Friday, October 26, 2012

Cloud Computing Dangers: Incident Detection

This posting is Part 2 of the Case Study in Cloud Computing Dangers.

At around Noon U.S. Eastern Daylight Time (EDT) on Wednesday, May 9, I forwarded a calendar invite from my corporate account to my VA address. The message included some important attachments that originated from a prime-contractor colleague. I also responded to several email messages from the same colleague, sending mail to both his corporate and his VA accounts. Everything that seemed to have worked fine a few minutes prior was about to blow up in my face.

A Case Study in Cloud Computing Dangers

"A cloud computing approach could save 50 to 67 percent of the lifecycle cost for a 1,000-server deployment." Kevin Jackson - Forbes.

It's not hard to understand why business executives are completely intoxicated by cloud computing.  For the uninitiated, cloud computing essentially allows organizations to outsource just about any IT processing to a third party. If you need new servers, then you can just go to Amazon to quickly and cheaply procure new server capacity that's available immediately. Sick of managing your internal email system? Go to Microsoft to get Exchange email, calendaring, instant messaging, and SharePoint with the click of a button. Want to gain access to enterprise-class back office accounting and support system? Check out Google Apps for Business and all of the add-ons that it makes available. An organization can get instant satisfaction by moving to the cloud while paying a small fraction of what it would cost to procure the equipment, software, and people to do it all internally.

Sounds great, right?  Look closer and you may not be so convinced.

Wednesday, October 3, 2012

Mozilla Persona: Future of Authentication?

While doing research for a new analysis of modern authentication last week, I discovered that Mozilla had released the beta distribution of Persona, a new authentication system Mozilla describes as "an easy way to sign in to a website." I become so enamored with Persona that I figured that it deserved a quick posting rather than get buried into an analytical perspective that will not look too favorably on modern authentication mechanisms. Consider yourself teased.

This posting introduces Persona as an authentication mechanism, discusses the advantages that organizations and individuals could gain from using Persona, and some of the new vulnerabilities that they should consider before using Persona.

Monday, September 24, 2012

Why I Love and Hate Apple Maps in iOS 6

Apple surprised me with its Maps update in iOS 6. It wasn't just that it represents one of the few missteps that Apple makes but that Apple violated several tenets of its very well-honed brand foundation and reputation.

The debacle that is Apple Maps is epic with failures in three key areas: usability, data, and business decision-making. This posting expands on each of those areas.

Friday, August 24, 2012

Are Mobile Carriers Killing Business Security?

Mobile service providers, including Verizon Wireless, AT&T, and Sprint, know something about your smartphone that you don't.  What is this little nugget of information?  Service providers have no problem with selling you a supercomputer (a.k.a. smartphone) that they have no intention to protect.  It's not that they make it a secret or that the information isn't readily available, it's just that they know that you don't care, and they're right.  That's killing the ability for organizations to protect themselves.

Thursday, August 9, 2012

The Problem with Google's Two-Factor Authentication

The media has rightly gone crazy over what what technology writer Mat Honan wrote in Wired called "My Epic Hacking." If you haven't read about what happened to Mat, then I urge you to check out the article and then try to calm down for a few minutes before moving on.

In a business that focuses on quick solutions to big problems, many bloggers and writers have focused on this one statement that Mat makes in his article:

"Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened…"

I don't doubt for a second that Mat is correct.  Google's innovative application of stronger authentication is a great resource and one that I began using just about a month ago after I found some kid in Houston constantly trying to access my Gmail account thinking that it was his.  (I'll rant about that some other time.)  But, don't think for a second that Mat's statement points to a solution.  It's not.

Monday, August 6, 2012

Defect Acceptance

Cybersecurity has been a hot topic for over a decade and only seems to be getting hotter.  When I meet new folks and mention being "in" information security, I cringe when I hear the standard response, "Oh, that's a really hot field.  I bet that there are a lot of opportunities for someone like you."  Well, yes and no.

Wednesday, July 11, 2012

Vampiric Security - Dead and Still Kicking

In my posting How Hacker Targets Become Victims on the InfusionPoints blog site, I implied a little secret about the information security industry regarding the tools that we've come to believe are absolutely necessary. They are not as effective as you typically think they are. In fact, many are slowly sucking us dry without providing much valued in return.

An Adventure in Cloud Security

I recently registered for a website hosted by a government agency that handles some of the most sensitive personal information available within U.S. Government. While the site is only a simple scheduling system, imagine my dismay when I received an email confirming my registration that included both my username in password in the email body. That email demonstrates that, despite all of the reported attention to security over the past several years, especially within the Federal Government, we are failing to build an effective information security culture.

Tackling the Untrustworthy Internet

Imagine that each of us would need a tank to safely drive on the road. We would be well protected from any obstacles that could come our way, but at the expense of speed, agility, and cost. We could also blow each other up, forcing us to buy bigger and better tanks all of the time to retain a consistent state of security. That's the kind of environment that companies face when using the Internet. Rather than being able to invest in economical transport, each has to regularly procure stronger individual protection to defend themselves. What went wrong?

Introduction to Michael's World of IT

I'm not a professional blogger and this isn't a forum for absolute facts. Instead, I mean for this blog to present an unfiltered view of my IT philosophy and how it has and continues to evolve over time.

Why me and why now? This blog isn't some egocentric examination of self or a venue to simply expel all of my thoughts on the world (at least I don't really intend for it to be). Rather, I think that the industry takes itself way too seriously when it comes to its mission to improve business and there are too few voices out there willing to really conduct a detailed and extended analysis of whether technology really helps. Journalists are beginning to get it but few truly get IT and information security in an intelligent way. Beyond that, I've found that there is way too much FUD (Fear, Uncertainty, and Doubt) that drives IT decision making. I hope that I can help folks in some small way to make better decisions about their IT and security procurements.