Wednesday, August 22, 2012

10 ways to say, "Welcome to Hell!"

It's the Dog Days of Summer. Journalists in every discipline are scrambling for new headlines to garner readership. Cosmo is done with the how-to-look-good-in-your-swimsuit-in-just-21-days articles—although they still manage to have the word "sex" on almost every cover—and they're now doing everything from sex surveys to the 10 reasons men cheat (could it be that men attracted to Cosmo readers are prone to cheating?). The tech press is torn between the 10 rumored features of the new iPhone 5 and the iPad, with the big "list-of-10" security story being CIO's "10 Ways to Ease Public Cloud Security Concerns" (see story here). Welcome to Hell. Paraphrasing Dante's Divine Comedy, "Abandon hope all ye who enter here." Abandon hope all ye who take seriously any of the above lists of complete and utter tripe. As to CIO's article on easing your concerns about cloud security, let me convert their "10 Ways" into appropriate Hell Welcome Mats:

  1. Select the Right Apps for the Public Cloud. Right. This means selecting only apps that require absolutely no security. Welcome to Hell.
  2. Evaluate and Add Security, If Necessary. If the world expert in IP security and mission-critical systems, Network Solutions, can't keep their infrastructure up and immune from attacks, what chance does the average IT schmoe have (see my story here)? Welcome to Hell.
  3. Identify and Use the Right Third-Party Auditing Services. Translated, you can't do #2 above, so maybe you'll feel better outsourcing responsibility for your inevitable doom. Welcome to Hell.
  4. Add Authentication Layers. This wonderful advice begins: "Most CSPs provide good authentication services…" I added the color to the word "good." Hey, don't you want "perfect" or "unbreakable" authentication? To hell with "good" authentication. Welcome to Hell.
  5. Consider How Additional Security Will Affect Integration. Translated: "Your performance will go to hell, your users will be irate with all the hoops you make them jump through, and you'll still get cracked on a daily basis by the Chinese." Welcome to Hell.
  6. Put Security at the Forefront of Your SLA. "SLA" means Service Level Agreement. A realistic SLA should contain the following: "Security is a joke, because US law makes it impossible for us to attack the attackers. So if you trust your mission critical applications to us, you'd better have a jim-cracking-dandy insurance policy, because you will most definitely have to use it." Welcome to Hell.
  7. Insist on Transparent Security Processes. That way, you can see time-lapse photographs as the crap storm wipes you off the planet. Welcome to Hell.
  8. Streamline Logging and Monitoring. "Comparing one CSP's logging and monitoring practices with another before you sign a SLA may reveal subtle differences in the security that's provided." Sure. Like you know diddly squat about logging practices. Welcome to Hell.
  9. Add Encryption. Then, "…only the customer and the third party know the key…" And how long do you think it will take a clever phisher to worm the key out of one or the other of you? Welcome to Hell.
  10. Spread Risk with Multiple, Redundant CSPs. I'll bet the Iranians got their biggest laugh out of this one. Shamoon, Flame, Duqu, Stuxnet, Gauss, et al. All you need is one to work, and all your systems will be compromised. Welcome to Hell.
The solution is at Forget playing defense. Make a public example out of anyone stupid enough to so much as probe your system. Give them a proper sendoff…to Hell.
