RSA Conference Europe 2012 Keynotes; day two part one

Keynote 1 – Big Data; Threat or Opportunity?

Philippe Courtot, Chairman Qualys Inc.

Big data is everywhere, not just at Facebook, Google and CERN.  It ranges from police cameras constantly photographing licence plates to the log data generated by corporate systems and web sites.  Many companies are now having to deal with, or plan to deal with, big data in order to understand their systems, their customers and their users.

What is driving this for ‘ordinary’ organisations?

–          Increasingly complex and virtualised IT infrastructures

–          Workload mobility

–          Bring your own device / computer

–          Cloud computing

All require increasing amounts of data to be collected and aggregated in order for an organisation to understand and ensure compliance of their environments.

Cloud computing is both aiding this by making the storage and compute power available to any business that has to deal with big data, and driving this through its scale, virtual and always on nature.

How do we ensure the security and understanding of these complex environments?  We must build security into the overall cloud and application architecture.  Realise that the cloud has multiple ‘flavours’ from IaaS to SaaS and these are not all the same from a design and architecture perspective.  Stop talking and thinking about the cloud as just ‘the cloud’.

From an infrastructure perspective cloud data centres are fractal: you need to understand what your assets are, but also realise that many of them are the same, for example storage and compute, so the same pattern repeats at every scale.  You can monitor all your compute nodes with the same method.  Monitoring needs to be in real time and to have analysis and intelligence built in.

If you are running web applications you need to understand how many you have, where they are and how they are being used.  You need to look at hardening and understanding this perimeter and at correlating logs across these environments.  How do we manage code issues, potential exploits and varying methods of authentication?  Your developers are working on new code and functionality, while your support staff may not have enough code experience to deal with these.  Do we need a new breed of operations support with reasonably in-depth coding abilities?

Was Philippe referring to DevOps here?  This is newish, but not a new idea, many organisations are already using or setting up DevOps teams with the skill sets that were talked about.

Mobile devices are also driving both big data and management challenges for organisations.  We need to ensure they are all monitored and managed; single sign-on, privacy, corporate policies.  How do we do this for 100s / 1000s / 1000000s of thin devices that cannot have very thick applications installed on them?  Cloud based services for both device management and aggregation of the collected data can provide these solutions and scale as required.

How do we ensure security remains ‘front and centre’  as we move to the cloud and scale up?  Many existing enterprise point solutions do not scale enough or integrate well enough with the cloud.  This is being solved by providing managed security services from the cloud; Security as a Service (SecaaS).  Obviously blowing my own trumpet here, but this neatly links to my research with the Cloud Security Alliance on SecaaS!

For me the key message of this talk is that real-time ‘Big Data’ is a key element of tomorrow’s security.  We need to understand the implications of this and plan our security strategy to take advantage of this and the insight it will bring.

——-

Keynote 2 – The struggle for control of the internet

Misha Glenny – Author and Journalist

Control of the internet focusses on the debate between security and privacy vs. the demand for freedom.  The US identifies four areas that need to be managed and prevented; crime, hacktivism, warfare and terrorism.

How do we balance the need for people to have freedom with the needs for safety and protection online?  Is the internet morally neutral?

Crime (cybercrime) quickly took advantage of the internet, from card detail sales sites such as Carderplanet and DarkMarket.  Carderplanet was set up >11 years ago.  Both these sites have since been taken down, but they paved the way for much more sophisticated criminal organisations.

Criminals now spend a lot of time watching organisations like SOCA and the FBI in order to understand them and anticipate their next moves.  So while those trying to catch the criminals are watching them, they in turn are being watched!  Hackers have accessed private police files to monitor current investigations and delete intelligence records etc.

There have actually been worldwide ‘carder’ and other criminal activity conferences.  For example Carderplanet organised the first worldwide carder conference in 2002.  The invite to this conference also alluded to the fact that Carderplanet had a deal with the FSB (Russian secret service): the FSB would not interfere with their ‘work’ as long as they did not attack financial institutions, and as long as they would perform attacks on behalf of the Russian government / secret service as required.

The lines between government spies and criminals are becoming increasingly blurred.

Currently the UK secret services (MI6 / MI5) are dealing with ~500 targeted attacks every day.  This is up from ~4 per year 10 years ago!  The international spend in the west on cyber security is currently around $100 billion per year.  This is set to double over the next few years.

The west wants to work with China and Russia to improve the situation; however they want to be allowed to manage the web within their borders in any way they like if they are to cooperate.  This obviously raises issues around freedom of speech.

Will the Web break down into massive intranets?  Iran has already stated its intent to disconnect itself from the Web and set up just such an internal intranet.  China and Russia want to control and largely segregate their internal users from the rest of the Web.

We need original thinking to resolve these issues!

K

Service Technology Symposium 2012 – Talks update 3

Cloud computing’s impact on future enterprise architectures 

This talk was fairly light and I didn’t make a huge amount of notes, but thought there were a few points worth noting;

Definitions and boundaries are changing.  Instead of defined boundaries we are used to around traditional architectures whether they are hosted locally or at a data-centre we are moving to much more fluid and interconnected architectures.  Consider personal cloud, private cloud, hybrid cloud, extended virtual data-centres, consumerism, BYOD etc.  The cloud creates different, co-existing architectural environments based on combinations of these models.

Consider why you should move to the cloud, which characteristics are important for your organisation such as;

–          Elastically scalable

–          Self service

–          Measured services

–          Multi-tenancy

–          Virtualised and dynamic

–          Reliability (SLAs, what happens when there are issues etc.)

–          Economic benefits (cost reduction – TCO, and / or better resiliency)

Do you understand any potential risks;

–          What are the security roles and responsibilities?

  • IaaS – largely you
  • BPaaS (business process as a service) – largely them
  • A sliding scale from IaaS – PaaS – SaaS – BPaaS

–          Where is your data?

  • Your business and regulatory requirements
  • Jurisdictional rules – who can access your data
    • Legal / jurisdictional issues amplified

For me some of this talk was outdated, with a lot of focus on ‘where is your data’.  While that is a key question, there was too much focus on the idea that your data could be anywhere in the world with global CSPs, when most big players now offer guarantees that your data will stay within defined regions if you want it to.

So, what does this mean for your ‘future’ cloud based enterprise architecture principles, concepts etc.?

–          Must standardise on ‘shared nothing’ concept

–          Standardise on loosely coupled services

–          Standardise on ‘separation of concerns’

–          No single points of failures

–          Multiple levels of protection / security

–          Ease of <secure> access to data

–          Security standards to protect data

–          Centralise security policy

–          Delegate or federate access controls

–          Security and wider design patterns that are easy to adopt and work with the cloud

Combining these different architectural styles is a huge challenge.

Summary – Dealing with multiple architectures, multiple dimensions and multiple risks is a key challenge to integrating cloud into your environment / architecture!

The slides from this talk can be downloaded here;

http://www.servicetechsymposium.com/dl/presentations/cloud_computings_impact_on_future_enterprise_architectures.pdf

———————

SOA (Service Orientated Architecture) environments are a big data problem / Big data and its impact on SOA

Outside of some product marketing for Splunk, the premise of these two talks was basically the same: that large SOA environments are complex, need a lot of monitoring and create a lot of data.

Splunk, incidentally, is a great product for log monitoring / data collection, aggregation and analysis / correlation (commercial rather than open source, though a free licence with a daily indexing limit is available).  Find out more about it here; http://www.splunk.com/

SOA – great for agility, but can be complex – BPEL, ebXML, WSDL, SOAP, ESB, XML, BPM, UDDI, composition, loose coupling, orchestration, data services, business processes, XML Schema, registry etc..  This can generate a huge amount of disparate data that needs to be analysed in order to understand the system.  Both machine-generated and human-generated data may need to be aggregated.

SOA based systems can themselves generate big data!

How do we define big data?

–          Volume – large

–          Velocity – high

–          Variety – complex (txt, files, media, machine data)

–          Value – variable signal to noise ratio

We all know large web based enterprises such as Google and Facebook etc. have to deal with big data, but should you care?  Many enterprises are now having to understand and deal with big data for example;

  • Retail and web transaction data
  • Sensor data
    • GPS in phones
    • RFIDs
    • NFC
    • SmartMeters
    • Etc.
  • Log file monitoring and analysis
  • Security monitoring

The talks had the following conclusions;

–          Big data has reached the enterprise

–          SOA platforms are evolving to leverage big data

–          Service developers need to understand how to insert and access data in Hadoop

–          Time-critical conditions can be detected as data inserted in Hadoop using event processing techniques – Fast Data

–          Expect big data and fast data to become ubiquitous in SOA environments – much like RDBMS are already.

So I’d suggest you become familiar with what big data is and the tools that can be used to handle and manage it, such as Hadoop, MapReduce and Pig (these are relatively big topics in themselves and may be covered at a later date).
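To make the ‘big data’ and ‘fast data’ points concrete for security monitoring, here is an added example in Python (my own illustration, not code from either talk and not Splunk or Hadoop code).  It runs the map / shuffle / reduce shape a Hadoop job takes over a handful of constructed SSH log lines to count failed logins per source IP, and then an event-processing check that evaluates each record as it is inserted, which is where the fast data approach differs from the batch count.  The log format, the field names and the rule of five failures in sixty seconds are assumptions chosen for illustration.

```python
"""Added example (not from the symposium talks): a MapReduce-style batch
count and a streaming 'fast data' check over constructed auth log lines.
The log format and the 5-failures-in-60-seconds rule are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (syslog-like; the format is an assumption).
SAMPLE_LOG = """\
2012-10-09T10:00:01 sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
2012-10-09T10:00:03 sshd[102]: Failed password for admin from 203.0.113.5 port 4002 ssh2
2012-10-09T10:00:04 sshd[103]: Accepted password for alice from 198.51.100.7 port 5100 ssh2
2012-10-09T10:00:05 sshd[104]: Failed password for root from 203.0.113.5 port 4003 ssh2
2012-10-09T10:00:06 sshd[105]: Failed password for oracle from 203.0.113.5 port 4004 ssh2
2012-10-09T10:00:07 sshd[106]: Failed password for root from 203.0.113.5 port 4005 ssh2
2012-10-09T10:05:00 sshd[107]: Failed password for bob from 198.51.100.7 port 5101 ssh2
2012-10-09T10:20:00 sshd[108]: Failed password for bob from 198.51.100.7 port 5102 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(line):
    """Return (timestamp, result, user, ip), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])

# --- Batch side: the map / shuffle / reduce shape a Hadoop job runs at scale ---

def mapper(line):
    """Emit (source_ip, 1) for every failed login; nothing for other lines."""
    rec = parse(line)
    if rec and rec[1] == "Failed":
        yield rec[3], 1

def reducer(key, values):
    """Sum the counts for one key."""
    return key, sum(values)

def failed_logins_per_ip(log_text):
    """Run the job locally: map every line, group by key (the shuffle), reduce."""
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        for key, value in mapper(line):
            grouped[key].append(value)
    return dict(reducer(k, v) for k, v in grouped.items())

# --- Streaming side: detect the time-critical condition as records arrive ---

def brute_force_alerts(log_text, threshold=5, window_seconds=60):
    """Flag an IP the moment it reaches `threshold` failures inside a sliding window.

    The batch count above also finds 203.0.113.5, but only once the job has run;
    this evaluates each event as it is inserted, which is the 'fast data' point."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec[1] != "Failed":
            continue
        ts, _, _, ip = rec
        q = recent[ip]
        q.append(ts)
        # Drop failures that have fallen out of the window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts))
    return alerts

if __name__ == "__main__":
    print(failed_logins_per_ip(SAMPLE_LOG))
    print(brute_force_alerts(SAMPLE_LOG))
```

On real volumes the mapper and reducer would be handed to Hadoop Streaming (or rewritten as a Pig script) and the sliding-window check would sit in front of the store, so that the alert is raised before the batch job has even scheduled.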

The slides from these talks can be downloaded from the below locations;

http://www.servicetechsymposium.com/dl/presentations/soa_environment_are_a_big_data_problem.pdf

http://www.servicetechsymposium.com/dl/presentations/big_data_and_its_impact_on_soa.pdf

—————-

Time for delivery; Developing successful business plans for cloud computing projects 

This talk covered some great points around areas to consider when planning cloud based projects.  I’ll capture as much as I managed to make notes on, as there was a lot of content for this one.  I’d definitely recommend checking out the slides!

Initial things to consider include;

–          Defining the link between your business ecosystem and the available types of cloud-enabled technologies

–          Identifying the right criteria for a ‘cloud fit’ in your organisation. (operating model and business model fit)

–          Strategies and techniques for developing a successful roadmap for the delivery of cloud related cost savings and growth.

Consider the outside-in approach ( http://en.wikipedia.org/wiki/Outside%E2%80%93in_software_development ) which is enabled by four of the current game changing capabilities / trends;

–          Mobility – any connection, any device, any service

–          Social Tools – any community, any media, any person

–          Cloud – computing resources, apps and services, on demand

–          Big Data – real time information and intelligence

In a nice link with the talk on HPC in the cloud, this one also highlighted the competitive step change that cloud potentially is; small companies can have big company levels of infrastructure, scalability, growth etc.  Anyone can access enterprise levels of computational power.

Cloud computing can be used to drive a cost cutting / management strategy and a growth / agility strategy.

Consider your portfolio and plans – what do you want to achieve in the next 6 months, next 12 months etc.

When looking at the cloud and moving to it, what are the benefit cases and success measures for your business?  These should be clearly defined and agreed in order for you to both plan correctly, and clearly understand if the project / migration has been a success.

What is your business model, and which cloud service business models will best fit with this?  What is the monetisation strategy for your cloud migration project; operational, growth, channel etc.?  Initially cloud based projects are often driven by cost saving aspirations; however the longer term benefits will likely be greater if the drivers are ‘better and faster’, with the cost benefits (or at least higher profits!) following.  To be successful, you must decide and be clear on your strategy!

As with all projects, consider your buy vs. build options.

Consider also;

Is IT a commodity or something you can instil with IP?  Depending on your business you will be at different places on the continuum.  Most businesses can and should derive competitive advantage by putting their skills and knowledge into their IT systems rather than using purely SaaS or COTS solutions without at least some customisation.  This of course may only be true for systems relating to your key business, not necessarily supporting and administrative systems.

Cloud computing touches many strategies – you need a complete life-cycle 360 approach.

–          Storage strategy

–          Compute strategy

–          Next gen network strategy

–          Data centre strategy

–          Collaboration strategy

–          Security strategy

–          Presence strategy

–          Application / development strategy

–          Etc.

Consider the maturity of your services and their roadmap to the cloud;

Service Management – Service integration – Service Aggregation – Service Orchestration

This talk highlights just how much there is to think about when planning to migrate to, or make use of, the cloud and cloud based services.

The talk also highlighted a couple of interesting things to consider;

Look up ‘The Eight Fallacies of Distributed Computing’ from 1993, and ‘Brewer’s Theorem’ from 2000 (published in 2002) to understand how much things have stayed the same just as much as how much they have changed!

https://blogs.oracle.com/jag/resource/Fallacies.html

http://en.wikipedia.org/wiki/CAP_theorem

Also consider your rate of innovation – How can you speed up your / your businesses rate of innovation?

The slides from this talk can be downloaded from here;

http://www.servicetechsymposium.com/dl/presentations/time_for_delivery_developing_successful_business_plans_for_cloud_computing_projects.pdf

K

Service Technology Symposium 2012 – Talks update 2

Your security guy knows nothing

This talk focused on the changes to security / security mindsets required by the move to cloud hosted or hybrid architectures.  The title was mainly as an attention grabber, but the talk overall was interesting and made some good points around what is changing, but also the many concerns that are still basically the same.

Security 1.0

–          Fat guy with keys; IT focused; “You can’t do that”; Does not understand software development.

Security 2.0

–          Processes and gates; Tools and people; Good for Building; Not as good for acquiring / mashing

Traditional security wants certainty –

–          Where is the data? – in transit, at rest, and in use.

–          Who is the user?

–          Where are our threats?

What happens to the data on the hard drives of commodity nodes when a node crashes or the container is shipped back to the manufacturer from the CSP?  (data at rest etc.)  The new world is more about flexible controls and policies than the traditional, absolute certainties.

Security guys want to manage and understand change;

–          Change control process

–          Risk Management

–          Alerts when things change that affect the risk profile

Whole lifecycle – security considered from requirements onwards, not tacked onto the end of the process.  This for me is a key point for all security functions and all businesses.  If you want security to be ingrained in the business, effective, and seen as an enabler of doing things right rather than a blocker at the end, it must always be incorporated into the whole lifecycle.

Doing it right – Business –Development – Security – Working together..

Business;

–          Render the Implicit Explicit

  • Assets
  • Entitlements
  • Goals
  • Controls
  • Assumptions

Development;

–          Include security in design

  • Even in acquisition
  • Even in mash ups

–          Include security in requirements / use cases

–          Identify technical risks

–          Map technical risks to business risks (quantify in money where possible)

–          Trace test cases

  • Not just to features
  • But also to risks (non functional requirements!)
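The ‘map technical risks to business risks, quantify in money, trace test cases to risks’ steps can be made concrete with a small risk register.  The following is an added example in Python (my illustration, not anything from the talk): it uses annualised loss expectancy (single loss cost multiplied by expected occurrences per year) as the quantification, which is a standard technique but not one the speaker named, and the risk entries, figures and test-case names are constructed for the demo.

```python
"""Added example (not from the talk): a risk register that maps technical
risks to business impact, quantifies them as annualised loss (SLE x ARO,
an assumed technique) and flags risks with no traced test case."""
from dataclasses import dataclass, field

@dataclass
class TechnicalRisk:
    rid: str
    description: str
    business_impact: str        # one of the talk's categories, see BUSINESS_IMPACTS
    single_loss_gbp: float      # SLE: estimated cost of one occurrence (assumed figure)
    annual_rate: float          # ARO: expected occurrences per year (assumed figure)
    test_cases: list = field(default_factory=list)   # test cases traced to this risk

    @property
    def annual_loss_gbp(self):
        """Annualised loss expectancy: the 'quantify in money' step."""
        return self.single_loss_gbp * self.annual_rate

# Business impact categories as listed under 'Goal – Risk management'.
BUSINESS_IMPACTS = {"reputation", "revenue", "compliance", "agility"}

# Constructed register entries; the figures are illustrative, not real estimates.
REGISTER = [
    TechnicalRisk("R1", "SQL injection in customer search", "compliance", 250_000, 0.2,
                  ["TC-17 parameterised queries", "TC-18 input fuzzing"]),
    TechnicalRisk("R2", "Admin console reachable from the internet", "reputation", 400_000, 0.1),
    TechnicalRisk("R3", "Single-region deployment, no failover", "revenue", 50_000, 2.0,
                  ["TC-40 region failover drill"]),
    TechnicalRisk("R4", "Hard-coded CSP API key in a mashup component", "compliance", 80_000, 0.5),
]

def rank_by_business_loss(register):
    """Return (risk id, impact category, annual loss) ordered by money at risk, highest first.

    Refuses a risk that is not mapped to a business impact: an unmapped technical
    risk is exactly the thing the business cannot weigh."""
    for r in register:
        if r.business_impact not in BUSINESS_IMPACTS:
            raise ValueError(f"{r.rid}: unmapped business impact {r.business_impact!r}")
    return sorted(((r.rid, r.business_impact, r.annual_loss_gbp) for r in register),
                  key=lambda t: t[2], reverse=True)

def loss_by_impact(register):
    """Aggregate annual loss per business impact category: the view a board reads."""
    totals = {}
    for r in register:
        totals[r.business_impact] = totals.get(r.business_impact, 0.0) + r.annual_loss_gbp
    return totals

def untraced_risks(register):
    """Risks with no test case traced to them: non-functional requirements nobody verifies."""
    return [r.rid for r in register if not r.test_cases]

if __name__ == "__main__":
    for rid, impact, ale in rank_by_business_loss(REGISTER):
        print(f"{rid}: {impact:<11} GBP {ale:>10,.0f} / year")
    print("Untraced:", untraced_risks(REGISTER))
```

The point of the traceability check is the one the talk makes about test cases: a risk that has been identified, mapped and priced but has no test tracing back to it will quietly drop out of every release gate.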

Security;

–          Provide fodder (think differently, black hat / hacker thinking)

–          Provide alternative reasoning

–          Provide black hat mentality

–          Learn to say “yes”

–          Provide solutions, not limitations!

Goal – Risk management

Identify how the business is affected;

–          Reputation

–          Revenue

–          Compliance

–          Agility

What can techies bring to the table?

–          Estimates of technical impact

–          Plausible scenarios

–          Black Hat thinking

 Compliance – does not equal – Security!

–          Ticking boxes – does not equal – Security!

So the key take away points from this are that regardless of the changes to what is being deployed –

 – Work together

– Involve security early

– Security must get better at saying ‘yes, here’s how to do it securely’ rather than ‘no’

No PDF of this presentation is currently available.

————————

Moving applications to the cloud

This was another Gartner presentation that covered some thoughts and considerations when looking at moving existing applications / services to the cloud.

Questions;

–          What are our options?

–          Can we port as is, or do we have to tune for the cloud (how much work involved?)

–          Which applications / functions do we move to the cloud?

Choices;

–          Which vendor?

–           IaaS, PaaS, SaaS…?

–          How – rehost – refactor – revise – rebuild – replace – which one?

  • Rehost or replace are the most common, quickest and likely cheapest / easiest

You need to have a structured approach to cloud migrations, likely incorporating the following 3 stages;

–          Identify candidate apps and data

  • Application and data-portfolio management
  • Apps and data rationalisation
  • Legacy modernisation

–          Assess suitability

  • Based on cloud strategy goals
  • Define an assessment framework
    • Risk, business case, constraints, principles

–          Select migration option

  • rehost – refactor – revise – rebuild – replace

This should all be in the context of;

–          What is the organisation’s cloud adoption strategy?

–          What is the application worth? What does it cost?

–          Do we need to modernise the application? How much are we willing to spend?

In order to make decisions around what to move to the cloud and how to move it you should define both your migration goals and priorities which should include areas such as;

–          Gain Agility

  • Rapid time to market
  • Deliver new capabilities
  • Support new channels (e.g. Mobile)

–          Manage costs

  • Preserve capital
  • Avoid operational expenses
  • Leverage existing investments

–          Manage resources

  • Free up data centre space
  • Support scalability
  • Gain operational efficiencies

Some examples of what we mean by rehost / refactor / revise / rebuild / replace;

Rehost – Migrating application – rehost on IaaS

Refactor – onto PaaS – make changes to work with the PaaS platform and leverage PaaS platform features

Revise – onto IaaS or PaaS – at least make more cloud aware for IaaS, make more cloud and platform aware for PaaS

Rebuild – Rebuild on PaaS – start from scratch to create new, optimised application.

Note – some of these (rebuild definitely, refactor sometimes) will require data to be migrated to new format.

Replace – with SaaS – easy in terms of code, but data migration, business processes and applications will change (large resistance from users is possible).

The presentation ended with the following recommendations;

–          Define a cloud migration strategy

–          Establish goals and priorities

–          Identify candidates based on portfolio management

–          Develop assessment framework

–          Select migration options using a structured decision approach

–          Be cognizant of technical debt (time to market more important than quality / elegant code!)

  • Do organisations ever plan to pay back ‘technical debt’?  Technical debt refers to the corner cutting / substandard development that is initially accepted to meet cost / time constraints.

A pdf of this presentation can be downloaded from here;

http://www.servicetechsymposium.com/dl/presentations/moving_applications_to_the_cloud-migration_options.pdf

Overall another good presentation with very sensible recommendations covering areas to consider when planning to migrate applications and services to the cloud.

K

Cloud Security Alliance; Security Guidance v3 released

The Cloud Security Alliance (CSA) has released the long awaited version 3 of the ‘Security Guidance for Critical Areas of Focus in Cloud Computing’.  This is the first update to the guidance since version 2.1 was released in 2009 and is a major overhaul bringing the guidance up to date in the new and fast moving world that is ‘cloud’ computing.

In addition to updating all of the existing domains of the guidance, Domain 14 – Security as a Service (SecaaS) has been added.  This is the domain I have contributed extensively to; it has its basis in the white paper whose publication I co-chaired a few months ago.

As an overview, version 3 comprises the following domains in the context of cloud security;

Section I. Cloud Architecture

–          Domain 1: Cloud Computing Architectural Framework

Section II. Governing in the Cloud

–          Domain 2: Governance and Enterprise Risk Management

–          Domain 3: Legal Issues: Contracts and Electronic Discovery

–          Domain 4: Compliance and Audit Management

–          Domain 5: Information Management and Data Security

–          Domain 6: Interoperability and Portability

Section III. Operating in the Cloud

–          Domain 7: Traditional Security, Business Continuity, and Disaster Recovery

–          Domain 8: Data Centre Operations

–          Domain 9: Incident Response

–          Domain 10: Application Security

–          Domain 11: Encryption and Key Management

–          Domain 12: Identity, Entitlement, and Access Management

–          Domain 13: Virtualization

–          Domain 14: Security as a Service

The guidance can be freely downloaded from the CSA website here;

https://cloudsecurityalliance.org/research/initiatives/security-guidance/

It is relatively long, but covers a lot of what you need to know about cloud security and things you need to consider if you are planning to move your data to a ‘cloud’ type service.

K

SecaaS overview webinar – recording available

For anyone interested there is a recording of the webinar session available from the Credant website here;

https://credantevents.webex.com/credantevents/lsr.php?AT=pb&SP=EC&rID=4463592&rKey=a659de63f39288e9

It’s a little dry as it was mostly me presenting, but there is an overview of cloud and Security as a Service.

Happy viewing and feel free to ask any questions!

If you want to get involved in the work we are doing around Security as a Service check out;

https://cloudsecurityalliance.org/research/working-groups/secaas/

K

SecaaS overview webinar with Credant

For anyone who would like an overview of;

– What the ‘Cloud’ is

– Who the Cloud Security Alliance is and their mission

– What Security as a Service (SecaaS) is

– The work of the SecaaS working group so far and what is coming up

I am presenting a Webinar in association with Credant tomorrow (10/11/2011) at 1pm Central US time / 7pm UK time.

To register for this event please follow this link;

https://credantevents.webex.com/credantevents/onstage/g.php?t=a&d=668393321

This should be an interesting event, and there will be a Q&A session included should there be anything you want to know about Security as a Service, the CSA or Credant that we don’t cover in the pitch.

For those not familiar with them Credant are one of the leaders in Data Protection.  From their website they describe themselves as;

Your Trusted Data Protection Experts

We help you protect critical corporate data by mitigating the risk of data breaches and managing the complexity of securing data with a single, management framework. Our Data Protection Platform comprehensively addresses the unique security challenges of your enterprise organization’s data to ensure you’re compliant.

Our comprehensive Data Protection Platform helps you control, manage and protect data holistically at your enterprise organization from endpoints to servers, to storage, to applications and in the cloud.

For further details or to contact them Credant can be found here;

http://www.credant.com/

For reference I am in no way affiliated with Credant and the opinions expressed both here and in tomorrows presentation are 100% my own.

If you have data to be protected I would recommend checking Credants solutions out.

K

Homomorphic Encryption – Saviour of the cloud? Ready for prime time?

Homomorphic encryption has been around for a while (in fact it has been discussed for around 30 years), but most cryptosystems that are homomorphic are only partially homomorphic, which limits their use in enabling real world distributed, including cloud based, systems.

I’ll start by briefly describing what the term homomorphic means when used to describe a cryptosystem.  A cryptosystem is homomorphic if a mathematical operation can be performed on the encrypted data to produce an encrypted output that, when decrypted, gives the same result as if the operation had been performed on the plaintext.

I’m sure you can see how this could remove one of the main barriers to the adoption of cloud computing.  An efficient, proven and thoroughly tested homomorphic encryption system would potentially revolutionise the view of cloud computing security.  Currently it is easy to send data to and from the cloud in a secure encrypted manner; however if any computation is to be carried out on this data it has to be decrypted at some point.  When the data is decrypted in the cloud, the risk that employees of the cloud provider, and potentially other customers, could access the data becomes a real concern.  It is this risk that is one of the key road blocks to companies moving their data to the cloud.

Additionally some legal / regulatory rules prevent certain data types, such as personally identifiable information (PII), from leaving countries / regions such as the EU in unencrypted form.  A system that enabled data to remain encrypted while in use would potentially get around these regulatory issues and allow the data to be housed in the cloud (many cloud providers have data centres in various global locations and can’t guarantee where data will reside; in fact this is one of the benefits of the cloud – the high level of redundancy and resilience provided by multiple data centres in geographically diverse locations).

Some existing algorithms are partially homomorphic; this means that they are homomorphic with regard to one, or maybe a couple of, operations.  For example the RSA algorithm is homomorphic with regard to multiplication: multiplying two RSA ciphertexts gives the ciphertext of the product of the two plaintexts (modulo n).  Note that this only holds for ‘textbook’ unpadded RSA; the same property is the malleability that padding schemes such as OAEP exist to remove, so it is not something you get from RSA as normally deployed.
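To see the RSA property in action, here is an added example in Python (my own illustration, not code from this post or from any of the papers linked below) using textbook RSA with deliberately tiny primes.  The primes, the public exponent 65537 and the demo plaintexts are assumptions chosen so the arithmetic is easy to follow; the key is far too small for real use.  It checks that multiplying ciphertexts yields the encryption of the product, that the same trick does not work for addition (so RSA is only partially homomorphic), and that a third party can use the property to change what a ciphertext decrypts to without ever holding the private key.

```python
"""Added example (not the post's code): textbook RSA is homomorphic for
multiplication only.  The primes, exponent and plaintexts used below are
illustrative assumptions; the key size is a toy and must not be copied."""

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, m):
    """Modular inverse of a mod m; raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m

def keygen(p, q, e=65537):
    """Textbook RSA key pair from two primes: public (n, e), private (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return (n, e), (n, modinv(e, phi))

def encrypt(pub, m):
    """Textbook RSA: c = m^e mod n, no padding (deliberately, to show the property)."""
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def multiply_encrypted(pub, c1, c2):
    """The homomorphic step a cloud provider could run without the private key:
    E(m1) * E(m2) = m1^e * m2^e = (m1*m2)^e = E(m1*m2)   (all mod n)."""
    n, _ = pub
    return (c1 * c2) % n

def malleate(pub, c, factor):
    """The same property seen from an attacker's side: turn E(m) into E(factor*m)
    using only the public key.  This is why deployed RSA adds padding."""
    return multiply_encrypted(pub, c, encrypt(pub, factor))

def demo(p=1000003, q=1000033, m1=12345, m2=678):
    """Return (product_holds, sum_holds, attacker_result) for the given toy key.

    product_holds is True: RSA is multiplicatively homomorphic.
    sum_holds is False: adding ciphertexts does not encrypt m1 + m2, so RSA is
    only partially homomorphic.
    attacker_result decrypts to 2*m1 although the attacker never saw m1."""
    pub, priv = keygen(p, q)
    n = pub[0]
    c1, c2 = encrypt(pub, m1), encrypt(pub, m2)
    product_holds = decrypt(priv, multiply_encrypted(pub, c1, c2)) == (m1 * m2) % n
    sum_holds = decrypt(priv, (c1 + c2) % n) == (m1 + m2) % n
    attacker_result = decrypt(priv, malleate(pub, c1, 2))
    return product_holds, sum_holds, attacker_result

if __name__ == "__main__":
    print(demo())
```

The `malleate` function is the caveat above in code form: a system that relies on the homomorphic property for computation is, by construction, one where anyone who can see a ciphertext can also manipulate it, which is why a fully homomorphic scheme needs integrity protection designed in alongside the confidentiality.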

IBM published research in this area in 2009 (Craig Gentry’s work) proposing a fully homomorphic system; it is linked to from here;

http://domino.research.ibm.com/comm/research_projects.nsf/pages/security.homoenc.html

Currently fully homomorphic systems are too new and not yet practical enough to be implemented for production systems.  For any cryptographic algorithm to be recommended it requires considerably more time to be peer reviewed and tested by security and encryption researchers, to allow a reasonable level of assurance that there are no attacks that could be used to decrypt the data.  In terms of practicality, in the currently proposed homomorphic encryption systems the complexity grows enormously as the number of operations you need to perform on the encrypted data increases.  This leads to a massive increase in the computational power required to run the system; this is a non-trivial increase that will not be solved by Moore’s law any time in the near future.

So homomorphic encryption has now been proven to be possible, which is a huge step forward, and the work done by people like Craig Gentry and the teams at IBM and MIT must be hugely applauded.

Microsoft researchers published a paper in May of this year (2011) titled ‘Can Homomorphic Encryption be Practical’ that can be found here;

http://research.microsoft.com/apps/pubs/default.aspx?id=148825

This provides an overview of a proposed partially homomorphic implementation along with thoughts on how it could be made fully homomorphic and how the efficiency could be improved.  The page also contains some useful links to cloud and lattice based cryptography.

However the reality is that we need several more years for a broader range of cryptographers to examine the cryptosystem to be assured it is secure, and for further work to go into making the system much more efficient.

These are definitely interesting times, and over the next few years I would hope to see homomorphic cryptosystems removing some of today’s key barriers to the adoption of cloud computing services!

K