Posts Tagged ‘identity management’

Is cloud security really different than data center security?

October 30, 2009

Almost every conversation I have had over the past year or so eventually comes back to security in the cloud: "Is it really secure?" or "We are thinking about implementing the cloud, but we are worried about security." There are, of course, good reasons to plan a cloud security strategy. But in a sense, it is no different than planning a security strategy for your company. But it is the big scary cloud! Well, before I list the top issues, I would like to say one thing: if you think you need an entirely different security strategy for the cloud, you may not have a comprehensive security strategy to start with. Yes, you have to make sure that your cloud provider has a sophisticated approach to security. However, what about your Internet service provider? What about the level of security within your own IT department? Can you throw stones if you live in a glass house (yes, that is a pun…sorry)? So, before you start fretting about security in the cloud, get your own house in order. Do you have an identity management plan? Do you ensure that no single individual within the data center can control all of the data within a single environment, in order to minimize risk? If you don't have a well-executed internal security plan, you aren't ready for the cloud. But let's say that you have fixed that problem and you are ready to really plan your cloud security strategy. So, here are five of the issues to consider. If you have others, let's start a conversation.


1. You need to start at the beginning by understanding the characteristics of your cloud provider. Is the company well funded? Is its data center designed with security at the center? Your level of scrutiny will also depend on how you are using the cloud. If you are using Infrastructure as a Service for a short-term project, there is less risk than if you are planning to use a cloud to store important customer data.

2. How is your cloud provider implementing security in a multi-tenant environment? How does it ensure that one customer's data doesn't impact another customer's data?

3. Does your cloud provider give you the ability to monitor the security of your data in the cloud? This will be important both for compliance and for keeping track of your own security policies.

4. Does your cloud provider encrypt your critical data? If not, why not?

5. Does your cloud provider give you the ability to control who is allowed to access your information based on roles and authorization? Does the cloud provider support federated identity management? These are basic security best practices.

Now you are probably saying to yourself that this isn't rocket science. These are fundamental security approaches that any data center should follow. I recommend that you take a look at a great document published by the Cloud Security Alliance that details many of the key issues surrounding security in the cloud. So, I guess my principal message is that cloud security is not different than security in any data center. But the market does not seem to understand this, because the perception is that a cloud is somehow not a data center that can be secured with regular old security. I think that we will see something interesting happen because of this perception: cloud vendors will begin to charge a premium for really good security. In fact, this is already happening. Vendors like Amazon and Salesforce are offering segregated implementations of their environments to customers who don't trust their ordinary security approaches. This will work in the short term, primarily because during this early phase of the cloud there is not enough focus on security. Long term, as the market matures, cloud vendors will have to demonstrate their ability to provide a secure environment based on basic security best practices. In the meantime, cloud vendors will rake in the cash for premium secure cloud services.

How much should you trust social networking information?

December 9, 2008

I never really thought about this question until about a month ago, when I got a strange phone call from a collection agency wanting to know when I would pay my bill to a major network services provider. Naturally, my answer was that I don't do business with that company and I don't owe anyone any money. My new friend persisted. Aren't you Judith Hurwitz? Yes, I replied, I am guilty as charged. Then she wanted to confirm that I was indeed the CEO of a company called Changepond Technologies. Now this was when I stopped pleading guilty. No, I answered, I have never even heard of a company called Changepond and I am, therefore, not its CEO.

Now, how would my new friend assume that I was the president of a company I had never heard of? She did what we all do: she did a Google search, and one of the "social networking sites," called Spoke, listed me as the CEO of Changepond. Imagine my surprise (especially since I never got a salary).

Judith Hurwitz’s Professional Profile

Judith Hurwitz

President & CEO
233 Needham Street
Newton, Ma 4037

Judith Hurwitz, President Judith Hurwitz was a driving force in the distributed computing movement and was one of the first software industry analysts to recognize and write about important technology changes such as client/server computing, systems and applications management, and e-business practices. In 1992, she founded Hurwitz Group, a software research and consulting organization that quickly became an industry leader. Clients included most of the top technology firms, including IBM, Hewlett Packard, BMC, Compuware, BEA, Tivoli, Computer Associates, and Microsoft. The organization also assisted a long list of start up companies in their transition from technology idea to business product. Judith also held senior positions at Apollo Computer, John Hancock Life Insurance Company, Patricia Seybold’s Group, and International Data Corporation. Judith’s expertise is widely recognized, and she is frequently quoted in major publications. She is currently a columnist for CIO Online and has recently written articles for BioITWorld Magazine. She has authored hundreds of articles and reports, been a frequent keynote speaker at major industry events, and serves on the advisory boards of several corporations. Hurwitz holds a BA and Masters degree from Boston University.


So, this was what I saw. Needless to say, I was a little surprised. How could this happen? It is easy to understand. First, the company had a local U.S. sales office in the same building that our offices are in. In addition, because we took over the suite of offices that Changepond's U.S. office had been in, we inherited their old phone number.

Now, you might be asking, so why is this significant? Basically, people rely increasingly on these social networking sites to find people they want to do business with, or just to connect with someone they used to know. These sites serve a valuable purpose. However, there is a dark side based on identity management. Many of the sites that help you find people do not have a team of researchers collecting information. Nor do they wait until everyone takes the time to fill in the information about themselves. You really can't blame these sites. Until there is critical mass, no one will depend on the site. Since most of these sites sell ads in order to survive, getting to critical mass is imperative.

Therefore, we are seeing lots and lots of these social networking sites filled with inaccurate information. Much of this is benign. Who cares if the wrong president is listed on a social networking site? However, what happens when that company owes money and the collection agency goes after you? What happens if the company gets a bad reputation and the market thinks that it is your responsibility? What happens if you are looking for a new job and the personnel office does a background check and notices that you are associated with a company that you never put on your resume?

Our natural inclination is to assume that if we find information through a search, it must be accurate. In the case I mentioned earlier, the social networking site probably used some sort of automated tool to match company addresses and phone numbers with individuals. Not a bad methodology to get started, but somewhat dangerous.

Now, getting back to my newfound presidency of Changepond. I decided to take some actions to fix the situation. Here are the three actions I took — I'll call them the three dead ends:

Dead end #1. I called the company's new U.S. headquarters and asked to speak to the person in charge. I was connected to voice mail and, guess what, the lovely voice suggested that I could contact the individual by calling the phone number our group had acquired. There was no human who could come to the phone.

Dead end #2. I sent an email to an executive of this company and told him my problem. He was shocked and promised to look into the situation immediately. I sent a follow-up email, and this time I got no response.

Dead end #3. I sent an email to the support email address for the social networking site and asked them to fix this problem. I never did get an answer, and the information is still there.

I am not telling you this story so that you will feel sorry for me. I want to tell you this because it will become an increasingly difficult problem that will cause unanticipated problems for the social networking community. I am sure that there are hundreds and perhaps thousands of people who are impacted by inaccurate information. But I think it is important to put a spotlight on this issue. We need to hold these companies accountable for the quality of the information that they make public. If you have had similar experiences, I would like to hear from you. Start by answering the poll: