Wednesday, December 28, 2011

Your Portable vCloud Director Lab

How many times have you been called upon to audit, evaluate, or comment on a new technology you've never seen? As auditors we like to experiment, touch, and learn about the technologies we're assessing. Here's a fantastic way to get up to speed on vCloud Director. You can install vCD on a laptop, carry it to a team meeting, and show off the highlights.

Giving credit to the source where I first read about this: Duncan Epping's Yellow-Bricks blog post, found here:, was sent to me by Jeramiah Dooley. Both maintain blogs I highly recommend.
"... more installing Red Hat, Oracle and vCloud Director. Just download the appliance and deploy it. On top of that there is a great vCloud Director Evaluators Guide which will help you to evaluate the product.
If you haven't done anything with vCloud Director before, the following articles might also be worth reading; note that these are 1.0 based articles but most of the content is still valid today."
Here is the list of resources found on the vCloud Director virtual appliance download page under Installation and Configuration. Note that these just scratch the surface of all the resources VMware offers.

Product Documentation

Technical Whitepapers

Thursday, December 15, 2011

VMware Compliance Checkers

How about something for FREE!

Some people were asking about this today and I thought I would share here.

There are hundreds of compliance tools and checkers on the market. How about these two gems from VMware? Do you have concerns about your environment's compliance with the PCI Data Security Standard? How about a free tool from VMware that checks this for you? How about another free tool that checks your environment against the VMware vSphere Hardening Guidelines? Free.

Tuesday, December 13, 2011

Friday, December 9, 2011

Cloud Security and GRC: Internal Controls

Environmentally Friendly.

Here's the flow of a security presentation I sometimes use to stimulate thought and focus around controls: how they can be orchestrated and coordinated to deliver contextually rich views of the environment that are relevant to information security and cloud auditing.

Environmentally Relevant. 

The enormous data set produced by monitoring and management tools delivers useless information if the data isn't comprehensive for its environment. Several years ago I worked for a Network Access Control (NAC) company. During Proof of Concept demonstrations we often found more devices on the network than the organization thought was possible. It wasn't uncommon to discover 15-20% more than a company thought they had on the network. One particular example found, not kidding, 20,000+ devices more than the estimated 40,000 devices the company thought they had worldwide. Yes, this is extreme. But it's also those experiences that drive my belief that you have to know what you have before you can secure it. 
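As an added illustration of the "know what you have before you can secure it" point, here is a small inventory reconciliation. This is example code added to this page, not anything from the original post or from the NAC product in question; the inventory entries and the ARP-style discovery output are constructed. It normalizes MAC addresses (the usual reason a recorded device shows up as "unknown" is that the CMDB and the discovery tool format them differently), reports devices seen on the wire that the inventory doesn't know about, and expresses the gap as a percentage of the inventory, the way the anecdote does.

```python
"""Reconcile an asset inventory against what a discovery sweep actually saw.

Example code added to this page; the inventory and ARP data below are
constructed, not taken from any real environment.
"""
import re
from dataclasses import dataclass, field

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC address to lowercase colon-separated form.

    Inventories and discovery tools disagree on separators and case
    (00-1A-2B-..., 001a.2b3c.4d5e, 00:1a:2b:...). Comparing raw strings
    would flag recorded devices as unknown and hide the real gap.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Reconciliation:
    known: set = field(default_factory=set)    # in inventory and seen on the wire
    unknown: set = field(default_factory=set)  # seen on the wire, not in inventory
    missing: set = field(default_factory=set)  # in inventory, not seen this sweep

    def gap_percent(self) -> float:
        """Devices the inventory did not predict, as a percentage of the
        inventory size (the figure quoted in the NAC anecdote)."""
        inventory_size = len(self.known) + len(self.missing)
        if inventory_size == 0:
            return 0.0
        return round(100.0 * len(self.unknown) / inventory_size, 1)


def reconcile(inventory_macs, discovered_macs) -> Reconciliation:
    """Set arithmetic on normalized MACs: known = both, unknown = seen only,
    missing = inventory only."""
    inv = {normalize_mac(m) for m in inventory_macs}
    seen = {normalize_mac(m) for m in discovered_macs}
    return Reconciliation(known=inv & seen, unknown=seen - inv, missing=inv - seen)


def parse_arp_table(text: str) -> list:
    """Pull MACs out of `arp -a` style lines: `host (ip) at mac [ether] on iface`.

    The line format is assumed here; adapt the pattern to your discovery tool.
    """
    return re.findall(r"\bat\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", text, flags=re.I)


# Constructed sample data: what the CMDB says versus what the network said.
INVENTORY = [
    "00-1A-2B-3C-4D-5E",   # file server, recorded with dashes
    "001a.2b3c.4d5f",      # core switch, Cisco dotted notation
    "00:1A:2B:3C:4D:60",   # laptop that is currently off-site
]

ARP_OUTPUT = """\
fileserv (10.0.0.10) at 00:1a:2b:3c:4d:5e [ether] on eth0
core-sw (10.0.0.1) at 00:1a:2b:3c:4d:5f [ether] on eth0
? (10.0.0.77) at 3c:22:fb:aa:bb:cc [ether] on eth0
? (10.0.0.78) at 3c:22:fb:aa:bb:cd [ether] on eth0
"""


def report(inventory=INVENTORY, arp_text=ARP_OUTPUT) -> Reconciliation:
    """Print the discrepancies and return them for further handling."""
    result = reconcile(inventory, parse_arp_table(arp_text))
    for mac in sorted(result.unknown):
        print(f"UNKNOWN on network, not in inventory: {mac}")
    for mac in sorted(result.missing):
        print(f"in inventory, not seen this sweep:    {mac}")
    print(f"inventory gap: {result.gap_percent()}% more devices than recorded")
    return result


if __name__ == "__main__":
    report()
```

The two unrecorded devices on the constructed network are what a NAC proof of concept surfaces; the off-site laptop in the "missing" set is the other half of the picture, since an inventory that is never reconciled drifts in both directions. In practice you would feed the discovery side from several sources (ARP caches, DHCP leases, switch MAC tables, 802.1X logs) rather than a single sweep, and treat anything in the "unknown" set as a candidate for quarantine until it is identified.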

Here is how I summarize action items during discussions around this topic.

Thursday, December 8, 2011

FedRAMP is Official.

Just a quick note to let people know if they hadn't already heard about it. The SP 800-53 rebranding that produced Government Cloud 1.0 (my words), or FedRAMP, is now official.

There are some key takeaways from this that perhaps we'll go into more detail on later. First, you can find out all about FedRAMP here:, and you can find the NIST Cloud landing page at . Note the requirement for a third-party audit by an authorized Third Party Assessment Organization (3PAO) prior to an authorization to operate. See more on that here: 3PAO Information.
"Please attend the Industry Day on December 16, 2011 for additional information on the Program and the 3PAO application process. Please register for the event by COB Wednesday December 14, 2011 via the following URL:"
The main takeaway: notice that the security concepts didn't change. You still have access controls. You still have perimeter defenses. The same control standard (SP 800-53) applied to today's systems is applied to this new fearsome beast called the cloud. Do the solutions and implementations change? Certainly! But the fundamentals remain the same. Now on to the next post :).

Mapping Controls: Challenges, Opportunities, Surfing

One Man's Challenge.

Mapping controls is all the rage (pun) and today's faddish exercise. Come on. You know you want some of that. Can you think of anything more fun than trying to find all of the standards, regulations, vendor guides, best practice documents, and Christmas Cookie recipe books?? How about actually reading them?? And then creating a massive spreadsheet mapping (your best) interpretation of what (you think) might be individual controls across each of them so that you can track your compliance? And... wait for it... just as we're getting started in all of this, don't forget that every good corporate citizen is intimately familiar with the policies you've painstakingly written and tracked back to each authority document.

Is Another Man's Opportunity.

Enter the likes of the IT Unified Compliance Framework (ITUCF) (with their nice snazzy website update over the last year). Their objective early in the game, several years ago, was to identify and correlate authority sources and documents from government agencies, standards bodies, and vendors. Massive undertaking. Simply massive. This is the classic case of how to put an elephant to sleep: read one authority document at a time.

Opportunistic entrepreneurs and vendors created software tools to help manage the C in GRC. Many leverage (license) in whole or in part the work of the ITUCF. Some target the entire enterprise, and others only IT. Consider the following from the well-respected Michael Rasmussen of Corporate Integrity:
"The GRC software space is vast with numerous vendors. In fact, in my market models there are over 400 GRC software providers that span 28 primary categories (with numerous sub-categories) of GRC related software. Nine of these categories encompass components of an enterprise GRC platform (though no vendor does all nine components), 19 of the categories are focused in specific business functions/processes of GRC. Of the 400 vendors, it is under 50 that market and present themselves in the enterprise GRC domain."
Enjoy the Wave Dude. Enjoy the Wave.

OK - So maybe it's not perfect, or you consider it biased, or have some other stigma that prevents you from enjoying the Magic Carpet Ride that is the Forrester Wave. I personally don't have the time to learn about every technology niche and vendor play. The summaries are fantastic. I've learned to filter the content and appreciate the organization. The best part? Someone else does the work, and the winner of whatever contest is showcased usually pays for your right to view the content. Why? Because they paid someone off? Or because they are thrilled with the results and want to showcase their peer praise to the world? Enjoy the Wave. It's a short ride.

And on the Short List.

The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q4 2011, led by Chris McClean, includes the following vendors: 
ARC Logics, BWise, Compliance 360, Enablon, IBM OpenPages, Mega, Methodware, MetricStream, Protiviti, RSA Archer, SAP, SAS, Thomson Reuters
The Forrester Wave™: IT Governance, Risk, And Compliance Platforms, Q4 2011, led by Chris McClean, includes the following vendors: 
Agiliance, ANXeBusiness, ControlCase, Easy2Comply, Modulo, RSA Archer, Rsam, Symantec

Please note
(1) There may be perfectly suited vendors that are NOT on this list because they address your particular market niche, pain point, or existing entrenched people/processes/technologies. 
(2) Plugging my Parent Company, EMC. RSA Archer was the only vendor listed as a Leader in both enterprise and IT GRC tools. I know the product well, know parts of the roadmap, and I really like what I see here. 
(3) Links to the Wave documents lead to RSA because of licensing. No registration required. Just click on the direct link on the right side of the landing page. 

Wednesday, December 7, 2011

Cloud Audit: Quality Services and Technical Briefs

Deliver a quality service. Keep the Customer Informed.

Have you ever taken a luxury car into the service department? The department knows you paid top dollar for that car. They want to make the experience as positive as possible. Notice how well informed you are about every detail? Notice how the service department goes to extraordinary lengths to ensure they are as non-disruptive as possible to your day. They are careful to keep you informed and set your expectations. You don't want to be there, and they know this.

One Small Secret to Great Service.

There are dozens of dirty little sales secrets you can adopt to improve the customer experience. One of my favorites is the Technical Brief. Starting a new audit? Do you receive common questions around a few topics? Would it be helpful to have short, informative documents explaining what you will be doing with the systems and what tools you will use? How about one on the general audit process, explaining what will be done, how long it typically takes, and how the data will be used? I've written up dozens of these over the years to explain a particular technology, process, tool, system usage, etc. Each is intentionally short, about a page or two in length, with the understanding that the customer can ask for additional detail if needed. 

Friday, December 2, 2011

Contextual Intelligence: A DARPA Project Wicked Cool Example

VMR: Visual Media Recognition
A fantastic video analogy for explaining rich context. 

State-of-the-art complex technologies handled ineffectively are ineffective. 
As a security professional, I want as much detail as possible that provides me assurance that my system's data is secure. Average auditors want enough data to validate compliance to their work papers. GREAT auditors want contextual data about the system to have assurance that data is secure, the system is operating as it should, and governance objectives (e.g. solution alignment, performance and capacity management) are met. GREAT auditors pay attention to multiple inputs during the data gathering process and correlate information in context to determine the veracity and completeness of the message.

Plain English? Push for the right controls, and push for management and correlation of those controls that is as close to centralized as possible, in a cohesive process and system that makes sense to your administrators. I spend a lot of time speaking about the organization of your information and controls because I have witnessed how excellent state-of-the-art complex technologies handled ineffectively are ineffective.

Now on to the Wicked Cool Project.
You probably have read stories or seen enough movies to understand the need to identify location details from a photograph or video. Maybe I watched too much Star Trek or read too many science fiction novels. This is cool!! Especially as an analogy for understanding as much about your environment as possible. This is particularly true in cloud (outsourced) environments.

There is a project from DARPA where they are "soliciting proposals for innovative research and development into creating a capability that can rapidly identify a range of information (Who, What, Where, and When) contained within a captured 'noisy' photo or video image taken in theater by an adversary. The proposed research and development will investigate innovative approaches to visual image understanding, adaptation of existing techniques for novel purposes, and the integration of multiple visual processing algorithms and image datasets into a single, easy-to-use software system."

Here is the Wicked Cool Video.