are often used by the degenerates and vagabonds of the computing world, the concept in itself could be invaluable to smaller businesses without the financial or technical means to maintain their own datacenter.

The only thing that's really emerged from the idea of cloud computing is that companies like IBM and Google have essentially taken a less than reputable concept (and, yes, shared hosting is often a less than reputable means of web hosting when dealing with some of these providers), cleaned it up, sprinkled some glitter on it, and marketted the heck out of it until it shined.

But moving to the point of the discussion, I'd like to address Robert's take on the risk management factors of cloud computing versus in-house solutions. I would have to say that no company should ever maintain confidential (operational, financial, personal, and personnel) data on a cloud. To do so would be a liability that could and eventually will ruin you. Robert, I'm going to have to disagree with you about "Closer is not necessarily safer or more responsible." Closer, with offsite backups, is probably the most responsible thing any organization could do with confidential data. While, yes, there may be more security experts working in a datacenter, but nobody knows your data like you do. And more times that you would think, you know a better way of securing your data than the acclaimed "IT Professionals". As well, you lose the ability to define your security standards.

In my experience at my datacenter, data is most often compromised when people have extremely poor security standards or none at all. I would say to put more faith in your own security standards than some phone jockey at Google making $10/hr. You have no idea (outside of all the marketing and propaganda) what that datacenter's security is like, and they're not about to give you a technical breakdown.

Cloud computing is a great idea, though. I would recommend usage to just about any entreprenuers, small businesses, or educational institutions but never at the expense of their confidential data. If you can not afford to maintain your confidential data in-house, your probably should rethink your business model.

re: Is Cloud Computing Really Risk Transference?

tshinder — Fri, 10 Apr 2009 16:27:42 GMT

Hi Kai,

Great article.

Check my observations at:

http://blogs.windowsecurity.com/shinder/2009/04/10/is-cloud-computing-really-risk-transference/

Thanks!

Tom

re: Is Cloud Computing Really Risk Transference?

Miles — Tue, 17 Mar 2009 16:27:07 GMT

Internal or external hosting and how security control objectives are maintained is a very interesting topic.

Technical controls alone are not adequate when dealing with outsourced arrangements.

I'd suggest that as outsourcing data hosting becomes more widespread, attention to oustourced 3rd party Contracts is needed. Focus should cover specific security requirements, such as right to audit, compliance with your company security policies (or at minimum a gap analysis or theirs and yours to manage risks accordingly) and also getting that downstream liability clause agreed :)

I'd expect that some organisations will be attracted towards the financial benefit of cloud computing without understanding or factoring in the security exposure and implecations it presents. It is these types of organisations where visibility is needed.

re: Sweetie…can I make some security modifications to the car?

Dale — Sun, 22 Feb 2009 05:29:23 GMT

Now it just needs some sort of bag to catch the brass before it rains all over the vehicle.

re: Is Cloud Computing Really Risk Transference?

TechNet Archive — Fri, 20 Feb 2009 17:51:30 GMT

Great points Robert and thanks for starting the discussion.

I certainly agree that things can and often shoul dbe outsourced, but I worry about the ramifications as to what happens when the data for which I'm the legal custodian of, is compromised on someone else's box.

From what I've seen, this is a question that is only beginning to make the legal rounds.

re: Is Cloud Computing Really Risk Transference?

Robert — Fri, 20 Feb 2009 13:58:36 GMT

It would be unfortunate if companies decided that keeping confidential customer data on their own servers physically in-house was the only way to be responsible. It's rather like deciding that employing your own cleaning staff was the only way to keep your office premises secure, rather than hiring the services of an external cleaning firm.

I read somewhere that firms must divide work into 4 categories based on the questions "Can the business survive without this?" and "Does this directly contribute to our bottom line?". For IT operations, most firms would answer "Yes" to the first question but "No" for the second. In other words, it is critical to business survival, but more a supporting operation than a value-adding operation.

An IT firm might justify maintaining their own servers, but a non-IT firm is unlikely to have the expertise and is better off finding an external supplier to maintain their supporting IT operations.

Because IT is often such a critical system - all client data being stored etc - there needs to be a clear contract with adequate compensation being paid if ever systems fail (through data loss or theft) because it will inevitably have a damaging effect on the reputation as well as (value-adding) operations of the business.

There is no easy answer about data breaches, but there is still a risk of data breaches for in-house data, and you could argue you are being more responsible to your customers by out-sourcing to experts than keeping it in-house with potentially under-qualified staff. Think of the security in a data centre compared with your average small business! Closer is not necessarily safer or more responsible.

Someone else needs to answer the auditing question?