Archive for February, 2012

The Cloud’s Low-Rent District

February 16th, 2012

I’m a big fan of the work of Tim Ferriss. While I haven’t quite managed the 4-hour work week yet (more like the 84), the dude is smart and has no fear of saying what many of us just think. In Outside magazine’s July 2011 issue, while promoting his new book “The 4-Hour Body,” Ferriss describes his opinion on human motivations:

It pays not to be puritanical with incentives. Just look at what’s effective. We like to talk about reward, positive thinking, positive reinforcement. But the sad or useful fact of the matter is that shame, humiliation, peer pressure, financial loss – those things are all more effective.

There are so many corollaries to infosec in this statement it’s hard to know where to begin – the flaccid ineffectiveness of security awareness, repeated insane attempts to buy our way out of proper security process and tactics, and on and on. Here, though, I want to focus on the new and exciting realm of CLOUD SECURITY. There are numerous projects underway out there that are seeking to provide some degree of provider transparency. The most well-known include the following:

There’s lots of discussion in the security community around cloud standards and “best practices” related to cloud provider practices, architecture models, and such. This will continue for some time, surely, but one of the most pressing issues has been getting CSPs to disclose how well they’re safeguarding assets and operating a security-savvy environment. To this effect, STAR is probably the most high-profile effort to date, where shiny, happy CSPs can proudly proclaim that they are awesome. I think this has some merit, but I think we need a different model. Coming back around to Ferriss’ quote, this doesn’t really address the most successful motivations we have as humans (and as organizations, by extension). I think it’s time for a “Wall of Shame” for CSPs who blatantly disregard security. How many CSPs would take security more seriously if they knew there was a provision in every contract stating that customers could publicly describe security failings at the CSP, and immediately move their data and systems elsewhere with no questions asked? I’m sure you’re saying “Yeah, right, Shack – on a cold day in hell”. OK, we’re not there, but I think we need to get away from the “chosen few” mentality of STAR, which to date has very limited participation, and on to a more realistic model, especially for SMBs and specialized companies who need very vertical-specific SaaS offerings, for example. Do you think a small healthcare billing SaaS is going to offer themselves up for STAR? Uh, no.

While some efforts along these lines have started (the one I still have hopes for is Cloutage, although it needs a lot more community involvement), we need to think about this problem a little differently. No STAR listing, SSAE 16, SOC 2 or 3 report, etc. will get us to a point where people know what to do and where to do business. Or in this case, where NOT to do business.

Infosec: Where’s our “Long Tail”?

February 2nd, 2012

Chris Anderson popularized the concept of the “Long Tail” in his 2006 book “The Long Tail: Why the Future of Business is Selling Less of More”. In a nutshell, this concept means that there’s a statistical distribution of products, services, and so on, meaning most people or populations tend to gravitate to the 80% of whatever is available. The “long tail” concept illustrates the subtle, often overlooked 20% of the market that tends to be more niche. For example, using one of Anderson’s case studies, Amazon sells a number of products that are popular across all buyers. Think hit movies, popular books, new gadgets, etc. However, there’s a smaller subset of customers that like incredibly unusual products that most don’t consider. This doesn’t mean they’re not profitable – far from it. That group of people that love 1950s comic strips about hilarious talking farm animals will be incredibly loyal and devoted to the company that can provide them with goods in their space.

What does this have to do with infosec? My thoughts – we are really lacking a proper “long tail”. RSA is coming up soon – what will we see that points to real innovation in the space? I always tell people that I spend the majority of my time on the show floor at RSA roaming among the smallest, least flashy booths. The reason is that I’m always searching for that next trend or innovator that is doing something new or original. In a few cases, I’ve been rewarded – last year I saw a lot of “cloud” startups that were peddling Identity and Access Management (IAM) solutions. This space has a lot of growth, based on what we’ve seen in the last year. More often than not, though, you see a rallying cry of buzzwords. DLP!!! Cloud <insert term here>!!! And we all, of course, make fun of this with our usual, lovable snark. But snark only goes so far. At some point, we have to take a long, hard look at what we’re doing in security, and whether it’s working. Based on the breaches of the past 10 years, I think it’s safe to say that we’re not winning. Hell, I don’t even know that we’re SOLVING any problems, really.

Folks, we NEED a long tail. We need those organizations that are desperate to find unusual, different solutions that are not available at all right now. And we need small startups to provide them. Peter Kuper, a super-smart guy at In-Q-Tel who I love watching present, often gives talks about the lack of innovation and VC investment in security. His talks are amusing…and depressing. But we need that focus. One of our fellow security wonks in the space argued to me a few years ago that he was “really innovating” now that he was working at one of the biggest vendors. Bullshit. Big vendors typically buy their way to innovation. The question is – who are they buying? I encourage you all to pay attention to those tiny little booths in the dark corners of the Moscone Exhibit Hall at RSA 2012. And pray you see more of them.
