Passwords are like underwear. You shouldn’t leave them out where people can see them. You should change them regularly. And you shouldn’t loan them out to strangers.

It’s funny when I see articles around security that focus on how Anti-Virus is the key to computer security. I know that yes, the risks from malware and virus-laden attachments are a pain in the butt for security professionals, and even regular computer users, but is A/V really the key to computer security? If you ask me, it’s really about education and process than anything. Continue reading

Outside of a dog, a book is man’s best friend. Inside of a dog, it’s too dark to read.

It may come as no surprise that I read a lot about cloud and security. I mean A LOT. My Twitter feeds are rammed with representation from all things cloud. As Martha Stewart would say, “It’s a good thing.”. So when I’m not doing my day job, I’m busy writing this daily blog, writing for another awesome Canadian blog,, some vendor sites, and writing whitepapers for various conferences, doing research with the Cloud Security Alliance and the like. I do this so that I can help educate the market, particularly the Canadian market, on cloud. Continue reading

If we knew what it was we were doing, it would not be called research, would it?

I had an interesting discussion yesterday about cloud and platforms and what the market is seeing, and I started thinking back to the OpenStack movement and the whole idea about open source clouds. The question is is open source cloud something to consider when transitioning your business to a cloud or virtualized model? Continue reading

Hokey religions and ancient weapons are no substitute for a good blaster at your side, kid.

I’ve been knee deep in enterprise cloud work lately, so I thought I would take a bit of a break and focus on a neat little home cloud solution that I stumbled upon from one of my favorite gear companies, D-Link. I never really thought about D-Link and cloud, but yesterday I came across their new cloud services offering and I thought it was pretty cool.

So we all know D-Link as being responsible for our favorite modems and routers. Oh, and my favorite device of all, Boxee Box. But they recently released a neat device called their Cloud Router, which is really the basis for a bunch of neat cloud solutions for those of us who take our home network a little too seriously.

D-Link has been focusing lately on creating a home network cloud for consumers which allow them to access all their content with either 3G/4G or 802.11. This means you can access not just files but cameras at any time from anywhere. But it also has some neat intrusion detection tools and can show you web history of any devices. Oh, and did I mention it does motion control triggers and you can set recording schedules?

What I like is basically the router acts as a cloud gateway, and you can connect any storage device to it. This is not the first time we have seen the personal cloud movement (Dropbox, iCloud etc come to mind), but it’s really cool that we are seeing companies like D-Link step in the game, especially since they’ve already done a great job with media.

May the Odds be Ever in Your Favor.

It’s been awhile since I’ve written about security, but last week I came across a really great (but frightening) example of how security is affected with virtual environments. An organization who was running a virtual environment suddenly lost access to their entire infrastructure. It wasn’t a result of a badly configured virtual environment, it was arguably one of the first examples that I have come across of an attack against a virtual environment. I don’t know if it was intentional, but it’s a very interesting story of just how the threat landscape is adapting.

Essentially what happened was that the Windows server their virtual environment was running on had suffered a malware infection. The worst thing was that it was a known exploit, but hadn’t been patched. What the exploit did was cause the server to hit the network stack with enough traffic to cause a DDoS attack against the management console. This brought not just everything down, but rendered the environment unavailable.

Can you imagine if this type of vulnerability happens in production environment, such as in a financial or e-commerce organization? Aside from the financial ramifications of not being available to customers, but if you couldn’t recover any of your data? This type of attack could theoretically cause irreparable damage to a company.

I know the whole concept of securing virtual environments is a new thing. I work with several research groups within the Cloud Security Alliance so I am aware of just how little information there is out there as it relates to best practices. But when a real-world example of how these types of attacks are starting to affect virtual environments, it makes it clear just how important these conversations are.

Now I am not sure what happened to the organization who was the unfortunate victim of the attack. I hope that the fact that they figured out it was a network issue means that once the vulnerability is patched the VMs can be restarted. But I doubt that this is a rare and isolated example, which means that it is officially time for security and infrastructure folks to step up their game.

Danger Will Robinson! Danger!

Yesterday the latest security report from Verizon was released, with some much-expected statistics around hacktivism and security breaches. As it relates to cloud, the statistics are already hinting about where organizations need to focus.

Some of the key points are that internal breaches have been reduced significantly (hopefully through corporate security education), and physical attacks account for around 10% of all breached records.

But the really staggering statistic is around breaches themselves. 97% of them were avoidable had simple security measures been in place. 97 percent! 96% of the victims were required to comply with PCI DSS guidelines but sadly didn’t meet the requirements.

So what all this mean as it relates to cloud? It means that if breaches are still happening and that if requiring compliance to PCI isn’t stopping it, cloud isn’t going to help. As organizations start pushing content to the cloud, security will be even more important as hacktivists are scanning all web-facing content for potential victims. There is no longer a “we’re not big/important enough to be a victim” excuse. Cloud is going to make everything more available, and make security trickier to manage.

So what can organizations do to help reduce this risk? First thing is to make sure that you know where your data is. If you don’t know what you have, you don’t know what to protect.

Second, look for weaknesses in your security posture. There are so many great tools out there to help identify these, such as Qualys etc.

Third, if you have anything facing the web, invest in security. Web Application Firewalls (WAF), Cloud DDoS, and perimeter security tools. If you don’t have the internal expertise to manage these controls, look to service providers to manage it for you.

You can also look at migrating your important data to a cloud provider who meets the compliance requirements applicable to your organization. This saves you the headache of going through all the rigor of audits and remediation. Outsourcing is a great resource for this, and very cost effective for mid/small organizations who just want to focus on their business.

In 5 years I am sure this type of report is going to shift dramatically towards cloud attacks and mobile technology attacks. The best thing organizations can do is to use these as a guide to secure their environment, or reach out to someone who can offer security as a service.

To read the full report, visit

Heya, Tom’, it’s Bob from the office down the hall. Good to see you, buddy; how’ve you been? Things have been alright for me except that I’m a zombie now. I really wish you’d let us in.

In keeping up with cloud and all things related, I read a great article yesterday about how BYOD is driving unified communications (UC). As someone who uses a voip phone, and a cloud-hosted phone (on top of the smart phone), the ability to consolidate all my various phone numbers into a single source that can follow me around is a huge benefit. And companies are seeing this too, making it a critical element of business transformation. Continue reading