Security Archive

Considering Compliance When Adopting Public Cloud Services

John.Weigelt

Published: June 16, 2011Posted in: CIO Toolbox, Cloud, General, Policy, Privacy, Security

Cloud computing processes and technologies offer organizations the opportunity to transform their approach to IT services delivery and ultimately transforming their overall services delivery. While several characteristics fundamental to cloud computing are relatively novel to these solutions (e.g. elasticity, transparent scalability, usage based billing) there are some aspects of cloud services, especially in procurement, that organizations will be familiar with. Many organizations are using public cloud services for their service delivery. While the path each has taken to implement cloud services has been different, there are some activities that they have commonly performed:

1. Select a candidate service (capability) that will provided – While many CIOs have included “moving towards cloud services” in their strategies, actual implementation of these services requires that CIOs and their service delivery leaders go well beyond the concept and take a detailed look at what services and information holdings they plan to host in the cloud. For existing services, organizations should take the time to examine how their user community is actually using the services over and above to the official purpose of the system in question. This will help identify any unexpected categories of information that need to be supported. Organizations should also take the time to think about and almost predict how their community may find alternate uses of new services that they are looking to deploy in the cloud. This will help avoid any unintended consequences.

2. Assess the compliance obligations for the service (PCI, FOIPPA, PHIPPA, SOX etc.) – The output from the first step should be a clear understanding of the services and information that will be transitioned to the cloud. Since all services are governed by legislation, policy or standards, it is essential that a fulsome analysis of the compliance obligations be carried out by a compliance team composed of a partnership between the service owner, legal and IT organizations. It is often the case that several compliance regimes will apply to an individual service.

3. Take a realistic look at how the organization conducts business today (Mobile devices, Internet presence, partner connections, POTs, social network use etc.) – While any change in how an organization delivers its services provides an opportunity for improvement and to address gaps that have arisen over time, a balance must be struck not to over-engineer the solution. Instead of taking a blank slate approach to delivering services via the cloud, successful deployments have taken a look at the current service delivery environment and examined the differences that the cloud services introduces. This approach effectively addresses arguments for security, privacy, availability etc. that deal with absolutes.

4. Conduct a preliminary Privacy Impact Assessment (PIA) and Threat Risk Assessment (TRA) – Now that a clearer understanding of the services has been developed; there is an opportunity to conduct preliminary TRA and PIA. These assessments identify the information assets, the threats to those assets, the safeguards required and provide an insight into the remaining risks that need to be addressed before the services are deployed. These preliminary reports go beyond technology based recommendations and will help identify policy, process, people and publication safeguards/controls for the services. Should the organization determine that the remaining risk of their planned deployment is too high, there is an opportunity to go back and revisit the approach and add additional safeguards. Organizations can also look to hybrid models where the sensitive information remains on premise and a less sensitive portion of the service is migrated to the cloud.

5. Pilot the service – The very nature of cloud services provide a great way to deliver new. Because you only pay for what you use, organizations can quickly and cost effectively get access to cloud services so that they can investigate how they could work with their plans. These pilots/prototypes can be done at the same time that the policy/compliance work is being done.

6. Assess the potential risk delta in moving to new cloud model. – The preliminary PIA and TRA provide the foundation for the business assessment for the adoption of cloud services. It should consider the current operational environment and the planned cloud end state. It is essential that the risk be considered in the context of the current ways that the services are performed since starting from a blank sheet or ideal world scenarios can introduce scope creep explosion which will extend far beyond the project in question.

7. Conduct a detailed review of the Service Level Agreement, including a mapping to current service levels. – The Service Level Agreement is the cornerstone safeguard for effective outsourced service provision since it describes the expectations and obligations of both the service provider and consumer. Several organizations have made the case for cloud services to their senior management based upon the service enhancements over their existing service delivery capabilities (e.g. availability, capacity, discoverability). Organizations should take the time to fully describe their service expectations and avoid sending poorly understood services to cloud providers. A sure recipe for failure is where a poorly understood service is tossed into the cloud since both parties won’t know what’s expected leading to discontent.

8. Build out the business case. – Successful deployment of any full service ultimately relies on a solid business case. While cloud services do have the potential for organic, bottom up growth because of usage based billing, fully sustainable solutions are supported by solid business cases. The biggest challenge experienced with business cases is accurately capturing the current total cost of ownership. Organizations generally underestimate the current costs because it is often difficult to get full access to the various direct and indirect costs associated with a service.

9. Decide and manage the risk – Ultimately the decision to maintain status quo, adjust a service or deliver a new service comes down to a risk management decision. All of the activities described above help develop the evidence for the line of business leader to make an informed risk decision.

Canadian organizations are beginning to take advantage of cloud services for their service delivery initiatives. Those that have been successful in deploying have generally performed these high level steps to tease out and address the risks and opportunities associated with their move to the cloud.

Fun with Numbers?

John.Weigelt

Published: January 14, 2011Posted in: General, Open Government, Security

I was at a workshop recently where the group was reviewing survey results. We were all a little surprised when some of the findings were not entirely as we expected. We had the good fortune to have a comprehensive understanding of the size of the survey audience, a little insight into their general demographics and the formality of the survey. As a result of this background, we were able to establish a “Blink” context behind the results and carry on with our work. This was great for our session, but it left me wondering, in these days of open data, what would happen if these statistics were reused without the context? It also reminded me of how important it is to consider the context behind information gathering, especially as organizations turn to online consultations to develop a deeper understanding of their environments.

Perhaps it’s because of my recent reading list of Risk, How to Lie with Statistics and the Skeptic that I have started taking a second look at statistics, or maybe it was from my kid’s favourite beverage that promised 100% flavor! Regardless of where it was from, it remains essential that we continue to maintain the context behind the numbers we are given and take an additional moment or two to look behind the data to determine how we are to interpret it. Outside of the policy challenges associated with opening data to the web, I feel that maintaining and sharing the context behind that data remains one of the most significant challenges to the open data movement. I don’t have any quick answers for sharing the context just yet, only the recommendation that we don’t through the baby out with the bathwater by taking an either/or approach to open data or traditional information sharing and include both the finalized reports as well as the data that support them.

We can, however, keep a close eye on how we gather information for our online consultations and collaboration. Let’s make sure that we at least cover off the basics for gathering opinions so that we can reliably use the data we have collected. Some of the pitfalls are:

Astroturfing – Online opinion polling must implement safeguards to protect against, often, automated input to a particular question or survey. I tend to emphasize the automated aspect to distinguish between this type of polling box stuffing and that which is more flash mob related.

Freeping – Survey and polling in today’s social media rich world must keep a keen eye on activities that would seek to skew the data by inciting individuals (often non stakeholders) to provide a biased input. Individual and community based call to action can be accompanied by Astroturfing.

Human behavior – I am surprised that many surveys and questionnaires don’t adequately consider how people will interact with the survey or don’t consider how they pose the questions.

- Interface – While there is a large body of research on the impact that user interfaces have on surveys (e.g. Cognitive Ergonomics), it seems that many survey and social interaction activities do not adequately consider these impacts. One recent consultation process placed the community provided suggestions with the most positive votes on the splash page for the initiative. Unfortunately, it allowed visitors to vote for those suggestions from the splash page without going through the other suggestions. Ultimately, this resulted in the early lead suggestions getting the lion share of the votes where the others received few if any since users generally did not take the time to dive deeper into the feedback repository.

- Demographics – In the absence of a widely available and reliable way to know exactly who we are talking with online, there is uncertainty as to the segment of the population that is providing input to online surveys. We must all ensure that we don’t jump to any conclusions about which community is providing the input.

- Leading Questions / Implicit Assumptions – I continue to be amazed at the number of surveys and questionnaires that employ leading questions or implicit assumptions. We can all recall when we first encountered a question like “Do you feel good after kicking your pet? (Y or N).” Of course we can see the assumption loud and clear in this question because we would never harm our pets, but in many other cases it’s not as readily apparent. Sometimes this hiding guiding of responses doesn’t appear in a single question, but is the result of opinion shaping through the narrative established by a number of questions.

Tenuous Extrapolation – Let’s face it. We’d all like to get everyone’s opinion or experience on a particular subject, but that is almost impossible for most practical surveys. So we have to deal with a subset and make some assumptions. These assumptions don’t always make it through to the results of the findings. Furthermore, these assumptions might not adequately address the full range of possible choices/outcomes. ( Nassim Taleb provides a comprehensive critique on the frailty of models and assumptions). I’ve seen “national level” conclusions draw from survey communities of less than 1/1000 of the population compounded by taking the maximum possible outcome from a questions (e.g. did you spend between $100 and $1000 (Y or N)). With these multiple order of magnitude ranges and the potential errors that can be introduced, we owe it all to ourselves and the community to extrapolate with care and to analyze carefully when reviewing conclusions.

Floating Foundations – In some cases surveys and questionnaires seek to establish a context behind the outreach by introducing the subject with a sort of call to action or background story. Unfortunately, perhaps fueled by our hyper connected world, there have been cases where misinformation takes the place of solidly researched data. Dan Gardner highlights one of these floating foundational numbers in Chapter 3 of his book “Risk.” There are many more floating foundation numbers that we need to be wary of.

As we collect and publish more open data, it is essential that we consider the potential pitfalls that might arise and be able to address them in both the collection and ultimate interpretation of the results.

Ten Cloud Computing Myths

John.Weigelt

Published: November 4, 2010Posted in: Cloud, Privacy, Security

I’ve had the opportunity to talk to many people about cloud computing at a number of conferences across Canada. I have to say that there is considerable enthusiasm about the potential of the cloud and the many opportunities that it unlocks. Unfortunately there is a lot of uncertainty that accompanies this enthusiasm and perhaps rightly so given some of the game changing approaches that accompany the familiar. Where there is uncertainty, there are well-meaning groups and individuals who, perhaps resistant to change, paint fairly negative pictures of the cloud. I’ve collected this list of top ten myths that I have heard perpetuated at conferences and provided my thoughts on why these are indeed myths.

All cloud is on the Internet

Perhaps one of the most common myths is that for organizations to use cloud services they must use consumer oriented services available on web. It certainly doesn’t help that those companies with an internet-only service delivery model continue to push the message very hard.

In reality, cloud technologies and cloud services are available in a variety of formats: on the internet, on private networks and even within your own organizational boundaries. Many organizations are getting started with cloud technologies by building out their own “private cloud” services on their own internal networks. Even hosted cloud service providers often provide options where their services are provided over private networks to their customers. These non-internet dependent cloud services are especially important where internet connectivity may be intermittent or non-existent.

2. All cloud services are the same

Another common myth being perpetuated is the grouping of all forms of cloud services under a common umbrella and broadly applying the characteristics of one type of service to another completely different class of service. Perhaps the most common association is where consumer oriented cloud services are equated with enterprise grade cloud business services. I’ve seen music marketplaces lumped in with business collaboration sites, social networking with infrastructure services.

Not only is this broad brush approach unhelpful, it really (no, really, really) discredits any valid points made about the considerations needed for each category or class of cloud services. While admittedly the shorthand “Cloud” services has been applied across a wide variety of technologies in different ways by a variety of providers the broad-brush approach would be like describing, perhaps, the characteristics of a motorcycle (e.g. You can get wet when it rains) across all vehicles. Certainly the characteristic applies to some vehicles (bicycles, convertibles, pogo sticks) but not to others. The same is the case in cloud services. Cloud services vary considerably not only from how people consume the service (Infrastructure, Platform, Software as a service), from the business function of the service (search, database, collaboration), the business model (subscription, advertisement, licensed), from a service model (private, hosted and public) and more. Some cloud services oblige its users assemble their own functionality, where others are pre-packaged. As you look at any assessment on cloud services, be sure to explore a little further to make sure that you appreciate how that assessment applies to your particular business situation and use of cloud technologies.

3. You cannot mix and match cloud services

Modern organizations use a variety of best of class tools to address their business requirements. For some reason, a misperception that the move to the cloud is an all or nothing proposition, either from a bundling perspective or from a business application delivery perspective. This misinterpretation can hinder the adoption of cloud technologies by organizations as they look to move to these services.

Flexibility is one of the fundamental advantages of the cloud. Cloud services provide flexibility to use just what you require, when you require it. This flexibility extends into new programming models where developers have the flexibility to separate data and compute, leveraging the best locations for their operations. The interoperability built into cloud services also provides flexibility to organizations allowing reuse of internal systems, such as identity management, with external cloud services. As organizations make their move into the cloud they often adopt one or two services while keeping connections to their existing internal services.

4. Cloud Providers just toss the data into their data centers

Some presentations I’ve attended would lead you to believe that cloud service providers manage their data like an episode of the TLC’s Hoarders TV series, where data simply piles up and becomes lost.

Compliance audits, certifications, service level agreements, availability and reliability assertions all oblige enterprise grade cloud service providers to know where their customer’s data resides.

5. Cloud providers just shovel over data in response to lawful access requests

One myth that instills concern in people is the suggestion of a half hazard approach to responding to lawful access requests. Perhaps this misperception is coupled with the previous myth since naysayers could conclude that if organizations don’t know where the data is, they would simply hand over an arbitrary collection and let law enforcement sort through it.

Really? This is perhaps the stuff of movies. Enterprise grade cloud providers have considerable experience in responding to lawful access requests and strive to provide exactly the specific information being sought. And because close control is maintained over the data, cloud providers can separate only the information requested from the other data.

6. Operators casually browse the data sets in their custody

I get the impression that some people think of a data centre operator’s job as a boring day, spent in front of a relatively blank screen perhaps playing solitaire. The reason that this comes through is because of false assertion that cloud operators casually browse customer data sets.

Well, if you have a single operator and a single server it could be a rather long day. But the business of cloud computing is a business of scale. To be successful, cloud service providers need to be able to operate their computing resources at a massive scale http://tinyurl.com/2622zqt. One example of this scale is in the coverage model of operators to servers. In world class enterprise data centers the ratio of operators to servers is around 1-140. For cloud service providers that ratio jumps by an order of magnitude. I think that you can all appreciate that in today’s economic reality, enterprises can ill afford to have employees that just sit around, so one could expect that the data center operators have gainful work expected of them throughout the day. Simply put, the operators are kept busy enough maintaining the high operational availability of the cloud services that they provide that they simply would not have the time to browse the data sets. And even if they did, there are a number of internal safeguards that have been implemented to prevent this sort of misuse.

7. Law enforcement browses the cloud at service provider’s locations

Much like the aforementioned myth, a number of individuals make assertions that every use of the cloud is automatically accessed by law enforcement. There is no mention of differentiation of services, no mention of safeguards applied by consumers, no mention of the need for warrants, just a presumption of almost casual access.

Let’s take a closer look at the reality. Yes, law enforcement agencies worldwide have procedures that they can use to obtain data from cloud services providers as part of an investigation. At this year’s Federal Privacy Commissioner’s consultation on the Cloud, David Fraser highlighted the equivalences between Canadian and US lawful access procedures. Input to the Trilateral Committee on Cross Border Data flows noted that the possibility of US law enforcement using their access to obtain Canadian data is “vanishingly small”. Perhaps it’s simply “System 1” getting the best of the pundits.

8. The cloud exposes your data to incidental access

Perhaps it’s from the olden days when the high tech crime investigators literally used yellow tape, chalk lines and computer confiscation to start their investigation, but there is a myth that investigations of cloud services providers begins with wholesale confiscation of hardware.

Cloud services have been around for many years, many for well over 10 years. Both law enforcement and cloud services providers have worked together to build effective processes to provide the data required for investigation support. These processes emphasize close cooperation to provide only the data required and respect the privacy and SLAs of other customers.

9. It’s against the law in Canada to use international Cloud services

There is a common misunderstanding that there are a large number of Canadian laws that prevent the transfer of data outside of Canada extending across different business sectors both public sector and private sector.

Let me start off with a disclaimer that I am not a lawyer, so all organizations should seek competent legal advice about the compliance requirements that their organization must abide by. That said I have been deeply involved with the deployment of broad consumer cloud services in Canada, assisted Industry Canada and the Federal Privacy Commissioner in their consultations on cloud security and privacy and helped deploy cloud based services in provinces, municipalities and private sector. There is one Canadian jurisdiction with a prohibition on the storage of a specific category of data outside of Canada. The British Columbia Freedom of Information Privacy Protection Act prohibits storage or access of personal information in its custody or under its control outside of Canada. Note that this is a subset of the information held by governments in BC and doesn’t apply to the information that private sector uses for their own services. I’ve highlighted a few of the organizations that have provided advice and guidance on considerations and safeguards for use of the cloud in a previous blog post.

10. The Cloud will displace all other technologies

Rounding out the group is the myth that everything will move to the cloud and that all other technologies will be replaced. Some suggest that mainframe computers will magically disappear, local servers and internal corporate networks will vanish, and that all applications will reside in the cloud leaving local devices a shadow of their current self; supporting perhaps no more than a browser.

If we were to look at the stepwise shifts in technology in the past, for example the rise of the PC, client server computing, the advent of the web, the adoption of services oriented architecture we see how the technological shifts were additive to the existing technologies. While some workloads moved away from the previous paradigm, after an adoption period equilibrium was reached where the old and the new coexisted. Looking broadly at the cloud technologies, we see that one of the key principles behind the cloud is ubiquitous network connectivity. As cell phone users we recognize quite well the connectivity dead zones that can exist for universal coverage (ever tried to take a call from the ice rink) Certainly as we look at the broad expanse of Canada we can see that while tremendous progress is being made, there are still some regions without broadband access. Consumers and businesses need to be able to use their computing resources even when connections are not available. Apps that are only available via the web might not be the ideal solution for individuals that find themselves beyond a connection from time to time. A more realistic scenario is where your devices will be able to work regardless of location and connect when available or convenient to synchronize.

As organizations explore the opportunities of cloud computing it is critically important that they look beyond the myths and begin to focus on the specifics on the which services they are looking to use, for which data in which way.

11- Critical Infrastructure Protection

John.Weigelt

Published: May 28, 2010Posted in: Digital Economy, Policy, Security

I had the privilege of being invited to the press conference where the Honorable Vic Toews, Minister of Public Safety, announced the Canadian National Strategy and Action Plan for Critical Infrastructure. The Honorable Minister was joined representatives from across Canada in making this important announcement. It was cool that the event was held at the Ottawa Hydro operations center and I must admit that I watched one or two of the tens of screens as they displayed what was happening on the electrical grid in real time (sorry, flashing screens have always caught my attention). It was especially cool given that just yesterday I blogged about Energy and how this digitally enabled industry is an important part of the Digital Economy. You can see one or two of the screens (one with a weather map) behind Minister Toews in the clip from the CBC .

One thing that stood out in today’s announcement was the Federal, Provincial and Municipal coordination and cooperation that went into the strategy development. There was also clear evidence of coordination and cooperation with industry. This cooperation will be essential moving forward, especially since much of Canada’s Critical Infrastructure is operated by private sector organizations. This cooperation amongst a relative small community is where Canada has an advantage which can be leveraged in the Digital Economy.

We often overlook the sheer size of our country, our distributed population and our rich infrastructures. When we think a little bit about the long distances that our infrastructures must span, we quickly see how big the jobs could be to make sure that these infrastructures remain safe and available. It could almost seem an impossible task, unless we had great people safeguarding these vital assets and great people willing to share information, cooperate and to build out even more resiliency in Canada’s infrastructures. Because of this relatively small community, it’s often easier to connect with the right experts, reach decisions faster and as a result be more agile to pivot to pursue new directions if required. Our smaller community also fosters the establishment of relationships of trust between individual stakeholders, because in addition to the ever present policy and legal frameworks, CIP stakeholders interact on a person to person basis. Being able to work with the same people over a period of time builds the confidence often required in time of crisis.

I know you’re thinking that the addressable market for CIP expertise is probably pretty small and that there are only select customers that would be interested in these services. And I guess you’re probably right. If we were to think for a minute of the broader economic impact of a strong CIP program we can quickly find a strong compelling economic reason for ensuring a reliable and resilient infrastructure.

Consider for a moment our relatively “flat world”, where businesses and their employees can locate anywhere to contribute to the economy. If you were looking to move outside of Canada (not that you would, but humour me) what would you think about? Probably a nice place to live. Well what would Nice mean? A lovely region, a safe community, clean drinking water, electricity, Internet access, smooth flowing traffic (sorry Toronto ) , easy access to health-care, and perhaps, as Richard Florida suggests, other creative people. Businesses do the same. They seek out locations with reliable access to green power sources, water, smart employees, transportation routes to ship their goods and strong financial systems to support their growth. Assurance in Canada’s Critical Infrastructures contributes to the spikiness that attracts business and individuals alike to our great country.

So while you may have breezed over today’s announcement as only applying to a small number of Canadians, I invite you to take another look and reconsider how important a reliable, trusted and resilient critical infrastructure is to Canada’s Digital Economy.

Storm Clouds?

John.Weigelt

Published: April 29, 2010Posted in: CIO Toolbox, Security

If you were asked about the link between technology and the weather what would you say? You might first think about constant change or perhaps areas of high pressure. (Hopefully you won’t mention bad similes as well.) The excitement surrounding the latest era of computing has cemented the connection between technology and the weather. This latest era is familiarly called Cloud computing as shorthand. Unfortunately, the shorthand terminology creates challenges for business and individuals alike as they look to gain a better understanding of what it means to make use of the many advantages of this new computing paradigm.

If we lay back, hands behind our head in a grassy field and look up at the sky, we may see any number of different types of clouds. A quick search reveals a long list of meteorological phenomena, including: cirrocumulus, cirrus, cirrostratus, altostratus, altocumulus, cumulus humilis, cumulus mediocris, stratocumulus, nimbostatus, stratus, cumulonimbus, cumulus congestus, pyrocumulus, noctilucent. For most of these clouds we could remain comfortable on the grass, but if we see a select few (e.g. cumulonimbus: thunderstorm clouds) we would probably seek extra protection. The same can actually be said of cloud services technologies. There are a wide variety of cloud services and several options for how these services can be provided. Cloud services are often characterized as infrastructure as a service, platform as a service and software as a service and are available in a continuum from a fully private cloud through hosted cloud to a fully commercial cloud offering. Each of these varieties of cloud service has its own considerations for protection and imposes different obligations on the organizations that leverage them.

The most significant barrier for organizations looking to harness cloud computing is uncertainty. Organizations are uncertain about the cloud’s impact to their business or uncertain about how the cloud will impact their status quo. This uncertainty impedes an organization’s efforts to build up the confidence to make use of cloud services. So like pilots planning their route from take-off to landing carefully review the specific types of clouds that they may encounter along the way, IT and business leaders must become skilled on the variety of cloud technology options that are available to them as they plan their projects. A comprehensive understanding of the cloud offering that matches their business will help provide a focus on the actual risks to the business and not those derived from the unfortunate generalizations frequently found today. So as you and your organization explore the vast potential of cloud computing, be sure to take a little extra time to identify the specific cloud options applicable to your business. A little bit of up front effort will go a long way to crisply identify the detailed risks and compensating safeguards to help avoid a turbulent ride.