I’ve been waiting all of September for FedRAMP to be released and hoping they get over the last-minute hurdles to put something out into view. Our lolcats will feel much more secure now with a squishy buddy.

• Lolcats Coming to you from the Cloud
• Lolcats and QR Codes
• Shmoocon: Less Moose, More LOLCATS
• Redundant Lolcats
• Lolcats, Capital Hill, and a Haiku

My talking schedule over the next couple of months:

October 25-27: SecTor in Toronto, talking on DDoS and a turbo talk on some of my barcode stuff.

November 8-11: AppSecDC in um… DC, talking on the internal security program for a cloud vendor.

And coming to you, if you give me a call.  =)

• Where is Rybolov?
• DojoCon DDoS Video
• Metricon 5 Wrapup
• The “Off The Record” Track
• Massively Scaled Security Solutions for Massively Scaled IT

Today our IKANHAZFIZMA lolcats come to you from “Teh Cloud”.  Even though here at The Guerilla-CISO we’re far from being an enterprise solution, we’ve been living in the cloud for 6 months.  Our setup is a Cloud Server from Mosso which is owned by Rackspace.  Now with GSA’s cloud application store open for business, the government world is rushing headlong into cloud computing.

The part where I pitch for Hoff:  Chris Hoff has some awesome ideas on security and cloud computing, check out his blog and presentations.

• FedRAMP Released “Real Soon Now”, Lolcats Happy
• LOLCATS Take on MS08-67
• Lolcats and QR Codes
• Lolcats Protect the End Users
• IKANHAZFIZMA and Transparency

Post summary: We’re not ready yet culturally.

What spurred this blog post into being is this announcement from ServerVault and Apptis about a Federal Computing Cloud.  I think it’s a pretty ballsy move, and I’ll be watching to see if it works out.

Disclaimer being that at one time I managed security for something similar in a managed services world, only it was built by account with everything being a one-off.  And yeah, we didn’t start our organization the right way, so we had a ton of legacy concepts that we could never shake off, more than anything else about our commercial background and ways of doing things.

Current Theory on Cloud Computing photo by cote.

The way you make money in the managed services world is on standardization and economy-of-scale.  To us mere mortals, it means the following:

• Standardized OS builds
• Shared services where it makes sense
• Shared services as the option of choice
• Split your people’s time between clients
• Up-charge for non-standard configurations
• Refuse one-off configurations on a case-by-case basis

The last 2 were our downfall.  Always eager to please our clients, our senior leadership would agree to whatever one-offs that they felt were necessary for client relationship purposes but without regard to the increased costs and inefficiency when it came time to implement.

Now for those of you out in the non-Government world, let me bring you to the conundrum of the managed services world:  shared services only works in limited amounts.  Yes, you can manage your infrastructure better than the Government does, but they’ll still not like most of it because culturally, they expect a custom-built solution that they own.  Yes, it’s as simple as managing the client’s expectations of ownership v/s their cost savings, and I don’t think we’re over that hurdle yet.

And this is the reason: when it comes to security and cloud computing, the problem is that you’re only as technically literate as your auditors are.  If they don’t understand what the solution is and what the controls are around it, you do not have a viable solution for the public sector.

A “long time ago” (9000 years at least), I created the 2 golden rules for shared infrastructure:

• One customer cannot see another customer.
• One customer cannot affect another customer’s level of service.

And the side-rules for shared infrastructure in the public sector:

• We have a huge set of common controls that you get the documentation to.  It will have my name on it, but you don’t have to spend the money to get it done.
• It’s to my benefit to provide you with transparency in how my cloud operates because otherwise, my solution is invalidated by the auditors.
• Come to us to design a solution, it’s cheaper for you that way.  I know how to do it effectively and more cheaply because it’s my business to know the economics of my cloud.
• You have to give up control in some ways in order to get cost savings.
• There is a line beyond which you cannot change or view because of the 2 golden rules.  The only exception is that I tell you how it’s made, but you can’t see any of the data that goes into my infrastructure.
• If I let you audit my infrastructure, you’ll want to make changes, which can’t happen because of the 2 golden rules.
• I’ll be very careful where I put your data because if your mission data spills into my infrastructure, I put myself at extreme risk.

So, are ServerVault and Apptis able to win in their cloud computing venture?  Honestly, I don’t know.  I do think that when somebody finally figures out how to do cloud computing with the Federal Government, it will pay off nicely.

I think Apptis might be spreading themselves fairly thin at this point, rumor has it they were having some problems last year.  I think ServerVault is in their comfort space and didn’t have to do too much for this service offering.

I can’t help but think that there’s something missing in all of this, and that something is a partnering with the a sponsoring agency on a Line of Business.  FEA comes to mind.

• NIST Cloud Conference Recap
• Reinventing FedRAMP
• Categories of Security Controls in Outsourcing
• Database Activity Monitoring for the Government
• Security Assessments as Fraud, Waste, and Abuse