Category Archives: Technology

VCPs' technical analysis of the MAS Technology Risk Management guidelines

Since the Singapore MAS released the TRM guidelines last month, I believe many people are studying them (including me). The Big Four accounting firms are usually the most active in publishing explanatory reports and articles, with the purpose of generating more business leads.

However, a group of VMware Certified Professionals are taking the lead this time. They worked together and published a MAS TRM analysis report focusing on DR and virtualization. Some of the observations are valid. The document can be found on the VMware website.

A few points I would like to share:

  • Process- and committee-oriented. No room for Agile or rapid innovation.
  • All social media sites, cloud-based storage and web-based email are classified as “unsafe internet services”. No technical fact is given to support why they are all insecure.
  • Trust no employee: sysadmins must be tracked.


Singapore MAS Tech Risk Guideline (TRM) – Incident Reporting

While attending a PwC Singapore meeting on the new MAS guidelines, I had many questions in my head about how the one-hour incident reporting requirement could be fulfilled.

The guidelines require banks operating in Singapore to report relevant incidents (security breaches and system malfunctions) to MAS within one hour of discovery.

There are a few levels of complexity. One is the application-boundary issue. The other is the SLA issue.

Most international banks' systems are located in multiple time zones. A trading system may sit in London and be centrally managed, with the Singapore application running side by side with other regions' applications. If only the Japan application is under attack, should MAS be informed, given that the affected JP application runs on the same hardware platform as the SG one? If yes, MAS becomes a central information hub for security incidents globally. Time zones add to the problem: international banks in Singapore would need to respond to global incidents and decide whether an incident happening in London should be reported to MAS, never mind doing so within one hour.

Systems no longer run as localized versions. Virtualization and cost saving have already turned the old systems into centralized, shared platforms. A clear boundary cannot easily be drawn when a component is affected.

I believe this question has already been considered by the relevant parties and MAS. One possible solution is to focus on whether the remote incident materially impacts Singapore operations. There should be some mutual understanding between the regulator and the banks on how to limit the catch-all possibility of the incident reporting requirement. I will talk about SLA later.

The traditionals fight back

In my last post, I wrote about an equity research report stating that traditional outsourcing companies are losing. However, the big giants are not retreating without a fight. This war is real and happening.

“IBM charged that the CIA improperly awarded the deal to Amazon Web Services by failing to evaluate all the pricing scenarios.” Source: http://gigaom.com/2013/06/07/gao-says-not-so-fast-on-proposed-secret-amazon-cia-cloud/

The $600 million deal is now re-opened. For sure, the earth loses a few trees as a direct consequence. But looking at the big picture, it seems the transition to cloud computing is going to be nasty! With new technology, both buyer and seller are new to the possibilities created by innovative ways of managing computing resources. However, bureaucracy kicks in: the Government Accountability Office found that the CIA failed to evaluate prices comparably under one of the solicitation's pricing scenarios, and that it had waived a requirement in the Request For Proposal only for Amazon.


Attacking the Traditionals

I was reading an equity research paper published by an investment bank this morning, trying to balance my portfolio and gain some insights. The most surprising thing I found is not related to any investment advice or market prediction. It is their statement on cloud computing.

“The traditional IT services model is under attack – Cloud based revenues to see 30% CAGR over the next 5 years.” & “Losers will be the traditional outsourcing vendors”

DB US tech

Cloud computing has been in the limelight for a few years now, and we are seeing both successes and failures in the IT industry. But a statement from equity researchers is different, especially when it says the traditional IT services model is under attack. Who and what are the “traditional”? Do they mean only the falling revenue at IBM, Dell and Microsoft?

AWS Cloud Security

Going to Vegas for the Amazon re:Invent event is one of the best ways to learn about cloud computing and cloud security. The second best, of course, is to browse the slide decks or videos of the event from your office or home. So here you go, fresh from the Internet: course 206 of the security track, “Security of the AWS Cloud”.

And don’t forget to follow up with the slide decks of “AWS Cloud Security” and “Security and Compliance”.

Enjoy !!

Browser Side Cryptography

I talked about browser-based security last week. As we have more and more cloud- or web-delivered applications, the browser plays an important role. Most (if not all) user interaction in the browser is programmed in JavaScript. With cloud computing, client-side script will play an ever more important role.

Data security and data privacy concerns about using cloud services or hosted applications (like web email) are holding people back. The Paula Broadwell incident showed that law enforcement agents have far more power and means to access an individual's data than we think. If you would like to understand the legal framework for this, there is a very good paper written by three Dutch legal researchers.

Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act


One way a user can protect their data even when it lives in the cloud is client-side encryption. Why client side? Because the data must be protected before it goes onto the Internet. This means the data is encrypted at the client and the servers only ever store ciphertext. When the user wants to use it, the servers send the encrypted data back and the client decrypts it. As most users access the Internet through a browser, the browser is the obvious place to do the encryption and decryption. However, cryptographic functions are not well developed in the JavaScript domain. There are some open-source libraries, such as Google's CryptoJS.

The W3C has a Web Cryptography Working Group that is developing a standard API for JavaScript cryptography. Below are some use cases the new Web Cryptography API is designed for:

http://dev.w3.org/2006/webapi/FileAPI/OverviewUseCases.html