I wanted to spend more than a half-day at SecTor 2010 at the Metro Toronto Convention Centre this week, but things have been hectic at IT World Canada Central in the last week in the run up to our ComputerWorld Canada IT Leadership Awards (check out our winners here), and between that and various other fires to put out, I should be grateful I got four hours in. Here are a few nuggets of wisdom I picked up in passing.
* David Mortman, who runs operations and security for C3 LLC, fell ill at the last moment. It's a credit to the vendor-neutral nature of the show that Dave Lewis of research and advisory firm Securosis LLC and Zach Lanier of consultancy Intrepidus Group jumped in to gamely deliver his presentation, “How many vulnerabilities? And other wrong questions,” unrehearsed. My favourite wrong question: What's more secure, Mac, Windows or Linux? Oracle, SQL or DB2? Internet Explorer or Firefox? (“Chrome,” deadpanned Lanier in answer to the latter.) The question should be: Which product can I best manage?
The unrehearsed nature of the presentation made it short, fresh and very interactive. Some of the pithier nuggets came from the crowd. For example, on the subject of compliance: “Compliance should be the residue of good security.”
* Speaking of the wrong questions, Government of Ontario privacy impact assessment specialist Tracy Ann Kosa's proposition that a fundamental re-think is needed about the relationship between privacy and security might have trouble getting traction. In the Q&A at the end of her keynote, one security pro wondered aloud why Google took so much heat for collecting wireless information that was unencrypted, when the responsibility for encryption rests with whoever owns the access point. Following Kosa's train of thought, the right question should be: Why was Google collecting the wireless information in the first place?
* Patrick Thomas of Qualys Inc. outlined the “blind men and the elephant” approach to identifying Web apps. Long story short, Qualys scanned Web apps online to see how many outdated versions were being used that had serious or moderate vulnerabilities. Many — I'll call it most — of the apps had figures in the 70 to 95 per cent range. The best protected? WordPress. While the creators aren't very open about vulnerabilities, they also make it supremely easy to keep the app up-to-date. “That's what drives user behaviour,” Thomas said.
* I don't know if Astaro Co. community development manager Jack Daniel claims any blood ties to the distiller of the same name, but he did bring some Virginia White Lightning with him. (He was willing to share, since he didn't like his chances of getting it back across the border.) His presentation, “Cloud definitions you've been pretending to understand,” cut some clutter out of the standard explanations of cloud terms. A few:
Cloud: A model for enabling on-demand computing from a pool of resources. The five essential characteristics are: on-demand self-service; broad network accessibility; resource pooling; rapid elasticity; and measured service. (The alternate definition, frequently used in the mainstream press, according to Daniel, is: Anything on the Internet.)
Software as a service: Using a provider's applications on its cloud infrastructure.
Platform as a service: The capability to deploy user-created or acquired applications using tools supported by the service provider.
Infrastructure as a service: Provision of resources so the user can deploy and run arbitrary software, including operating systems and applications.
Private cloud: “The best way to start an argument.”
Daniel also kicked off his own Q&A session.
Q: Is the cloud good for disaster recovery?
A: Absolutely. I always keep a copy of my resume on Google Docs.
(Daniel was, for this show, not accompanied by the sock puppets he's legendary for using as a speaker.)