Rational Survivability

Here is some of the recent coverage from the last couple of months or so on topics relevant to content on my blog, presentations and speaking engagements.  No particular order or priority and I haven’t kept a good record, unfortunately.

Important Stuff I’m Working On:

• Cloud Security Alliance
• CloudAudit/A6
• Common Assurance Metrics

Press/Technology & Security eZines/Website/Blog Coverage/Meaningful Links:

• How Cloud Service Brokers Enable the Cloud Marketplace – Connecting SOA to the Cloud
• Incite 2/17/2010 – Open Your Mind – Securosis
• Fun Reading on Security and Compliance #23 – Security Warrior Blog
• From private clouds to solar panels: more control and uniqueness, but are they worth it? – Data Center Dialog
• Want to build a private cloud? – SearchCloudComputing
• What’s The Difference Between Security And Trust In The Cloud? – CSC Trusted Cloud Services
• In The Era Of Mashups, MashSSL Could Be A Savior – CloudAve
• Cloud Computing, A Primer – The Internet Protocol Forum
• On the many limitations of (network) virtual appliances – Virtualization.info
• Incite 1/27/2010: Depending on the Kids – Securosis
• Can regulators keep up with Cloud Computing? – CloudAve
• The network performance within the cloud, an hidden enemy – Reflections of the Void
• The Cloud Computing Compliance Conundrum – Data Center Knowledge
• Is over-capacity inevitable in cloud computing? – virtualization.info
• Cloud Overbooking – Part 1 – Virtually Insane
• Infrastructure 2.0: Squishy Name for a Squishy Concept – f5 DevCentral
• Top 10 Web Hacking Techniques of 2009 – Jeremiah Grossman
• On Virtualization, Clouds and Meta Orchestration – SeekingAlpha
• Forecast for 2010: The Coming Cloud ‘Catastrophe’ – BusinessWeek
• The Daily Incite – 12/28/09 – Meyer’s Choice – Security Incite
• Virtualization, Cloud Computing, And Next-Generation Security – InformationWeek/DarkReading
• My Thoughts After CloudCamp Boston 2009 – Fubardness is Contagious

Recent Speaking Engagements/Confirmed to  speak at the following upcoming events:

• Govt Solutions Forum Feb 1-2 (panel |n DC)
• Govt Solutions Forum Feb 24 D.C.
• ESAF, San Francisco, March 1
• Cloud Security Alliance Summit, San Francisco, March 1
• RSA Security Conference March 1-5 San Francisco
• Microsoft Bluehat Buenos Aires, Argentina – March 16-19th
• ISSA General Assembly, Belgium
• Infosec.be, Belgium
• Codegate, South Korea, April 7-8
• SOURCE Boston, April 21-23
• Shot the Sherrif – Brazil – May 17th
• Gluecon , Denver, May 26/27
• FIRST, Miami, FL,  June 13-18
• SANS DC – August 19th-20th

Conferences I am tentatively attending, trying to attend and/or working on logistics for speaking:

• InterOp April 25-29 Vegas
• Cisco Live – June 27th – July 1st Vegas
• Blackhat 2010 – July 24-29 Vegas
• Defcon
• Notacon

Oh, let us not forget these top honors (buahahaha!)

• Top 10 Sexy InfoSec Geeks (link)
• The ThreatPost “All Decade Interview Team” (link)
• ‘Cloud Hero’ and ‘Best Cloud Presentation’ – 2009 Cloudies Awards (link), and
• 2010 RSA Social Security Bloggers Award nomination (link) 😉

[I often get a bunch of guff as to why I make these lists: ego, horn-tooting, self-aggrandizement. I wish I thought I were that important. 😉 The real reason is that it helps me keep track of useful stuff focused not only on my participation, but that of the rest of the blogosphere.]

/Hoff

Here is some of the recent coverage from the last month or so on topics relevant to content on my blog, presentations and speaking engagements.  No particular order or priority and I haven’t kept a good record, unfortunately.

Press/Technology & Security eZines/Website/Blog Coverage/Meaningful Links:

• Threatpost – Coverage of my SecTor 2009 Cloud Security Keynote
• Can We Secure the Cloud? Can We Afford Not To? – Microsoft TechNet/Bluehat Blog
• Another Day, Another Data Loss – Gordon Haff, C|Net
• Cloud Security Raises Unanswered Security Questions – Grant Buckler, itbusiness.ca
• Of Cloud Computing & Virtualization – Oman Sultan, Cisco
• Infrastructure 2.0: Young Turks at SRI – Greg Ness
• Cloud Security – Time To Smoke Another One? – Bill Brenner, Computerworld
• Security Threats to virtual environments less theoretical, more practical – Michael Mimoso, TechTarget
• Security Showdown: Cloud Computing vs. On-Premise IT – Dana Gardner
• A6 Promises A Way To Check Up On Public Cloud Security – Tim Greene, Network World
• Cloud rEvolution: Laying the Foundation – CSC Leading Edge Forum (PDF)

Podcasts/Webcasts/Video:

• Silver Bullet Podcast – Cigital’s Gary McGraw and I chat about Cloud security
• CNET Reporter’s Roundtable – Rafe Needleman and the “Danger of Cloud Computing”
• Threapost Digital Underground – Dennis Fisher and I chat about security, disruptive innovation and Cloud security

Recent Speaking Engagements/Confirmed to  speak at the following upcoming events:

• Enterprise Architecture Conference, D.C.
• Intel Security Summit 2009, Hillsboro OR
• SecTor 2009, Toronto CA
• EMC Innovation Forum, Franklin MA
• NY Technology Forum, NY, NY
• Microsoft Bluehat v9, Redmond WA
• Office of the Comptroller & Currency, San Antonio TX
• Intercloud Working Group, GooglePlex CA 😉
• CSC Leading Edge Forum, VA
• DojoCon, VA

I also forgot to thank Eric Siebert for putting together the VMware Top 20 blog list and putting me on it as well as the fact that Rational Survivability made the Datamation 2009 Top 200 Tech Blogs list.

/Hoff

Geva and James were kind (foolish?) enough to invite me onto their Overcast podcast today:

Here is some of the recent coverage from the last couple of months on topics relevant to content on my blog, presentations and speaking engagements.  No particular order or priority.

Press/Technology & Security eZines:

• Byte & Switch: Securing data wherever it travels
• CSO Online: Hoff – Commode Computing
• Computerworld & CSO Online:  Four questions on Google App Security 
• Dark Reading: Crossing the streams virtually 
• SearchSecurity: PCI needs to address virtualization, experts say
• CSO Online: The myth of Cloud Computing 
• CSO Online: Chris Hoff – On Virtualization and Cloud Computing 
• Computerworld: How can you secure a buzzword? 
• CSO: Security Predictions – What happens next? 
• ITWorld Canada: Security admins offer their risk management pitch

Website/Blog Coverage/Meaningful Links:

• Server Zone: Cloud Ontology – to boldly go where ITIL, Grid and SOA have gone before
• Virtualization.info: Top virtualization blogs of 2008 
• VMware-land: Top 10 Virtualization blogs 
• ebizQ: Naming the part of the cloud
• IT Management & Cloud Blog: And the 2009 Cloudie Award goes to…  
• C|Net Wisdom Of the Clouds: Two ontologies shed light on Cloud Computing 
• SeekingAlpha: Peak IT – The network industry's core challenge
• System Advancements at the Monastery: Recent Cloud Postings
• Meedabyte: Be open to winds of change 
• ZDNet: Will EDoS be the next DDoS?
• Data Center Knowledge: Cloudy Day: CloudSwitch, AWS Torrents, eDoS
• SoftSecurity.com: Will EDoS be the next DDoS?
• The GridPlace.com: In Cloud Computing, a good network gives you control
• RiskAnalys.is: Penetration testing not dead, probably just pining for the fjord
• SYS-CON: How difficult is securing Cloud platforms? Services in a Cloud Computing Environment 
• Data Center Networks (Cisco): Services in a Cloud Computing Environment
• Data Center Links: January Cloud Report
• Symantec Forums: How we win at securing customers in a virtual world
• VMBlog: The Future of virtualization
• Prism: Security – A casualty in the Sovereighnity vs Efficiency tradeoff
• Securosis: How the Cloud destroys everythng I love (about Web App Security)
• CloudAve: Cloud Computing Risks – EDoS
• Elastic Vapor: Cloud attack: Economic denial of sustainability (EDoS)
• Tripwire: Regulations need to get unreal
• Blog Of Trust: Be an IF-MAP Innovator
• DevCentral: The Context-Aware Cloud 
• Law.com: Old habits persist in virtual security 
• Brian Madden: What does Microsoft Azure have to do with us?
• Securosis: Everything old is new again in the fog of the cloud
• Securosis: Cloud Security macro layers
• Telematique: Clouds, the criminal element & V12N to the rescue
• Network Security Blog: PCI Compliance – get it in writing!
• Citrix Community Blog: Hoff is still confused 
• ZDNet: Security will suffer in the financial crisis

I should note that many of my cloud computing writing is being republished over at the SYSCON Cloud Computing Journal with a self-branded mini-site: ChristoferHoff.Sys-Con.com

Podcasts/Webcasts/Video:

• Network Security Podcast Episode 131: Co-hosted with Rich Mogull
• Briefings Direct: Improved insights and analysis from systems logs reduce complexity risks from virtualization
• Virtualization.com: Video interview with Simon Crosby, Citrix CTO (not in it, mentioned) 
• Cisco Data Center Blog: Data Center 3.0 anniversary note & new products video

I am confirmed to  speak at the following upcoming events:

• Source Boston  - Boston, MA – March 11-13
• TechTarget Threat Management Decisions Summit – New York, NY – March 26
• Americas Growth Capital InfoSec Conference (keynote) – San Francisco, CA, April 20
• RSA 2009 (multiple sessions) – San Francisco, CA, April 21-24
• Virtualization Congress – Las Vegas, NV, May 4-7
• (there are others being sorted at the moment) 

I should/will be attending the following events:

• Shmoocon
• Cloud Computing Expo   

/Hoff

Here is some of the recent press coverage on topics relevant to content on my blog:

• Information Week: Virtualization Has A Security Blind Spot
• Information Week: Securing Virtualization, or is that Virtualizing Security?
• Network World: Black Hat speakers expose virtualization, OS security gaps (**NOTE: Please see here, VERY important)
• Network World/Computerworld: Black Hat spotlights virtualization, DNS issues (**NOTE: Please see here, VERY important)
• SearchSecurity (Australia): Could securing virtualised environments destroy ROI?
• SearchSecurity: Initial virtualization costs could outweigh benefits
• Computer Zeitung: Today’s Security Products Aren’t Ready For Virtualised Data Centres
• Wall Street Journal: Hackers On the Move
• Baseline: Managing Mobility In the Enterprise
• ITWorld: Pros and Cons of VMware’s New Security Guide

Podcasts/Webcasts/Video:

• Network Security Podcast: Defcon Wrap-up (*naughty language)
• Security Wire Weekly: Virtual Security Apocalypse
• DarkReading: Four Horsemen Interview after my talk at Blackhat
• SearchSecurity "Still Nameless Podcast": Rich Mogull and associated nonsense (I wasn’t on it, just in it 😉

I am confirmed to  speak at the following upcoming events:

• Forrester’s Security Forum, Boston MA, September 4-5
• [Private] Portland, Oregon, September 8-11
• [Private], Utah, October 1-2
• Day-Con II, Dayton, Ohio, October 10-12
• RSA Europe, London UK, October 27-29
• TechTarget Information Security Decisions, Chicago IL, November 5

I will be attending the following events:

• VMworld 2008, Las Vegas NV, September 14-18

/Hoff

Based upon feedback from attendees at Blackhat, my talk, "The Four Horsemen of the
Virtualization Security Apocalypse," went over well and I really had a lot of
fun delivering it. It’s had a TON of coverage.

Despite the positive feedback from folks, it seems the foreboding narrative of the apocalypse has carried over into the real world due to a rather unfortunate journalistic misinterpretation of the facts.

It’s only fair to state that I have been critical in the past of others in our line of work who have complained of their inability to control the output of their direct interviews with the press and analysts as misquotes and misunderstandings arise.

Perhaps this is a little karmic payback for my outspokenness, as after my talk at Blackhat, I have now enjoyed the fruits of journalistic distortion firsthand.  It’s important to note that this was not the result of a direct interview, but rather the inaccurate reporting of a reporter sitting in the audience of my talk.  I was never contacted with questions or asked for clarification or review.

Many of the points I made in my presentation were reflected upon poorly and my perspective butchered, but one specific item is causing me some serious grief in a professional capacity.  It cast a rather crappy pall on the rest of my Blackhat and Defcon experience (more on that later.)

One of the "Four Horsemen" which represents a critical issue in virtualization security is that of the hidden costs involved in virtualizing security.  The point I made, and the language I used to consistently describe it multiple times appears below:


To be perfectly clear, what I obviously said was that "virtualizing security will not save you money, it will cost you more."

What Ellen Messmer reported in her Network World article was that I said "Virtualization will not save you money, it will cost you more.”

Now, this may not seem like much of a difference, but it’s a profoundly impacting dissimilarity.

It’s a dangerous rephrase that has now caused significant pain for me that I’m going to have to deal with once I return from vacation.  It’s been picked up and re-printed/adapted so many times without validation that I can’t keep count any longer.

You see, I work as the security architect for the division of a company who is maniacally focused on designing, deploying and supporting heavily-virtualized realtime infrastructure for our customers.  One of the (obvious) value propositions of virtualization/RTI is cost savings/reduction/avoidance which I specifically referenced during my presentation as a well-established fact and reasonable motivation for virtualization.

You can probably imagine the surprise of folks when they read Ellen’s article which is written in a way that directly contradicts our corporate messaging and the value proposition offered to our clients.  It reflects rather poorly on me and my company.

And just to be clear, my scorn was not directed at the "network industry" or the "virtualization industry" as reported in the article; the context of my entire talk was the security industry, a point sorely missed.

This article reads like the output result of a bad game of "telephone."

I intend to contact Ellen Messmer and ask for a retraction as well as corrections of multiple other mistakes in the article, but as we all know, there’s no real retraction on the Internet.  All I can offer is my presentation, the video recording of it and the recollection of the 500+ others that were in the audience when I presented (including numerous other reporters.) 

The only other thing left to do is to sheepishly admit that despite the fact that this was not an interview that I or anyone else could control or influence for correctness, Joanna Rutkowska was essentially correct in her assertion during our last debate that you cannot control the press, despite best efforts. 

Even though I’ve never had a problem of this degree in the almost 15 years of doing this sort of thing, I humbly submit to her on that point.

/Hoff

Here are some of the recent press coverage on topics relevant to content on my blog:

• Information Week: Virtualization Has A Security Blind Spot
• Forbes: How To Protect A Company’s Data
• InfoWorld: Defending Security In A Weak Economy
• InfoWorld: Security Futurists Shun Perimeter, Anti-Virus Systems
• CIO: Real Risks Inside Every Virtual Box
• Information Security Magazine: 5 Virtualization Do’s and Don’ts
• SeekingAlpha.com: The Year Of VirtSec So Far
• Virtualization.com: Who Own’s Virtualization Security (Hoff vs. Citrix Debate)
• CSO: How IT Security Pros Blow Off Steam

Podcasts/Webcasts:

• Jericho Forum: Security Roundtable (Available Now)
• Virtualization Security Hits Center Stage: TBA
• Ziff-Davis Virtual Tradeshow: Delivering On the Vision of Business-Driven IT

I am confirmed to  speak at the following upcoming events:

• IBM Global Innovation Outlook, Chicago, June 9-10
• Financial Services Information Security Decisions, NY,  June 19-20
• Blackhat, Las Vegas, August 2-7
• Defcon, Las Vegas, August 8-10
• IT Security World, San Francisco, September 15-17
• Day-Con II, Dayton, Ohio, October 10-12

/Hoff

Hey y’all.  Here’s some of my upcoming planned speaking engagements.  If you’re in town or going to any of the conferences, look me up:

• SourceBoston: Boston MA, March 12th, 2008*
• SecureWorld Expo: Boston MA, March 26th, 2008
• RSA Security 08: San Francisco CA, April 7-11
• Troopers08: Munich, Germany, April 23-24, 2008
• Financial Information Security Decisions, NY NY, June 19-20th
• IT Security World: San Francisco CA, September 15-17*

Hope to see you there.  I’m sure there will be others between April and June.

* Rich Mogull and I will be co-presenting at these events.

As it goes in football, so it goes in life…

I delivered the closing presentation of the InfoWorld Executive Virtualization Forum in San Francisco on Monday.  The title of my presentation, which I will upload soon, was "
  Addressing Security Concerns in Virtual Environments."

The conference was a good mix of panels and presentations giving some excellent perspective to senior-level managers and executives on virtualization and its impact.

The night before was obviously the Super Bowl and InfoWorld hosted a get-together complete with beer, snacks and a big screen for us to watch the Big Game.  Most of the InfoWorld staff are out of the MA area, so except for a few Giants fans, it was a room packed with Pats fanatics. 

Ultimately, sad, depressed, and shocked Pats fanatics…

So the next day after having to listen to the fantastic keynote from David Reilly, Head of Technology Infrastructure Services, Credit Suisse — an Irishman who grew up in England and now lives in New York — bleat on about "his beloved Giants," I thought it only appropriate that I take one last stab at regaining my pride.

So, when it was my turn to speak, I slipped a borrowed Randy Moss jersey over my silk shirt and took the stage to stares of bewilderment and confusion.

I explained my costume and expressed my disappointment with the team’s performance in one fell swoop:

You may be wondering why I’m up here presenting in my beloved Patriot’s uniform.  Well, this *is* a security presentation, so I thought I could give you no more spectacular illustration of what happens when you fail to execute on a defensive strategy than this (pointing to the jersey.)

Further, I find it completely amusing and apropos to be standing here in a virtualization conference talking about security *last* in the order of things because that’s exactly the problem I want to talk about…

The crowd seemed to enjoy those couple of opening shots and the rest went quite well — I try to make stabs at involving the audience.  I always gauge the success of a show by how many people come up and talk to me at the podium and afterwards.  By all accounts, it rocked since I spent the next 45 minutes talking to the 30+ folks that engaged me between the podium and the beer stand.

Adrian Lane was kind enough to blog about my performance here…

I very much enjoyed the conversation that ensued with some really interesting people.

Looking forward to the next one in NY in the November timeframe.

Hope to see you there.

/Hoff