Saturday, November 22, 2008
My current annoyance in the ability to ascertain the security posture is this; the management of the little system wants as few vulnerabilities as possible, obviously. So naturally, their scanning policy is tailored to the system and to the excepted risks. The certification agent has their own process for assessment, good for them. However, their process does not include updating their process for the environment.
The two processes are at odds with one another, so we are constantly chasing vulnerabilities. Different tool sets, different time lines, different policy baselines, plugin updates, the list goes on. When I try to convince that less scanning needs to happen, we in fact get more.
Most people I talk to would agree, it would be good to run as many tools as possible at your environment. I am currently frustrated by it.
There really wasn't any point to this story except that scanning with 19,000 tools is helpful as long as everyone is on the same page and can adequately communicate that page. So far, I have apparently been an ineffective communicator or my communication has been accepted and then moved aside in an effort to portray a rosier picture.
A new plan will have to take shape now. Details to follow.
Tuesday, November 18, 2008
Up until this afternoon, I didn't think that it was more than a hassle that had to be dealt with. I knew the obvious drawbacks when it came to incident handling or things like “where is my data actually stored”. I saw a presentation by Dennis Murrow of ConfigureSoft and things got really scary.
I wish I had the slide deck to make all the points, the short version of a series of questions posed to a fictional SOA/SaaS provider:
Where is my data and how are you managing it (backups, access controls, auditing, etc)?
If I choose to leave you as customer, can I get my data back and what condition will it be in?
How is the underlying hardware, hypervisor, operating systems and applications maintained and operated?
What are your policy baselines and vulnerability remediation procedures?
The list went on. To many, this is most likely old news. Judging by the way that oxygen left the room, many people seemed to be just realizing these issues. The speaker was also able to present this information in a way that didn't appear to be coming across as FUD. It just seemed like a logical progression of things to consider before ... you know ... sending your confidential, proprietary data into the ether.
After the session, many had sworn off the idea of putting their data in a cloud computing environment. There may have been a few management types that still clung to the idea that outsourced data processing and storage was a good idea.
My end takeaway is this there is no risk that anyone in their right mind can accept here, there is no assurance evidence that could make me believe that in 2008 (and probably into 2009) that cloud computing is a good idea. I could almost see that you could sell “auditor me” on virtualizing a couple servers. But the jury is still out on that one. For now, I'm with Hoff. Cloud computing needs to come along further before I can get on board, anyone considering it ... should wait until some improvements come along.
Wednesday, November 12, 2008
The idea that we can do an adequate risk assessment ... $0.
Subjecting ourselves to a fruitless process with no significant progress ... Millions
Suddenly coming to the realization that there needs to be an overhaul ... Priceless.
Tuesday, November 11, 2008
Godfadda make your travel plans to sunny National Harbor, MD. Bask in the glory of the brand new Wilson bridge (and the occasional and unfortunate bouquet of Blue Plains treatment plant).
Godfadda, please contact me at cyberhiker at gmail dot com for details.
Congratulations and I will see you there!
Saturday, November 8, 2008
Tuesday, November 4, 2008
The rules are these: The winner will need to answer a question regarding Information Assurance (probably FISMA related). The question will deal in facts, or at least my interpretation of the facts. The question will be posted Noon tomorrow (November 5th), and the first person with the correct answer will be the winner. Please leave a way for me to contact you.