NIST Draft Definition of Cloud Computing

Peter Mell, Project Lead for the NIST Cloud Computing group, has released a Draft Working Definition of Cloud Computing:
Definition of Cloud Computing:
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three delivery models, and four deployment models.
Essential Characteristics are listed as: on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity, and measured service.

Delivery Models are listed as: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

Deployment Models can be one of: private cloud, community cloud, public cloud, or hybrid cloud.

Src: Cloud Computing | Computer Security Resource Center | Computer Security Division | NIST.gov

QOTD - RSA on Nature of Threats

It is now a common mantra in security that the nature of the threats has changed. Gone are the days of script kiddies looking for fame and notoriety; now enterprises face a very sophisticated worldwide fraud machine run by organized crime, with many players, each having their own niche. This system is very adaptable, changing tactics quickly to outwit any attempt to foil their operations. -- RSA report "Charting the Path: Enabling the 'Hyper-Extended' Enterprise in the Face of Unprecedented Risk"
Src: RSA, The Security Division of EMC

QOTD - Garfinkel: Privacy Requires Security, Not Abstinence

When someone can wreak havoc by misappropriating your personal data, privacy is threatened far more by the lack of a reliable online identification system than it would be by the introduction of one. And it is likely that it would cost society far more money to live with poor security than to address it. -- Simson Garfinkel, associate professor at the Naval Postgraduate School in Monterey, CA
Src: Privacy Requires Security, Not Abstinence | MIT Technology Review

Predicting Social Security Numbers from Public Data

we only used publicly available information, and ended up discovering, based on that information, that the randomness [used in assigning SSNs] is effectively so low that the entire 9 digits of an SSN can be predicted with a limited number of attempts. -- Alessandro Acquisti and Ralph Gross of Heinz College, Carnegie Mellon University.
One lesson we can draw is that what was once thought to be secure (or secure enough) is no longer (or not enough). The other lesson is that we need to focus on mitigating the risks created by the types of fraudulent transactions that are often based on easy-to-obtain credentials like SSNs (see Bruce Schneier's article in Forbes).

Src: Predicting Social Security Numbers from Public Data - FAQ

QOTD on Laws & Technology

We are still living in a world where we have literally Gutenberg-era laws and businesses are using Star Wars technology... [However] New technology does not absolve an organization from its obligation to retain, produce, or manage data in any way. -- John Bace, research analyst at the Gartner Group
Src: Compliance Week: Cloud Computing Vs. Internal Controls

QOTD - PrivacyProf on tracking PII

Most business leaders, especially in business units, and in the legal office, just assume that all storage locations for PII are known and that there is a 100% complete inventory for it somewhere. Infosec, IT and most privacy practitioners know the real deal; it is rare that PII is formally defined, and even rarer to have an inventory of all PII. Considering the ease with which PII can be copied and distributed literally thousands of times with just one press of a button, and stored in any number of mobile devices and outside storage locations, it is very hard to have a complete PII inventory. But, it must be done. And doing so will help to determine the controls and other safeguards that need to be placed around PII to keep from having it stolen, leaked or lost.
Rebecca Herold, The PrivacyProf, blogging about the news that the University of Central Missouri didn't know that two printed reports (w/ 7,000 student names, SSNs, addresses, and birthdates) were stolen from a location on campus.

I have had similar findings in many of the information security assessments that I conducted, in that management was often shocked to hear about the various sources and destinations of sensitive information throughout an organization. Until an organization traces the flow of sensitive data generated and consumed, management cannot hope to have an accurate inventory of that data, its location, or whether it has been properly disposed of.

[Note: emphasis is mine]

Src: Stolen Print Documents With PII Found On Crook; Otherwise UCM Would Not Have Known The Reports Were Stolen - Realtime IT Compliance