Bruce Schneier
Schneier on Security

A blog covering security and security technology.


May 22, 2009

Schneier and Ranum on Face-Off Video

Marcus Ranum and I did two video versions of our Face-Off column: one on cloud computing, and the other on who should be in charge of cyber-security.

Posted on May 22, 2009 at 2:33 PM

Comments

FWIW, Gmail supports POP/IMAP. Pretty easy to get all your email out.

Posted by: Anne van Kesteren at May 22, 2009 6:15 PM


Interesting discussion. (However, I would recommend changing how you're seated, since it's a bit awkward for you to both be making no eye contact with each other when you're conversing.)

Posted by: Rex at May 22, 2009 8:04 PM


And Ranum's credibility is from what? He coded a firewall and has an ego.

'has been'.

Posted by: Maxwell Smart at May 23, 2009 1:18 AM


Cloud computing is just a buzzphrase for outsourcing virtual machine support and sharing computing resources. Nothing new here.

As pointed out, you have to trust the provider... otherwise you have to choose to stay in house.

This points us to the never-ending cycle of where the best skills lie. Should we expect that our in-house staff are incompetent and that the larger organisations have all the best skills to provide us secure and robust environments? Who should we trust the most?

I'd suggest that it depends on the economic cycle. In times of boom, the larger organisations will attract the best skills by paying higher; however, as demand increases for more workers, they are forced to recruit anyone with a heartbeat. In times of bust, the skills will recede back to the smaller organisations.

By staying flexible and portable you can deal with both cases. I don't buy into the fear that Amazon or whoever is going to hold your data hostage. As part of your business continuity management, it should be determined how access to your data (backups, etc.) will be obtained in the event that you need to build out your infrastructure in-house or elsewhere.

So just like your internal IT staff, you should trust these providers to do their jobs. You should also have controls in place for mitigation so that your business can continue in any reasonably possible scenario and you can recover lost revenue and reputation funds if they f* up.

Posted by: supachupa at May 23, 2009 1:35 AM


Is there a text/html version somewhere I can send off as a link or quote from in an email (with attribution, of course)? This video said all the things I've said at $DAYJOB in a certain internal discussion, but it also has more things and they're said more pithily :-)

Posted by: Sitaram Chamarty at May 23, 2009 1:57 AM


Hey, isn't Marcus Ranum that guy from the Terminator Salvation movie? Don't trust him Bruce! I think he might be a cyborg!

Posted by: John Connor at May 23, 2009 6:28 AM


I used to work for Marcus. He's definitely not a moron. In fact, these two discussions are only nominally "head-to-head". Sounds like Mr. Schneider and Mr. Ranum are actually in agreement on key points.

Posted by: Jim Goltz at May 23, 2009 12:23 PM


And I misspelled Mr. Schneier's name. So sorry.

Posted by: Jim Goltz again at May 23, 2009 12:27 PM


Government security and government budgets are the same problem. Oops, we screwed up; this means you have to give up more money. Yes, we do reward failure. I agree with Ranum: we need to change the reward in order to change the outcome.

Posted by: Ranum Fan at May 25, 2009 10:51 PM


Great clip but not a faceoff. Two people arguing the same side. Under-mentions the frequency of in-house fail.

Posted by: gregg dourgarian at May 26, 2009 10:39 AM


@gregg dourgarian "Under-mentions the frequency of in-house fail."

So how much worse when you transfer your critical data to someone else's house?

The problems we've seen in applying security to the cloud are partly that everyone's been saying it's new! WOW! and we're like, how? In what way? So, like, we're a little confused.

Our biggest tactical problem has been to establish a system boundary and data flows. Most cloud vendors (at least to non-Gov't people and orgs) only promise to present your data when asked. They don't commit to a specific set of physical hardware, data instances, and geographic locations.

Unless things have changed and I didn't get a memo, these are elements necessary to complete a risk assessment and plan for security and contingencies.

Posted by: BF Skinner at May 27, 2009 6:28 AM


@BF Skinner
Here's the memo: it's safer to fly from Minneapolis to LAX than to drive there yourself.

The airline doesn't commit to physical hardware or specific pilots or route. We don't get a complete risk assessment or plan for security and contingencies.

We just know you're more likely to crash falling asleep through Omaha than anything the airline might encounter.

To be fair it seems your post addresses a much higher level problem than mine which is about what most organizations and in particular SMEs face.

The 'faceoff' didn't address the elephant in the room, self-host fail.

Posted by: gregg dourgarian at May 27, 2009 8:30 AM


@ gregg dourgarian

Oh, THAT memo. Sure, THAT memo I got. I mean, who DIDN'T get that memo? I stopped driving through Omaha for that reason... Oh heck, I stopped driving through Oklahoma.
No loss. GREAT risk reduction.

Must have been a meeting I missed.

The case (my case, as you acknowledge) is slightly different in that the risk is borne individually by passengers and collectively by airline agents, insurance agents and government regulators. A single breach of data is of lower impact to an individual than to its host organization/providers.

The provisioning of the services to individuals/small orgs may not have been explicitly defined, but both Bruce and Ranum did start talking to it when he said that if you give a company your data, they OWN your data. Leave a cloud contract and who keeps a copy of your data?

This all needs diagramming! Where's my white board! Why doesn't UML let me describe these abstraction differences. ARrrggh

Posted by: BF Skinner at May 27, 2009 5:34 PM

