Home > Cloud Computing, Cloud Security > Mark Masterson’s Brilliant Cloud Security Presentation

Mark Masterson’s Brilliant Cloud Security Presentation

Have you ever seen a presentation or listened to a talk and thought “Wow. That person just clearly and brilliantly summarized all the things I wanted to say in a way I never could?”

I just had that experience.

I am working with Mark on a project and was sent a link to check out some of his musings.  One of them was titled “Risk and Security in the Enterprise Cloud.

It is, quite possibly, one of the best security presentations on Cloud I’ve seen.  It’s a fantastic merge of theoretical myth busting, information systems survivability, security models and Cloud.

Basically, it’s my entire blog of three years wrapped up into 120 slides presented in my favorite minimalist style.  Wow.  Humbling.

It’s freaking brilliant.

Please read it.


  1. Andreas
    June 10th, 2009 at 06:34 | #1

    This is a great preso indeed. It's interesting how we are moving from a definition of "secure" as a binary variable (like pregnant) to healthy which is really a scalar. A lot of the zombie/botnet stuff is also not as malignant (lower lethality) as stuff in the past. You don't get a BSOD or a corrupted boot block, because after all if the infection kills you then the botnet doesnt make any more money from spamming. See nature: ebola is a crappy virus – it's too lethal for its own good. Flu is the model: exploit and propagate, every season for millenia, without killing too many hosts. This is what the zombies are looking like. In fact, it is amusing to note that today's AV puts a much less subtle load on your CPU that the malware it's chasing!

    I live with thousands of relatively harmless, symbiotic organisms in my body. If any of them got too strong they would harm me but at low levels I can ignore them. Is that going to be the go-forward model of computer health? Tolerate the mild ones?

  2. June 10th, 2009 at 06:53 | #2

    Hi Hoff,

    Take more credit for your work! I didn't see anything special in that presentation. The whole "safe = healthy" idea is hardly novel. Any comparisons to nature fall short because our adversaries are far more intelligent than those in the wild.

    One other thought: my reaction to the so-called "Healthy" cloud showing multiple data repositories was this — now I can exploit vulnerabilities or exposures in any one of those three clouds in order to get the same data. Go ahead, add more clouds — the probability of me find a V or E in the infrastructure as a whole just keeps increasing.

    By the way, my criticism of the presentation doesn't mean I think 1990s approaches to security are appropriate for the cloud!

  3. June 10th, 2009 at 11:54 | #3

    My favorite part was "hard problems like federated identity can not be solved with Russellian techniques", federation is likely to be one of the biggest opportunities and threats in the cloud, largely because of naming. Which brings up this:

    "There are only two hard things in Computer Science: cache invalidation and naming things." -Phil Karlton

    Also, reminds me of something I remember Dan Geer saying once he got security figured out he would move onto something hard like naming.

    And finally,

    "You can't complete authorization in someone else's namespace" -me

    But federation has been reasonably working well for the last 200 years or so, and so I would not worry too much.

  1. June 12th, 2009 at 14:05 | #1