In this article the Department of Defense is claiming that they have a cloud that is more secure and reliable than Google's offering. That may well be true, we saw just recently how a denial-of-service attack crippled Bitbucket's cloud service which is hosted (or was at least) by Amazon. But there are a couple of observations I have about this:
1. They aren't actually running any production applications on this cloud yet. Note: "Since its launch a year ago, RACE has been available for test and development of new applications, but not for operations." It's not that hard to make a platform that is fast and reliable for testing and development. Tell us how fast and reliable it is when it's being used by thousands of users.
2. This is a private cloud. It's a lot easier to make your cloud secure when you're hosting your own cloud, effectively "in-house". It's not open to the public. You're not sharing server space with "Bob's SaaS app". Nobody else accesses those servers except for DoD users.
My concerns with cloud computing are largely addressed if the company hosts their own internal cloud. That gives them control over their own data, they don't have to be concerned about where their data is being hosted or what happens to their data in the event the hosting company fails or decides to make unfavorable changes.
It should come as no great surprise that Google doesn't match up favorably (allegedly) with an internal DoD cloud.
More details are coming out about security issues in the iPhone devices. Now, to be fair, I'm confident that there are at least some security issues in just about any device. The focus right now is on the iPhone because the device has become so popular and because knowledge-workers in particular are so strongly attracted to these devices.
As a general rule if a student or a mail clerk gets their iPhone hacked the data stored on it is probably of limited value to the attacker. On the other hand if an attorney, CPA or other executive gets theirs hacked it may well contain important, confidential and valuable information to their companies and or clients.
Of the vulnerabilities detailed in this article I think the one about choosing a numeric password is especially pertinent. It's common for folks to choose a 4-digit PIN, and to use one that is familiar. How many of you have a PIN for your device that is the same as your PIN for your bank account? If an attacker gets ahold of your phone and discovers the PIN what else have they learned?
For the device to reveal to the attacker that the passcode is, in fact, a 4-digit numeric is a great example of placing customer convenience and slick interface over security - a problem that drew a lot of ire for Microsoft in the 90s and earlier in this decade. Maybe it's time for Apple to learn the same lessons - that if you want to have security you can't make unlocking something so convenient that it's easy for unauthorized persons to do.
As tropical depression Felicia passes among the Hawaiian Islands now is a good time to be making final checks of your storm preparedness at the office. Here are a few tips for you:
1. Check your backups. Make sure you have good, current backups of your data. Not just servers, be aware for any key data that might exist on client workstations (and once the storm passes look for ways to centralize that data). Make sure you have at least one good, off-site, backup. The off-site backup would ideally be in a bank vault, safe-deposit box or other secured site, but in a pinch you could even just take it home.
The important thing is that it be somewhat climate controlled and secure against theft or weather.
2. Check your power protection. Servers and mission critical workstations should be plugged into battery backup (UPS) systems. All other important electronic equipment (printers, copiers, TVs, etc.) should be at least plugged into a QUALITY surge protector.
Please note that not every "multi-outlet strip" is a surge protector. A lot of the "multi-outlet" strips you might buy at WalMart or Home Depot are merely multi-outlet strips with little or no surge protection capability.
We recommend American Power Conversion products for both battery backups and surge protection. You can find APC products at Best Buy and most good electronics retailers, along with online at many sites.
3. Look up your insurance policies for business and home. Make sure you have the name and number of your insurance agent and the and policy number programmed into your mobile phone (or at least written on a card you can keep in your wallet) just in case you need them.
If you need any assistance with your systems during or after the storm, please feel free to get in touch with us at 808-782-6306. Hopefully we won't have to help you with disaster recovery, but if that's what you're facing, we're here to help.
Microsoft has announced that they are going to be moving the infrastructure for its Azure cloud computing center from Washington to San Antonio, Texas for financial/tax reasons. One of the technological advantages of computing in the cloud is that your data and applications can physically reside just about anywhere.
That's all well and good when that anywhere is Texas, or Iowa or Michigan. But what happens if it becomes financially advantageous for them to host your data somewhere else. Like Thailand, or the Ukraine or China? You may suddenly find...or worse, be totally unaware of...that your data is physically located in a country that is unstable or unfriendly. What are the laws in that jurisdiction about electronic discovery or privacy? If the hosting company doesn't pay its taxes in that country might the government there decide to seize the servers (and your data)?
If that data is your kid's soccer schedule that's fine. If it's your company's confidential work product that could be a problem.
John Simek from Sensei Enterprises has written a good post on the security (or lack thereof) of the iPhone 3GS. Yes, it includes encryption but that encryption is so readily bypassed that it's virtually useless.
Yes, it has a remote wipe capability but that capability is so easily defeated that it's almost useless. TIP: If you lose an iPhone and need to wipe it you'd better do it QUICKLY.
The iPhone question (should we or shouldn't we?) is starting to remind me of the Cloud Computing question. People get so excited about the cute games and features, entranced by the suggested cost savings or this or that bullet point from the marketing website that they gloss right over the shortcomings. They don't even consider significant security and privacy issues because they're just so entranced by the shiny things.
By the way, Network Solutions apparently suffered a data breach which may have compromised more than a half-million credit card numbers. And yes, they were already PCI compliant.
Still anxious to trust your confidential company data to the "Cloud" or an iPhone?