Archive for April, 2010

I’ve been kinda quiet lately mostly because I’ve been very busy with the changes in my job and getting ready to move. Lots and lots of things that have to be done in both cities.

Today I saw something that got my blogging juices flowing. This article on NetworkWorld.com talks about how the city of Los Angeles has decided to transition to Google Docs for much of their business. They are transitioning everyone from an internal email system (They used Groupwise for email and collaboration so it’s understandable that they would want something else) and they are going to use Google docs for much of their office suite duties as well. There were several things that got my ire up about this so I thought it would be a good subject for me to “rant” on for my first blog in a while.

So here are my thoughts and issues with this. First, this quote that shows that those who are responsible for ensuring that the data is secure and private don’t seem to understand the meaning of the word “responsible”.

L.A. officials were convinced by Google’s security credentials, which includes SAS 70 certification,

EXCUSE ME!!!! REALLY! They honestly think that a SAS 70 is ANY measure of security? Come on, are we sure that this isn’t April Fools’ Day again? Have they ever read up on exactly what a SAS 70 is? Saying that a SAS 70 is even remotely proof of a secure environment is like saying that using Gmail is similar to having your own private email server. Now don’t get me wrong, I’m sure that Google has some pretty impressive security in place, at least on parts of their network, but it’s still Gmail. That’s email that is available to any and everyone.

Then there is the whole “cloud” issue. All of their email and documents will be stored on public servers. Let me be clear, these are the same servers that some of your Gmail and Google docs are on. These are servers that every hacker in the world has poked around looking for issues. These are servers that could easily be misconfigured and expose these emails and docs to the world. Just look at how many times we hear of data stored on Google infrastructure being “accidentally” exposed in Google searches. I’d bet that everyone reading this has done some Google Hacking and found all sorts of things that the owner of the data didn’t want to be seen by others.

That brings up the point of configuring the settings on the documents. Will Google handle this, or will the City of LA, or maybe even the end user, have control of these settings? What about someone who decides that they also want access to their own Gmail, so they configure forwarding from their city account to their personal account and log into their personal account? Now they have access to both accounts and the city’s data is no longer under their Google infrastructure (even though it may be on the exact same server). What about sharing of docs that are stored in the Google infrastructure? If that is not closely controlled then users’ personal accounts may get access to these documents, and that would seriously hinder any additional security that may be applied to the city account.

This whole thing just reeks of potential problems. Then when you think about the math behind this you really have to wonder. The article says that the City of LA has 30,000 users. Google Apps charges $50 per user per year. That’s $1,500,000, but the city is paying $7,500,000 to get transitioned from their internal systems to Google Apps. That means they are spending $6,000,000 for transition, and that’s if Google actually charged them $50 per user, which would mean that they didn’t get any discount off of “retail”. Sounds like a consulting firm saw the city coming.

The next math equation seems equally as questionable. They expect to save $5,000,000 over the 5 year contract. That’s only a million dollar savings per year for an 8 million dollar initial investment. Not exactly stellar, but every penny counts. Then they say that they expect to get another $15,000,000 in increased productivity. ARE YOU KIDDING ME! Do they honestly think that the ability to work on documents at the same time will provide that kind of added value? If you do the math that equals out to $100 per year per employee in increased productivity, which is doable and reasonable. Again we have to be realistic about this. All 30,000 employees won’t see that kind of increased productivity. Most of them will see no increase because the way that they work will not change for the most part. Next, they will still continue to use Excel and other MS Office products for a fair amount of their work because Google Docs doesn’t have some of the required features. So let’s be realistic and generous and say that out of those 30,000 accounts only 5,000 of them will actually see increased productivity. Now we are looking at 5,000 employees having an increased productivity of $600 per year. Still possible but not probable. If we are honest about it, maybe 500 employees will see increased productivity, so now we are looking at $6,000 per employee in increased productivity and that WON’T happen.

So I think that, as with many things government, the people are getting a raw deal financially and now government documents are at increased risk of being breached. Sounds like a great deal for the people of LA, doesn’t it?

Some thought that we would never make it. Some hoped that we wouldn’t make it. Well, we did make it. Episode 10 of the Southern Fried Security Podcast is out!

It’s been a month since episode 9 was recorded due to time and technical issues, but we have a great show for episode 10. Once again Martin and I were recording live after the April NAISG meeting (this time Martin didn’t wear his wife-beater and Speedo, WHEW! The Princess Leia costume was still disturbing though). We were joined by our News Yankee, Steve Regan, via Skype and had a special guest live with Martin and me. We were privileged to have Carlos “Dark Operator” Perez from Pauldotcom Security Weekly join us. He was in town for work and decided to attend the Atlanta NAISG meeting, and when we found out we invited him to join us. We had a great conversation, discussion and interview with Carlos.

Please download it, listen to it and let us know what you think. We’ve hit 10 episodes and plan on going for a long, long time. We want to know what you like, don’t like and would like to hear.

wondered whatever became of me. I’m living on the air in Cincinnati, Cincinnati, WKRP.

No, I have not given up Information Security in favor of being a radio DJ, but I am making a change that will take me to Cincinnati, OH. That’s right, this southern boy is moving north of the Mason-Dixon line. I have accepted a position with a financial services company that requires us to relocate.

I’m sure some of you are thinking “Didn’t you just start a new job earlier this year?” Yes I did. I took a job that is quite possibly a “dream job” in January and now I’m giving it up. Why, you ask? Good question. It wasn’t easy. This job is a great job. It has lots of potential for me and the company. They actually want security. They are actually willing to make changes to be secure. They want to be ahead of the game when the regulators finally decide to pass some laws that will impact them. You don’t find that often, and when you do, common sense says that you don’t give it up after just a few months. Yet I am doing just that. I’m doing it because this new job is also a great opportunity. It is with a much bigger company and offers lots of opportunities to expand my horizons and grow. It offers me a chance to get experiences that I don’t have and won’t likely get in my current position. It offers me a chance to work with a great group of security professionals that will challenge and stretch me to new heights. It will also get us closer to family, and that is the kicker.

I went 6 months without a job last year. I talked to lots of recruiters and a few companies but nothing came together until my current employer made me an offer late last year. After I started this job I started getting calls about other jobs. Lots of calls, and some were for really good jobs. I listened to what they had to offer and then told them “thanks but no thanks”. I was happy. I had a great job and wasn’t interested in leaving it for another position here in Atlanta. Then this job came along. It offered great opportunity professionally and personally. It allowed us to get to an area that would drastically shorten our drive time to visit with family. See, I grew up here in the Atlanta area but I don’t have any family left here. My wife’s family is in the KY, IN, OH area and Cincinnati is a very good location to live, work and be close to them. Of course it also helps that Cincinnati borders the Mason-Dixon line. That way if I need to get a deep breath of southern air I can just jump across the river and inhale deeply. :)

The whole thing about working with a team of security professionals is also very compelling. I’ve spent my career working in a “security silo”. I have never worked on a security team before. They say that Team doesn’t have an I in it, but in my case it sure has. I’ve always been the security team. I’ve worked with some really smart and great people who know some security, but they are not “security” professionals. They are networkers, systems admins and developers. I have learned from them and hopefully added to their knowledge, but their focus was on their discipline, not security. I’ve been lucky in that living in Atlanta I have access to lots of great security professionals. I’ve been able to utilize their knowledge at times to work through issues that I’ve run up against. I’ve developed some great friendships all over the country and even the world with other security professionals who have been an invaluable resource to me, but they are not people that I’ve had working side by side with me like I will have in Cincinnati. This is something that I knew I had missed out on, but not until I took the job did it really hit me how valuable that experience will be.

It’s going to be hard for me to leave Atlanta. I was born and raised here. I’ve spent 3/4 of my life here and every time I’ve left I’ve always come back. The Atlanta area is a great place to live and raise a family. It offers just about everything that you could possibly want or need, and what isn’t here isn’t too far away. It’s going to be hard to leave some of the friends that I’ve made in the info sec community. It’s going to be hard to leave the NAISG chapter that I helped start. Yet at the same time it’s exciting to start a new adventure, to move to a new place and a new job opportunity. The good thing is that I did live in Cincinnati several years ago, so I know the area and actually have quite a few friends there. It’s nice knowing that you are going somewhere where you have a built-in support community. I look forward to getting involved in the local info sec community there and hopefully adding value to it. So if you are ever in the area look me up and I’ll buy you a cup of coffee.