User Ignorance Causes Cloud Security Leak; Accounts, Passwords Revealed

Posted on March 31st, 2010 in Social Media | Comments Off

At 1:00 a.m. on Sunday morning I was doing routine maintenance on my personal Amazon Web Services account and instead found myself looking at something I had no right to be seeing: a database with 800,000 user accounts to the e-card site CardMaster.com. Along with that were the database passwords and back end of a major U.S. Public Broadcasting Service news show website (Gwen Ifill's Washington Week), including daily updates from panelists on the stories they cover.

I wish I wasn't the person to find this. I founded one of Amazon's earliest dashboards. My consultancy is on Amazon's European Customer Advisory Board. But this highlights a significant issue in the cloud today: there is a whole new user profile acting as developer and administrator. We are becoming empowered with amazing tools - and being given enough rope to really hang ourselves.

Guest author Jonathan Siegel is a serial entrepreneur and founder of the cloud applications consultancy ELCTech.com as well as a handful of cloud startups. Jonathan's book, Electric Connections, is due out in June of this year.

I am an early adopter, business builder and owner of a cloud consultancy. On Sunday morning I went to clear out my personal Amazon Web Services account of excess files after seeing huge usage numbers from a report by CloudSplit. For those technically inclined, I was clearing out my S3 buckets and moving the few files that I wanted to save into an EBS disk instead. My EBS disk ran out of space and I went to use a feature called EBS Snapshots. Snapshots are like a tape backup of your EBS disk drive. That's when I noticed something odd: my EBS Snapshot account was filled with hundreds of snapshots, when I knew I had only made a handful. I wondered: why do I have access to these backups? Were these backups made by my teammates? Shared snapshots from Amazon? Or something else...
What I saw were backups of Enron emails, a genomics database and then two that made my stomach turn - a database for 800,000 user accounts to CardMaster.com and the database and site files for the Washington Week website. Yeah, the Enron emails are a non sequitur and the genomics database was likely meant to be public. But the other two - there's no way they were intended for the public, yet here they were, marked as public and available to me or any other Amazon cloud user.

How Did This Happen?

Amazon is the largest and longest running public cloud computing platform. It has pushed the boundaries of technology infrastructure for us users. In fact, it has given us tools that are more powerful than anything we previously had available in our own small datacenters. This is great, because before we needed to hire trained Cisco or NetApp administrators in order to do basic tasks as our websites scaled. This was expensive and added another step - a delay - to our deployments. Amazon's infrastructure commoditizes much of this technology into simple Web calls; paste some XML to Amazon and your website gets a full incremental backup to live-networked NAS.

But as Stan Lee has warned us: with great power comes great responsibility. By giving programmers control of the network and storage, we've empowered developers to take on system administration chores. This power has come too quickly or is being digested too lightly - as my discovery has shown.

In the case of PBS's Washington Week there was quick acceptance of the issue. "It was human error and nothing personal was exposed," said Kevin Dando, PBS's Director of Digital Communications. "Although we weren't aware of the issue initially, it was easily corrected. Because of Amazon's strong audit capabilities we could pinpoint the error and fix it quickly." Despite numerous attempts we were unable to reach CardMaster.com.

This highlights a deeper issue in the cloud today: despite what you may think, cloud security is not sexy.
We are seeing products that address the baseline needs of cloud functionality, like Amazon's dashboard and the support sites for the cloud. They focus on the sexy: deploying mobile apps, auto-scaling, grid processing and other buzz-word-friendly features. But the dirty truth is that the cloud has a whole new user profile acting as administrator and needs a new set of tools and expectation management to ensure that little mistakes make little problems and not big ones.

Remember: this is not something that Amazon did wrong. This is an intentional switch thrown by Amazon's users that allowed their data to be public to any other Amazon user. The users did not mean to hit that switch, and it's unclear whether those users would have found this issue without my notification. This is the switch in Amazon's Web Console. It can be more subtle when packaged deep within cloud-assisting tools.

And Why Me?

A spokesperson for Amazon pointed out that snapshots were private by default and users must choose to share them. According to Amazon, "in general users understand this feature very well as this is no different than users explicitly choosing to share their data by any means." However, as we've seen, users are obviously making their data inadvertently public. Amazon said they were updating their documentation "to provide more explicit guidance on this feature," and that they would be "reaching out to the few who may be unknowingly sharing their snapshots." The question, though, is: is it too easy to accidentally make your data public - and whose role is it to play data cop?

This leads to me, at 1 a.m., finding security leakage among Amazon's cloud customers while doing unrelated housekeeping. Look, I'm anything but an IT Security guy; I've got enough on my plate to worry about. For god's sakes, I have 6 kids! Moreover, I'm an outspoken supporter of moving companies to the cloud - and I exclusively recommend Amazon's cloud because of its reliability and features.
Why is it me that finds this security issue - one that has been open since January of this year, if the Snapshot dates are accurate? This tells me that there is a pattern about to be replayed: that the users on the cloud today are a motley crew; that we need more supervision and hand-holding, whether we like it or not; that powerful services like CloudKick and CloudSplit need to be encouraged to add security as a top-priority feature; and that we need to budget for their services and embrace their boring, yet hyper-important role as perimeter guard and security inspector.

If I were to try to keep this security problem in the bag - and avoid alerting the community - I would be fostering a sense of complacency that is antithetical to the marketplace needs. The cloud is so young that when we find a problem we need to admit it and find real, workable solutions. Since the cloud represents new ways of doing things, it gives us new ways of getting in trouble, and we need a lively forum for nipping these issues in the bud and laying a framework for ongoing success.

What Now?

If you are on Amazon's cloud, I can't stress enough that you need to immediately go to your AWS Management Console. Check at a minimum that your Snapshots, for every Region, are marked PUBLIC only if you mean them to be available to ALL other Amazon Web Services users. I've already checked mine. If you find data that you did not intend to make public, you need to engage your security team to remove the snapshots from the public and mitigate any data exposure.

Hopefully this gets chalked on the wall as a lesson learned - and we continue our march to the cloud with a deeper appreciation of our security support needs. This isn't about calling people out. I work in the cloud and am passionate about its development. These mistakes could very well have been ones I made - or any other cloud user.
To move the cloud forward we need to encourage a dialog about our newfound power, new paradigms and new needs in the cloud.
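One way to run the check the author asks for across every region, as an added example that is not code from the article or from Amazon: it lists the snapshots the account owns, flags any whose createVolumePermission attribute carries the "all" group (the public switch described above), and can strip that group while keeping per-account grants. It assumes boto3, credentials allowed to call the EC2 describe/modify snapshot APIs named in the docstring, and a default region configured; FakeEc2 and SAMPLE_SNAPSHOTS are constructed stand-ins so the logic can be exercised offline.

```python
"""EBS snapshot sharing audit (added example, not the article's or Amazon's code).

Live run assumes boto3 plus credentials allowed to call ec2:DescribeRegions,
ec2:DescribeSnapshots, ec2:DescribeSnapshotAttribute and
ec2:ModifySnapshotAttribute, and a default region in the AWS config.
FakeEc2 and SAMPLE_SNAPSHOTS are constructed stand-ins for offline use.
"""

PUBLIC_GROUP = "all"  # the createVolumePermission group meaning "every AWS account"


def is_publicly_shared(attribute_response):
    """True if a createVolumePermission attribute response carries the 'all'
    group: any AWS account can create a volume from the snapshot and read its
    contents. This is the switch the article describes."""
    perms = attribute_response.get("CreateVolumePermissions", [])
    return any(p.get("Group") == PUBLIC_GROUP for p in perms)


def audit_region(ec2):
    """Return IDs of snapshots owned by this account (in the client's region)
    whose createVolumePermission includes the 'all' group.

    OwnerIds=['self'] matters: without it, DescribeSnapshots also lists every
    public snapshot from every other account, which is what the author saw."""
    public = []
    paginator = ec2.get_paginator("describe_snapshots")
    for page in paginator.paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
            if is_publicly_shared(attr):
                public.append(snap["SnapshotId"])
    return public


def make_private(ec2, snapshot_id):
    """Remove the 'all' group from a snapshot; explicit per-account grants stay."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission",
        OperationType="remove", GroupNames=[PUBLIC_GROUP])


def audit_all_regions(fix=False):
    """Live scan of every region visible to the account. boto3 is imported
    here so the helpers above work offline without it installed."""
    import boto3
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    findings = {}
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        public = audit_region(ec2)
        if public:
            findings[region] = public
            if fix:
                for sid in public:
                    make_private(ec2, sid)
    return findings  # {region: [public snapshot ids]}


# --- constructed sample data and a fake client so this runs offline ---

SAMPLE_SNAPSHOTS = {  # snapshot id -> CreateVolumePermissions list (constructed)
    "snap-0c0ffee000000001": [],                            # private, the default
    "snap-0c0ffee000000002": [{"UserId": "123456789012"}],  # shared with one account
    "snap-0c0ffee000000003": [{"Group": "all"}],            # public: the article's mistake
}


class _FakePaginator:
    def __init__(self, pages):
        self.pages = pages

    def paginate(self, **kwargs):
        return iter(self.pages)


class FakeEc2:
    """Stand-in for a boto3 EC2 client with only the calls used above."""

    def __init__(self, snapshots):
        self.snapshots = {sid: list(perms) for sid, perms in snapshots.items()}

    def get_paginator(self, name):
        assert name == "describe_snapshots"
        return _FakePaginator([{"Snapshots": [{"SnapshotId": s} for s in self.snapshots]}])

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"SnapshotId": SnapshotId, "CreateVolumePermissions": self.snapshots[SnapshotId]}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, GroupNames):
        assert OperationType == "remove"
        self.snapshots[SnapshotId] = [
            p for p in self.snapshots[SnapshotId] if p.get("Group") not in GroupNames]


if __name__ == "__main__":
    print(audit_all_regions(fix=False))  # pass fix=True to remove the 'all' group
```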



FourSquare for the Enterprise: Give it Two Years, Max

Posted on March 29th, 2010 in Social Media | Comments Off

In the past few weeks we've seen more references to FourSquare as a potential enterprise tool. The discussion represents an emerging law of Enterprise 2.0: inevitably, a consumer trend in the social technology space will start to seep into the business world.

Hutch Carpenter of Spigit says it is a two-year lag before the enterprise adopts a social computing trend. He writes that wikis emerged in 2002 as a consumer tool and by 2004 came into the enterprise. Social networking emerged in 2006 and by 2008 had made its way into a business context. Microblogging hit in 2007 and by 2009 it became a central part of the Enterprise 2.0 suite.

And so as the social concept of location based networks emerges in 2010, Carpenter's bet is that we will see location based networks arrive into the enterprise by 2012.

For reference, Spigit is an idea management platform. It is referenced by Dennis Howlett in the comments of Mark Fidelman's CloudAve post as a company that could potentially enable this capability. "If I've understood you correctly what you are suggesting sounds fine in theory but I'd prefer solutions like Spigit which do a very good job of surfacing peer reviewed ideas but using algorithms that avoid the inevitable gaming problem."

Using Carpenter's theory, here are some additional possibilities we can think of:

IT Admins may have control over who is able to post to their location and in what context.
Location-based systems will be required for some jobs. Permissions will be controlled by a business manager or IT administrator.
A new generation of location-based applications will integrate with microblogging platforms.
Web-oriented dashboard environments will provide live updates for managers to get an immediate view of their team, with updates that are filtered to different communities based on the employee's work role.
Foursquare and Gowalla will be important for adoption, but the first dominant player will probably be a new company or a company with an understanding of the importance of location-based systems.

These outcomes do seem plausible. In the current generation of Enterprise 2.0 applications, we see the emergence of similar trends. IT Admin is becoming a basic requirement for cloud-based, collaborative applications that serve the enterprise. We could name everyone here but just look at the latest crop of new arrivals. Both Novell's Pulse and Status.net make this requirement standard in their microblogging applications.

How location based networks affect the way we view employees will become one of the most important issues in this brave, new world. Enterprise data, bound together by data analysis, may become such a tightly woven fabric that recommendations can be made at each check-in. Suggestions about work habits may become part of the network. How we view our basic civil liberties will be challenged. But in the end, we'll keep looking out two years, waiting for the next consumer wave while managing the reality of working in a transparent universe.



Facebook May Share User Data With External Sites Automatically

Posted on March 26th, 2010 in Social Media | Comments Off

Imagine visiting a website and finding that it already knows who you are, where you live, how old you are and who your Facebook friends are, without your ever having given it permission to access that information. If you're logged in to Facebook and visit some as yet unnamed "pre-approved" sites around the web, those sites may soon have default access to data about your Facebook account and friends, the company announced today.

Barry Schnitt, Senior Manager, Corporate Communications and Public Policy at Facebook, told us in an email that "the right way to think about this is not like a new experience but as making the [Facebook] Connect experience even better and more seamless." There will be new user controls made available, but this is a new experience: this makes Facebook Connect opt-out instead of opt-in.

The proposed change was first written about by Jason Kincaid on TechCrunch, who called it Facebook's Plan To Automatically Share Your Data With Sites You Never Signed Up For. Here's the language Facebook used to describe the draft policy:

Pre-Approved Third-Party Websites and Applications. In order to provide you with useful social experiences off of Facebook, we occasionally need to provide General Information about you to pre-approved third party websites and applications that use Platform at the time you visit them (if you are still logged in to Facebook). Similarly, when one of your friends visits a pre-approved website or application, it will receive General Information about you so you and your friend can be connected on that website as well (if you also have an account with that website). In these cases we require these websites and applications to go through an approval process, and to enter into separate agreements designed to protect your privacy.

That sounds downright creepy.
It's nice to have one-click access to your Facebook info if you decide to share it with other sites - that's what Facebook Connect does - but the prospect of having that information automatically shared when you show up on another website seems like an idea that won't be well received by users. There's a big difference between opt-in and opt-out "data portability."

Schnitt says: "People love personalized and social experiences and that's why Facebook and Facebook Connect have been so successful. We think there are some instances where people would benefit from this experience as soon as they arrive on a small number of trusted websites that we pre-approve."

Schnitt is the man who told us in a previous interview about Facebook's fundamental shift away from being private by default (Why Facebook Changed Its Privacy Strategy) that users generally go along with the company's default privacy settings because they agree with the company's recommendations and because the world is changing to be less private. He cited the growth of Twitter, blogging and reality TV as evidence that the world was changing this way and that people are less interested in privacy. In that interview, Schnitt also acknowledged that business reasons, like pageviews and advertising, were part of why Facebook was transforming away from privacy as well.

We asked if this new opt-out Facebook Connect was the first step in a Facebook Ad Network, where your profile on Facebook is used to target ads that Facebook sells on sites all over the web. Schnitt told us, "this has absolutely nothing to do with advertising."

Do you buy all that? Do you trust Facebook to select trustworthy websites to automatically share your data with when you browse around the web? If you don't trust Facebook's judgement, you will be able to opt out of exposing that data. But by default you'll be sharing it. By default, you're sharing more and more these days, with more and more people.
Perhaps that's because of your love for Twitter and reality TV, but perhaps it's because of Facebook's cultural and commercial agenda.



Google Apps in China: It May Work, It May Not

Posted on March 25th, 2010 in Social Media | Comments Off

The Google break from China raises some questions for the enterprise considering cloud computing. It's one thing if the network goes down. That can be fixed. But when the government does its own blockade, that's another story. Google Apps customers face this very issue. Google has the thorny task of explaining to its customers what they may expect when using Google Apps in mainland China.

First off, it's important to clarify that Google is not shutting itself out of the China market. Google has stopped censoring its search services - Google Search, Google News, and Google Images - on its Chinese domain, www.google.cn. But Google intends to continue to do R&D in China and it will maintain a sales presence there.

But for people working in China, there can be a bit of a mixed message. What if you are using Google Apps in Beijing? What can you expect? To keep customers updated, Google has created a Google Apps status dashboard that updates daily to show what in the Google network is working on a day-to-day basis. Google Groups, Blogger, YouTube and Google Sites are entirely blocked. This could pose a number of issues. For example, a customer may use Google Sites for an intranet, project site or an employee profile page. You could go on with the issues this presents, but basically it's one of the downsides of using a cloud computing service in the face of a repressive regime.

Google has some recommendations for those doing business in China: "... it is important to know that there are several networking configurations and associated technologies available to help ensure ongoing access to your critical business services such as Gmail, Google Calendar, and Google Docs. These network configurations, such as a Virtual Private Network (VPN) connection, secure shell (SSH) tunneling, or using a proxy server, are already in place by many businesses with worldwide operations who serve their users from various locations.
Companies should consult their own technical, legal and policy personnel to find a solution that works best for them."

But then what if the applications do work? Where is the data? Who can access it? Google says it does not host a customer's data in mainland China, nor do Google employees in China have access to Apps systems or customer data.



Healthcare Reform is a Cloud: Interview with Matthew Holt & Richard MacManus

Posted on March 24th, 2010 in Social Media | Comments Off

It's a sunny afternoon in San Francisco and health care is in the air. I'm sitting at the Peet's in the SF Ferry Building eating a vegan ginger cookie and waiting for Matthew Holt, founder of The Health Care Blog and the leader of the Health 2.0 conference, to show up for an interview. He arrives wearing shorts and a Health 2.0 t-shirt, and has his dog with him. He tells me he jogged to our location on the bay from Health 2.0 headquarters seven minutes away. It's a beautiful day - and here in the United States, the health care reform bill just passed. ReadWriteWeb's founder and leader, Richard MacManus, joins us, and we dive into a conversation on the revolution underway in cloud, mobile, and social health tools. By the end of the day, we were left with one question: will health care reform build a health Internet, or will entrepreneurs do it because they can?

A Brief History

One nice thing about profiling the thoughts of bloggers is that they leave a trail to track them down. Here are a few of Holt's social and technology posts on The Health Care Blog:

A new campaign against childhood obesity
Aneesh Chopra on txting in Haiti
PatientsLikeMe buys ReliefInSite

Here are a few of MacManus' posts at ReadWriteWeb that track to health care:

McKinsey: Get Ready For Sensor-Driven Business Models
iPhone Apps For The Masses: Health & Fitness
Health 2.0 Through the Eyes of a Diabetic - One Year Later

Health Care Reform is like Ice Skating in San Francisco

A phenomenon I see every year in San Francisco in December is the setup of the ice-skating rink. Palm trees and skaters. For children and adults alike, it's a way to dream about a past and present, whether real or fiction. And yet, while good for humanity, something about it doesn't quite hold the spirit of the pristine pond and cabin by the lake. We know, even though the ice is icy, generators are pumping along the edges. It's not quite pristine, and it's not quite ours.
That's how health care reform feels - a victory indeed - but for some reason not a personal win. Somehow, reform feels artificial and hard to grasp. A small part inside of me wants to scream out, "Is there an app for that?"

Is it One Big Health Cloud?

To get the conversation started, I asked Holt and MacManus, "What is your take on cloud computing for healthcare?" Holt asked in return, with a grin, "What exactly is the cloud? Is it a thing, or is it a collection of services that are connected together?" We discussed this question in practical terms.

Holt: "Here's a question: Will Salesforce's cloud be merged with other organizations' contacts, and will we have shared controls? Is that the difference between cloud computing and SaaS?"

We came back to our business, blogging. Blog software like Movable Type (RWW) and WordPress (The Health Care Blog) generate common feeds in simple formats (RSS) that can be used and mashed up in all sorts of ways. But that doesn't mean that MT and WordPress themselves are hot swappable, as there are controls, widgets, and other tools that are optimized in the application layer. Perhaps, in this way, EHR (Electronic Health Record) systems can be thought of as blogs, where people are the categories, and events are the posts. If so, what is needed for health care information exchange is a basic feed for key members of the exchange - doctors, patients, pharmacies - that connects new systems on top of it. For health care exchange, connecting patients is so much more than connecting infrastructure, platforms or software. Like all good software, it's about finding the shortcut. We should endeavor to find, build, and monetize the simplest exchange that will drive the future generations of meaningful interoperability. As we spoke, a light turned on.

Is Health Part of the Internet of Things?

MacManus: "Health devices are one of my favorite use cases for the Internet of Things. Let's take the example of a blood pressure monitor.
It's a portable device that augments your life and well being, and the promise of connecting to other things and streams is real."

Holt: "...and look at these devices closer - we see they are intelligent, self adjusting, and include feedback loops and reminders. These devices are starting to connect to the Internet and to people." "And what about the Wii," he continued. "The Mii is already virtual me, and the WiiFit is compelling and network enabled."

All of us noted that Nike's work in this area is inspiring - from ease of use to business model implications, there is something great going on with the Nike+ sensor and the company's broader ambitions. We realized that technology has already started a revolution in health - and it's getting traction.

MacManus: "I'm fresh from SXSW and have location on my mind. We heard that FourSquare is at work on a next-generation feature on websites, where checking in will connect virtual and real worlds. Also, with innovations like self-tagging StickyBits and Microsoft Tag floating around, real-world augmentation is starting to take form and connect with the Internet world."

Holt: "UPC tag scanners, such as mobile phone bar code readers like ScanAvert, connect real world things to facts about them, such as ingredient and nutrition information."

We were reminded of the Quantified Self movement. This is a meetup that has growing momentum in the SF Bay Area and around the country. It is a place where self-reporters get together and share war stories. Organized by Gary Wolf and Kevin Kelly, it combines what's on the cutting edge with our overwhelming fascination with creating a digital diary through logging data about oneself. And, best of all, the meetings focus on "What did you learn about yourself," which focuses the meetup on us, not just technologies or business models. We learn that our motivations matter.
Let's Run it All on Amazon and Get Scale

The tools are ready, entrepreneurs are on board, and we all believe that the cloud is here. But what about the data? That is a tougher question, and a familiar storyline of permissions, identity, matching, EDI, XML - it's enough to make you sick considering all of the potential work to align it all. In the spirit of the shortcut, the three of us came up with an idea: what if, instead of connecting all of the hospitals, we connected every person in the U.S.? What if we would each have a server in the cloud, tuned to receive and share our own health transactions? This health server on the network would run software to receive files, add streams and connect devices under our direct control.

The three of us did a bit of back-of-napkin work and believe that we could outsource the entire thing to Amazon for about US $1 billion yearly. This would cover server fees and data access for every American to have their own instance of a server optimized for transmitting health information. Here's our math: 300 million people, multiplied by a base fee of $30.00 per year, multiplied by the .1 concurrent utilization rate. Build a cloud architecture that reduces the cost by 10 times by leveraging computing systems that spin up on demand and therefore dramatically reduce physical costs. We think this type of math, however crude (and perhaps wrong), is worth thinking about as we spin up the servers for health care reform.

We're Convinced: People Eat, Sleep, Pirouette, Take Pills

By the end of our conversation, MacManus, Holt and I were left with an invigorating idea about the new health care reform: it isn't a thing, it's a moment in time. Innovations for health care are already springing out of the Web and will thrive on their own merits, so the job of health care reform technology should be to instigate this innovation, stat. What would you do if offered a fixed bid contract for $1 billion annually to build a new health cloud for America?
Who would you bring along to get the work done?

Photo credit: abhijittembhekar

