Rethink Desktop

Think desktop as a combination of device, OS, Apps and Profile. Users should be able to access to their desktop from anywhere. IT should include user profile, apps, desktop OS. Have one single image to manage – single image of apps & desktop, identity management, data and user experience. However, one size does not fit all.

For this first, we need to understand the user and their desired experience; not the desktop and its performance. There are different types of workers – office, guest, remote, mobile, etc.

Server-hosted desktop is some that can be considered. Its already available. The one that’s coming up is VDI (virtual desktop implementation). We can virtualize any desktop we want and make it available without purchasing any hardware. This is an opportunity to reduce management nightmare with single instance management.

The real savings with desktop virtualization, is how we manage our environment rather than on the hardware itself.

So how do we prepare for Windows 7? An opportunity to get out of PC refresh cycle. If you already have a PC, stream to it. When you think its appropriate time to move certain application to virtualized ones, then move it slowly until you could completely have a thin client at the desktop.

How about mobile workers and their need for handheld and offline access? We need to manage an environment where corporate and personal desktop co-exist. VMs helps you do that using its security controls. Everything managed from a single place which should also help accessing the environment from a non-managed PC. Hypervisor and XenClient should help in this regard.

While all these are designed, don’t forget end user experience and end-to-end delivery. User expectations are high and we need to meet them – media, collaboration, etc. Have mininmal footprint at the end user and have everything at the data center. DirectTV is a good example of that architecture.

These are some notes from a presentation by Sumit Dhawan of Citrix System.

Security Professionals With Development Background – A Rare Breed

Ramon Krikken, one of the analysts at Burton Group, while presenting on Security Program made a comment that Security Professionals with software development background is a rare breed. Not many are there who understand the SDLC in the security program.

Most of the time, you will see individuals with network engineering, auditing or management background in the security program. This is true according to Steve Katz, world’s first CISO, in his blogs – Choosing the Right Staff.

I, from my experience, can definitely relate to the same. There are times when I spend more time explaining the SDLC part of security to my peers. Some of them don’t even consider application security as a domain in the security program.

For now, I am proud to be part of the rare breed!

Security in Cloud Computing

Cloud computing creates significant security risks. Large enterprise need to be cautious about putting sensitive information into cloud computing. We need to understand who is in control of the data once it is put out in to the cloud. IDC survey suggests 74% of security issues are significant. Who is going to pay for the DoS attacks. There is a lack of transparency and accountability about security among cloud vendors which lowers trust in them.

We need to be cautious about PII and privacy regulations especially that of Canada before subscribing to cloud services. Due to other consumers using the same cloud, there could be violation of contractual agreement. Salesforce.com is not accountable for security and Amazon web services does not have SAS 70 Type 2 certification. We need to consider the outrageous terms of use of such companies before signing up. There are many incidents that involve current cloud computing environment.

Instead of comparing of current policy and standards against cloud computing, we need to measure security in terms of realistic target. Once done correctly, it could help in the long run. However, no-SLA (like that of SalesForce.com) does not help. Private clouds can support secure collaboration wit external partners. PaaS offering may help to include proactive security into SDLC.

Instead of transferring the risks, try to improve the controls and governance for cloud. We may need to rethink our existing Risk Management processes that is suitable for cloud computing. We may require third party investigators to investigate any incidents between consumer and provider.

Since activities and data move to open and untrusted networks, we may need to rethink our existing security technologies. Key technologies include data center consolidation, server and storage virtualization, application rationalization and web based computing such as SOA.

Key enablers are enterprise key management, identity and policy services, strong authentication and federated identity.

Understand your gaps, where applicable obtain risk acceptance from business unit leaders and put security “hook” into appropriate processes so that it is under the radar of the business. Take small steps into the public cloud with low risk applications. Its better to build internal clouds so that data is in control within the business. Demand the vendor for more transparency and define better audit assessment criteria. Choose vendors who support industry standards rather than using their own cooked ones.

The topic was presented by Dan Blum of Security Risk Management at Burton Group. He recommends reading artifacts of Cloud Security Alliance.