April 2010 Archives

SOURCE Boston 2010


SOURCE Boston has been over for almost a week. Looking back at the event, I can only come to the conclusion that, once again, the level of the presentations exceeded my expectations. While the conference is fairly small, with only between 250 and 300 persons in attendance, the talks were of high quality and the people who attended just about all mattered. Despite the fact that several speakers were stuck in Europe as a result of the volcanic eruptions in Iceland, it was still very worth while to attend.

As the talks are posted online in a few weeks, I'll let you form your own thoughts about them, and I'll make sure to publish a reminder when they do become available.

This year, I was in the fortunate position to host a panel session on Wednesday night. The panel discussion revolved around the usefulness (or lack thereof) of mentors in furthering careers in the information security field. Some very interesting comments were made during the session, and we are going to try spinning something up again next year.

From the life of a CISO...


Two things you never want to hear (especially on the same day):

* From an IT director to the CISO: "There is no need to involve your group in the project yet-- we have not even decided on the product!"

* (overheard) Admin: "Do you think we should tell the security officer about this?" Manager: "no, he did not get in."

Now, I could do a full writeup about how important it is to include information security officers from before the planning stage of every project, and how even the slightest sign of unusual behavior should be brought to the attention of a security person, but I will not do that. These two quotes should speak for themselves.

Information Security in the Cloud


Today, I will present "Information Security In The Cloud" at the New York Higher Education Technology Forum. The presentation will deliver a high-level overview of some things to keep in mind when moving to a cloud-based infrastructure.

The one point that I hope to get across is that, in order to create real value, CIOs must hold cloud service providers to at least the same level of expectation as they hold their internal IT organization. In other words, when a CIO expects an uptime of 99.99% from the internal IT group, a cloud offering should be able to deliver the same. If a CIO expects to run an infrastructure component for $25,000 (all-inclusive), the cloud offering should cost at most the same. If the CIO expects regulatory compliance and performance monitoring from the internal groups, he should expect the same from a cloud offering.

Too often, businesses are willing to accept a lower level of quality from a cloud offering. For example, some of the cloud providers that I have worked with directly typically do NOT promise a minimum uptime, or when they do, it is at most 99.9%. Taking such an offering would often reduce the quality of the end-user service offerings.

The presentation outline is as follows:

- Introduction
- Assumptions
- Traditional information security
- Cloud Considerations
- Top Threats (based on the Cloud Security Alliance report of March, 2010)
- Recommendations
- Conclusions

After I have given the presentation, I'll post the slide deck and I may even record an on-demand version for those who are interested. Don't expect a technical talk, or one that goes into great depth: that would be unsuitable for the audience, and I only have 45 minutes (including discussion).

Note taking for CISOs

I have found note taking to be my way of staying at a relatively stable level of sanity.

The first key to successful note taking is that all my notes go into one (Moleskine) book (get them at your local Barnes and Noble stores). It has a hard cover and heavy paper and goes with me wherever I go. Because I have a tendency to capture complex thoughts in diagrams, my choice is the book with blank paper (no lines), but pick what suits your fancy. Each book has 240 pages, which is enough to capture between 6 months and 9 months of my notes.

Colleagues in meetings lovingly refer to it as my little black book (with the DefCon sticker on the front). Because all your notes will be in the book, you'll always have them all.

The second key to successful note taking is to find a good pen. Don't use the $.79 disposable one, but pick one that really suits your hand. I use Parker Sonnet fountain pens with black ink and a medium-sized nib. Because the Moleskines have heavy paper, the ink doesn't bleed through the pages.

Next, note taking etiquette. Mark every meeting with the title of the meeting (e.g. CIO briefing), the date and a page number (with total page count). Even if you don't take any notes during the meeting, you'll have a record of the fact that you attended.

Here are some tips that I have found useful:

Hyphenated list elements: reserved for items I need to bring to the table. For most meetings, I reserve one page ahead of time. While I do other things, I may add list items to the page reserved for that meeting before the agenda actually comes out (if there is one).

Square boxes: reserved for action items I need to follow up on. When the action item has been completed, check it off. Flipping back through the most recent pages of your book will always give you your latest action items that still need to be addressed.

A typical note page will look something like this:

-------------------------------------------------------------------------------------------------------------
Managers Status Updates     04/01/2010    1/2

- update: MS OOB
- Vulnerability scan results sucked.
- Firewall is on fire most of the day
- web coding must be improved; XSS are not part of the func. requirements
- please don't hack us next week, as we'll be on vacation

sysadmins: unexpected outage of internet uplink, failover worked

[ ] get details to rule out DoS

desktop grp: antivirus keeps on triggering false positives

[ ] schedule product review and eval alternatives during summer

cio: budget requests approved

[ ] go party
-------------------------------------------------------------------------------------------------------------

Keeping the notes brief and to the point will be enough to trigger your memory, while still serving as a record of what happened. Labeling them with the date and the title will allow you to quickly find the meeting that you are looking for, and the page numbering is just good housekeeping.

Let me know how it works out for you :)