Optimising Security

September 18, 2012 – 3:25 pm

Way back at university when i was studying Aeronautical Engineering, we covered one of the fundamental concepts in aircraft design; Safety.  It was summed up in an info-graphic which has stayed with me. In recent times, as I’ve moved over into IT security and up into solution architecture, I’ve been drawing on this educational background more and more. The analogous relationship between aircraft safety and IT security is safety = security.

I’ve put together a series of diagrams to illustrate how this aircraft design concept applies to IT security.

Firstly, the base concept; a cost vs security graph. The total cost to an organization being the union of two component cost categories. One, the cost of security measures implemented. Things like technology, people, processes, loss of agility, reduction in productivity. And secondly, the indirect costs due to all the security measures that have not been implemented. The lowest point in the total-cost curve is the optimum level of security that should be implemented.

But of course, things are always changing. Technology improvements, smarter people and better processes all give you more security for your $. Also, security incidents start costing you more money(too many reasons to list here).  As a result, the total cost curve will shift up and to the right.

and things are not always as well understood as you’d like.  The cost of security measures implemented is easy, but it’s not always certain how much security you’re actually getting.  The indirect costs are even less well understood, often almost not at all.  If you get the numbers wrong, and end up over the break even line, then you’re out of business or sacked.  The safer choice is err on the side of being too secure, trading off efficiency or cost effectiveness.

The takeaway is; you need good data and to know your two types of costs as well as possible.  Qualitative data is nice for understanding the concepts, but completely useless in practice.

If you aren’t moving towards finding your optimum security level, your competition most certainly is. That break-even line isn’t fixed either. It will start coming down.

UPDATE: A common mistake i see is for organizations to underestimate their indirect costs (red line). They only factor in what they know, assuming zero contribution from the unknown indirect costs.  Look for statistical data from other organizations to make an informed guess.  Preferably including companies that have both survived and failed due to catastrophic events.  Make sure the companies are comparable; industry, size, market. Be wary of vendors as a source of this info though. They are motivated to shift your security spend as far to the right as possible. That said, vendor data can be useful for the extreme/worst case.

alternative cloud magic quadrant

August 26, 2012 – 11:47 am

A Simon Wardley blog post

Do not covet your ideas

January 10, 2012 – 9:19 am

Cloud Security Alliance V3 Guidance and CCSK

December 9, 2011 – 2:15 pm

I’ll have to watch this closely. As soon as I hear about the V3 CCSK exam, i’ll need to jump right on it.

udpate from Jim Reavis;

I am sure many of you are wondering if the new version 3 of the guidance means we will have a new version of the CCSK test and what that means to existing CCSKs or those currently studying to be CCSKs. The CSA certification board that created the initial test will be providing definitive information about the plan soon, but I wanted to let you know about some things we know for sure, so you can plan appropriately.

– We do not have an exact time frame for the new test, but likely will be the middle of next year.
– Existing CCSKs will be able to take the V3 test when available at no charge.
– Existing CCSK tokens will be valid for the V3 test.
– It is possible that we may consider having a special V3 test for existing CCSKs that cover the difference.
– You should still be studying V2.1 of the guidance to prepare for the existing test.

If you have read both V2.1 and V3, you should be aware that key principles have not changed in the new guidance, but we have greater depth. From that perspective, we want to provide interested professionals assurance that you will not be penalized in any way for obtaining your CCSK now, and the effort will help you in gaining certification on an updated test. If you have questions or input, please respond to this post so we can make sure we update the website FAQ.

out of hiatus

November 29, 2011 – 10:07 am

I’ve neglected this blog for quite a while now. Various events and machinations that affected my career used up all my headspace. Things are calming down and becoming more sensible. More headspace for interesting technical architectural topics. fun!

I’ve started working on a product and service development program at eSecure. My interests and ambitions have found some nice synergies with eSecure’s business development goals.

All through my career i’ve dabbled in IT Security. However i’ve never really considered myself a “security guy”. But after landing in a security role almost accidently, i’ve come to realise that it’s really my true calling.

It comes down to the fundamental security triad; Confidentiality, Integrity and Availability. In the past in my telco jobs, it was predominantly about Availability, Integrity a close 2nd and not far behind, Confidentiality. Now i’m dealing with all three in roughly even amounts.

Certificate of Cloud Security Knowledge (CCSK)

September 4, 2010 – 1:17 am

The issues and opportunities of cloud computing gained considerable notice in 2008 within the information security community. It was at a security practitioners’ conference, the ISSA CISO Forum in Las Vegas, November 20, 2008, where the concept of the Cloud Security Alliance was born. Following a presentation of emerging trends by Jim Reavis that included a call for action for securing cloud computing, Reavis and Nils Puhlmann outlined the initial mission and strategy of the Cloud Security Alliance. A series of organizational meetings in early December 2008 that included Reavis, Puhlmann and industry leaders such as Dave Cullinane, Philippe Courtot, Alan Boehme, Izak Mutlu, Jay Chaudhry, Christofer Hoff, Paul Kurtz and Jean Pawluk formalized the founding of the Cloud Security Alliance.

That’s the introduction on the CSA website. Says it better than if I tried to paraphrase it.  I think I first heard about the CSA via posts on Chris Hoff’s blog which I follow.

The first thing the CSA came out with was their “Security Guidance for Critical Areas of Focus in Cloud Computing” whitepaper. It takes a whole raft of well established IT security methodology and applies it to the emerging world of Cloud Computing. It’s very good reading, and excellent reference material.

The next big release was the Certificate of Cloud Security Knowledge exam. It was announced at the end of July, and the exam made available on the 1st of September.  With timezones in Australia ahead of those in the USA, it was late afternoon Sydney when the exam went live. I had a free evening and thought, why not give the test a go. You get two tries for your exam fee.

Well, I passed, which was nice. But the surprise came later when i got an email from the CSA Executive Director, Jim Reavis. It turned out that I was the first in the world to pass and also the fastest to complete the exam during its first day. That gave the ol’ ego a boost. But the voice of reason in the back of my head started to speak up, and bring me back to reality. There are a lot of good people out there. Better than me. There’s lots I still need to learn.

But I think i’ll enjoy this for a bit 🙂

Mixed feelings, but overall, things are good

April 8, 2010 – 10:06 pm

There’s been a few developments. First, the simple one, swimming. First session with the swim squad tonight. I meet the minimum requirements now. I’m not too slow to be in the slower group. Also, I’m not the slowest which is very nice to discover.  The 1-on-1 sessions with the coach have helped a great deal. Swimming is actually enjoyable now. Before i knew it, a whole hour had passed, and I’d swum 2km. It wasn’t torture. This is a new thing for me 🙂

The other development is around the problems I’ve had with running for quite a long time now.  If I run more than a couple of kms i start to get pains in my right knee and hip.  I thought it was due to neglect, insufficient stretching and massage. After switching to training with STG, and being very disciplined with stretching, i started to wonder if something else might be the problem.  I went to see a sports chiropractor in the city near work. Thank god I did. As it turns out, years of neglect before i started exercising in 2008, have resulted in my spine being in pretty poor shape. All the pain associated with running is due to my hips being rotated and tilted (left forward and down, right back and up). So i fork out the dosh, get my back sorted out, and lay off the running for a while.

Tip: strengthen your legs with lunges

Run training

April 1, 2010 – 12:27 am

Another track session this evening; 2km warm up. active stretching. then five 800m runs, with 1min rest in-between. The  goal being to keep a consistent lap time of 2:05 – 2:15.  It’s harder than it sounds.  First 400, i was close, then the 2nd 400 was too slow. The next 800 was better, almost bang on. later, as i felt the fatigue coming on, i put in a bit more effort to try to maintain the pace. However i overcooked it and did a 2min flat 400. The second last 800, the first lap was ok, but then i let the pace drop to come in at 4:30. The last 800 was good, about 4:20.

After that, to end, a ~1km cool down then proper stretching. I rugged up before i got cold. Once I got home, hot shower, then a good go with the physio-roller.  pressing out the knots in my leg muscles, particularly my quads, ITB and TFL.

My heart rate wasn’t that high during the session, ~170bpm or so. It was actually the condition of my legs that limited me.  I’ve done not nearly enough to look after them.  Proper maintenance of your muscles is SO important I’m discovering. It gets more and more important as you aim for more and more endurance. This is the stand out biggest change since starting with STG.

Trying to do too much

March 30, 2010 – 12:11 pm

I may start blogging more often now. I don’t like blogs where people blather on about stuff that isn’t interesting to the general public. So I didn’t post often. I’d think, “will anybody really care about this?” and then usually not write an entry (except for at the start when it was a new toy).

Now that I’m starting to get into Triathlon training more seriously, I thought the ups and downs of my journey might be of interest. What does a normal person go through in the attempt to train to be able to do an endurance triathlon? Yea, that could be of interest to people. So, i’ll see if i can maintain regular updates.

So, to my update. I received my training plan from the coach at STG last night.

  • Monday: Swim training in the pool. ~1 hr
  • Tuesday: Morning ride training. ~1 hr
  • Wednesday: Run training at the track. ~1 hr
  • Thursday: Morning ride training. ~1 hr. Evening swim training. ~1 hr
  • Friday: “recovery” longer run. 45mins-1hr.
  • Saturday: “brick” training, cycling then running. ~2 hrs


I did a swimming technique session last night(mon). Swam and rode the day before(Sun). Swimming technique session the day before that(Sat). I tried to get up and do the ride training session this morning, but I’ve hit my limits already. Sore upper body muscles and really tired. That and it was raining.  So, my first “failure” of sorts.

I’ve started eating more as the coach recommended. That’s helped with recovery, but as I’ve not done much swimming at all for a very long time, it’s really exhausted me. The upside is that the coach is telling me my swim technique is improving.  Amazingly my kick is perfect, which is just a fluke. My arms however need a lot of work.  The stroke correction over two lessons has reduced my 100m time by ten seconds. amazing.

So today i make sure i drink lots of water and eat right.  tonight, lots of stretching and using the physio-roller. Then hopefully i’ll be good for tomorrow night’s track running session.

Two transitions, career and sport/fitness

March 27, 2010 – 8:59 pm

Almost two months ago, I started a new job. I left Verizon Business at the end of last year. It was a good two years there, i learned a lot. Verizon do a lot of things right, but they have their faults too, mostly due to their massive size. In short, Australia is not important to Verizon. On the other hand, Australia IS important to Telstra. My new role is the first proper Unified/Network/Utility Computing and Security solution architect in Telstra Enterprise and Govt. The Hosting product portfolio was not important until now, and thus was allowed to languish. With all the recent hype around Cloud Computing and the trend back to consolidation in the datacenter, the product set is being revamped. Interesting times ahead. Lots to be fixed, but there’s a lot of effort going into it. I’m along for the ride, to see where this takes me.

The other big change is in my fitness and sport training. I’ve been with Vision Personal Training for a bit over a year now. Huge progress has been made, but in recent months it’s tapered off. I finally figured out the problem, I’ve outgrown them (plus they’ve changed to be more weight-loss oriented). I did a lot of research and spoke to friends that are triathletes. I settled on STG. I’ve got a qualified tri-coach now, and have started on a program with him. STG also provides a squad to train with, which is really good for motivation. Obsession with counting carbs, protein and fat is out. the “go hard or go home” mentality too. In with more logical and customized coaching. No more “don’t be lazy! just do it!”. Now it’s “ok, why are you tired/sore? what did you do/eat/etc?”

I’ve got some big events coming up this year and next. Kinda exciting and scary at the same time. a month ago i wouldn’t have thought i could reach those goals. now, with the new training and coaching program, i reckon i’ll do it!

note: not going to jinx myself by saying what I’m aiming for. I was planning to do the half marathon in May, the old personal trainer was pushing me hard. I was trying to keep to a training plan, but kept hitting injury obstacles. I wasn’t confident. The new coach; “forget that, you wont be ready”. Dude is hardcore, but fair, and logical, and experienced….

I’m stoked. Life is good.