Author: Tim Hastings

  • Multi-factor Authentication and the Cloud


    High-profile security breaches of cloud-based applications like GMail and Google Apps remind us that when people and companies store all their information “out there”, security measures are of critical importance.

    In most cases the security breaches are “front door” attacks where a hacker has exploited a weak password or the password recovery process. “Security breach” has many connotations: insecure applications, unpatched servers, back-doors or inside jobs. But where a hacker exploits a weak password or a user’s use of a favourite password across multiple sites, who is to blame? Perhaps the only failing in such circumstances is that the application allowed a weak password, or rather that it used single-factor authentication.


    The strength of an authentication mechanism can be judged on how many things it depends on. These factors can be grouped into:

    • Things a user knows… username, email address, PIN and password.
    • Things a user possesses… inbox, credit card, mobile phone, security token.
    • Things only a user has… fingerprints, voice, retina, face.

    The number of groups involved in an authentication mechanism gives us the number of factors required to authenticate. For example, a passport relies on two factors: possession of the passport and that the person holding the passport looks like the photograph in it (except a little older and fatter).

    The all too familiar combination of username and password is a single-factor authentication mechanism. It relies on only one group of things; things that a user knows. If I know your username and password, this is all I would need to authenticate myself as you. Banks and some other companies often use additional fields for authentication like PIN or address. Whilst these do make it more difficult to authenticate, this is still single-factor authentication.

    Password Recovery

    Most online services provide some form of self-service password reset or recovery function. The behavior we have come to expect is that a temporary password gets emailed to our inbox, or an email is sent that contains a link to a web page where we can enter a new password. Some low-security systems will email your actual password in clear text! In all cases, this makes the inbox central to accessing all our online identities. Own the inbox, and you most likely own all the accounts linked to it.

    In the case of the Twitter attack in July 2009, the attacker’s main point of entry was the password recovery process. Once the GMail account was compromised, other services could be targeted. The other exploit relied on the user’s habit of reusing passwords across other sites.

    Market Leaders

    Two of the heavyweight cloud players have multi-factor authentication offerings. Amazon EC2 supports multi-factor authentication using time-based security-token key-fobs supplied by Gemalto.

    Security tokens use mathematical functions to create a difficult-to-predict sequence of numbers, each valid for a time period, usually 60 seconds. The sequence of numbers is known only to the security provider and is programmed into a key-fob issued to the user. As each number lasts only for a short period and the next number can be computed only with the secret, you must be in possession of the key-fob and know the username and password to authenticate.
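    The time-based token described above, as an added example that is not Gemalto’s or Amazon’s code: it follows the open HOTP/TOTP standards (RFC 4226 and RFC 6238), where the function is public and the only secret is the key shared between the provider and the fob. The key, the 60-second window and the one-step drift allowance are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the one value that must stay private, shared only
# between the provider and the key-fob. It is the RFC 4226/6238 test key, so
# the codes can be checked against the published vectors.
SECRET = b"12345678901234567890"
PERIOD = 60   # seconds each code stays valid, as the post describes
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the counter, dynamically truncated to a decimal code (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = PERIOD) -> str:
    """Time-based code: the counter is the number of whole periods since the Unix epoch (RFC 6238)."""
    return hotp(secret, at // period)


def verify(secret: bytes, submitted: str, at: int, period: int = PERIOD, skew: int = 1) -> bool:
    """Provider side: accept the current step plus/minus `skew` steps to tolerate clock drift.

    The comparison is constant-time so response timing leaks nothing about the expected code.
    """
    current = at // period
    for step in range(-skew, skew + 1):
        counter = current + step
        if counter < 0:          # no step exists before the epoch
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print(f"code for this {PERIOD}s window: {code}, accepted now: {verify(SECRET, code, now)}")
    print(f"same code {3 * PERIOD}s later: {verify(SECRET, code, now + 3 * PERIOD)}")
```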

    To add additional security to Google Apps, they have a solutions marketplace with a dedicated category for identity management add-ons. Solutions available include LDAP integration and security tokens.

    Many banks and other financial service organizations are also starting to add additional layers of security to their Internet banking services. The most common method is the time-based security token.

    If you and your organization are planning to move parts of your IT into the cloud, or have already done so, please consider the risks of single-factor authentication mechanisms. Remember that people are the weakest link. How will you ensure that your staff are using different passwords across all the different services and that those passwords are changed frequently?

    Image source: plenty.r.



  • Oracle’s Private ‘Cloud’ Not a Cloud says Vogels

    Oracle Cloud Computing Event, London

    At London’s Royal Opera House yesterday Oracle presented their perspective and strategy on cloud computing along with two industry experts, Amazon’s CTO, Werner Vogels and Gartner’s VP of research, Phil Dawson.

    The consensus was that the industry is heading towards a mix of public and private clouds. Although by Werner Vogels’ definition, private clouds are not true clouds. True clouds, he argues, allow you to think about resources in an unconstrained manner. Elasticity and pay-as-you-go pricing are central to Vogels’ definition. When resources are switched off, you stop paying. If privately owned, a cloud would have fixed capacity (no elasticity) and would always have fixed operation costs – regardless of utilization.


    Gartner’s definition of cloud computing has evolved between 2008 and late 2009 to include elasticity as a characteristic, and now includes this differentiation between public and private cloud computing:

    Public cloud computing [is] a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service to external customers using Internet technologies. Private cloud computing is defined as a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service to internal customers using Internet technologies.

    Private-Cloud-In-a-Box

    Oracle used concept videos showing Cloud Administrator consoles integrated into Enterprise Manager as a way to demonstrate their vision and strategy in the private cloud. But the company did not disclose any detailed plans for the future to avoid setting timescale and feature expectations. With that said, they did hint that they expected it would take them 3 quarters to get the integration work done.



  • Beyond the Call Center – Crowdsourced Customer Support in the Cloud


    Customer Service operations have undergone some heavy changes in the last few years. To save money, many call centers have been moved offshore and self-service Websites allow users to tackle mundane tasks like ordering, paying bills and checking statements.

    CrowdEngineering believe that the Social Web is bringing a new wave of disruption to the way customers get help. Their CrowdForce platform is already helping telecommunications companies to crowdsource assistance from distributed online communities and is delivering real value. In one year they raised 100k community members, managed over 500k support requests and reduced support costs by $3M.


    Customers Looking for Help

    When people experience problems, they will often turn to Google, their friends or online communities to look for solutions. This is a great opportunity for companies to reach out, connect with their customers and proactively solve their problems in these online places.

    Forums and services like GetSatisfaction are established tools for customer support. What’s different about the CrowdEngineering approach is that it invites community members and existing customers to support other customers for rewards, and its technology facilitates support across many different sites and services like Facebook, Twitter, MSN, Skype, SMS and email, as well as integration into a company’s backend business processes.

    CrowdEngineering Framework

    Community members are rewarded for their participation with points. Like most of these models, points can be exchanged for things that the users value such as service discounts and accessories. Many teenagers, for example, are very happy to exchange their time and expertise for call credit, ring tones, or mobile phone accessories.

    The CrowdForce platform uses a skills database and skills-based routing to match requests with community members when their online presence is detected at their preferred website. If a contributor decides they can help, they accept the request and are rewarded once it is complete. If tasks are accepted but never completed, they time out and are reallocated. If requests go unanswered for too long, they can be escalated to higher-skilled specialists or even contractors to ensure that responses are delivered within service level agreements.

    With a clever arsenal of Website widgets and applications, integration work can be kept to a minimum. Behind the scenes, a toolbox of business processes can be tailored to integrate with backend systems for monitoring and reporting.

    Crowd Effects

    Filtering requests collected from multiple sources allows CrowdForce to spot duplicates. Sudden avalanches of tweets or messages reporting that “XYZ is down” are all too common and can often be the first sign of a pandemic problem.

    It can be handy to have an army of loyal customers easily contactable and willing to assist. There are many scenarios where they can help: beta testing, monitoring quality of service or referral programs and product promotion.

    Triangle of Happiness

    According to CEO Gioacchino La Vecchia, by harnessing online communities to support customers, companies are realizing a “triangle of happiness”:

    • Happy customers who like to be engaged online where they are discussing their problems.
    • Happy contributors who like the rewards they receive in exchange for assistance given.
    • And happy companies who are reducing support costs and delighting their customers.

    CrowdEngineering was founded in 2008 with seed funding and targeted trials in the telecommunications industry in 2009. The CrowdForce platform has recently come out of stealth mode and has also been applied to the banking and manufacturing sectors.



  • Amazon Simple Storage Service – Not So Simple Anymore

    Today Amazon Web Services announced the availability of a new feature of their Simple Storage Service (S3).

    Object Versioning now joins the ever growing list of features supported by S3. This proves once again that Amazon Web Services are listening to their customers and putting plenty of distance between them and their competition.


    They Grow Up So Fast

    In March 2006 Amazon publicly launched S3, the first of their web services. In doing so, they also unveiled their new Web Services division of their business.

    The service will soon celebrate its 4th birthday; to date, Amazon S3 holds over 102 billion objects and at peak times, handles over 100,000 requests/second. That is approximately 17 objects for each person on the planet! By anyone’s standard, the service is successful.

    Amazon S3 provides storage buckets that allow users to PUT files in and then GET them back later. Simple right?

    Taking things beyond the simple GET and PUT might have a lot to do with S3’s success. Amazon has added many features making S3 suitable for many different use cases.

    Pick and Mix Features

    The different S3 features can be switched on and off for individual buckets allowing users to pick different features depending on what they want to do.

    For example:

    Backups – buckets can be private and because they are securely hosted by Amazon far away in the cloud, they are an ideal “other place” to store a copy of important files.

    File Sharing – access controls can be used to white-list other users to have access to your buckets.

    Content Distribution – buckets can be made publicly available via HTTP. This makes it perfect for websites to offload the serving of static content such as images. The CloudFront feature takes this one step further and makes your content available to users via their nearest Amazon Internet presence, so a user in Japan or Europe would not have to download your content from servers in the USA.

    Versioning (today’s announced feature) provides primitive version control of objects. When an existing file is uploaded to S3 again, a new revision is created instead of overwriting the original. If you have ever accidentally deleted your backups you will appreciate the benefits of this feature! This simplifies the use of S3 for backups where you want to avoid overwriting a good backup with a corrupt one.
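    The backup protection described above, as an added model of a versioned versus an unversioned bucket; this is constructed for illustration and is neither Amazon’s code nor the S3 API. It assumes the behaviour a versioned object store gives you: every upload of an existing key adds a revision, and a plain delete hides the object behind a delete marker rather than destroying the history.

```python
import itertools
from typing import Dict, List, Optional, Tuple


class Bucket:
    """Constructed model of a bucket with versioning switched on or off (not the real S3 API)."""

    def __init__(self, versioning: bool = False) -> None:
        self.versioning = versioning
        # key -> list of (version_id, body); body None marks a delete marker
        self._history: Dict[str, List[Tuple[str, Optional[bytes]]]] = {}
        self._ids = itertools.count(1)

    def put(self, key: str, body: bytes) -> str:
        version_id = f"v{next(self._ids)}"
        if self.versioning:
            self._history.setdefault(key, []).append((version_id, body))  # keep every revision
        else:
            self._history[key] = [(version_id, body)]                      # overwrite in place
        return version_id

    def delete(self, key: str) -> None:
        if self.versioning:
            # A versioned bucket does not destroy data on a plain delete: it stacks
            # a delete marker on top of the history, so older revisions stay reachable.
            self._history.setdefault(key, []).append((f"v{next(self._ids)}", None))
        else:
            self._history.pop(key, None)

    def get(self, key: str, version_id: Optional[str] = None) -> Optional[bytes]:
        history = self._history.get(key, [])
        if version_id is None:
            return history[-1][1] if history else None  # current view; None under a delete marker
        return next((body for vid, body in history if vid == version_id), None)

    def versions(self, key: str) -> List[str]:
        return [vid for vid, _ in self._history.get(key, [])]


def backup_scenario(versioning: bool) -> Optional[bytes]:
    """A good backup is overwritten by a corrupt one, then deleted. Can the good copy be recovered?"""
    bucket = Bucket(versioning)
    good = bucket.put("backup.tar", b"good backup")
    bucket.put("backup.tar", b"corrupt backup")
    bucket.delete("backup.tar")
    assert bucket.get("backup.tar") is None   # the current view is gone either way
    return bucket.get("backup.tar", good)     # the older revision survives only with versioning
```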

    Many cloud storage companies support versioning (like DropBox and GitHub) and S3’s support should not be seen as a threat. It’s a required part of a mature storage offering, so it makes a lot of sense that S3 should support this too. Not in a “me too” kind of way, it genuinely plugs a gap in the Amazon Web Services storage offering and will undoubtedly be very useful for its users.

    Is It Time to Drop the “Simple”?

    Unlike the beta label that some web services wear with pride, the “Simple” in S3 is telling of its humble beginnings. The simple days of just GET/PUT are definitely gone. Given the fun packed feature list, it must be time to drop the ‘simple.’ Or should S3 be re-branded altogether?

    Let’s crowdsource some suggestions:

    • Amazon Fully-Featured Storage Service (F2S2)
    • Amazon Storage Service Now All Grown Up (S2NAGU)

    Can you think of any better ones?



  • Oracle Buys VirtualBox; Battle for Virtualization Market Heats Up


    On Jan. 27 Oracle announced it had finalized its acquisition of Sun. In doing so it adds a number of open source darlings to its portfolio, MySQL, Java and VirtualBox to mention just a few.

    Now that Oracle has acquired VirtualBox, what does this mean for the virtualization market?


    No time has been wasted in rebranding the Sun websites and products that now come under the Oracle umbrella.

    Most notably, the MySQL website totally separates MySQL’s commercial arm from the community site. And unsurprisingly, the Sun website redirects entirely to Oracle’s home page.

    The reworking of the VirtualBox logo to include the Oracle brand is much more subtle and unobtrusive. This may be telling of Oracle’s future plans for VirtualBox. Unlike many of Sun’s products (ahem, MySQL), VirtualBox clearly stands out as a foothold into a new market for Oracle, the same as Sun’s hardware division.

    Oracle’s move into the virtualization market will undoubtedly stir things up. We can expect VirtualBox to be driven hard to assert Oracle’s new position in this maturing marketplace.

    For sure, Oracle will certainly be a more aggressive competitor than Sun.



  • Send Help: Disaster Response From The Cloud


    Relief agencies, companies and volunteers came together and built a global network of systems and people to coordinate emergency aid operations for the Haiti earthquake victims.

    This piecing together of a jigsaw of different organizations and technologies with one common goal serves as a testament to what is possible using cloud computing and may serve as a template for disaster relief operations in the future.


    SMS and Radio

    Whilst SMS is low tech in comparison to mobile services like 3G and Wi-Fi, its simplicity is its success. Repairing or erecting temporary cell towers is a far more efficient way to reach people than fixing wire-line infrastructure. As SMS is a basic feature supported by all handsets, it is widespread and popular in Haiti.

    A short-code weather service (4636) was commandeered and set up on the Digicel and Comcel networks to serve as a gateway for anyone who could access a mobile phone. Josh Nesbit, co-founder of FrontlineSMS:Medic, humbly describes his involvement as a “co-coordinator” who put together the SMS team by getting lots of different volunteers and organizations talking together. The work was done by people like Jean-Marc Castera, a Haitian network engineer for Digicel, and Nicolás di Tada from InSTEDD, who went station to station and made sure the message got out and was clear. The service was publicized via local radio stations and word of mouth.

    The earthquake hit on Jan. 12, and the first emergency messages from Haitians were being received four days later on Jan. 16.

    Translation and Classification

    Messages received were forwarded on to a crowdsourced team powered by CrowdFlower and SamaSource, who would translate the messages into English and then classify them. Other information such as addresses, mobile numbers and map coordinates was derived from the cell locations.

    Mission 4636

    Once classified, messages and the accompanying information were forwarded on to a number of different agencies like the International Committee of the Red Cross and the United States Coast Guard.

    Messages relating to lost or found people would be forwarded to people finder services. Mobile phone numbers were added to a distribution list to receive information bulletins via the Thomson Reuters Foundation AlertNet and InSTEDD.

    The Big Picture

    An open source piece of software called Ushahidi was re-purposed by volunteers wanting to assist from afar. They created a Web portal to visualize and collate this information for relief agencies and the public.


    Ushahidi, which means ‘testimony’ in Swahili, was originally developed to map reports of post-election violence in Kenya. Its ability to graphically display maps and “hotspots” was ideally suited for visualizing areas where relief was most needed.

    The Future?

    The earthquake disaster in Haiti happened less than a month ago, and the emergency support service built has already served over 26,000 messages and played a vital role in coordinating the relief effort. You can imagine what an impact this service has on the people who need it most when you consider one such message:

    “We need water, food and medications. We are about 950 people. Thank you Abner”

    The world may just have had its first glimpse of a truly global disaster management system. We should marvel at the scale of the problem it tackled and how quickly it was developed. The use of cloud services like the crowdsourcing platforms and their APIs demonstrates how quickly cloud services can be used to integrate traditional agencies like the Red Cross.

    Given the frequency of natural disasters and the uncertainty around climate change, the world has an opportunity to roll out a global 911 service that could benefit us all.

    Image credit: visualpanic. Mission 4636 diagram kindly supplied by Josh Nesbit.