Personal Cloud Security: A Theme of this Blog

I now have a role right in the middle of the burgeoning personal cloud ecosystem with Respect Network, where I'm a Principal Consultant and Security Architect. For readers that haven't heard much about personal cloud yet, please check this out along with another post I did called Defining Personal Cloud: An Analyst's Perspective.

I provided the following copy to Respect Network for our announcement of my joining them as a consultant, and for your convenience, I'm re-posting it here.

"We believe the personal cloud ecosystem is essential to correct problems with existing online commerce and make way for better business models in a fully interconnected world. Without it, tensions will only increase between individual convenience, privacy and security. Long proclaimed, the death of passwords never arrived but the world of big personal data mines did. Repeated data spills of our personal information help fuel a wave of cybercrime; through breach after breach of personal databases we’re exposed not just to unwanted advertising, spam, SPIM and SPIT but also to identify fraud and worse.

Regulatory efforts to correct online commerce problems have been only partially effective. All too often they fail to curb the Facebooks and Googles of the world, but succeed all too well in adding complexity for ordinary consumers and businesses. That’s because regulation alone can’t correct a business problem when the problem is that the business model itself must evolve.

Fortunately, throughout human history dysfunctional situations dis-serving society don’t last, instead the pendulum swings in a new direction. Personal clouds have emerged as an alternative to privacy-erosive patterns. By pushing powerful security and privacy technology down to the individual level, personal cloud software and personal cloud networks will offer the long-awaited convenience and privacy not as trade offs against one another but as two mutually-reinforcing goods.

Think of a personal cloud as “your PC in the cloud” where your data is securely backed up, locked with your cryptographic key and only released with your permission to services that respect your wishes about privacy, sharing and community. This must be the new model of online interaction. While at first it may seem counter-intuitive, most online businesses will in fact benefit from easier regulatory compliance and improved relationships as they switch to a model that respects and empowers customers. Another huge benefit is the opportunity to establish a customer-centric architecture through personal clouds enabling individuals to thrive amidst their own “Internet of things,” or mobile, automotive and household devices. The imperative for a smarter, interconnected world will be the forcing function for personal clouds.

Respect Network is a pioneer at the center of what one of our partners calls the “control shift” to individuals and the businesses that serve them better. We’re working to enable the personal cloud ecosystem. Already we have more than 25 partner organizations joining in to build the world’s first personal cloud network. As the network launches and grows, increasing numbers of individuals and businesses will join us – not only to relieve themselves of privacy issues and regulatory risks – but also to open new markets in what’s called “The Intention Economy.” Through this business model, masses of new customers will express their wants or intentions to providers who can then compete to deliver product to actual known demand and have less need for advertising guesswork.

Personal cloud ecosystems like Respect Network’s will establish the virtuous circle enabling free customers and privacy-respecting businesses to achieve unparalleled network effects through trust frameworks no less transformational to Internet commerce than credit card networks were to finance. Established earlier in the decade where it won the 2011 European Identity Conference Privacy Award, the Respect Network Trust Framework codifies standard terms that all providers in a personal cloud network agree on. The terms ensure customers their privacy will be respected. They also ensure businesses that the convenient Respect.Connect personal login backed by reputation systems will have commercial-grade integrity.

Open standards for personal login, smart messaging and signalling, semantic data discovery and access control in a highly distributed environment are the technical pillars of the personal cloud ecosystem. We and our partners will implement them using the latest OpenID Connect, OAUTH, Extensible Data Interchange (XDI) and other specifications. Only through uncompromising openness and interoperability can the industry interconnect billions of people and trillions of things.

As Respect Network executes on our personal cloud vision, we must make our partners successful, and enable more partners. We want to help organizations map the personal cloud vision to their own use cases and develop business and technology strategies and architectures to put them among the first movers in their industry sectors – or make them efficient fast followers – depending on the business case. Leading or following, phased adoption of security and privacy business model, standards and architectures that enable personal cloud is imperative."

Living and breathing in the personal cloud space, we have strong consulting expertise. With myself and the rest of our consulting team and partners, we stand ready to help organizations achieve their business and technology objectives.

The Constitution and the Cloud

Thank you Holder! In May, the Attorney General went on record as the White House’s highest ranking official to support requiring a probable-cause warrant to officially obtain e-mail and other content stored in the cloud. Hopefully this will begin a decade-overdue process of updating the machinery of law enforcement to be in tune with the U.S. Constitution. 

I've wanted to write "The Constitution and the Cloud" for some time as anxiety grows over the prospect of panoptical surveillance from:

• Government: Cameras, email wiretapping, national security letters and obsolete legal frameworks on privacy leave citizens over-overexposed to official overreach.
• Commercial: Track, track, track and into the big corporate data mines we go..
• People: Smile, you're on Google Glass or thousands of candid cameras! At last week's Internet Identity Workshop, folks were wearing buttons with QR codes expressing their legal terms and conditions for as yet indifferent  paparazzi.)

There's even a word for extreme surveillance now, it's panopticism. How we adapt to this as a society  is a question for another post. Today its the government's in our literacy lens. And that zooms down two trains of thought.

Patriot Act (and similar legislation worldwide) are the origin of some concern. First,  the Act's notion of arbitrary surveillance has made it the poster child for the counter-movement toward data protectionism internationally. It has the U.S. - with an otherwise very promising cloud computing industry - squarely in the wrathful gaze of privacy advocates to the detriment of the country's international exports. It's only fair to say - per the referenced legal paper below - that the U.S. government is not alone in passing legislation enabling government surveillance of electronic communications. But, on the other hand, the U.S. has lagged behind other countries in instituting comprehensive privacy protections. But isn't it reasonable to suppose that - had the Founding Fathers known about e-mail and cloud data storage - they would wanted them protected by the same due process as anything else that contains one's valuable property or personal effects?

The Attorney General's support is but one step in the tortuous process of updating the legal and regulatory framework to keep pace with technology. When the Electronic Communications Privacy Act (ECPA) was passed in 1986, Congress essentially held that citizens had no expectation of protection for email stored with a service provider for more than 180 days. That may have been true then, but in the age of Gmail and Dropbox is no longer so. But change is slow to come. Despite the growing illogic of ECPA in a free society, Holder's Justice Department opposed change until now, and Holder's conversion only comes after multiple reversals in the independent judiciary system, such as a 2011 Federal Appeals court ruling requiring warrants. Powerful forces in the Congress continue to oppose limits, however logical and principled, on law enforcement or the national security establishment. The Obama Administration is not unanimous on the issue; in addition to the expected desired by some law enforcement and intelligence agencies to protect their prerogatives, the Internal Revenue Service (IRS) released documents in April 2013 supporting a position that the agency could read citizen's emails without a warrant. Even the Security and Exchange Commission (SEC) believes that long-overdue amendments to the ECPA would impair its ability to protect investors.

In conclusion, its important for principled citizens to continue pushing for change. In a future blog post I'll explore some of the forms change might or should take. While the interests that oppose change have some legitimate concerns, protecting obsolete and illogical laws that go against the spirit of the Constitution is not the way to address them. 

REFERENCES

Cops Should Get Warrants to Read your Email Attorney General Says: Original article inspiring this post
Electronic Communications Privacy Act and Patriot Act: Legislative background

Chronicle of Data Protection: Hogan Lovells study comparing Patriot Act and similar national legislation in Europe: 

For Continuity

During security-architecture.blogspot.com’s hiatus I was active here at the Gartner Blog Network where some of my favorite posts include:

• Playing chess with APTs
• Nowhere Man
• For Those in Glass Houses
• Collective Defense or Collective Dissent?
• We’re Right, We’re Free, We’ll Fight, You’ll See
• Proposing an International Cyberweapons Control Protocol
• The end of confidentiality?
• Golden Quill Award (2011)
• Restricted Zones
• Cyber-Conflict – A Suggestion
• Cyberwar – What Hath we Wrought?
• Definition of Cyberwar: No Results Found
• When CIOs Need a Foreign Policy
• The Number of the Beast
• The End of Identity Silos
• Crowdsourcing Malware Analysis: An Opportunity to Raise our Collective Intelligence and Improve Cyberdefense?
• Dangerous Times: Shared Intelligence Plays a Vital Role

These posts concentrate heavily on the topics of the threat landscape, cyberwar and security information sharing. I’ll continue covering these topics under the theme of community-based defense.

Going further back in time, some of my vintage posts here at security-architect here at security-architect and at our Burton Group security blog were:

• Beyond the Tipping Point: Responding to Operation Aurora
• To Cloud Computing Vendors: Stop Practicing Security By Obscurity
• Cloud Computing: Who is in Control?
• Still Can’t Win The Core Wars: A Report From Black Hat
• RSA Panel Covers Log Standards: The Least Sexy Part Of Security
• Thrown to the Wolves
• Science Fiction And Technology Innovation
• Worst Practices For Network Security In “24″ Melodrama (Part 2)

So much for some history that perhaps mainly my great-great-great grandchildren will appreciate in the future! I apologize for the lack of links; it was a tools problem. I promise that the next posts will be all about the now. And I hope I don’t have to keep moving my blog.

Dan Blum's Security Architect Blog is Back - in 2013

After a long hiatus blogging at the Gartner Blog Network I'm back. Wondered at first whether to change the blog platform, change the theme, or - what the heck - just start blogging! The only thing I'm still sure of is that I like the name - Secure Architect. For those of you who don't know me, that's still what I do.

I'll do a post soon on "continuity" that links back to some of my favorite articles from the past, but for now I'm looking forward. Here's what's happening. I've:

• Left Gartner after 15 years as an analyst starting with Burton Group in 1998.
• Returned to my roots as an industry consultant, that is, a hybrid analyst / consultant. 
• Taken a role consulting with Respect Network. If you haven't heard of this company, check it out. My  first blog post with them is an analyst's perspective on personal clouds.
• Also an independent consulting practice. 

The new security architect blog will loosely cover the following themes:

• Security architecture for enterprises or cloud service providers
• Personal cloud security - an emerging space I'm so excited about
• Protection starts at home - security tips for individuals
• Establishing community-based defenses - my hobby horse while working at Gartner
• Freelancing - security tips for independent writers and consultants

I'll kick each of these off with their own post - very soon!

"Security Architect" posting moved

Dear Readers,

With Gartner acquiring Burton Group, I've had to move the blog posts.

They are now at the Gartner Blog Network.

Best regards,
Dan

The Tangled Mess (Part 2)

Is cloud computing the answer to the tangled mess of IT that I wrote about in September?

Certainly the current enthusiasm for cloud comes in part from business units on the rebound from IT departments with tangled messes, unreasonable costs, and lengthy delays. Cloud, they hope, will cut their IT costs while making them ever so more agile.

And so it might, for green field applications. Cloud computing – as delivered through innovations such as virtualization – can work wonders. But it can’t take a tangled mess of existing legacy systems and bad designs, move them to a cloud computing service, and expect them to get better. A straight migration is not always the answer.

Suppose business units just moved green field applications to the cloud that have no dependencies on legacy IT? While green field applications exist, the business IT landscape is not green, but brown. Applications must integrate with other applications, share data, meet compliance mandates.

Benjamin Franklin once said that the definition of insanity is doing the same thing over and over again but expecting to get different results. So it is with expecting cloud computing to accomplish miracles; IT is littered with the corpses of “next big things” that failed to do that.

Instead of naively or insanely hoping that cloud computing is the quick fix for the tangled mess, we need to think of IT strategically. In an upcoming post, we’ll see whether the use of service-oriented principles in building cloud and “terrestrial IT” applications may offer a path forward.

More cloud mischief as Amazon users get dinged for spam

So many things about this news that Spamhaus has blacklisted or policy-blocked the entire Amazon Elastic Computing (EC2) service is worrisome

• Attackers are wreaking havoc in at least two IaaS environments (yes, Rackspace too)
• Amazon and the users with their virtual machines seem unable to stop the malware from spreading within the multi-tenant environment
• Legitimate users whose VMs are not compromised in effect suffer a denial of service, getting blacklisted or graylisted along with the real spammers
• Once Amazon smooths all this over, in its typical “security by obscurity” fashion the company is unlikely to come clean with customers about the full scope of the vulnerability

While waiting for a fix, users can bounce mail through an authenticated SMTP relay such as the enterprise mail server. Not an ideal situation, but at least a workaround.

Cloud vendors of Amazon’s ilk need to provide filtering services that AMI users can opt into. Receiving an alert that some of your email is being blocked as spam might be occasionally inconvenient if it was a false positive, but should at least as often function as a species of intrusion detection. More than likely Amazon could even charge for it.