Archive for June, 2009

What The Hell Was I Thinking?…Help Me Remember & Win $25

June 28th, 2009 22 comments

This might seem just a tad bizarre, but I could really use your help.

I Built this diagram about a year ago.  I *think* I remember what the hell it was I was trying to visualize, but for the life of me…I can’t recall.

Seems a little odd to be asking you lot, but you’re pretty darn good at interpreting my madness.  Care to give it a whirl?  Give me the best explanation for my diagram below and win $25.  I’m good for it.  Ask the people who have won my whacky challenges before…payable via PayPal.




Categories: Jackassery Tags:

Cloud Maturity: Just Like the iPhone, There’s An App For That…

June 27th, 2009 4 comments

iphoneknitI was brainstorming a couple of Cloud things with Doug Neal and Mark Masterson the other day and whilst grappling for an appropriately delicious analog for Cloud Computing, my 5-year old approached me and asked to play the “burping beer game (iBeer)” on my iPhone.  Aha!

Whilst I have often grouped Cloud Computing with the consumerization of IT (and the iPhone as it’s most visible example) together in concert in my disruptive innovation presentations, I never really thought of them as metaphors for one another.

When you think of it, it’s really a perfect visual.

The iPhone is a fantastic platform that transforms using technology that has been around for quite a while into a more useful experience.  The iPhone converges many technologies and capabilities under a single umbrella and changes the way in which people interact with their data and other people.

In some cases we have proprietary functions and capabilities which are locked into the provider and platform.  We pay for this forced allegiance, but we tolerate it as necessary.  We also see the inventiveness and innovation of people for whom brute forcing their way into openness with jailbreaks is a reasonable alternative.

There’s lots of ankle biting as vendors and providers clamor to bring the familiar trademarks of the iPhone to their own platforms.  There are marketplaces being built around these platforms to open up new opportunities for collaboration, applications and experiences with the, gasp!, phones.

It’s true.  The iPhone is, at its heart, a phone, and we’ve had mobile phones forever.  Some complain that the iPhone is nothing more than a smartly packaged combination of technology we’ve already had for ages and that thanks to Moore’s law, we’re able to cram more and more stuff into smaller and smaller spaces.  That logic therefore dictates that the iPhone is the mini-me “mainframe” of mobility. 😉 And millions buy it still.  It’s like technology timesharing as the phone, Internet and mobility capabilities all compete for a timeshared swath of space in my pocket.

Yes, that’s right.  The iPhone is simply timesharing of functions on a phone. <snort>

To the detractors’ point, however, for all the innovation and exciting capabilities the iPhone brings, it has and continues to suffer from some seriously goofy limitations that in other platforms would be game stoppers, but people settle anyway, waiting for the technology to catch up and dealing with the implications as they become important (or not.)

The best example?  Cut and paste.  I had freaking cut & paste in my Newton 15 years ago.  The lack of C&P made certain things unusable on the iPhone let alone inconvenient and even insecure (having to copy and write-down complex passwords since I stored them in 1password, for example.)

However, I’ve purchased each revision of the iPhone as it came out and have been incrementally giddy with each new hardware/software combinaton, especially with the 3.0 software upgrade which finally gave me my beloved cut and paste 😉  The reality is that there are probably better solutions for my needs, but none that are so damned convenient and sexy to use.

The thing I love about my iPhone is that it’s not a piece of technology I think about but rather, it’s the way I interact with it to get what I want done.  It has its quirks, but it works…for millions of people.  Add in iTunes, the community of music/video/application artists/developers and the ecosystem that surrounds it, and voila…Cloud.

The point here is that Cloud is very much like the iPhone.  As Sir James (Urquhart) says “Cloud isn’t a technology, it’s an operational model.”  Just like the iPhone.

Cloud is still relatively immature and it doesn’t have all the things I want or need yet (and probably never will) but it will get to the point where its maturity and the inclusion of capabilities (such as better security, interoperability, more openness, etc.) will smooth its adoption even further and I won’t feel like we’re settling anymore…until the next version shows up on shelves.

But don’t worry, there’s an app for that.


Incomplete Thought – Cloudanatomy: Infrastructure, Metastructure & Infostructure

June 19th, 2009 6 comments

I wanted to be able to take the work I did in developing a visual model to expose the component Cloud SPI layers into their requisite parts from an IT perspective and make it even easier to understand.

Specifically, my goal was to produce another visual and some terminology that would allow me to take it up a level so I might describe Cloud to someone who has a grasp on familiar IT terminology, but do so in a visual way.

Cloudifornication-Cloudanatomy.030I came up with extending the notion of infrastructure as a foundation and layering what I call metastructure and infostructure layers atop.

You can see how I define “metastructure” and “infostructure” in the diagram definitions to the left.

Essentially Infrastructure is comprised of all the compute, network and storage moving parts that we identify as infrastructure today.

Metastructure* is the protocols and mechanisms that provide the interface between the infrastructure layer and the applications and information above it.

Infostructure is the applications and information/content as well as the service definitions that depend upon the other substrates.

Cloudifornication-Cloudanatomy.031These groupings really align well and simplify how I talk about various elements of Cloud.

Specifically, these three layers line up remarkably well with the S, P, I layer demarcation points that I outlined in my Cloud Model (see the extensive discussion here) built before that I use in my Frogs presentation that has met with good reception thus far.

I can drill down as needed, but if I want to summarize from a security perspective where/what I am talking about, I now have three handy and easily understood set of macro-definitions to help me.

What do you think?  I know we’re all pretty buzzworded out these days, but this really seems to resonate with folks up and down the stack I have presented it to.

Update 6/21: Reuven Cohen posted a nice follow-up to this blog on his in regards to his “metaverse” concept.


* I first mentioned the concept of “metastructure” in a post back in Februrary in another Incomplete Thought titled “Incomplete Thought: What Should Come First…Cloud Portability or Interoperability

See You At Structure09 and Cisco Live!

June 18th, 2009 No comments

I managed to squeak out some additional time at the end of my first docking with the Mothership in San Jose next week such that I can attend Cisco Live!/Networkers the week after.  I’ll be at Live! up to closing on 7/1.

It will be a great opportunity to meet a bunch of Cisco folks, partners and customers…not to mention reunite with my best friend from high school whom I have not seen/heard from in twenty years 😉

If you’re going to be there, let’s either organize a tweet-up (@beaker) or a blog-down…

Contact information is in the right-hand galley, down toward the bottom.


Categories: Cisco Tags:

Incomplete Thought: The Opportunity For Desktop As a Service – The Client Cloud?

June 16th, 2009 8 comments

Please excuse me if I’m late to the party bringing this up…

We talk a lot about the utility of Public Clouds to enable the cost-effective and scalable implementation of “server” functionality, whether that’s SaaS, PaaS, or IaaS model, the concept is pretty well understood: use someone else’s infratructure to host your applications and information.

As it relates to the desktop/client side of Cloud, we normally think about hosting the desktop/client capabilities as a function of Private Cloud capabilities; behind the firewall.  Whether we’re talking about terminal service-like capabilities and VDI, it seems to me people continue to think of this as a predominantly “internal” opportunity.

I don’t think people are talking enough about the client side of Cloud and desktop as a service (DaaS) and what this means:

If the physical access methods continue to get skinnier (smart phones, thin clients, client hypervisors, virtual machines, etc.) is there an opportunity for providers of Infrastructure as a Service to host desktop instances outside a corporate firewall?  If I can take advantage of all of the evolving technology in the space and couple it with the same sorts of policy advancements, networking and VPN functionality to connect me to IaaS server resources running in Private or Public Clouds, isn’t that a huge opportunity for further cost savings, distributed availability and potentially better security?

There are companies such as Desktone looking to do this very thing in a way to offset the costs of VDI and further the efforts of consolidation.  It makes a lot of sense for lots of reasons and despite my lack of hands-on exposure to the technology, it sure looks like we have the technical capability to do this today.   Dana Gardner wrote about this back in 2007 and it’s as valid a set of points then as it is now — albeit with a much bigger uptake in Cloud:

The stars and planets finally appear to be aligning in a way that makes utility-oriented delivery of a full slate of client-side computing and resources an alternative worth serious consideration. As more organizations are set up as service bureaus — due to such  IT industry developments as ITIL and shared services — the advent of off the wire everything seems more likely in many more places

I could totally see how Amazon could offer the same sorts of workstation utility as they do for server instances.

Will DaaS be the next frontier of consolidation in the enterprise?

If you’re considering hosting your service instances elsewhere, why not your desktops?  Citrix and VMware (as examples) seem to think you might…


Cloud Computing Security: (Orchestral) Maneuvers In the Dark?

June 14th, 2009 8 comments

OMDLast week Kevin L. Jackson wrote an insightful article titled: Cloud Computing: The Dawn of Maneuver Warfare in IT Security.  I enjoyed Kevin’s piece but struggled with how I might respond: cheerleader or pundit.  I tried for a bit of both while I found witty references to OMD.*

Kevin’s essay is an interesting — if not hope-filled — glimpse into what IT Security could be as enabled by Cloud Computing and virtualization, were one to be able to suspend disbelief due to the realities of hefty dependencies on archaic protocols, broken trust models and huge gaps in technology and operational culture.  Readers of my blog will certainly recognize this from “The Four Horsemen of the Virtualization Security Apocalypse” and “The Frogs Who Desired a King: A Virtualization and Cloud Computing Security Fable

To the converse, I’ve certainly also done my fair share of trying to change the world both by thought and action in the stance of “cheerleader”; I’ve been involved in everything from massive sensornet deployments to developing AI/Neural Networking based security technologies, so I think I’ve got a fair idea of what the balance looks like.  The salty pragmatist often triumphs, however…

Kevin’s article represents a futurist’s view, which is in no way a bad thing, but I fear it is too far disconnected from the realities of security and operational maturity outside of the navel:

The lead topic of every information technology (IT) conversation today is cloud computing. The key point within each of those conversations is inevitably cloud computing security.  Although this trend is understandable, the sad part is that these conversations will tend to focus on all the standard security pros, cons and requirements. While protecting data from corruption, loss, unauthorized access, etc. are all still required characteristics of any IT infrastructure, cloud computing changes the game in a much more profound way.

Certainly Cloud is a game changer, but just because the rules change does not mean the players do.  We haven’t solved those issues as they pertain to non-virtualized or Cloud infrastructure, so while sad, it’s a crushing truth we have to address.  Further, to get from “here” to “there,” we do need to focus on these issues because that is how we are measured today; most of us don’t get to start from scratch.

To that point, check out “Incomplete Thought: Cloud Security IS Host-Based…At The Moment” for why this gap exists in the first place.

I should make it clear that this does not mean I necessarily disagree with the exploration of Kevin’s future state, in fact I’ve written about it in various forms several times, but it’s important to separate what Cloud will deliver from a security perspective in the short term from the potential of what it can possibly deliver in the long term; this applies to both the cultural and technical perspectives.

I think the most significant challenges I had in reading Kevin’s article revolved around three things:

  1. Mixing tenses in some key spots seemed to imply that out of the box today, Cloud Computing can deliver on the promises Kevin is describing now.  Given the audience, this can lead to unachievable expectations
  2. The disconnect between the public, private and military sectors with an over-reliance on military analogies as a model representing an ideal state of security operations and strategy can be startling
  3. Unrealistic portrayals of where we are with the maturity of Cloud/virtualization mobility, portability, interoperability and security capabilities

In the short term, there are certainly incremental improvements will occur with respect to security thanks to the “lubricant-like” functionality provided by virtualization and Cloud.

These “improvements” however represent gains mostly in automation of manual processes and a resultant increase in efficiency rather than a dramatic improvement in survivability or security given what we have to work with today.

The lack of heterogeneous closed-loop autonomics, governance and orchestration in conjunction with the fact that a huge amount of infrastructure and applications are not virtualization- or Cloud-ready means this picture a vision, not a mission.

Kevin juxtaposes the last few decades of static, Maginot Line IT/Information Security “defense-in-depth” strategy with the unpredictable and “agile, hostile and mobile” notions of military warfighter maneuvers to compare and contrast what he suggests Cloud will deliver with an enlightened state of security capabilities:

Until now, IT security has been akin to early 20th century warfare.  After surveying and carefully cataloging all possible threats, the line of business (LOB) manager and IT professional would debate and eventually settle on appropriate and proportional risk mitigation strategies. The resulting IT security infrastructures and procedures typically reflected a “defense in depth” strategy, eerily reminiscent of the French WWII Maginot line . Although new threats led to updated capabilities, the strategy of extending and enhancing the protective barrier remained. Often describe as an “arms race”, the IT security landscape has settled into ever escalating levels of sophisticated attack versus defense techniques and technologies. Current debate around cloud computing security has seemed to continue without the realization that there is a fundamental change now occurring. Although technologically, cloud computing represents an evolution, strategically it represents the introduction of maneuver warfare into the IT security dictionary.

The concepts of attrition warfare and maneuver warfare dominate strategic options within the military. In attrition warfare, masses of men and material are moved against enemy strongpoints, with the emphasis on the destruction of the enemy’s physical assets. Maneuver warfare, on the other hand, advocates that strategic movement can bring about the defeat of an opposing force more efficiently than by simply contacting and destroying enemy forces until they can no longer fight.

The US Marine Corps concept of maneuver is a “warfighting philosophy that seeks to shatter the enemy’s cohesion through a variety of rapid, focused, and unexpected actions which create a turbulent and rapidly deteriorating situation with which the enemy cannot cope.”   It is important to note, however, that neither is used in isolation.  Balanced strategies combine attrition and maneuver techniques in order to be successful on the battlefield.

The reality is that outside of the military, “shock and awe” doesn’t really work when you’re mostly limited to “compliance and three analysts with a firewall.”  Check out “Security & the Cloud — What Does That Even Mean?

Here’s where the reality distortion fields trumps the rainbows and unicorns:

With cloud computing, IT security can now use maneuver concepts for enhance defense. By leveraging virtualization, high speed wide area networks and broad industry standardization, new and enhanced security strategies can now be implemented. Defensive options can now include the virtual repositioning of entire datacenters. Through “cloudbursting”, additional compute and storage resources can also be brought to bear in a defensive, forensic or counter-offensive manner. The IT team can now actively “fight through an attack” and not just observe an intrusion, merely hoping that the in-place defenses are deep enough. The military analogy continues in that maneuver concepts must be combined with “defense in depth” techniques into holistic IT security strategies.

Allow me to suggest that “fight[ing] through an attack” by simply redirecting/re-positioning the $victim isn’t really an effective definition of an “active countermeasure” anymore than waiting the attack out because there’s no offense, only defense.  There is no elimination of threat.  I’ve written about that a bit: Incomplete Thought: Offensive Computing – The Empire Strikes BackThinning the Herd & Chlorinating the Malware Gene Pool… and Everybody Wing Chun Tonight & “ISPs Providing Defense By Engaging In Offensive Computing” For $100, Alex. Mobility does not imply security.

To wit:

A theoretical example of how maneuver IT security strategies could be use would be in responding to a  denial of service attack launched on DISA datacenter hosted DoD applications. After picking up a grossly abnormal spike in inbound traffic, targeted applications could be immediately transferred to virtual machines hosted in another datacenter. Router automation would immediately re-route operational network links to the new location (IT defense by maneuver). Forensic and counter-cyber attack applications, normally dormant and hosted by a commercial infrastructure-as-a-service (IaaS) provider (a cloudburst), are immediately launched, collecting information on the attack and sequentially blocking zombie machines. The rapid counter would allow for the immediate, and automated, detection and elimination of the attack source.

To pick on this specific example, even given the relatively mature anti-DDoS capabilities we have today without virtualization or Cloud, simply moving resources around in response to an attack does nothing if the assets are bound to the same IP addresses and hostnames. Fundamentally, the static underpinnings holding the infrastructure together hinder this lofty goal.  You can Cloudburst till the cows come home, but the attacks will simply follow.  You transfer all those assets to a new virtual datacenter and for the most part, the bad traffic goes with it. Distributed intelligence can certainly reduce the pain, but with distributed botnets whose node counts can number in the millions, you’re not going to provide for the “…elimination of the attack source.”

With these large scale botnets as an example, the excess capacity and mobility of the $victim could even have unintended worse ramifications such as what I wrote about here: Economic Denial Of Sustainability (EDoS)

In closing, we’ve got two parallel paths of advancing technology: the autonomics of the datacenter and the evolution of security.  I’ll wager we’ll certainly see improvements in the former that are well out-of-phase and timing with the latter, not the least of which is due to what Kevin closed with:

This revolution, of course, doesn’t come without its challenges.  This is truly a cultural shift. Cloud computing provides choice, and in the context of active defense strategies, these choices must be made in real-time.  While the cloud computing advantages of self-service, automation, visibility and rapid provisioning can enable maneuver security strategies, successful implementation requires cooperation and collaboration across multiple entities, both within and without.
The cloud computing era is also the dawning of a new day in IT security.  In the not to distant future, network and IT security training will include both static and active IT security techniques. Maneuver warfare in IT security is here to stay.

It’s absolutely a cultural issue, but we must strive to be realistic about where we are with Cloud and security technology and capabilities as aligned.  As someone who’s spent the last 15 years in IT/Security, I can say that this is NOT the “…dawning of a new day in IT security,” rather it’s still dark out and will be for quite some time.  There is indeed opportunity to utilize Cloud and virtualization to react better, faster and more efficiently, but let’s not pretend we’re treating the problem when what we’re doing is making the symptoms less noticeable.

I am absolutely bullish on Cloud, but not Cloud Security as it stands, at least not until we make headway toward fundamentally fixing the foundational problems we have that allow the problems to occur in the first place.


* I thought that out of all of OMD’s tracks, the most apropos titles to match to this blog post would be “Pandora’s Box,” “Dreaming,” or “The New Stone Age” 😉  Thanks for the motivation, @csoandy

Hey, Uh, Someone Just Powered Off Our Firewall Virtual Appliance…

June 11th, 2009 11 comments

onoffswitchI’ve covered this before in more complex terms, but I thought I’d reintroduce the topic due to a very relevant discussion I just had recently (*cough cough*)

So here’s an interesting scenario in virtualized and/or Cloud environments that make use of virtual appliances to provide security capabilities*:

Since virtual appliances (VAs) are just virtual machines (VMs) what happens when a SysAdmin spins down or moves one that happens to be your shiny new firewall protecting your production VMs behind it, accidentally or maliciously?  Brings new meaning to the phrase “failing closed.”

Without getting into the vagaries of vendor specific mobility-enabled/enabling technologies, one of the issues with VMs/VAs is that there’s not really a good way of designating one as being “more important” or functionally differentiated such as “security” or “critical application” that would otherwise ensure a higher priority for service availability (read: don’t spin this down unless…) or provide a topological dependency hierarchy in virtualized network constructs.

Unlike physical environments where system administrators (servers) are segregated from access to network and security appliances, this isn’t the case in virtual environments. In Cloud environments (especially public, multi-tenant) where we are often reliant only upon virtual security capabilities since we have no option for physical alternatives, this is an interesting corner case.

We’ve talked a lot about visibility, audit and policy management in virtual environments and this is a poignant example.


*Despite the silly notion that the Google dudes tried to suggest I equated virtualization with Cloud as one-in-the-same, I don’t.

Dear Mr. Schneier, I Was A Jackass & I’m Sorry…

June 10th, 2009 6 comments
Humble Pie

Humble Pie

This is a particularly difficult blog to write.  As humble as I try to be, I think I might have believed my own marketing for a while there.  I feel badly.

Ever since I wrote this piece titled “Dear Mr. Schneier, If Cloud Is Nothing New, Why Are You Talking So Much About It?” I’ve been churning on it.  I couldn’t put my finger on why I felt, well, guilty.

So here’s the rub: I added some petty color in that post that was rude and disrespectful to Bruce. Nothing major, but unnecessary.  Time to own it.

When I wrote it at 1:30am out of frustration with Bruce’s comments it seemed funny at the time.

Then I re-read it the next morning and thought to myself, “that was a bit pointed for no particular reason.”

I let it slide because I don’t make a habit of editing posts once they’re up and normally, it’s just part of the shtick.  I also figured he’d never read it anyway.

Then Bruce emailed me, and what he said, despite my own rationalization, really kicked me in the butt for days:

I linked to it from my blog post.  I did so because it was interesting, but almost didn’t because it was rude.  Honestly, your points are good enough to stand on their own.



I apologized poorly in email and annotated the post to say I was a dick, but that’s not enough because if what Bruce said is true — that my points are good enough to stand on their own — then I owe him the respect of removing the things that don’t need to be there — and shouldn’t have been in the first place.

So I’m going to do that.

You might think I’m overreacting or you might disagree with my actions as a betrayal of my supposed personality.  Doesn’t matter.  I should do better.

Thanks for the humility reminder, Bruce.

I still don’t agree with you, but I respect your right to an opinion.  Sorry for the snark.


Categories: Jackassery Tags:

Mark Masterson’s Brilliant Cloud Security Presentation

June 10th, 2009 3 comments

Have you ever seen a presentation or listened to a talk and thought “Wow. That person just clearly and brilliantly summarized all the things I wanted to say in a way I never could?”

I just had that experience.

I am working with Mark on a project and was sent a link to check out some of his musings.  One of them was titled “Risk and Security in the Enterprise Cloud.

It is, quite possibly, one of the best security presentations on Cloud I’ve seen.  It’s a fantastic merge of theoretical myth busting, information systems survivability, security models and Cloud.

Basically, it’s my entire blog of three years wrapped up into 120 slides presented in my favorite minimalist style.  Wow.  Humbling.

It’s freaking brilliant.

Please read it.


Apparently In The Government You Can Have Your Cloud & Eat It, Too…

June 9th, 2009 2 comments

I’m sure more details will emerge, but as written in Information Week, this story is just bizarre:

Less than a month and a half after coming out as federal cloud CTO, Patrick Stingley has returned to his role as CTO of the Bureau of Land Management*, with the General Services Administration saying the creation of the new role came too early. “It just wasn’t the right time to have any formalized roles and responsibilities because this is still kind of in the analysis stage,” GSA CIO Casey Coleman said in an interview today. “Once it becomes an ongoing initiative, it might be a suitable time to look at roles such as a federal cloud CTO, but it’s just a little premature.”

Cloud computing is a major initiative of federal CIO Vivek Kundra, and its importance was even outlined in an addendum to the president’s 2010 budget last month. Kundra introduced Google Apps to city employees in his former role as CTO of Washington, D.C., and has said that he believes cloud computing could be one way to cut the federal IT budget.

So Cloud Computing, despite all we hear about the Government’s demands for such services as a critical national initiative is “…still kind of in the analysis stage” and isn’t at the “…right time to have any formalized roles and responsibilities”?


While Stingley is no longer the formal federal cloud CTO, he has by no means turned his attention away from cloud computing. As of last Thursday, he was still scheduled to give a presentation titled “Development Of A Federal Cloud Computing Infrastructure” at the Geospatial Service-Oriented Architecture Best Practices Workshop on Tuesday morning, though as CTO of the BLM, not as a representative of the GSA.

The GSA isn’t by any means taking its foot off the accelerator with cloud computing. However, Coleman wants to make sure it’s done in the right way. “As we formalize the cloud computing initiative, we will have a program office, we will have a governance model,” she said.

Despite the elimination — for now — of the federal cloud CTO role, Coleman said that it’s “fair to say” that the GSA will be taking a central role in pushing the Obama administration’s cloud computing initiative, noting that the GSA should be a “center of gravity” for federal government IT.

Perhaps this was simply lost in GovSpeak translation, but something does not compute here.  I’m very much for correcting missteps early, but what an absolutely confusing message to send: Cloud is uber-important, we’re moving full-steam ahead, but nobody — or at least not the GSA — is steering the ship?

What could go wrong?

Whether it was decided that the GSA was not the appropriate office to lead/govern the Federal Cloud efforts, they are amongst the most innovative:

The GSA is experimenting with cloud computing for its own internal use. For example, federal information Web site is hosted via Terremark’s Enterprise Cloud infrastructure as a service product, which charges by capacity used. When it was time for renegotiation of its old hosting contract, the GSA opened the contract to bidders and ended up saving between 80% and 90% with Terremark on a multiyear contract worth up to $135 million.

It’s also possible that under the Obama administration, the GSA might begin playing more of a shared-services role in IT, as it does in building management. However, Coleman is coy about whether that’s likely to happen, saying only that it would depend on the goals of the administration and the incoming GSA administrator. Stingley is reported to have been thinking about how the GSA might build out a federal cloud that agencies could easily tap into.

There’s a back-story here…


* Aha!  I figured it out. See the problem is that you can’t appoint the CTO from something called the Bureau of LAND Management and expect them to be able to manage CLOUDS!  Silly me!