Welcome!

Microservices Expo Authors: Stackify Blog, Pat Romanski, AppDynamics Blog, Liz McMillan, Elizabeth White

Related Topics: Microservices Expo, @CloudExpo, Government Cloud

Microservices Expo: Blog Feed Post

Jill Tummler Singer of the CIA Speaks on "Cloud Safety" : +1

I guess I am a geek if I am thinking in Digg/Slashdot shorthand

I saw this tweet this morning and I thought "+1" (I guess I am a geek if I am thinking in Digg/Slashdot shorthand).


The problem is that in Information Security, "security" is all-too-often used to mean only encryption. A line is considered "secure" if it's encrypted. But often, the real "security" requirements are much broader and include management (as in access management, identity management), business continuity defense against denial-of-service, and privacy.

I think language is a big issue here. I've always found it interesting that in German, the words for "security" and "certainty" (sicherheit, literally "sureness") are the same. In French, the words for "safety" and "security" are also the same (sûreté, again literally "sureness"). So, in those languages, "security" has a broad definition, incorporating senses of dependability, management, and safety. I can see how the French and German words fit with the broad information security concepts of business continuity, "management" (access management, identity management), and "safety" that users (and their data) will be protected. But the English language word "security" lets us down.

I read something similar in the BBC's "Letter from Europe" column a few years ago:

A friend and colleague who is annoyingly fluent in half a dozen languages notices the growth of something he calls "Brussels English". One example he gives is the persistent use of "security" to mean "safety", perhaps because in French and German they are the same word. This habit has evidently spread to England too. He cites an example at Waterloo Station, which requests that people put their hot drinks down while going through the ticket barrier "for their own security". But surely it is their safety, not security, that is at risk?

But that sets me musing on whether this is a reaction to a rather modern use of the word "security" in English. When did it first acquire its current meaning in English? Wartime? When did "security guards" first enter the language?
http://news.bbc.co.uk/2/hi/europe/4601722.stm

In infosec, I think that the meaning of security as "encryption" entered the language when Bruce Schneier wrote "Applied Cryptography". Also, although undoubtedly useful, SSL and the little padlocks in browsers are partly to blame because they give the impression a site is "secure" just because SSL is used. This carried over to Web Services where people, of course, thought "of course it's secure if we use SSL". And now Cloud Computing. Just last week I had to answer a question of "We are planning to use SSL for our Cloud-based PaaS services, people will be sending in their API keys over SSL, so that means it's fully secure, right?".

Since "Applied Cryptography", Bruce Schneier has since spoken on this topic. He had a memorable talk at RSA 2006 entitled "Why security has so little to do with security". He has spoken on how "security=encryption" is literally a "false sense of security". It is the word "security" used in the wrong sense.

At Vordel, the security we provide goes much beyond cryptography, into the areas of management (access control, reporting on traffic), availability and dependability (monitoring service level agreements), and safety (ensuring data is protected). By having governance in place for Cloud resources, you have more safety and security. We also include testing tools and performance acceleration and offload to provide the sureness that a service will not go down. That encompasses the broader French and German meanings of "security" to include "safety" and "sureness", not just the more narrow English language usage in Infosec to mean "encryption".

This is the reason why I 100% agree with incorporating "safety" into the meaning of "security", as Jill Tummler Singer, Deputy CIO of CIA, did in her keynotes at GovIT Expo . In this way, we can do more justice to security in general and Cloud Security in particular.

As an interesting footnote, I blogged about this before and Gunnar commented that "According to Robert Morris Sr.'s talk at DefCon last summer the word security is derived from a Greek word meaning "carelessness". That is funny, considering how often security is implemented carelessly. But, thinking about it, I can understand that if you have security (and safety) in place, then you have "less cares", so you are "careless" in that sense.

More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Microservices Articles
Docker is sweeping across startups and enterprises alike, changing the way we build and ship applications. It's the most prominent and widely known software container platform, and it's particularly useful for eliminating common challenges when collaborating on code (like the "it works on my machine" phenomenon that most devs know all too well). With Docker, you can run and manage apps side-by-side - in isolated containers - resulting in better compute density. It's something that many developer...
Skeuomorphism usually means retaining existing design cues in something new that doesn’t actually need them. However, the concept of skeuomorphism can be thought of as relating more broadly to applying existing patterns to new technologies that, in fact, cry out for new approaches. In his session at DevOps Summit, Gordon Haff, Senior Cloud Strategy Marketing and Evangelism Manager at Red Hat, discussed why containers should be paired with new architectural practices such as microservices rathe...
With the rise of Docker, Kubernetes, and other container technologies, the growth of microservices has skyrocketed among dev teams looking to innovate on a faster release cycle. This has enabled teams to finally realize their DevOps goals to ship and iterate quickly in a continuous delivery model. Why containers are growing in popularity is no surprise — they’re extremely easy to spin up or down, but come with an unforeseen issue. However, without the right foresight, DevOps and IT teams may lo...
DevOps is under attack because developers don’t want to mess with infrastructure. They will happily own their code into production, but want to use platforms instead of raw automation. That’s changing the landscape that we understand as DevOps with both architecture concepts (CloudNative) and process redefinition (SRE). Rob Hirschfeld’s recent work in Kubernetes operations has led to the conclusion that containers and related platforms have changed the way we should be thinking about DevOps and...
"There is a huge interest in Kubernetes. People are now starting to use Kubernetes and implement it," stated Sebastian Scheele, co-founder of Loodse, in this SYS-CON.tv interview at DevOps at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, will discuss how to use Kubernetes to setup a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace....
Today most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall. As with most new architectures, this dream takes significant work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reducti...
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
Is advanced scheduling in Kubernetes achievable?Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations? In his session at @DevOpsSummit at 21st Cloud Expo, Oleg Chunikhin, CTO at Kublr, answered these questions and demonstrated techniques for implementing advanced scheduling. For example, using spot instances and co...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...