The Amazon A-Z guarantee. Not what it seems..

This post is a slight departure from my usual content, but as a long term Amazon customer I have recently lost a reasonable sum of money due to an unscrupulous market place seller and Amazon’s misleading A-Z guarantee.  Given what we have lost, and the fact that many people likely use the Amazon market place believing they have protection from Amazon, it is worth noting that, based on this experience, when things go wrong that ‘guaranteed’ protection may turn out to be worthless.

I’ll start with a quote from the A-Z ‘safe buying guarantee’ on the Amazon UK site;

What is covered under the A-to-z Guarantee?

  1. The buyer didn’t receive the item they ordered.

The very first item on the list states you are covered if you do not receive the item you ordered.

So now we are clear on the Guarantee, onto the tale of woe..

We ordered some furniture from a company called Decorious based out of this address;

Decorious Ltd
Unit 24
Business Innovation Centre
Sunderland
SR52TA

After a period of a couple of weeks when we had not received anything we contacted the seller, and were told the item had been delivered.  We obviously challenged this and received a response that the courier had said it was delivered, on a Monday at about 3.30pm.  We explained that it could not have been delivered to us as there were only two people living at our property both of whom were out at work at this time.

The courier then confirmed that the goods were indeed delivered to someone other than us and a different address, but that they didn’t seem to know where this was!

At this point we thought that would be fine, as UK trading standards clearly states that the seller of a posted item is responsible for ensuring it is delivered to the purchaser.  So we asked Decorious to resolve the issue and resend or locate our goods.  They stated they would investigate with the courier and come back to us.  Several chasing emails later they then changed their tune and started sending generic ‘please use this tracking number, apologies for any inconvenience caused’ emails.  No matter what we sent or what we asked we just got the same response from a lovely lady called ‘Kelly’.

At this point, while somewhat annoyed at realising Decorious and their employee Kelly were a less than honest company relying on the fact we wouldn’t take further legal action as it would be so time consuming, we were not too worried.  Assuming on past experience that Amazon were generally decent and resolved delivery issues, we contacted them to ask for the A-Z Delivery Guarantee to be invoked.  We explained the situation to them, how we were not in at the time of delivery, Decorious’ admission that we didn’t have the goods, then their change of mind etc. all of which is on record in the Amazon email system.

Amazon customer service duly went and ‘investigated’, then came back and said there was nothing they could do, so we asked why, and how the guarantee was satisfied when the goods were not received.  Further unhelpful standard responses followed.

Amazon doesn’t make it easy to escalate issues so I searched online and discovered some options;

buyer-guarantee@amazon.co.uk

Managingdirector@amazon.co.uk

cnorth@amazon.co.uk

Now I’m under no illusion that Mr North, the current MD of Amazon UK would actually respond to these emails, but we did get Anthony Bennis from ‘executive customer relations’ responding on his behalf.  Anthony said he would investigate, and surprisingly came back with the same helpful advice – there was nothing they could do and perhaps we could try trading standards.

So I asked him to explain what investigations they had carried out; this was not answered.  I then asked him to explain how the A-Z Guarantee of delivery had been fulfilled; this was also not answered.  I then asked him to state clearly that the guarantee had been fulfilled despite us having been out at the time of delivery and the courier admitting they didn’t know where the goods went – again, not answered.

All we got was generic responses then ‘sorry we won’t talk to you about this issue any further’.

So the moral of the story is that the Amazon A-Z guarantee is frankly not worth the html it’s written in, and buyer beware.  The market place is no worse than buying from anywhere else, but don’t be fooled that Amazon provides you any real protection should you face issues.

As for Amazon, Anthony Bennis, or Christopher North (as you allow people to speak for you), I ask you publicly to explain how your supposed guarantee was satisfied in this situation.

Finally as for Decorious just don’t use them, there are many furniture sellers, most of whom are decent and honest, Decorious are not.

Normal service will be resumed with my next post :)

K

Computing Summit – Enterprise Security and Risk Management 2014 part 2

Protecting against phishing and social engineering techniques – Neil Thacker – Websense

90% of all attacks begin with email – phishing / spear phishing.  Spear phishing is the most common vector into companies.

Success = Talent + Luck.

In spear phishing – Talent = making the email seem as real as possible.  Luck = someone clicking on it and the malware or similar running / user clicks link.

Take away points;

People and Process;

  • Limit the information you share about yourself online
  • Verify all messages with links and attachments
  • “Catch of the day” gamification program

Technology;

  • Link email and web events in real-time
  • Real-time user education at point-of-click
  • Measure and phish at risk employees… with permission

Useful link for people to see if a link they have been sent may be malicious; http://csi.websense.com

Securing Mobile – The new enterprise desktop

Presentation by Entrust

Mobile and traditional ‘desktop’ worlds are colliding.

People have multiple identities across devices and systems, both personal and work.

Huge numbers of people using personal, BYOD, devices to access corporate systems.

Growing mobile and ‘always on’ workforce.

  • Sensitive information now travels outside of the office to the home, car, gym, anywhere

One breach leads to..

  • A successful attack on one identity has the potential to open the door to all other identities; social engineering, same or similar passwords used etc.

Mobile – A unique blend of security and usability;

  • Mobile devices have powerful features built in that organisations can leverage
    • Application sandbox
    • Crypto
    • Biometrics
    • Secure elements
  • Users want to carry them – always in hand, always connected, convenient, support work / personal balance
  • The good – Applications signed and vetted, applications sandboxed, GPS, Bluetooth, biometrics and cryptography
  • The bad – Malware in apps, apps can view other data such as SMS etc, jailbroken devices, insecure logons (e.g. simple pins, finger print smudges, weak biometrics etc.)

Mobile Smart Credential Concept (Entrust product) – phone used for physical and logical access – Physical access to building, logical access to systems, digital signatures, encryption, cloud, vpn, out of band alerts to confirm transactions.

Mobile – a catalyst for change.

Talk was pretty much a product sales pitch, but a few interesting points.

Redefining Network Security: Detecting and preventing Advanced Persistent Threats

Presentation by Palo Alto

Another one starting with the attack kill chain;

  • Breach perimeter
    • Initial compromise
  • Deliver Malware
    • Deliver malware and communicate with attacker
  • Endpoint operations
    • Move laterally and infect additional hosts
  • Exfiltrate data
    • Steal intellectual property

Prevent attacks by stopping one step in the kill-chain.

Attackers disguise attacks in other traffic – specially crafted UDP packets, DNS, https, Skype traffic (e.g. customised encryption, port hopping etc.).  Many ways to hide and exfiltrate data; it’s not always obvious, or obviously malicious, traffic.  We focus heavily on web / email / known bad traffic, but are we looking in the right places? Are we missing data leaving via less obvious or assumed-OK channels?

Requirements – Detect and Prevent

Detect unknown threats, prevent all known

  • Automatically detect unknown threats and make them known.  Prevent all known threats – they are known after all, so there should be little excuse for missing these!

Prevent across all networks – provide consistent security across the environment

  • Prevents threats at: internet edge, data centre edge, between VMs in the DC, between mobile devices and core systems etc.

Closed-loop protections

  • Closed feedback loop creates shared protections for all systems in your environment, and ideally all customers via sharing in the cloud.

Talk became a product overview of the Palo Alto solution, but the above points are I think relevant generally.

ISF Congress Post 5: Expect the worst; Operational risk quantification process

Expect the worst case;

Approach for quantifying operational risks – special focus on cyber security risks

Presentation by Hanno Lenz for the ERGO Insurance group

ERGO splits risk management into three categories / lines of defence;

  • Risk Taker (Owner) – Business line
  • Risk Controller – Risk Management
  • Independent Assurance – Internal Audit

This is then further split into lines of business and risk categories (Strategic Risks, Market and credit risks, operational risks, liquidity risks, reputational risks).

This presentation had some excellent graphics highlighting their risk process, how they move from threats to risks, how to assess the probability, impacts and then the actual risk.  This process is outlined below.  Click on the images for a larger view.

They created this Security and Continuity Risk management model;

[Image: Security and Continuity Risk management model]

This model for working through from threats to the actual risks;

[Image: model for working from threats to actual risks]

The process they follow from threat to actual business risk and impact is outlined in the diagrams below.

Assessing the Probability of the threat occurring;

[Image: assessing the probability of the threat occurring]

Assessing the Impact should the risk occur;

[Image: assessing the impact should the risk occur]

And finally, working out the actual risk by combining the probability with the impact;

[Image: combining probability and impact to give the actual risk]

I think this provides a very good, easy to understand overview of a relatively simple and workable risk assessment process.

Remember, in order to make any risk assessment process a success and for the results to be worthwhile, you need to ensure the input data is as accurate as possible, and also that the analysis is performed by people with the relevant expertise.

For the inputs, ensure you consult with the business streams and have an in depth understanding of the organisation, its IT structure, where the data and applications are, the number of employees, office locations etc.  Also ensure you have engaged with the BCM teams to understand recovery requirements and plans, recovery costs, degree of outsourcing etc.

For the outputs, as well as the IT security and BCM teams, ensure you have the right experts for creating realistic examples, creating actual security situations, estimating the costs of the risk should it occur, and also experts in mathematical modelling so that the results are modelled correctly and not just estimates.

K

ISF congress post 3: The state of Quantum computing…

The state of Quantum computing…

… And the future of InfoSec

Presentation by Konstantinos Karagiannis from NT and Juniper Networks

Enough Quantum Mechanics to get by;

  • Richard Feynman “I think I can safely say that no one understands quantum physics”
  • Unlike macro objects, quantum ones exhibit weird behaviours that make amazing things possible
  • Max Planck proposed electromagnetic energy only emitted in discrete bundles or “quanta”: E=hf
  • Planck’s constant (h) and derivatives (Planck unit) may prove important in future information theory (one ‘bit’ of information = one Planck unit)
  • Light – made of waves (Thomas Young) made of photons, not waves (Einstein), Geoffrey Ingram Taylor – wave interference patterns even with one photon at a time – Particle wave duality!
  • Superposition – if you observe the light, the superposition is destroyed and it appears to work as you would expect.
  • This concept of decoherence is key to QC.
  • Entanglement – the key “mystery” of QM, and important for QC.
    • Created by a quantum event, entangled particles share a quality in superposition such as spin up or down.
    • If you observe the spin of one particle, the spin of the other is immediately known even if it is the other side of the galaxy.
    • No this doesn’t break the cosmic speed of light as it is effectively just random information.
    • This does have real applications in QC and quantum cryptography
  • QCs must maintain coherence / superposition in hundreds of particles e.g. via
    • Quantum optics
    • single atom silicon
    • Large artificial qubits
    • NMR

Qubits and how a quantum computer (QC) will impact some areas;

  • Qubit
    • can be zero, one, or a superposition of both (with probabilities of each)
    • To over simplify: Qubits can perform certain functions with a percentage of effort of a classical computer
  • Public Key crypto, e.g. RSA;
    • Relies on classical computer’s difficulty in cracking certain mathematical functions
    • QC – Shor’s Algorithm – a QC can easily reveal the prime factors of large numbers.
      • Shor’s algorithm puts qubits through mathematical paces where likely answers interfere constructively, unlikely ones destructively.
      • Classical computers can’t do this in a timely manner.
    • Imagine the impact of being the first country with PKI-slicing capabilities!!
  • Grover’s Algorithm;
    • For searching databases / data;
    • Traditional DB – N/2 searches for N entries
    • QC – √N searches for N entries..

Scanning with Quantum AI

  • Vulnerability scanners need to run and compare results quickly – Grover’s algorithm
  • Quantum algorithms may advance artificial intelligence – more useful for scanning web apps than networks
  • Traditional top-down AI approach fails – bottom-up may be easier to do with Quantum parallelism

Quantum networking

  • Routing quantum data is tricky – when you observe the qubit, you destroy the data
    • create photon pair – one to observe, one to route

Quantum Teleportation

  • Entanglement allows for teleportation of quantum state – look up the ‘Alice and Bob’ quantum entanglement example.
  • Teleport state of algorithms for distributed computing

Where are we now?

D-Wave claim to have a 512-qubit QC (with 439 operational qubits) – there is currently some scepticism around this.

  • Google and NASA have teamed up on acquiring a D-Wave second generation machine (512-qubit)
  • Created the Quantum Artificial Intelligence Lab
  • University of Waterloo has an advanced QC department
  • Lockheed Martin also using and developing a D-Wave QC

Moore’s Law;

  • QCs are not better than classical computers at everything
  • QCs still inevitable – we are getting to the single-particle level on transistors
  • No more miniaturisation possible to keep Moore’s Law going

Staying relevant – Encryption;

  • Shor’s algorithm only proven to work on PK, Grover’s may help with
  • Toshiba developing quantum network with polarised photons, these provide encrypted, tamper evident networks.
  • We must stay relevant, new world of research and development coming – everything from the basics to security tool programming
  • Threat modelling
    • If AI improves scanning, hackers will have much better ways of finding application flaws

Closing thought;

  • Feynman’s first proposed QC was a universal quantum simulator
  • Seth Lloyd showed a QC can perfectly simulate any quantum system in the universe
  • Turns out universe is a giant, 13.7-billion year old quantum computer
  • What will we be hacking one day?

This was a very thought provoking and fast paced talk.  The above notes are very high level, but cover the main points of the talk and can be used to aid searches for more in depth reading.  This presentation really highlighted to me that I need to read up more on this stuff.

We are not there yet, but Quantum Computers are coming and they will have huge ramifications for pretty much all areas of computing.  From a security standpoint, we will likely need a full overhaul of cryptography and threat modelling, along with application and system vulnerability scanning.  Of course not forgetting a whole new class of computers and networks to understand and secure!

Interesting times ahead, and I highly recommend further reading on this topic.

K

ISF congress post 2: Communicating information security value to the business

Communicating information security value to the business using words and pictures.

Presentation by Steve Jump from Telkom SA SOC ltd.

I have high hopes for the usefulness of this talk as we all seem great at explaining and discussing security issues with other security and technical people, but fairly terrible at getting the board and other business people to understand the issues and importance of remediating them!

Highlighted at the start that this is a work in progress, but already proving useful.

If you are trying to obtain budget for upcoming initiatives you need to get the board on board and ensure they understand the risks from a business standpoint.

  • Why business gets turned off by security
    • Too much shouting about risks, creating policies and standards, more talking about risks – who is looking at your data (criminals, governments, hacktivists), where is your data, more standards and policies
  • What the business actually wants (and needs) to talk about
    • What do these threats mean to my business?
    • Why should I worry?
    • How does this affect the bottom line?
    • What happens if I ignore you? (e.g. is the cost of doing nothing lower than the cost if fixing the issue?)
    • Can you put a value on that?
    • If I do ignore you, will anyone notice?
  • It’s all in the words we use;
    • Business Impact Taxonomy!

Regulatory

  • Non compliance to legislation, risk of fines, prosecution etc.

Fraud

  • Illegal access to information leading to fraud, Identity theft, mis-representation, corrupt practices, banking and card fraud etc.

Theft

  • Theft of information or revenue, direct theft of assets

Service Availability

  • Service denial or interference

Business Agility

  • Prevention of business growth and reduced opportunity for profit due to reduced agility of systems and increased need to deliver custom protection of solutions.

Reputation

  • Loss of business reputation resulting from information loss or device interruption resulting in loss of credibility with customers and investors.

So that’s all the jargon sorted out?

Think of creating threat cubes – they have a LOT more words than this and are technical.

So how do we bridge the gap between the jargon and output from threat analysis etc. and a simple taxonomy the business can understand, relate to and use in budget and planning discussions?

Add pictures!

One for each of the six words in the simple taxonomy;

Warning triangle – Regulatory

Credit card – Fraud (may need to be different for you if you work in a PCI environment as this may get confused with the regulatory one)

Money Bag – Theft

Road block sign – Service availability (things with this could impact our ability to do business)

Rocket ship – Business agility – faster, innovative

Happy / sad masks – Reputation

So the taxonomy now has words and images for each item.

So when you create a threat cube or other form of threat analysis you can then relate each item on the list back to one or more of the taxonomy words and images – images can be added to aid understanding.  For reporting, each should be mapped to the main area it impacts.

How this works in practice;

  • Formal Information Security Risk assessment process
    • Assess solution, change, product or service against technical business threat models
    • Identify key threats, recommend mitigations and evaluate impact of residual threats
  • Summarise business impact in business terms
    • Use six key business impact areas to describe and prioritise impact areas
    • Use business impact icons in formal / technical risk assessment (in body text and headings) to ensure continuity
  • Technical risk assessment and Business risk owners still work in different areas
    • Icons bridge experience and jargon barriers
    • Technical designers and security specialists understand business drivers
    • Business owners understand where technical short cuts will affect overall risk model

The chosen icons work on Mac and Windows as standard keyboard short cuts so should work across most businesses using Word / PDFs / spreadsheets etc.

For larger threats, use more icons – so one, two, or three icons depending on low, medium or high issues size.

For reference, the symbols (Unicode code points) used to represent the 6 areas;

  • Fraud – 1F4B3 <Alt-X>
  • Regulatory – 26A0
  • Theft – 1F4B0
  • Service Availability – 1F6A7
  • Business Agility – 1F680
  • Business Reputation – 1F3AD

If the Unicode character is used (Win7/8 – type the code, then press Alt-X) it will display automatically if the font is Segoe UI Symbol on Windows (Word/Excel/PowerPoint/Outlook) or as an emoji font on OS X, iOS, Android.

It will be interesting to test this method out at work to see if it helps get engagement from the board and wider business.  This definitely seems like a good idea, and anything that will help engage and lead to greater understanding of security issues has to be worth a try!

It would be great to hear from anyone who is trying this method, or a similar one, in their business.

K

Training update 1..

Well I’ll obviously have to think of some more catchy titles for training related posts than 1..2..3.. but that will do for now. (ideas welcome!)

So I said I’d be posting these under the training page, however it seems WordPress doesn’t really like that idea and wants to just dump everything on the home page, so we’ll just use category tags for now. There do appear to be some ways to change this by adding code to the pages / posts so I will probably look into this at some point, although it’s not exactly high on my agenda of interesting things to be getting on with!

Recent progress includes completing the foundation course at Crossfit Antaeus (http://crossfitantaeus.com/) and beginning to work more on cleans and false grip. False grip is a gymnastics inspired way of holding rings / the bar that makes the transition from chin up to dip more feasible in order to do muscle ups – they will be next on the list once I have mastered the grip.

Double unders continue to elude me in any real form – I can do one, then a few singles, then one and so on. I’ll no doubt get there soon.

Motivation is currently very high, and progress is in reality good although it is easy to get frustrated as I know where I want to get to and want to get there now. I have to keep reminding myself I have an 18 month to 2 year plan, not a 3 month plan!

In terms of gym, I can’t speak highly enough of Antaeus and Matt the head coach – he is an excellent coach and annoyingly good at all the technical movements.

This week has included, power and squat cleans, thrusters, skipping, rowing, kettle bells, push press, false grip chins, ring dips and squats amongst other things. In terms of strength I have dropped in a lot more low rep work so much of my squatting is 5 rep sets, and we also tend to do one or two 1 rep max sessions a week as well. This is great and a real departure from the approximately 10 reps per set for everything rut I was in before.

Tonight’s WOD was Elizabeth, first time I have done that one, and second set of cleans this week.. Took 11.32 which is pretty poor, but lots of room to improve once I get my clean act together. Luckily dips are easy so provided some respite! (Elizabeth = 21, 15, 9 reps of 60kg squat clean and ring dips. Shredded hands are an added bonus!)

I want to cover of diet in some detail as well, but I’m at the gym again in the morning so it’s time for bed!

Read this today which amused me;
On Being An Asshole
Basically work hard and don’t be lazy 🙂

K

Puppet introduction

Puppet is currently being deployed in the environment where I work, so I thought it would be a good idea to get at least slightly up to speed on how it works.  Like, I am sure, quite a few of you, I am familiar with Puppet in terms of what it is and what it is commonly used for: it is an IT automation tool written in Ruby that can manage both *nix and Windows systems.

I didn’t however know much of the detail around exactly how it works and can be configured.  Given that there are probably others in a similar position who either need or want to learn a bit more about Puppet and system management and automation I thought I’d share a couple of the better introductory resources I found.

If you are completely new to Puppet and want to find out what it does, the ‘What is Puppet’ page is an excellent starting point;

https://puppetlabs.com/puppet/what-is-puppet/

The next link is a good introduction to coding with Puppet and nicely covers the fact Puppet is Declarative.  This can be a challenge for some people especially those with coding experience as most languages are Imperative which is quite a different style of explaining what you want the application to do.  Read on to find out more;

http://spin.atomicobject.com/2012/09/13/from-imperative-to-declarative-system-configuration-with-puppet/
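To make the declarative point concrete, here is a small manifest added as an example (it is not code from this page or from the linked tutorials). It assumes a Debian/Ubuntu style host where the OpenSSH package is called openssh-server and its service is called ssh; each resource states the end state rather than the steps, and ordering comes from the declared relationships, not from position in the file.

```puppet
# Added example: a small declarative Puppet manifest (not from the page or the
# linked tutorials). Assumed: Debian/Ubuntu package and service names.
#
# Imperative thinking would be a script: install the package, edit the config,
# restart the daemon, remove telnet. Re-running it repeats every step.
# Declarative Puppet describes the state the host should be in; the agent
# compares that with reality on every run and only changes what differs.

# The SSH server package must be present.
package { 'openssh-server':
  ensure => installed,
}

# The daemon must be running now and enabled at boot.
service { 'ssh':
  ensure => running,
  enable => true,
}

# The config must exist with these owner/permissions and contents.
# 'require' orders this after the package (which creates /etc/ssh);
# 'notify' restarts the service only when the file actually changes.
# Note: 'content' replaces the whole file, so any sshd setting not listed
# here falls back to the daemon's compiled-in default.
file { '/etc/ssh/sshd_config':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0600',
  content => "PermitRootLogin no\nPasswordAuthentication no\n",
  require => Package['openssh-server'],
  notify  => Service['ssh'],
}

# Telnet must not be installed. Declaring this first or last makes no
# difference to the outcome: resources form a dependency graph, not a
# sequence of commands.
package { 'telnetd':
  ensure => absent,
}
```

Applying this with `puppet apply` converges the host on the first run and reports no changes on the second, which is the idempotence that an imperative script has to be written carefully to achieve.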

I also found this three part series that covers what you need to set up and get running with Puppet with the minimum of extra information.  This is great if you need to get up and running quickly as much of the full documentation is more book like;

Part 1;

http://justfewtuts.blogspot.co.uk/2012/05/puppet-beginners-concept-guide-part-1.html

Part 2;

http://justfewtuts.blogspot.co.uk/2012/07/puppet-beginners-concept-guide-part-2.html

Part 3;

http://justfewtuts.blogspot.co.uk/2012/08/puppet-beginners-concept-guide-part-3.html

Finally if you want a full understanding of Puppet and have the time the Puppet Labs documentation is excellent and should remove any need to buy a reference book;

http://docs.puppetlabs.com/

K

Cloud Security Alliance Congress Orlando 2012 pt4

Keynote day 2 – panel discussion around ‘Critical Infrastructure, National Security and the Cloud’.

Discussions around the role of ISPs in protecting the US from attacks, e.g. by dropping / blocking IP addresses / blocks of IP addresses from which attacks such as DDoS are originating.

Should they be looking more deeply into packets in order to prevent attacks?  What does this mean for net neutrality and freedom?

How does this apply to Cloud service providers (CSPs)?  What happens when the CSP is subpoenaed by the courts / government to hand over data?  This is another reason why you should encrypt your data in the cloud and ensure you manage the keys.  This means the court / government has to directly subpoena you as the data owner and give you the opportunity to argue your case if they want access to your data.

Should the cloud be defined as critical infrastructure, and if so which parts, which providers etc.?  Will need to clearly define what critical infrastructure means when discussing the cloud.

Next discussion point was China;  Continuous economic growth means we are more and more involved in trade with China, however they are also stealing huge amounts of proprietary data across multiple industries and literally stealing all of their manufacturing data to copy what is made and how.  According to some vendor reports 95% of all internet based theft of intellectual property comes from China.  This is both from Chinese governmental bodies, and Chinese corporations.

Look up Internet Security Alliance documentation around securing, monitoring and understanding your global manufacturing supply chain.  This document has been strongly resisted by both the Chinese Government and companies.  There is a clear need to protect sensitive information and work to reduce global supply chain risk.  The US Government is working on constant monitoring capabilities to help corporations monitor their global supply chains.

Proposed that IP theft should be on the agenda for the G20 next year.  Also proposed the US and other countries should have an industrial policy, if they don’t already, that allows the military and intelligence communities to defend corporations and systems that are deemed part of the critical infrastructures.

Counterfeiting is also moving into cyberspace, what do we do with counterfeit infrastructure or counterfeit clouds?

————

A practical, step by step approach to implementing a private cloud

Preliminary points – have you ever decommissioned a security product?  How many components / agents does the “AV” software on your laptop now have?

Why is security not the default?

Why would you not just put everything in the public cloud? – Risk, Compliance – you cannot outsource responsibility!

This is where ‘private cloud’ options come into play.  Could also consider ‘Virtual private cloud’ – this is where VPN technology is used to create what is effectively a private cloud on public cloud infrastructure..

Many organisations have huge spare server capacity – typical results find 80% of servers only used at 20% capacity.  You can create internal elasticity by making this spare capacity part of an internal, private cloud.

5 steps to a private cloud;

  1. Identify a business need – what is your cloud driver?  What will benefit from;
    1. Greater agility
    2. Increased speed to develop and release
    3. Elastic processes that vary greatly over time such as peak shopping days, or month end processing etc.
    4. DevOps
    5. Testing
    6. Rapid prototyping
  2. Assess your current infrastructure – is there excess capacity?  Is the hardware virtualisation ready?  Can your existing infrastructure scale? (Note that a cloud can be physical, not virtual, if this is required).  Is new cloud infrastructure needed?  What are your storage requirements?  What are your data recovery and portability requirements?  How will you support a private cloud with your existing security tools and processes (e.g. where do you plug in your IPS?) – are your processes robust and scalable? – can you monitor at scale?  Can you manage change at scale?
  3. Define your delivery strategy – who are your consumers? Developers.  Administrators. General employees. Other?  Competency level of consumers defines the delivery means (e.g. developers and admins may get a CLI, general employees may get the ‘one click’ web portal).  Delivery mechanism matters!  Create a service catalogue.  Ensure ‘back end services’ are in place.
  4. Transformation – You cannot forklift into the cloud – legacy applications that do not scale horizontally will not work.  More resources != greater performance.  Need to design in scale and security.  Modernise code and frameworks.  Re-test – simulate cloud scale and failures.  Re-think automation, scale.
  5. Operationalize – Think about the complete service life-cycle – deployment to destruction.  Resilience.  Where does security fit into this? – Everywhere! – whether applications or services.  Secure design from the ground up – embed into architecture and design – then security is no longer on the critical path to deployment!

Overall this was an entertainingly presented talk that was a little light on detail / content, but I think the 5 points are worth bearing in mind if you are thinking of or implementing a private cloud in your organisation.

—————

Cloud security standards;

Talk overviewing some of the current standards relating to cloud security.  Below is a list of some of the cloud security standards / controls / architectures / guidance that you should be aware of if you are working with, or planning to work with, any sort of public cloud solution.

ITU –

– Cloud Security Reference Architecture
– Cloud security framework
– Guidelines for operational security
– Identity management of Cloud computing

ISO –

– 27017 – guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002
– 27036-4 – Supply chain security: Cloud
– 27040 – Storage security
– 27018 – Code of practice for data protection controls for public cloud computing services
– SC7 – Cloud governance
– SC38
– Controls for cloud computing security
– Additional controls for 27001 compliance in the cloud
– Implementation guidance for controls
– Data protection implementation guidance
– Supply chain guidance

NIST –

– 800-125 – Guide to security for full virtualisation technologies
– 800-144 – Guidelines on security and privacy in public cloud computing
– NIST cloud reference architecture

OASIS –

– Identity in the Cloud

ODCA (Open Data Center Alliance) –

– Provider assurance usage model
– Security monitoring usage model
– RFP requirements

CSA –

– Cloud Controls matrix
– Trusted cloud infrastructure
– Security as a Service
– Cloud trust protocol
– Guidance document

The CSA Cloud Controls Matrix maps many of these standards to cloud control areas with details of the specification and the standard components each specification meets / relates to.

While a pretty dry topic, this is a useful reference list if you are looking for more information on cloud / cloud security related standards and guidance.

K


An Awarding Week!

I had planned a wrap up post around my thoughts from the RSA conference for this week, but it has been a very busy and surprisingly rewarding week..  A combination of some University coursework due Monday and some great news have meant little time for writing (well non university writing anyway).  There will still be a wrap up for the RSA, likely early next week, but I wanted to share some exciting news relating to the Security as a Service working group I help lead for the Cloud Security Alliance (CSA).

I found out this week that the CSA are giving me an award for the volunteer work I have done for them over the last year or so.  They are also assisting with getting me to their congress in Orlando from the 6th to 9th November, so I’ll be packing my bags and jetting off to the US for a few days!

The award is called the Ron Knode Service Award in honour of one of the early members of the CSA who passed away earlier this year.  For me this is a great piece of recognition as it is the first year these awards have been given out, and of the ~40000 members of the CSA, only 6 people have been recognised with this award!

Rather than continue on about it myself, I thought I would include the emails I was sent confirming the award, as they probably cover it better than I could;

The first was from Luciano (J.R.) Santos, the CSA’s Global Research Director –

Dear Kevin,

It is my great pleasure to inform you that you have been selected to receive the 1st Annual Ron Knode Service Award recognizing excellence in volunteerism. On behalf of the Cloud Security Alliance, I would like to congratulate you on receiving this award for the EMEA Region.  Ron Knode was an information security expert and member of the Cloud Security Alliance family, who passed away on May 31, 2012. Ron was an innovative thinker and the author of the CSA Cloud Trust Protocol. Ron was a cherished member of CSA, with endless energy and humor to guide his volunteer contributions.  In Ron’s memory, the Cloud Security Alliance in 2012 instituted the annual Ron Knode Service Award, recognizing excellence in volunteerism for 6 honorees from the Americas, Asia-Pacific and EMEA regions.

At this time, the ceremonies are being planned, but exact dates and locations have not been confirmed.  Daniele will be in touch with you when additional details become available.  In the meantime, if you have any questions please don’t hesitate to contact me or Daniele.  Warmest thanks for all of your hard work and outstanding contributions as a member of the Cloud Security Alliance.  We recognize how much time and energy you put into our organization, and we deeply appreciate all of your efforts.

We are thrilled to present you with this award.  Our PR Manager Kari Walker will be reaching out to you as we put together a press release officially announcing the winners.  In addition, we’ll need you to send a current photo and bio to our webmaster Evan Scoboria.  Evan will be creating a section on the CSA main site honoring the winners of this award.  We value your volunteer contributions and believe that the devotion of volunteers like you will continue to lead CSA into the future.  Congratulations on a job well done!

Best Regards,

Luciano (J.R.) Santos

CSA Global | Research Director

———

The second email was from Jim Reavis, the CSA Executive Director –

Thank you all for your efforts.  To narrow this list down to 6 globally was a major chore and you should be proud. Volunteerism for the common good is among the highest callings in our industry, and the CSA family appreciates your outstanding contributions.  Please let us know if there is anything that CSA can do for you.  As we continue to grow, we look forward to working together and being able to do even more for you.

Best Regards,

Jim Reavis
Executive Director, Cloud Security Alliance

———

As you may have guessed, I am extremely pleased to be receiving this award; it really has helped make the work worthwhile, on top of the satisfaction of seeing it all published of course!

For those of you going to the CSA congress, I look forward to seeing / meeting you in a couple of weeks; for everyone else, watch this space for the RSA conference wrap up and further writings on security and architecture.

K