Cloud Security Standards for the rest of us

A couple of weeks ago I presented a session about Cloud Security Standards at the yearly ComputerWorld / KornerStone Cloud Security Forum, and one question kept popping up during the event – “Why Cloud Computing ?”. That puzzled me a bit, as I thought all of us were aware of the benefits of Cloud Computing – services on demand, pay as you go, improved development agility, etc. So I answered the question with another question :


Yes, why not ? As you may expect, the typical answers from the floor were “Poor Security !” and “Concerns in Data Privacy !” … Those are concerns, I agree, but they are not facts. Instead, I believe the first few things business users and CTOs / CIOs should consider are some other, psychological barriers.


Those barriers are very real, because once you have performed a proper risk assessment of deploying Cloud in your business, and tackled those barriers, you will find that security and data privacy are not major concerns; they are rather something the company and the IT team should handle and tackle professionally.


And what I mean by handling it professionally is that, before jumping to the conclusion that Cloud Computing is not secure, you first ask yourself questions like when and where to use Cloud; outline the Service Level Objective you need; review the people’s skill set, process and change management maturity; and only then look for technical solutions.


With all that said, one will still question how one can make sure the cloud services (IaaS, PaaS and SaaS) are secure. And that, I think, is where Cloud Security Standards can help. It’s not a secret that we have dozens of Cloud Security Standards in the market, and in fact, all of them are important and relevant.


With so many standards and guidelines, it is rather difficult to tell whether a Cloud Services Provider (CSP) already conforms to certain standard(s) if you are shopping for CSPs, or hard to convince customers that your company conforms to certain standard(s) if you are a CSP. The only way, I think, is through Certification.

I believe that with a proper certification process, regular reviews and listings of all certified CSPs, customers can easily find the best CSP they want. By the same token, CSPs can easily prove to their potential customers that they are doing a good job.

So Cloud Security Standards may not be easy to define, and complicated to comply with; but with a certification process, it is easier to make the whole thing more fruitful for the standardisation bodies, the CSPs and the Cloud Computing customers.


Joni Mitchell and Cloud Computing

It may sound very strange, I mean, how can Joni Mitchell, the Canadian musician, songwriter and painter, remotely relate to Cloud Computing ? Yes, it’s that strange.

I am not exactly a big fan of Joni Mitchell, but I do love her song “Both Sides Now” a lot. Interestingly, this song is the last one on side B of the album “Clouds” (what a coincidence), released on May 1st, 1969. Yes, it’s almost 45 years ago, but the other day when I was preparing a conference keynote about cloud computing, I started iTunes and the first song it played was “Both Sides Now”. Then I found out the relationship …

Let’s check out the lyrics of that beautiful song:

Bows and flows of angel hair
And ice cream castles in the air
And feather canyons everywhere
I’ve looked at clouds that way

As you can see, these four lines kind of describe the many shapes of Cloud and Cloud Computing – IaaS, PaaS, SaaS, Public Cloud, Private Cloud, Hybrid and Community Cloud. Then the next four lines:

But now they only block the sun
They rain and snow on everyone
So many things I would have done
But clouds got in my way

That basically applies to all traditional IT teams; Cloud Computing is now impacting their everyday work. Internal users can now bypass the IT team to subscribe to various cloud based services, development teams can set up development environments in the cloud in minutes without purchasing any new servers, and one system administrator can manage dozens of servers in the virtualised environment with ease; in effect only a small engineering team is needed.

Lastly, the third paragraph:

I’ve looked at clouds from both sides now
From up and down, and still somehow
It’s cloud illusions I recall
I really don’t know clouds at all

Yes, clouds are all just illusions, if one takes Cloud Computing seriously – perform a proper risk assessment (check out the CSA Cloud Control Matrix), and evaluate cloud solutions and cloud services providers systematically. Most important of all, even if you host your applications in the cloud, you have not transferred the security risk to the cloud. Instead, you are still responsible for the security of your IT systems.

Cloud Computing is real, it is not an illusion. [Both sides now – Video]


Olympus OM-D E-M1 in Las Vegas

Even though it’s not my first time in Vegas, it’s the very first time I had a chance to visit the museums in Vegas – yes, I am not a guy who spends any money on the slot machines. Right after AWS Re:Invent, I took a cab from the Palazzo Hotel to the Neon Museum. It cost me US$ 20 but was well worth the money, as it’s really hot to walk miles along the Strip to the museum. In the Neon Museum you will find lots of old casino and hotel signs. Through the guided tour, you will learn more about the history of Sin City and those neon signboards.

Then after that, a casual 15 minutes’ walk will lead you to the Mob Museum. If you are a fan of mafia, organised crime and law enforcement, don’t miss it – all the mob stories are explained in great detail with excellent photos, audio and visual effects. Then just opposite the Mob Museum is the Fremont Street Experience – don’t miss the show every evening. So after all, it’s really a good way to spend an afternoon in Vegas if, like me, you don’t like gaming, and don’t mind some walking.

But of course, the most important thing is that I took my OM-D E-M1 on this short trip, and here are the pictures …

Timeline of (my) Olympus cameras

Everyone knows me as an Olympus fan, not because I shoot lots of beautiful photos with Olympus cameras but because of the fact that I have bought many Olympus cameras (Digital SLR and Mirrorless) since they launched the revolutionary E-1 camera in 2003.

Ten years ago, there was really no original digital SLR (DSLR) camera design in the industry, as most of them were just a rehash of the film SLR cameras. On the other hand, Olympus’ E-1 was a really ground breaking DSLR, as Olympus designed the camera from the ground up with many new and digital photography specific features. So in the last 10 years, I bought eight (!) DSLR and Mirrorless cameras from Olympus, and they are – E-1, E-300, E-510, E-P1, E-5, E-P3, E-M5 and the latest E-M1.

I reckon the best way to illustrate this crazy history is through the use of a “timeline”. Unlike typical static WordPress timeline plug-ins, I use the interactive timeline script from timeline.knightlab.com. It lets you move along the timeline and click the image thumbnail to launch the blog post I wrote about the camera. Neat …


New Olympus OM-D E-M1


iPad Keyboard Case – The Final Episode

Yes, it’s going to be the final episode of the “iPad Keyboard Case”, as I believe I have bought way too many iPad keyboards. In addition, I believe the new iPad 5 will be thinner than the iPad 4, and so it is pointless to buy any new keyboards that may or may not fit the future iPads.

So, the latest keyboard I got after months of waiting is the Belkin Ultimate Keyboard Case for iPad. Is it good ? A resounding yes. Is it much better than many others’ favorite – Logitech Ultrathin iPad Keyboard Cover ? Well well …

First of all, the new Belkin keyboard is about US$ 25 more expensive than the Logitech one (as of the end of August 2013). And it is heavier, thicker, with softer keys, and not as sturdy as the competitor (because of the multi-angle design, see below). However, it is really good in a few other areas:

  1. It protects the back of your iPad;
  2. It is heavier than the Logitech, but still lighter than others like ZaggFolio;
  3. It supports multiple-angle viewing (watch the video below);
  4. It can fold flat to become a tablet again (Logitech and others cannot do that), which is particularly useful when reading ebooks on public transport, without looking like an idiot;
  5. The cover is specially designed to direct the sound flow towards you, which makes the audio sound a little bit better;
  6. It’s more stylish (I bought the white colour version, to fit my black iPad).

All in all, I am happy with the new member of my iPad keyboard family, and will use it for a while … before the next keyboard comes out. And here is a video to see how the keyboard case works with the multiple angle set up.

Unlearn, relearn and the AWS Summit

The American futurist Alvin Toffler once said – “The illiterates of the 21st century will not be those who cannot read and write but those who cannot learn, unlearn, and relearn”. I think it is particularly true for those of us working in the Information Technology industry, as every two or three years we need to unlearn some buzzwords and relearn some others.

However, Cloud Computing is not a buzzword. Therefore, it is important for us to unlearn the previous know-how and relearn the new new things – the new way to design, implement, test, operate and monitor Cloud based IT systems. And one of the best ways to go through this unlearn-and-relearn cycle is to attend Amazon’s AWS Summit.

One of the key learnings from the Summit is that you can auto-scale IT systems. In the past few years, no matter who you talked to – salespeople, developers, architects etc. – they would all tell you how great it was that you could easily scale up your Cloud based IT system when the system was under heavy load (for example, in the peak hours of a sales period, or festive seasons). It seems to me all they need is to scale up; all of them are very optimistic about their businesses !!

However, the true beauty of the Cloud system is in fact the ability to scale the Cloud based IT system down, not up. In other words, we should design our system so that, based on certain business and technical criteria, it can scale up to cater for the extra load, and scale down to save cost.

In other words, the Cloud system is no longer a fixed architecture; it will grow or shrink its computing power in line with the business. It will cost more when business is good, and less when business is slow. Finally IT becomes part of the business.

Another key learning is a product life cycle that encourages innovation and trying out ideas. Unlike the previous IT set up, now you can implement a basic computing architecture in the cloud in minutes. And you can close down that same architecture in seconds. That flexibility helps us to test drive any idea with ease, and with a low cost barrier.

Amazon proposes a life cycle of :

Idea -> MVP -> Scale -> Profitability

(where MVP stands for Minimum Viable Product)

In other words, start with your brilliant but untested idea, and build an MVP with a minimal computing architecture. When it proves a good idea to pursue further, scale up quickly. Then reap the profit with as little computing power as you need.

So, if you missed the AWS Summit 2013 Singapore, and want to unlearn quicker and relearn more … Don’t miss the next AWS re:Invent 2013.

Singapore