Bringing the cloud down to earth – WCC2010 Keynote by Nicholas Carr

September 21, 2010

Nicholas Carr is of course the infamous author of “IT Does Not Matter” published in the May 2003 edition of the Harvard Business Review. The paper was widely criticized heavily. I generally don’t agree with the criticism against the arguments, but feel that the title deceive.  The paper argues for IT becoming a “utility”, in the same way that electricity became a utility. So the title is equal to saying “Electricity does not matter”, clearly not the case.  What is the case, however, is that IT has lost its benefit as competitive advantage (at least for the average company) and it is more of a necessity than ever before. Read the rest of this entry »

Day 2 ISSA2010 keynotes

August 3, 2010

Today had two keynote addresses scheduled.

The first was by Andreas Schaad from SAP Research. Andreas presented “observations on security in large-scale industrial landscape”. He presented an interesting talk covering, inter alia, the area of access control and workflow, which of course were the general area of my PhD. I found the following observations particularly interesting:

  • There exist a big communication gap between business process experts and security experts. He demonstrated some work done on the graphical representation of access control policies.
  • He suggested that access control policies should be dependent on the state of the business objects. I don’t think this is a new idea, but it does not seem to be done in industrial systems yet. Personally I think this might be related to the administration detail and the gap mentioned in the previous bullet.
  • While rule engines exist, many access control policy is still hidden deep in code.
  • He presented some results regarding the caching of access control decisions as to speed up performance. In this case caching is historic and predictive, i.e. fore-warding looking dependent on the business process.

One of the areas currently investigated by his group is to bring more context into the access control decision. This could for example be location information from a mobile device.
My conclusion: the area of access control is still well and alive. Theory and practice is not quite aligned…

The second keynote address is professor Joachim Biskup.  His talk is entitled “Principles of Inference Control Applied to Controlled Query and Update Execution”.  He addressed the issue from a formal approach. Inference control is, in lay men’s terms, about thinking about the implications of an action.  Should therefore be an integral part of things like the granting of access control. Two techniques of inference control are static inspection and dynamic modeling. Static inspection happens at design-time, while dynamic monitoring deals with actual situations. He described some work they did in controlled query and update execution. Sounded interesting, but not quite my kettle of fish at the current moment.

Kicking off ISSA 2010 – the ninth Annual Information Security South Africa Conference

August 2, 2010

This is the 9th time that ISSA takes place. This year ISSA is co-sponsored by IFIP and the IEEE. The proceedings will be published as part of the IEEE digital library.  This no doubt increases the visibility of ISSA papers.

The first keynote speaker is Mark Politt. He comes from a very strong law enforcement perspective. His talk is entitled “Information Security in the 21st Century. In the 1940 – 1980’s life was simple. Everything belonged and were controlled by the IT department – IT lived in a glass house. Then along came the PC… This gave IT new turf in the organisation. We thought we could control the PCs!? And then came the rise of the Internet. All was about eyeballs and bandwidth.  Focus shifted to network/application from information/computer security. The threat became a very real economic threat.

So where do we stand today. Mark thinks we are better off today because we understand things better than say 5 years ago. But he qualifies his statement by saying that that is only because we were really bad five years ago… Today we need to manage the tradeoffs: cost vs tradeoff, complexity vs flexibility and ease of use.

But the coming of social networking change must specifically as far as human behavior is concerned.  The youth of today define themselves by things such as Facebook. If they’re not on Facebook it’s (for them) as good as if they don’t exist. Sadly people are mostly oblivious to information/operational/personal security. Welsch‘s Theory of Media Ecology was mentioned, one of the interesting observations that people don’t really work in groups, but rather in flocks/tribes. Generally these kinds of environments get characterised by “freedom” rather than control. We need to mediate changes in behavior.

His conclusion: information can only be hardened, not controlled. Social behaviors will have a critical impact on security, technology enables “information citizenship”. We need to make information classification, privacy enhancing technologies and security education needs to work together to ensure that we get better at securing our information assets.

The next guest speaker was Johann van der Merwe from PWC.  He says the we have exactly the same problems that we have a couple of years.  Audit report findings look exactly the same as previous years – we are caught in a “hamster wheel of a pain”. Part of the problem seems to be that we only have perceived risk, based on experience since the complexity does not allow us to understand everything.  Perceived risk is further influence by legislation and economic forces. But he sees the Information Security Organisation to operate silo-based, rather than as a business. He then described some things to do in terms of the ISACA Business Model and Value chain concepts.

After Johann, Elize van der Linde provided some information regarding the King III report and information security.  The King III report of course explicitly makes the board responsibility for information security, ensuring that IT align with performance and sustainable objectives. The board must see that they implement an IT governance framework. The risk and audit committee must assist board carrying out its IT responsibilities. She then concentrated on the “I” side of IT Governance. Information governance is a shared responsibility between business and IT. It is complex, needs a multi-year project and a roadmap to be measured against.

OK, time for tea…

I will be blogging at least the keynote speeches and maybe selected individual talks throughout the conference.