Sunday, 4 July 2010

Does it really have a silver lining?

They say that every cloud has a silver lining, but is this true of cloud computing? The providers of cloud services would have you believe it is, but is cloud computing really the answer? It is quick to provision, you have instant resilience, and you don’t need to worry about backups, DR or offsite storage. In fact it does look rosy and, as I have shown, there are plenty of advantages to cloud computing; after all, we provide our own online backup to customers, which is a backup solution in the cloud. But there are a lot of things to consider that they don’t tell you.

The first thing about cloud computing is the connectivity: the host of the cloud may have enough network bandwidth, but do you? A local area network typically runs at 100 to 1000 Mbps, whereas a connection to the cloud is limited to your internet connection speed, typically the slowest part of your network.

The second thing to consider is where your data is residing and how much security it has. As the owner of the data you are the data controller, but you are outsourcing the security of your data. Regulation states where sensitive data can be stored, so if it is in the cloud, how can you be sure where it is?

The third thing to consider is whether you want to get tied to the service. It is quite difficult to decouple services once they are in use: try to move your email, in bulk, when it is hosted in the cloud and you will realise how hard it is, so you are effectively tied to the provider.

The fourth thing to consider is that it is expensive if you use it in anger. It is great for start-ups or for provisioning temporary storage, but not good for long term use, and difficult to break free from.

So does cloud computing have a silver lining? Only sometimes!

Tuesday, 8 June 2010

Call me a cynic

I read with interest that Google are trying to ditch Microsoft Windows operating systems on the basis of security. Instead they are going with either Linux or Mac OS. Call me a cynic, but I can’t help but get the feeling that this is more of a marketing ploy than a response to actual security issues.

Yes, they had an issue with security in China involving Windows, but I just wonder how many other security issues they have also encountered with Mac and Linux? Probably a few, but they are not so willing to shout about those because neither vendor is running a rival search engine. Hence my cynicism!

I think Microsoft gets a bad press here. Let’s look at the stats. Being generous to Mac and Linux, let’s say Microsoft is installed on 80% of all desktops, with the other 20% spread amongst the rest. Now let’s flip this to a similar scenario. Let’s say there is a bank out there that has 80% of all branches, and there are several smaller banks making up the rest. Out of all the banks, which one do you think would suffer the most robberies? The one with the most branches, obviously.

Now flip back to computers. Why are Microsoft computers attacked the most? Because they have the largest footprint to target, and an attack on them causes the most impact and generates the most press. It is not because Windows is the least secure but because it is the most popular.

So is this a genuine security concern or just a marketing ploy? My mind says the latter.

Monday, 31 May 2010

When marketing fails to deliver

Well, it has been a while since I last blogged, and that is because I have just been so manic, busy beyond belief, mostly because of work. It has been eventful, firstly with new deployments eating most weekends, and also with technical challenges.

Lately I have been battling with Blackberry encryption. In the past this was a straightforward setup with their old version, BES Professional, so I thought I would try out the new version, BES Express. The marketing blurb on RIM’s website leads you to believe that their new freebie product, Blackberry Enterprise Server Express 5, supports PGP. This link has the following info:

“Flexible security architecture
For implementations requiring additional security, PGP®, S/MIME and PGP/MIME are also supported. Over 35 IT policies further support the needs of your business by providing adjustable security levels and capabilities that include the following:
• Impose a device lock-down
• Wipe data from a lost or stolen device
• Wirelessly enforce security settings such as Bluetooth® lockout”

Having read the bit that says “flexible security architecture for implementations requiring additional security, PGP, S/MIME and PGP/MIME are also supported” I thought bingo! This should be quick and easy to configure. However, after two weeks of pulling my hair out I eventually decided to bite the bullet, admit defeat and pay for Blackberry support, and they have come back to say, “errrr, actually it doesn’t support PGP”.

This has been a bit of a blow for me, seeing as I had recently deployed a new BES Express server for our business based on this info, predominantly to get the new features such as HTML mail. Alas, when it came down to it I could not find the option to configure PGP in the server, and it turns out neither could their support team.

I guess the bottom line is that you can’t always believe what you read! It is a shame that this little exercise has cost me a support ticket and also two weeks of my time, on and off, trying to sort this out.

Wednesday, 12 May 2010

Time for change

After a week of political uncertainty we now have a new government, a historic moment of political compromise. It will be a time of change and a time of spending reviews. There will be cuts to public spending; there has to be, because it is unsustainable, and you definitely cannot borrow your way out of debt, so something must give.

My only worry is that the cuts will be those deemed low-hanging fruit, where the significance or importance of what is cut is not appreciated compared with a quick budgetary win. As always it comes down to the perception of what is important to the individual making the cuts, and there will be some difficult decisions to make; however, this should in no way compromise our security or information assurance. Data is precious and valuable. I am mindful of the average cost per record of a data breach, and also of how valuable data is to the criminal world.

There were some interesting facts presented at the Ecrime Congress in London this year about how much personal data is worth: information about individuals is being bought and sold around the globe. Credit card details, addresses, bank details, information we all hold dear, is being traded.

My overarching fear is that the exabytes of data that the last government harvested will become vulnerable unless security measures are kept in place and tightened. This is a difficult task in a climate of prudence and austerity, where it would be easier to cancel the security project, save a bit of money now and worry about data loss later, which would be a bigger crime than the wasting of billions to date has been.

So by all means cut the waste but let’s not cut back on security, especially when it comes to the data they have about you and me!

Thursday, 6 May 2010

Is this the death of PGP innovation?

It has been a little while since my last post; I have been manic. The big news for me has been the recent purchase of PGP by Symantec. I make it no secret, although I try not to promote it here, that I think the PGP product set is a great platform for encryption. I love the way the product platform fits together and delivers the company slogan, defending data to the core. It is a Ronseal slogan: it does what it says.

All businesses, no matter how big or small, rely on data; without data you cannot function, no matter what your business. Think about it: even if you don’t have computers you still keep financial records, transaction histories and customer information, all examples of data. PGP deliver a great product suite that gives end-to-end protection and has the widest spread of products delivering the most protection in the market.

My only worry is that with Symantec taking them over (along with several other encryption businesses) the innovation and product diversity will start to dwindle, and we will lose what has been, up until now, the market leader with regards to encryption. Their boast used to be that they were agnostic, delivering only encryption products rather than a whole portfolio of products with encryption being one of them.

I am interested to see how this develops, especially now that Symantec has binned its consulting division, and I hope that Symantec values the strength of the PGP product portfolio as much as I do and keeps on funding the innovation rather than just absorbing it into their ever-growing range of products.

Saturday, 17 April 2010

To patch or not to patch, that is the question...

Well, Patch Tuesday has been and gone, and I see that Microsoft has been put in a difficult situation this month with XP security patches. The month before last they released a patch that, when installed on computers infected with the Alureon rootkit, caused the machines to crash endlessly. The dilemma they face is that if people suffer a bad experience when applying security patches then they are less likely to apply future patches. A kind of damned if they patch and damned if they don’t.

A lot of people slate Microsoft for producing insecure operating systems, but the bottom line is that the products are so huge it is almost impossible to prevent vulnerabilities. Think about the complexity of creating an OS that will run on hardware that is outside of your control. A one-size-fits-all product is a tall order. Also, if I had a pound for the number of times I have heard “if you buy a Mac you won’t have these problems” I would be very rich, and it shows how naive this viewpoint is. Macs don’t seem to suffer as much because their problems don’t make the headlines as much, due to the number of users. Microsoft has a far higher market share, so it generates more attention when exploited, and you have a much wider attack surface.

When XP was first launched it comprised approximately 40 million lines of code, and Vista was 50 million lines, which is a lot of room for unforeseen errors.

So in this round of security updates Microsoft has made smart patches. They will check the machine to determine if it has the Alureon rootkit, and if it does they will not install the security update, to prevent the machine from endlessly crashing. Whilst I understand this approach, it defeats the object of patching in the first place.

I think the only solution to this problem is that if you want machines to be stable and to function correctly then don’t be lazy: secure them with decent products and patch them regularly. After all, a security patch is an admission by Microsoft of a problem and highlights where the problem is; if you don’t fix the problem by patching, someone will invariably exploit it.

Monday, 5 April 2010

Don’t we learn from lessons? Obviously not!

I read with worry that the NHS is offshoring medical records to India. The NHS is already the leakiest organisation in the UK, haemorrhaging data as though the NHS computer system has a severed artery, so what are they doing? Offshoring data processing to India, following the likes of mobile phone and credit card companies, will only end in disaster; after all, look what has happened there: data has not been lost, it has been sold!

It infuriates me. Offshoring data management has been proven to be insecure, impossible to regulate and a false economy. It is not cheap; it doesn’t save money in the long run, it costs money because of compensation, the cost of changing personal records and financial details, and the cost of monitoring accounts for fraudulent transactions.

So a false economy and the stupidity of not learning from others’ mistakes make us all potential victims of data loss. What makes me even more frustrated is that Principle 8 of the DPA states:
“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.

Judging by their track record so far, I would suggest that the Indian sub-continent has been found wanting when it comes to providing adequate levels of protection for the rights and freedoms of data subjects; all that they have done is sell personal details to criminal gangs, and now our medical details are about to go the same way.