Tuesday, December 6, 2011

Introducing Physical Security Cloud Services


By Shayne P. Bates CCSK, CPP, CHS-V, DABCHS
Source: The Great Conversation Blog,

Introduction
Without question, we are highly dependent on computing technology to be effective security practitioners. Without it, or with it at reduced capacity, our ability to manage enterprise risk is significantly impaired. Therefore, doesn’t it make sense to explore how we can optimize our effectiveness as security practitioners through the use of technology?

What does cloud computing mean to the business of physical security, what are the opportunities, and why should I pay attention?

A Generational Change is Underway (again)
The generational change in computing that occurred when technology moved from mainframes to PCs and servers had enormous economic implications: most mainframes were rendered relics of a bygone era because their high cost forced them to be optimized for efficiency. They were quickly replaced by distributed storage and compute, which was optimized for agility because of its low cost. The explosion of networking and bandwidth helped fuel a whole new era in which inexpensive operating systems were licensed perpetually, replacing the legacy model of high upfront costs for hardware and software.

High cost necessitates efficiency and low cost enables agility. We are constantly reminded of this principle as we discard our gadgets in favor of new ones that are smarter, cheaper and faster. Gone is the notion of repair when we are tempted by the economics and promise of something better and almost immediate.

Today, we are seeing the explosive scale-out of large data centers with commodity hardware, which is an order of magnitude better in efficiency and agility.

Speed and Cost are Great Partners
Add to this the reality that organizations do not require every application to be custom. Ask your team this: for those applications that are custom, can we justify the high cost of owning and managing them ourselves? Why? In many cases, if confidentiality, integrity and availability are satisfactorily addressed, applications that are hosted in data centers and delivered by high speed networks to commodity devices become very appealing for reasons of agility and economics. Share this cost on a large scale across many customers globally, and a potent tool is delivered to enable the third generational change in computing: the Cloud.

It’s in the Math: Capex vs. Opex
There is one important cloud principle worth understanding: economy of scale. Why commit precious capital to own something when you can pay less to use it for a period of time while it meets your needs, and then hand it back or move elsewhere when you are done? This principle is already familiar from many services we consume today, such as rental cars and utilities like phone, gas and electric, rather than having to acquire and manage our own.

The basic doctrine of project management teaches us that “there is good, fast and cheap: pick any two” (performance, time and cost), or at least decide the balance you desire. Add scope to the equation and one way of viewing cloud economics is a balance of these four items.

The Cloud: Way More Than Just Cost Savings
Putting aside the economics for a moment, ask “what can I do with a security cloud that I cannot with our system today?” The answer is many new things, complementary to the economic benefits, which enable the emergence of a new stream of security services. The five key characteristics of the cloud are:


  • On Demand Self Service: what automated services could we deliver for customers to serve themselves without the wait (and bill them for it)?
  • Resource Pooling: what is the impact of pooling and dynamically assigning resources to serve multiple consumers?
  • Measured Service: how can we leverage the benefits of monitoring, optimizing, controlling and reporting resource use transparently?
  • Broad Network Access: what new capabilities could we deliver over the network to standard mechanisms and appliances?
  • Rapid Elasticity: what could we do with virtually unlimited computing power for a period of time that we determine?

Security Convergence Has a Child
Much discussion has occurred around the convergent nature of information and physical security, and it is still occurring. Suffice it to say, the security cloud can be viewed as a product of the two. For the adequate provision of physical security cloud services (PSCS), a symbiosis between physical and information security is required for effective enterprise security risk management (ESRM) to serve the needs of the business. Cloud is one of the best examples of a tightly coupled partnership between physical and IT security.

Conclusion
Physical security technologies and services will be rapidly redefined as innovators learn how to leverage the agility, low cost and virtually unlimited compute of the cloud, delivering services at a fraction of today’s cost using cloud-scaled resources. What was unthinkable a few short years ago is becoming reality as new tools emerge to reduce the risk of harm and to secure assets and reputations.

Thursday, November 4, 2010

Understanding Risk Management Approaches in the Cloud Computing Service Model

Source: International Security Buyers Guide, November 2010.

Abstract
There is not yet widespread understanding about the 3 service model options of cloud computing (Software, Platform, Infrastructure). This article outlines these options and examines the end user approach to managing risk relevant to each service model.

To quantify the degree of risk, it is essential to first understand the choices that exist within the framework of the “Cloud”. The approach to managing risk will vary, depending on choice.  

Note: this overview is generic and does not describe all of the permutations and approaches, but provides an outline based on existing technology, knowledge and experience.

How Much Risk is in the Cloud?
There is a lot of talk about whether using the cloud is a risky proposition. An essential step to gauging risk is to understand the service and deployment models, the characteristics, and how these apply to the services or applications to be placed in the cloud. 

What is the Cloud?
The National Institute of Standards and Technology (NIST) provides an excellent definition of Cloud Computing found at http://csrc.nist.gov/groups/SNS/cloud-computing/

To simplify the framework, think of the cloud as a “3-4-5 model”, namely:

  • 3 service models (Software, Platform, Infrastructure: “SPI”)
  • 4 deployment models (Private, Community, Public and Hybrid)
  • 5 characteristics (Broad Access, Rapid Elasticity, Measured Service, On Demand Self Service, Resource Pooling)

Questions to Consider
The framework allows you to consider 3 broad types of questions:

  • How much technical participation (direct engineering control) do I require?
  • Which type of cloud will I use?
  • What quantifiable benefits will the cloud characteristics deliver?

Cloud Service Models – “SPI”
This article focuses on the “3” in the 3-4-5 framework: the 3 Cloud Service Models and the differing approaches to managing risk. The approach depends on the degree of technical participation that the end user is responsible for, or has under their direct control.

The cloud service model is often referred to as the “SPI model” for Software, Platform and Infrastructure (for definitions see the NIST description). Depending on requirements and risk posture, some of which may be dictated by compliance or regulation, choices are available about the amount of “hands-on” control a user organization might decide to retain when deciding to use or move an application in or to the cloud.

The three types of service models are:

SaaS - Software = Turnkey Solution (e.g. Salesforce.com)

The most integrated but least extensible. Characteristics: turnkey – software, platform and infrastructure are all managed for you. Functionality and system security are built in, “as-is”.

PaaS - Platform = “BYO Application” (e.g. Google App Engine)

Generally restricted to using the application or development environment(s) specified by the provider. More extensible than SaaS. Built-in capabilities are less complete, but more flexibility exists to layer in additional security.

The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly the application hosting environment configurations.

IaaS - Infrastructure = “BYO operating systems and applications” (e.g. Amazon Web Services (AWS))

Users do not manage or control the underlying cloud infrastructure, but have control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g. host firewalls).

Approach to Risk in SPI Model
Each of the 3 service models has a slightly different approach to mitigating risk. These approaches are detailed in the Cloud Security Alliance guidance document available at http://www.cloudsecurityalliance.org/


In Figure One above, the “all inclusive” nature of SaaS means that risk is most effectively controlled by contract terms, and few engineering choices exist because a standardized application, platform and infrastructure is shared across a large base of users.

In the case of PaaS, risk may be mitigated by a combination of contract terms and technical engineering choices and controls. This is because the user is responsible for much of the application environment and some security features can be built in to mitigate risk.

With IaaS, a combination of contract terms and technical engineering choices and controls is still relevant, but there is much more emphasis and choice about technical security infrastructure as the user has control and responsibility for much of the operating environment.

Summary &amp; Conclusions

For SaaS, the primary risk control mechanism is contract terms, whereas PaaS and IaaS require a combination of technical engineering controls as well as contract terms to effectively manage risk.

The lower down the SPI model the chosen service sits, the more control and customization are available. The trade-off is more responsibility for security and management.

The nature and types of specialty skill-sets required to assess and manage risk will vary depending on the service model chosen. 

Decisions need to be made about whether security controls can be outsourced to a provider, or maintained under the control of the user organization or an independent third party. 

To meet regulatory and compliance requirements, organizational policies require careful review in every case, and consideration must be given to whether the choice of a particular model is valid.

Irrespective of the appeal that any given technical approach may have, the business implications require alignment with an organization’s overall Enterprise Security Risk Management program.

Cloud is not a “one-size-fits-all” proposition, and the service model options provide choices depending on needs. For each service model, there are differently balanced options for mitigating risk, primarily in the proportions of contractual and engineering resources, which may require more direct participation in technology risk decisions by the user.


Thursday, October 14, 2010

Cloud Computing Pervades ASIS Atmosphere

Source: Ronnie Rittenberry, Network Centric Security
October 14, 2010



One of the hottest topics in the security industry this year -- and therefore one of the most pervasive subjects at ASIS -- is cloud computing.

But, aside from being a preeminently emerging business platform and a ubiquitous part of modern culture, what is it?

Benjamin Butchko, CPP, president and CEO of Butchko Security Solutions, and Shayne Bates, CPP, vice president of Strategic Partnerships for Brivo Systems LLC, offered an enthusiastic primer on the topic Wednesday in their intermediate-level education session “Cloud Computing & Software as a Service: An Overview for Security Professionals,” a presentation based on a white paper they co-authored with the same title, which is available on the ASIS website at https://www.asisonline.org/councils/documents/CloudComputingFinal.pdf.

Early on in that 51-page study, the authors provide these three sentences by way of a definition: “As the security and reliability of the Internet and the services offered over it matures, there is a movement toward shared services. Some of the shared services are manifested in technology offerings that have such characteristics as fast implementation, reduced operational expense, and a multi-tenant model sharing common computing resources. The common terminology for this is Cloud Computing. . . .”

In the Oct. 13 presentation, Butchko, who also is chairman of the ASIS Physical Security Council, made the concept even simpler, saying, “If you’ve ever used Gmail or Google Analytics or TurboTax online, you’ve used cloud technology.” Such are popular and mainstream examples of ways cloud technology is being deployed.

“It’s an on-demand service,” added Bates, who also is chairman of the Cloud Computing Workgroup and author of the “Cloud 9” blog. “You can subscribe and enjoy the service with a few clicks. . . . If you’ve got Internet access and a Web browser, you’ve generally got enablement. The application is online; all you do is log on and use it. You’re not investing in infrastructure; you’re leveraging what you already have.”

Butchko added: “The ‘cloud’ in this context is where the information resides, where it’s processed. It’s not sitting on your computer. You’re effectively renting the ability to use an application. From the user’s perspective, you’re just seeing the application. Security is taken care of for you.”

Broadening the scope, Bates and Butchko noted that for many security professionals, the technology enables their companies to outsource applications such as video surveillance, video management, access, and control without the burden of buying and maintaining software and equipment -- and without giving up either control or access. Infinitely scalable and flexible, the technology allows for “rapid elasticity” (business expansion or contraction) in a cost-effective way in terms of critical infrastructure, depending on whether companies need to add to or decrease the size of their network, as is often the case in merger/acquisition situations.

Bates called this the “ET Phone Home” philosophy: “It enables you to have centralized resources without having to deploy resources all over the planet.”

The presenters said that one of the major issues at play with cloud computing is the reality that all participants’ data becomes intermingled with every other person’s data being hosted in that outsourced application.

When a company opts to deal itself with the maintenance and storage issues of, for example, video storage, that information is primarily located in its own system, and there is a natural boundary that provides privacy protection.

Within the cloud, in some scenarios, privacy issues may need to be resolved. On the other hand, as part of the emergence of the technology, new security capabilities designed for the protection of critical information already have been created, and more will evolve as the technology continues to dominate -- so much so that it is not difficult to envision a near future in which businesses outsource their IT function altogether. The centralized place where that information is outsourced to is “the cloud.”

Thursday, September 30, 2010

Careers Need Aspiration.

Source: Info Security Magazine, the publication of (ISC)2, September 2010.

Introduction

If you work and network with leaders who have nurtured your growth, then you aspire to greater things and likely provide support to others. Solid leadership highlights the difference between showing up each day for a job and participating in a career.

Change is constant. To remain relevant, a conscious, constant commitment to ongoing education is required to maintain competence. So, get an attitude! Take responsibility for your education and use every opportunity available, whether in your own time or not—personal days, vacation, and online education are all options.

Gaining a recognized certification will differentiate you. Look to leaders you respect and ask for their help – most are willing to share their skills and your network will blossom.

We are challenged with “always on” technology, in ways we have not previously considered. Security professionals have a special responsibility to be effective educators about choices, to operate ethically, and within the scope of the law.

Understand why the technology you work with exists, and what it means. How do such insights affect us in the context of our careers and our interactions within the industry?

Try this exercise: Write a response to, “What is it you do for a job?”

You can answer in several ways; here is an example of how much impact different responses have:

“I work for xyz company and do security audits.”

“I’m a career security professional who works with a great team at xyz company to make our enterprise safer for our customers and company. We do this by identifying and managing security risks.”

The second response is much more interesting. Go a step further: be more specific. Identify specific data points and use them in your elevator pitch. “In the last year, we averted 1700 attacks, saving our customers and xyz approximately $200 Million.”

Security professionals who explain, in simple, effective terms, the business value of our profession are better regarded and elevate our profession. Our role as educators and story-tellers is vital.

The rate of change for technology is accelerating. Almost all technical innovations have security issues; not just the technology, but the way they are configured, the ways that people use (and abuse) them, and the unintended consequences.

Globally-connected cloud networks contain applications that manage millions of identities for access to physical and virtual devices. Unified access and trust models are emerging. The line is blurred between physical and logical security, creating new opportunities for much needed competencies. IT and Physical Security are no longer separate fields; each is required for the other to function effectively on a continuing basis.

We are reliant on appropriate, effective security to protect the lives and well being of people, assets, and information. Understanding the subtleties related to securing systems with both physical and virtual elements adds great value to an organization’s security posture.

We each aspire to different goals, competencies, and positions. To what do you aspire? Your future starts now.

Shayne Bates.

Friday, August 6, 2010

Assessing Risk in the Cloud

Source: Security Buyer Magazine

Introduction

The global adoption of Cloud Computing and Software-as-a-Service (SaaS) is increasing in intensity, forcing businesses that want to remain competitive to evaluate how SaaS can be put to work for them. To complete such a measured analysis, enterprises must carefully consider the relevant risks alongside SaaS’s many benefits.

Users Moving Sensitive Applications to the Cloud

I recently blogged a case study describing how a large county in the US moved several sensitive applications to the cloud and the decision-making process involved (“Real World Risk Management and the Business Value of SaaS”, http://www.cyber-crime.biz).

For this county, both data and applications are hosted offsite and include patient care, human resources, crime reporting, credit card compliance and security team services. One of the conclusions we reached with them was that, by distributing their applications and data among several independent vendors, the risk of a catastrophic failure of all applications at once was significantly lower than the risk of a failure of their own single data center.

What’s My Real Level of Security?

The other key point from this case study is the divide that often exists between required levels of security and an organization’s actual security posture. Our recommendation: the county’s actual security could be significantly improved by contracting a third party who is committed to a higher standard of security.

Evaluating Risk

In the case discussed above, this county organization was reaping substantial, measurable benefits from moving to the cloud. But is that where it ends? How does an organization determine what its risks are when evaluating whether to move physical security and business applications to the cloud?

ASIS International (www.asisonline.org), the Cloud Security Alliance (www.cloudsecurityalliance.org) and The European Network and Information Security Agency (http://www.enisa.europa.eu) provide valuable answers to this question. ENISA’s document titled, “Benefits, risks and recommendations for information security” is a useful guideline to help evaluate risk likelihood and impact. Some 35 policy and organizational risks are covered.

Technical Risks

To gain a more comprehensive understanding of these risks, one should read the full report. One quarter of the identified risks are rated significant; those are listed briefly as follows:

  • Loss of Governance (lessened security controls affecting confidentiality, integrity and availability, and subsequent compliance challenges)
  • Compliance Challenges (lack of evidence that compliance requirements will be met, and the need for an independent audit)
  • Changes of Jurisdiction (unpredictable or autocratic legal frameworks in other jurisdictions may place data at risk of disclosure)
  • Data Protection (lawful handling, collection and storage of data)
  • Network Management (congestion, mis-connection and non-optimal use)
  • Isolation Failure (separation of multiple tenants’ storage, memory and routing)
  • Malicious Insider (system administrators, auditors and managed security service providers)
  • Management Interface Compromise (manipulation and availability of infrastructure)
  • Insecure or ineffective deletion of data (several scenarios whereby customer resources are maliciously used, resulting in an economic impact)

Evaluation and Process Risks

In addition to the technical risks outlined above, several other factors should be considered when evaluating and developing a business case to manage risks that might impact the project. Those factors include:

  • Business Case

Evaluate and document the financial and organizational benefits.

  • Risk Appetite

Decide your organization’s risk appetite. Which risks are non-negotiable? (e.g. mandatory compliance)

Meet with business unit heads and discuss, in business terms, the risks and their position relative to business benefit.

  • Good Advice

Ensure that you receive competent counsel. Don’t assume that all IT and security staff will be conversant with the risk process for cloud technology.

Review certifications of technical staff: For example the Cloud Security Alliance recently announced the world’s first user certification for cloud security knowledge (CCSK), available from September 2010.

Utilize the tools provided by CSA and ENISA.

  • Evaluate Potential Cloud Vendors

Can you measure the quality?

Do they have their own audits, which conform to a standard, and will they share control measures and audit results?

Are their staff subject to background checks?

Who has access to your data and where will it reside?

What is the degree of “fit” with your written performance and security requirements?

Does a service level agreement adequately describe what is being delivered?

Some cloud vendors are willing participants in describing their assurance process; see the article by Brivo Systems’ John Sczygiel at http://blog.brivo.com/bid/40112/Do-You-Trust-Your-Cloud

  • Contract

Your bargaining power may be limited depending on the size and duration of your requirements, and whether the application is a custom or a commercial SaaS offering.

What are you getting?

Is the service adequately described or does it leave room for assumptions?

Are there any special requirements (e.g. availability of system log report documentation required to meet a compliance requirement)?

Document the risks and who is responsible for specific performance requirements, especially if the impact on the enterprise could be significant.

  • Notification and Remedies

Consider the escalation process if things do go wrong.

What is your recourse to seek performance?

If there is the potential for legal action, what form will it take and in which jurisdiction will it occur?

Ensure exit clauses cover ownership and extraction of your data. For sophisticated applications, the format you receive data in should be thought through in advance.

In Conclusion: Balance

There are many ways to manage risk. The key word is manage: make informed, conscious decisions about the value received, compared to what is presently being attained.

The business benefits of SaaS and Cloud solutions can be maximized by forming a project team of appropriately skilled staff and/or consultants with knowledge of the source material outlined above. Using this team to engage the relevant business stakeholders in a meaningful risk decision-making process prepares the organization for a relevant, targeted evaluation of vendors. In so doing, you will arrive at accurate specifics about the service offering and the business benefits received.

- Shayne Bates

Thursday, July 15, 2010

Real World Risk Management and the Business Value of SaaS

Source: http://blog.brivo.com/bid/39552/Real-World-Risk-Management-and-the-Business-Value-of-SaaS

This week, Brivo hosted an Executive Roundtable to better understand customer considerations when they choose to use the cloud to host business applications. A select group of participants attended, representing a broad mix of DC-area IT and physical security consultants who serve various federal and commercial clients.

SaaS Case Study

We met with decision makers from the Montgomery County (MD) government, Brivo’s home county, who shared their reasons for moving a large portion of their departments’ business applications to SaaS.

What Type of Applications?

Some of Montgomery County’s SaaS applications include:

  • Electronic patient care
  • Human resources (for hiring and reviews)
  • Crime reporting
  • PCI (Credit card)
  • Security team services

Scrutiny

It was interesting to hear about the reality of decision making around risk and compliance when using a technology strategy as a lever to achieve business goals.

Cloud technologies that offer different ways to support business and serve customers invariably receive close scrutiny, especially the application list above, because large amounts of personal data must be protected while complying with a wide array of important privacy and compliance laws.

The Montgomery County case study fueled much conversation, particularly in regard to mechanisms to protect sensitive customer data and the associated risks in doing so.

Business Reasons for SaaS

Technology and cost are not the only reasons to use SaaS. In Montgomery County’s case, a mix of business, financial, and security reasons drove their decision to outsource applications to a SaaS provider:

  • Lower total cost of ownership
  • Speed of implementation
  • Reduction or elimination of capital expenditure
  • Shared risk by the provider
  • Disaster recovery and high availability
  • Equal or better attainable security

Raising the Bar on Security

Smart practitioners who understand and identify real-world enterprise risk know that there is frequently a gap between prescribed levels of security and the actual security posture. So how does a county close gaps during a time of budget pressures and declining tax revenues without sacrificing institutional knowledge?

Superior Performance for the Dollar

SaaS technology offered Montgomery County a way to better mitigate risk while significantly reducing capital expenses. Maintenance fees previously paid from the operating budget now fund SaaS subscriptions for applications that deliver modern IT-related services to the county and better meet the expectations of businesses and residents. In addition, the SaaS solutions freed the County’s security staff from managing hardware and applications to focus on providing better services to their internal and external constituents.

Friday, June 11, 2010

Which currency will you trade with in the Cloud? (Full Version)

Source: http://securitymole.wordpress.com/2010/07/13/cloud-computing-which-currency-will-you-trade-with-in-the-cloud/

When you want to gain access to a system and the use of a security credential is required, do you rummage through a spreadsheet of passwords, or fumble for one of several keys like a traditional jailer? For manufacturers, there are many choices about how to implement security during design. For example, will the security credential be contained on tangible media, such as an identity smartcard? Or will it be purely electronic, as most banks use for online banking today?

Although there have been many articles written about the volume of passwords in use and the security mechanisms the average person now relies on, how do you know whether such safeguards are trustworthy, let alone whether this information is kept private but readily available? (For manufacturers looking to increase ROI: some organizations expend over 50% of their technical support resources in password management for users!)

Most vendors of technology today do not offer a choice of security mechanisms. This is because, among other things, there is still a lack of real support for the adoption of standards. This is beginning to change and we’ll discuss more about this in future editions.

For now, imagine that you can have your own individually-chosen identity credential, one that you trust, possibly pay for, and can keep a record of its use to access multiple sites and services.

Imagine using this security credential for email, banking, and physical security devices. Would life be simpler? Although most online vendors today issue users their own identities, often a simple password attached to an email address, we all know the limited security that such rudimentary tools offer, and why this proposition has little appeal if it is known to be insecure.

Think of an identity like a currency. Unless the currency has ongoing strength and its value is effectively defended against counterfeiting and other problems, it will at some point become useless. That’s the problem many banks have today: their currencies (card numbers and passwords) become useless quickly because they cannot defend their value and identities are easily assumed by others. Additionally, the overheads associated with the cost of “currency” management and replacement are indirectly passed on to the cardholder.

Some may argue that currencies fluctuate, as do privileges on well-managed systems, but the core idea here is around sustained value and a recognizable standard that many can adopt.

If online identities are like currencies today, then almost every cloud provider is a nation and can create its own currency when it issues usernames and passwords. So how can we trade these thousands of currencies and still be assured that each other’s currencies are not counterfeit, or worthless?

Once you grasp the concept, there are several possibilities: unified groups of currencies (like the Euro) that can be regulated and defended are one contender. There is also the notion of validating currencies and other financial instruments that may be traded, while discarding those that cannot.

Whether you favor the free market, regulation, or a combination of both, all of these approaches work. The debate presently unfolding in the financial sector, around a mix of sound regulation and free markets, pays homage to these ideas.

In the US, the Federal Government, the world's largest user of a unique and secure identity currency (known as the FIPS card), is assembling a strategy around where and how its identity currency can be traded to enable commerce in the cloud.

The Federal Government’s position, found at www.idmanagement.gov, is this: “…the goal is a consolidated approach for all government-wide identity, credential and access management activities to ensure alignment, clarity, and interoperability.”

It is a clear message that demonstrates strong leadership: “Here is our currency, it’s secure, we will defend it, and we are looking for trading partners”. Who wants to ignore an opportunity like that?

This approach demonstrates that the Federal Government is seeking input from those who recognize the value of an enterprise identity management system.

See cloud vendor Brivo Systems’ White Paper "SaaS and the Efficient Realization of FICAM Goals" here (abbreviated URL). Brivo’s physical security framework can be implemented to allow use of the Federal Smartcard, and can also check its validity against an online cache to ensure that the card has not been revoked.

Contenders supporting authentication against an external source include, but are not limited to, OpenID and OASIS with its Security Assertion Markup Language (SAML).

OpenID participant companies include AOL, BBC, Facebook, Google, IBM, Microsoft, MySpace, Orange, PayPal, VeriSign, LiveJournal, Yandex, Ustream and Yahoo!

The SAML idea has been around since 2001, so it is not new, and the single most important issue that SAML is trying to solve is the Web Browser Single Sign-On (SSO) problem. The focus is to overcome the proliferation of non-interoperable proprietary technologies, and it assumes that the user has enrolled with at least one identity provider.
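As an added illustration of the "validate the currency before you trade it" idea in the paragraphs above, and of the revocation check described for the Federal smartcard, here is a relying-party check written for this page. It is not Brivo's code and not a SAML implementation: a SAML relying party verifies the XML signature on an assertion against the identity provider's published certificate, whereas this example substitutes a compact JSON assertion and an HMAC-SHA256 key per trusted issuer so that it runs with the Python standard library alone. The issuer registry, the audience, the credential ids and the revocation cache are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed registry of trusted identity providers (the "trading partners").
# A shared HMAC key stands in for the signing certificate a SAML relying party
# would load from the IdP's metadata. Example value, not a real key.
TRUSTED_ISSUERS = {
    "https://idp.example.gov": b"constructed-example-key-do-not-reuse",
}

# This relying party's own entity id; assertions minted for anyone else are refused.
AUDIENCE = "https://pacs.example.com"

# Constructed revocation cache, in the spirit of the "online cache" the text
# describes: credential ids the issuer has revoked, plus when the cache was last
# refreshed. An old cache is unknown state, so the check fails closed.
REVOCATION_CACHE = {"revoked": {"card-0002"}, "refreshed_at": 1_700_000_000}
MAX_CACHE_AGE = 3600  # seconds


def sign_assertion(issuer, key, subject, credential_id, audience,
                   not_before, not_on_or_after):
    """Issuer side: return base64url(payload) + '.' + hex(HMAC-SHA256(payload))."""
    payload = json.dumps({
        "iss": issuer, "sub": subject, "cred": credential_id, "aud": audience,
        "nbf": not_before, "exp": not_on_or_after,
    }, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_assertion(token, now, cache=REVOCATION_CACHE):
    """Relying-party side. Returns (accepted, reason_or_subject)."""
    try:
        encoded, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded)
        claims = json.loads(payload)
    except ValueError:                      # covers bad base64 and bad JSON
        return False, "malformed"
    if not isinstance(claims, dict):
        return False, "malformed"

    # 1. Is the issuer a currency we recognise at all?
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return False, "untrusted issuer"
    # 2. Is it genuine, or counterfeit? Constant-time compare of the MAC.
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # 3. Was it minted for us, and is it inside its validity window?
    if claims.get("aud") != AUDIENCE:
        return False, "wrong audience"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "outside validity window"
    # 4. Has the issuer withdrawn this credential? Refuse if we cannot tell.
    if now - cache["refreshed_at"] > MAX_CACHE_AGE:
        return False, "revocation cache stale"
    if claims.get("cred") in cache["revoked"]:
        return False, "credential revoked"
    return True, claims.get("sub")


if __name__ == "__main__":
    issuer = "https://idp.example.gov"
    tok = sign_assertion(issuer, TRUSTED_ISSUERS[issuer], "alice", "card-0001",
                         AUDIENCE, 1_700_000_000, 1_700_003_600)
    print(verify_assertion(tok, 1_700_001_000))
```

The order of the checks is the point: issuer trust and signature are settled before any claim is acted on, and the revocation step fails closed, so a relying party that has lost contact with the issuer does not quietly honour a credential the issuer may already have withdrawn.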

What will identity, credentialing and access management look like in the future? Is the overall cost of issuing a credential that is less than optimal and proprietary really sustainable? Can growth and efficiency of online commerce be maintained without impeding growth?

The identity train is coming; if you don’t feel the tracks shaking, you soon will.

Published in the International Security Buyers Guide June 2010

Friday, May 14, 2010

Which currency will you trade with in the Cloud? (Abbreviated)

When you want to access a system, which identity is acceptable to use? Can you bring your own from elsewhere? Most online vendors today issue users their own identities – a simple password attached to their email address. I don’t have to elaborate on the weak security that such rudimentary tools offer.

Think of an identity as being like a currency. Unless the currency has ongoing strength and can have its value defended against counterfeiting and other problems, it will, at some point, become useless. That’s the problem that many banks have today – their currencies (card numbers and passwords) become useless quickly – because they cannot defend their value, and identities are easily assumed by others. Additionally, all of the overheads associated with the cost of management and replacement are indirectly passed on to the cardholder.

If online identities are like currencies, every cloud provider is a nation and can create its own currency. So how can these thousands of currencies trade together and be assured that each other’s currencies are not counterfeit, or worthless?

Once you grasp the concept, there are several possibilities. The idea of unified groups of currencies (like the Euro) that can be regulated and defended is a contender, as is the notion of validating currencies and other financial instruments that may be traded, while discarding those that cannot.

Whether you favor the free market or regulation, either approach works. Events presently unfolding in the financial sector, around a mix of sound regulation in the free market, pay homage to these ideas.

The Federal Government, the world's largest user of a unique and secure identity currency (called a FIPS card), is assembling a strategy around where and how its identity currency can be traded to enable commerce in the cloud.

What will identity, credentialing and access management look like in the future? Will tens of thousands of unique password systems power commerce without tangling its growth?

The Federal Government's position, found at www.idmanagement.gov, is this: “the goal is a consolidated approach for all government-wide identity, credential and access management activities to ensure alignment, clarity, and interoperability.”

It is a clear message that demonstrates strong leadership: “Here is our currency, it’s secure, we will defend it, and we are looking for trading partners.” Who wants to ignore an opportunity like that?

The good news is that cloud computing is well suited as an enabler of good security. See Brivo Systems' paper "SaaS and the Efficient Realization of FICAM Goals" here (abbreviated URL).

The identity train is coming; if you don’t feel the tracks shaking, you soon will.

Friday, April 23, 2010

Cloud Computing and Software as a Service - An Overview for Security Professionals

Late last year, the IT & Physical Security Councils of ASIS International formed a joint working group to study Software as a Service and produce a white paper, with a focus on physical and electronic security. The white paper is now available online.

Here is an excerpt from the introduction:

"The traditional electronic security industry, whose origins are rooted in the burglar alarm, is now moving very rapidly toward more complex networked systems and information management. Much discussion has occurred about the role of IT and physical security and the need to work closely together to manage and deliver efficient and risk appropriate security systems for the benefit of organizations. Much of this discussion has occurred around the developing framework for enterprise security risk management and convergence."

Link: Cloud Computing and Software as a Service. An Overview for Security Professionals

Source: ASIS International


Friday, April 16, 2010

Can Security Management Applications Become On-Demand Business Systems?

What security decision makers should know about Software as a Service.

Shared infrastructure is already commonplace

We live in a converging world where voice, telephony, business applications, and security traffic now move up and down the same communications infrastructure within organizations. While this may come as no revelation, there was a time not long ago when the very notion of using a shared resource to move security traffic was met with many objections from IT and Security personnel alike. Issues related to bandwidth, availability, and service are all items that have required discussion, definition, and consensus for organizations to unite systems and deliver solutions that meet the many technical needs of an enterprise security system.

Sharing an organization’s infrastructure is not free

While some organizations are convinced that owning and controlling their entire IT infrastructure and the applications is the most efficient approach for their business, recent research from the Yankee Group, Gartner, and others suggests otherwise when compared to adopting a Software as a Service (SaaS) model.

Because many organizations’ security systems now have the associated servers and applications managed by IT, the cost for management is regularly apportioned, taking into account the cost of software maintenance, servers, and the personnel who maintain them, as well as the shared overhead of the infrastructure.

As IT costs continue to escalate, organizations review what is “non core,” what makes sense to outsource, and what is strategic to the business mission to buy and manage.

Raising the bar: does the dedicated expertise of SaaS translate to high availability and less risk?

For organizations considering outsourcing business applications, the savings available using SaaS are compelling, because of the economies of scale that SaaS providers achieve in delivering the best value for the budget. Expert SaaS providers with larger infrastructures now deliver not only what the corporate data center did, but with a specialty focus and greater attention to redundancy and availability.

Consider this: most organizations cannot justify the in-house implementation of the triple redundant, high availability systems that SaaS providers offer as standard, and therefore have to settle for greater risk and downtime when security applications fail.

Do capital costs really disappear with SaaS?

When organizations consider all costs associated with purchasing, maintaining, and upgrading applications, SaaS is a compelling choice because the core application, infrastructure, and maintenance are all outsourced. But who owns the actual application and the cost to purchase and regularly upgrade it?

This aspect of the total cost of ownership is worth examining. The customer owns what is most valuable to them—the data—but is not shackled with the cost of owning and maintaining the application, as is the case when self managed at a corporate data center.

Therefore, the overall cost of ownership is significantly reduced because it is shared across the entire user community, and delivered as an “on demand” subscription service. This model is like a utility service; you pay only for what you use, without owning the core infrastructure.

The flavor of SaaS is important

With mature SaaS applications, all users collectively, across many organizations, utilize the same application while enjoying separate data. Note the word mature. This is a flag for those considering SaaS. If you are offered a “separate instance,” in effect you get a “standalone version.” In many ways, this replicates the corporate data center model and does not have the same cost benefits that a true, multi-tenant SaaS application offers. Multi-tenant design is at the heart of, and the defining principle of, mature SaaS software.

Compare paradigms

Table One looks at the phases of the security system lifecycle and compares the company-hosted model to the cloud-based SaaS model. In addition to the comparison, it lists eight points to consider when comparing self-hosted to cloud-hosted SaaS.

Table One: SaaS Ownership Analysis


Source: http://tinyurl.com/2u2cdd8