Impacta Blog

That was a quote from Barry Briggs, CTO for Microsoft’s internal IT department, from the article at http://www.techflash.com/seattle/2010/05/microsoft_cto_cloud_computiing_an_inevitable_tidal_wave.html.  In the article Mr. Barry was asked what he thought might slow down the growth or adoption of clouds and he brought up the topic of cloud security and some of the security question marks around this topic.  If you ever wondered what those security questions are check out the PDF here http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment.

I read this while developing our secure online file transfer and storage platform called LOCKBOX and the assessment section was very good, especially for people who are in the process of creating a cloud adoption strategy or just determining if they should at all.  Enjoy,

–Kevin

“OK … here comes the pain …” –Scarface

In August 2009, I booted up the home computer to offload some photos taken during a recent trip across Europe only to find (to my “delight” of course) that both primary and backup drives had failed. Failed drives on a home computer. No big deal normally; however entombed in those drives were all of my digital photos since 2001 and for a photo “nut” like myself, this was a big deal.  I spent 10+ hours over the course of two days setting up another computer, searching for discontinued computer parts, installing operating systems and in the end thankfully I got all of those photos back.

Necessity: The Mother of All Inventions and How the Idea Behind LOCKBOX was Born …

Looking back, I am glad that both my primary and backup drive failed at the same. I am glad that I almost lost all of my digital photos. Why? Because I learned the hard way that I never ever want to be in that position again. No thanks. I pass.  And if I think about it, even if I had multiple backup drives, those would not help (knock on wood) if say my house was burglarized while I was on vacation, or what if the  house burned down (knock on wood again).

So that got me inspired to dive into cloud-based storage some more and some of the interesting security, privacy and reliability challenges storing data in the cloud. For instance, how would you protect data on a system that is not even yours?  How do you protect your data if someone on the inside goes rogue. If you want to exchange data with someone on the cloud, could you do it securely and more importantly easily (if you know anything about deploying PKI you feel pain right now, and if you don’t, trust me you don’t want to know)?  Pssss, what’s more interesting is that most of the current players I’ve seen aren’t really doing much or don’t know how to meet those challenges, and hence we developed the LOCKBOX platform.  So in one sentence:

LOCKBOX is highly secure and reliable data protection platform for professionals and businesses who want to keep their customer data safe.

And on top of this platform you can easily build all sorts of interesting reliable data protection services.  For now that’s all I’ll say about LOCKBOX.  If you want to sign up for our limited beta 1 release, head on over to http://www.golockbox.com/beta/Default.aspx.  And with that said, I am proud to announce that the beta 1 release of LOCKBOX is released!

–Kevin

Last week I came across two stories about PayChoice (a payroll processing company) and the United States National Security Agency (NSA) getting hacked and really didn’t think twice about them.  Every organization is susceptible to online risk regardless of best-efforts employed, in-house expertise yada yada. A trip to Vancouver, British Columbia this past weekend however got me thinking deeper about those stories and the lessons we can all (security experts and non-security experts alike) can learn.

First, the lesson to be learned  is NOT ’if security-expert organizations like the NSA and PayChoice can’t get security right, we’re all doomed.’  That’s not what we’re looking for here.  As an aside, good ‘security’ requires many different moving parts working together, great ‘security’ even more.  The question I am more interested in is why hasn’t security guidance, process and tools been better adopted by now? Why are vulnerabilities like SQL injection still possible even for the NSA and PayChoice, or any organization for that matter, especially with the wealth of guidance and tools available?  Here’s my opinion on one reason why and it can be best illustrated by an anecdote from my Vancouver weekend. Here’s what happened …

“My Friend Would Like Soft Tofu, Not Fried, and No BBQ Pork …”

After going out Saturday night, my friends and I headed over to a tucked-away 24 hour Chinese food joint to get a late-night snack.  There I was trying to order a customized dish for a non-Asian friend and was having no luck. I would try to order in Cantonese and our waitress would respond, “sorry I no speak (Cantonese)”.  Then I tried in English, same result: “sorry, I no speak (English).”  Our waitress spoke a different Asian language (not to mention my Cantonese is less than perfect) so beyond shaking and nodding our heads and simple hand gestures, we just could not communicate effectively with each other. A friend who could communicate with our waitress stepped in, our orders were taken and we got the food we wanted.

“Sorry, I No Speak (Security)”

If it hadn’t been for my other friend who could speak the language that the waitress taking our order understood, it would have been unrealistic to expect her to bring the food that we wanted, you know the soft tofu, not fried and no BBQ pork. I might have been lucky and got exactly what I wanted, but that would have been rare.

I think the same goes for security, especially in application security. If we’re asking developers to create more secure software, build more secure Web sites, but we’re not speaking in the language that they (developers) understand, it’s unlikely we’ll get what we want (i.e., more secure software). 

When I think about security guidance training for instance, most training that I’ve seen is heavy on the attack information and light on the secure development information (i.e., the stuff that developers understand, and perhaps care about). And if I really think about, most of the time the presenter isn’t a developer themselves! The same goes for tools.  With the exception of code scanners, most of the ‘secure development tools’ available are really watered-down attack tools that.  Cross-site scripting and SQL injection scanners?  Socket fuzzing tools?  All great tools, but are these really the best tools to help developers?  Are they really focused towards developers and better, will they really use them? To be honest, I do know of a handful of developers that actually do use the security guidance and tools available to them, but I suspect if we want to see wider more in-depth adoption we need a slight perspective shift.

 –Kevin