The Smile-IT Blog » October 2013

Monthly Archives: October 2013

Challenging Security

Security standards, guidelines, recommendations and audit instructions seem to sprout from nowhere, just like weeds, wherever you’d need them the least. And – to share the bad news first: There’s no way out, no way to avoid any newly created standard – at least not as soon as anybody in the field has decided to adopt it. You’ll be second best instantly.


“The nice thing about standards is that you have so many to choose from”

says Andrew Tanenbaum.


I dived into security standards recently and got pretty bugged by the standards to choose from, hence, started to note things down in a structured manner and – well — dumped it here to re-find it (and to get your thoughts on it, to be honest … )


Some slight differences to know

There are (security) standards, (security) reporting standards and (security) attestation standards.

ISO 27001 – often quoted as a “data center security standard” – is actually a process and control definition for information security matters in organizations dealing with information in the broadest possible sense. It is also described as a “specification for an ISMS” (Information Security Management System). Actually, it is the only real standard dealing with information security as such.

SOC (“Service Organization Control”) – for example – is a reporting standard specifying how an organization or a certified public accountant (CPA) issues reports according to other common (security control) standards such as SSAE16 or AT Section 101.

Having said that, it is further important to understand that – for example – SAS70 (deprecated) or its replacement SSAE16 describe a standard for attesting controls at service organizations. In other words, these standards set the guidance for assessing (a set of) controls which serve the purpose of an organization adhering to (security – but not only security) regulations, both financially and technically.

Finally: By ensuring compliance with the respective standard as well as reporting on that compliance, the organization at the same time proves (to itself as well as to customers) that it adheres to the standard, hence has and keeps a respective level of security and (technical or financial) compliance.

It is a matter of fact – unfortunately, if I may say – that ensuring compliance as well as reporting on it follows myriads of guidelines and policies, and Cloud/SaaS providers will most probably need a bunch of analgesics to get rid of their headaches again.

I’ll provide an analgesics starter package in the next few lines:


Attestation Standards

SSAE16 – Statement on Standards for Attestation Engagements No. 16

  • replaces SAS70
  • is issued by the American Institute of Certified Public Accountants (AICPA)
  • has an international equivalent – the International Standard on Assurance Engagements – ISAE 3402
  • is a framework
  • requires service organizations to provide a description of their system to control financial transactions
  • plus(!) a written assertion by management of the organization (which is a significant add-on compared to the former SAS70)

A good summary of SSAE16 can be found here. An overview of ISAE 3402 is provided here.

AT Section 101

To put it very simply, AT Section 101 adds guidance for service organizations outside the area of financial controls. Having said that, AT Section 101 actually creates value for customers when assessing their chosen service organization’s capability and compliance in the areas of

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

The SSAE16 resource guide provides a comprehensible explanation of AT Section 101 here.

Trust Services Principles – in addition to AT Section 101 – describe the above principles in more detail. Comprehensible one-liners on these principles can be found here.

No question, there’s more. I wouldn’t have talked of “myriads” otherwise; however, let’s keep it to those most commonly talked about at the moment (please do drop a comment if you feel I’m missing one in this respect).


The Cloud Security Alliance Cloud Control Matrix (CSA CCM) provides an addition to the aforementioned, relating to information security tailored to the cloud industry. It is becoming increasingly common to add an attestation according to this standard to SOC 2 reports (see e.g. the Windows Azure Trust Center).

More on the CCM can be found here.


Reporting Standards

Let’s KISS – keep it simple and stupid: What has recently evolved to be THE reporting standard is the (set of) Service Organization Control reports – or SOC reports. Their intention is to guide service organizations as well as certified public accountants (CPA) through how to compliantly report on a given standard.

SOC 1

  • is used to issue reports in accordance with SSAE16
  • can lead to SSAE16 Type 1 reports (reporting on the service organization’s control system itself)
  • or SSAE16 Type 2 reports (reporting on management’s description of the service organization’s control system)

It has – according to SOC1 Reports and SSAE16 (at the webpages) – become common understanding not to speak of a SOC 1 report but rather of an SSAE16 Type 1 or SSAE16 Type 2 report.

BUT: SSAE16 Type 1 and/or Type 2 is simply not enough … because:

SOC 2

  • is the standard to report on controls relevant to security, availability, processing integrity, confidentiality or privacy.
  • is conducted in accordance with AT Section 101
  • hence extends reporting on an organization’s control system from financial controls to those on the Trust Service Principles (see above).
  • can be issued as a Type 1 or Type 2 report in the same way as SOC 1

Fair to say, therefore, that an organization NOT issuing and providing a report according to SOC 2 may not be claimed compliant with the security constraints necessary for Cloud/SaaS provisioning.

SOC 3

is an addition to SOC 2 in accordance with the Trust Service Principles (see above). The scope of any SOC 3 based assurance engagement is essentially defined by the 5 Trust Service Principles (Security, Availability, Processing Integrity, Confidentiality and Privacy) as stated further above.

SOC 3 in essence comes into play when neither SOC 1 nor SOC 2 nor additional security standards such as payment card regulations (PCI DSS) or HIPAA Privacy Regulations or the like are considered appropriate.


Finally: SarbOx

And why all that?

In 2002 – after facing a significantly serious loss of trust in service organizations out of well-known bankruptcies and control system breakdowns – the US Congress passed the Sarbanes-Oxley Act into law.

SarbOx – aka SOX, SOA (what an unfortunate abbreviation!) or simply “the Act” – requires management’s certification of their financial results as well as management’s assertion on the effectiveness of an organization’s control system. That said, it somehow forms the basis for all standards that evolved in the respective area. If interested in that even more boring (yet important!) aspect of security, check out this ->


So, truth is: There’s no way out

Having only walked through the high-level definitions of the mentioned standards, and at the same time having understood the importance that analysts – and customers respectively – place on service organizations successfully asserting their internal control system, I reckon that there’s quite a way to go if you intend to become a trusted Cloud provider. So, actually, there’s good news only for those who’ve already started paving their security path …



Tomorrow’s skills: Teachers, watch out!

IDC published a study: “Skills Requirements for Tomorrow’s Best Jobs”.

I discovered it – gratefully – through @leitenmu and a Microsoft link:


About 15 years ago, when it also became part of my job to select new hires from applicants and lead them towards becoming valuable, team-oriented, fun-loving contributors to projects and tasks, I had to painfully admit that most of what universities and high schools had trained those applicants in wasn’t precisely what we sought to add to our teams.

Those who were the quickest to learn and adopt eventually had the greatest success in their ongoing careers (and were the greatest fun to work with).

Now, what IDC predicts in their study is an increased need for what they call CIP skills – communication, integration and presentation. That’s not that different from what I already had the honour to experience a decade ago. As an appetizer to the whole, just have a look at this figure:


Figure: Top Skills for all U.S. occupations


But while the whole study presents a highly interesting, thought-provoking outlook on what teaching institutions today need to focus on in order to provide the skills needed for tomorrow, I’d like to seriously ask: How can a school system stuck within 30-or-more-year-old paradigms ever gain even the faintest ability to teach what their students will need for their jobs?



Internet behavioural education

Facebook: 1.26 billion users; Twitter: 500 million

Gmail: 425 million users (but Google+ only 343 – interesting, actually) and 400 million

WhatsApp: 300 million

LinkedIn: 238 million

Skydrive: 250 million

Shazam: 350, Spotify: 24, eBay: 120, Instagram: 150, Flickr: 87, Netflix: 38 million

Even PayPal (the payment platform – note: it’s about money!) has 132 million users.


And then there’s this guy – a German “Spiegel” journalist – doing a self-experiment by asking a group of hackers to inject malicious software into his devices (the full – German – article is here); and within 5 days his privacy is revealed and shared with millions, he’s outed as gay on Facebook, has a status posted that he’d resigned from his job, … …

… proving – by that experiment – that millions of billions of Internet users are actually idiots.


How can millions of billions still dare to use those services when it’s so ludicrously simple to disclose their privacy? Obviously the vast majority of those users still move safely around the net without fear. Why?

Maybe because they neither reuse nor share their passwords, keep their PINs secret, and make use of elevated security measures (like security questions, alternate email addresses, privacy settings). Maybe they also don’t click suspicious links in suspicious emails.


Folks – here’s a secret: Malicious software has to find its way into your devices first in order to successfully unfold its maliciousness!

I’m rather asking: How can an obviously small number of uneducated Internet users raise fear within the majority and thereby help such articles gain attention?

Maybe we could push Internet behavioural education in our schools? I reckon this might help more than slightly unrealistic self-experiments …


(Figures above sourced from


Is it self-serviced? Is it APIed?

With VMware and Microsoft now really entering the Private (and Hybrid) Cloud market, we’ll see an increased drive towards software-controlled DCs and IT-as-a-Service. No surprise, hence, that many legacy DC providers and outsourcers seek their place on that battlefield with their offerings too.

Their way of doing so is to embrace this new technology “Cloud”, which is brought onto a more comprehensive, digestible level with vCloud, SystemCenter and the like. The next steps seen from those on that path are normally, e.g.:

  • Establish partnerships with those vendors – mainly to get their urgently needed discounts
  • Create a reference architecture which looks surprisingly similar to the diagrams provided by the above vendors
  • Re-organize their network, storage and server teams to jointly create the new data center
  • Create a GTM strategy which uses “Cloud” at least once on every slide

Figure: Private Cloud Reference Architecture according to Microsoft

Now, what’s their offering?

Ultimately it is a virtualized datacenter infrastructure, supported by the resource pooling models that the mentioned technologies provide. Who’s using this new datacenter infrastructure? The provider himself. Essentially, this is not a wrong approach – by no means; but! – it is not a full approach.

Let’s simply mirror this against the essential characteristics of cloud computing *):

  • broad network access: “broad” is not only meant in the sense that the (Cloud) DC is accessible from anywhere but that the service is accessible from anywhere, with any device, in any function. Apart from the fact that connectivity into the DC is seldom changed from the provider’s earlier offerings, the newly established “Cloud” service is even more rarely accessible from anything other than a PC.
  • resource pooling: yes, that’s what vCloud and SystemCenter (and maybe others as well) really know how to do – if there are enough of them.
  • rapid elasticity: yes, by embracing an infrastructure management framework like the above, rapid elasticity may be provided in the sense that the pooled resources can be provisioned to consumers in an instant – if there are enough of them. The question is: Who’s provisioning it? And by which process? We’ll come back to that shortly.
  • measured service: The point of a “measured” cloud service is not that the provider monitors his performance. The point is that the consumer is offered full transparency of the provider’s compliance with the agreed SLA in terms of performance, availability, reliability and cost. Key here: “transparency” of metered, measured and monitored services and components.
  • on-demand self-service: BOOM! Full stop here. Most of the offerings which are called “Cloud” and are provided by legacy DC providers offer the cloud capabilities internally within the providers’ DC. I tend to believe the slides about reference architecture, building blocks and service capabilities. But – this functionality is not brought to the customer. The contracting is not changed. Provisioning takes place in a ticket-based manner through service desk personnel. Measurement is hidden. Rapidity is reduced. Elasticity and pooling are controlled by the provider. Guys, you’re not cloud. Period.

Why is this a problem?

Because the world has long moved on. Cloud consumers are not asking for a cloud-based delivery of services out of a legacy DC. Cloud consumers want to have it in their hands. Cloud consumers expect to gain control over their resources without(!) paying for resource guarantees upfront (btw: guaranteeing a certain amount of resources to cloud consumers is rarely a way to offer higher service quality to the consumer but rather a way to gain a higher level of control over resources for the provider).

What Cloud consumers will ask, as of now, is:

  • Can I self-service my IT when I run it with you?
  • Does it have an API exposed externally that I can use to integrate?

Alex Williams predicts a hard time for “Cloud Washers” in this post on TechCrunch. But what he predicts even more is consumers’ expectations regarding a new way of production, the moving of apps rather than VMs, a loosely coupled mesh of services and consumers’ expectation to on-demand self-service these. Overall, this goes far beyond self-service and a featured API as such. Eventually it aims at process-centric service (deployment) automation.

“Look out cloudwashers”, he says, “it’s just going to get worse. This shake up is happening faster than anyone realized.”

I’d like to add a wish: Cloudwashers, when embracing an inherently great technology for building your cloud offering, build it fully. Embrace and offer all of the essential characteristics!


*) Cloud Computing essential characteristics according to NIST Special Publication 800-145 „The NIST Definition of Cloud Computing“, Recommendations of the National Institute of Standards and Technology


A Friend for Seamus


Here’s Seamus with his mate Ailean-Agnes – finally.
And below’s, how that came about …:

When in August 2013 Katharina and thom visited Scotland for the first time in their lives, they not only fell in love with the landscape, the people, the islands, Whisky, single-track roads, … and those awesome lots of lovely sheep left and right of the road but also – and especially – with “Seamus”, the loveliest Glenfinnan sheep in the world.

“Seamus” obviously felt the same – and instantly agreed to accompany us to our home in Austria. And even though he was riding by motorbike with us and excitedly experiencing all those new surroundings, at a certain stage he felt a bit alone – which eventually led to one of the greatest birthday presents from Katharina to thom, i.e. the loveliest Glenfinnan sheepess in the world: Ailean-Agnes.

And that came like this:


From: Katharina
Sent: 29 August 2013 11:29
To: Colan Mehaffey
Subject: A Friend for Seamus!!!

Dear Colan,

I’d like to purchase a sheep from the Glenfinnan shop – there were toy sheep in bright white and woolen white, with black head, black feet and green eyes, and some 3 weeks ago we bought a woolen white one, named it Seamus and took it to Austria. Now it’s feeling a bit alone, and I would like to have a bright white one as a friend, but unfortunately I have no idea what company produced him, for I immediately cut the tag off. In fact we were looking at many other places throughout our visit in Scotland, but found no other one elsewhere.

As my husband would be really happy when I could give him such a sheep as a birthday present I would be glad if you could be of any help – tell me how to get in contact with the store or at least give me a hint where to find another sheep that can be shipped to our Austrian home.

Kind regards from a weird Austrian sheep-mother


Seamus in his motorbike riding place.
He loved the shaking but not when it was closed and dark.

From: Colan Mehaffey
Sent: Thursday, 29 August 2013 12:57
To: Katharina
Subject: A Friend for Seamus!!!

That’s a great story Katharina! We really love to hear these kinds of things. I’m going to contact Emma who managed our online shop and she will contact you back if that’s ok?

Best wishes,

It likes all that's green!

We were pretty surprised when we discovered that
Seamus actually likes everything that’s green, not only grass.

From: Gwen McInnes
Sent: Friday, 06 September 2013 15:33
To: Katharina
Cc: Kirsteen Nielsen
Subject: A Friend for Seamus!!!

Hi Katharina,

I am so pleased to hear that Seamus is enjoying his move with you to Austria. We have found that here in Scotland sheep are much happier when in a flock and we do have a bright white sheep in stock. If you could contact us here at the shop we can discuss postage, carriage etc.

Look forward to hearing from you.

Kind regards


Seamus enjoyed the Fab4 Beatles Taxi Tour in Liverpool very much.

From: Katharina
Sent: Friday, 06 September 2013 15:50
To: Gwen McInnes
Subject: A Friend for Seamus!!!

Hi Gwen,

Thank you so much for your kind answer. Seamus was VERY happy when I showed him your mail. He actually rolled on the floor twice ☺

So if you’d be able to ship his new partner to us (please find our address below) he will be the happiest sheep ever! Of course I will transfer the money needed in advance, so if you can just tell me how much is necessary and what is your account I will immediately contact my bank. I hope they will understand that this is an important case ☺

Looking excitingly forward to making this dream come true,

Kind regards

Seamus in the mirror

That was a truly exciting moment for our little sheep mate
when he discovered the miracle of mirrors!

From: Gwen McInnes
Sent: Tuesday, 17 September 2013 16:09
To: Katharina
Subject: A Friend for Seamus!!!

Hello Katharina,

I will post Seamus’s mate tomorrow and confirm postage costs.

Kind regards

... a little coffee break ...

Whenever we had a break on our tour,
Seamus had to slip out of his travel place and
sit with us to enjoy coffee and sweets

From: Katharina
Sent: Tuesday, 08 October 2013 13:07
To: Gwen McInnes
Subject: A Friend for Seamus!!!

Hello Gwen,

I hope you’re glad to hear that Ailean Agnes has arrived safely, and she instantly became friends with Seamus. She’s such a friendly sheep with a very open heart. In the meantime she has become a bit acquainted to her new home and we already took both sheep out for a weekend’s holiday – they need a bit of fresh air and green grass from time to time.

Thank you SO MUCH for letting this happen.

Warm greetings from Vienna
Katharina (and the sheep)


So – well – here’s when they first met: Seamus and his new friend.
It took a couple of days for them to be sure about her name;
but it took only instants to become true friends:
Seamus and Ailean-Agnes
(though she still thinks that a double name is too much of a burden …)
