
About Jimmy

James 'Jimmy' Blake is the Chief Security Officer for Mimecast,  a leading cloud services vendor based in London.  James has overall responsibility for risk management and business continuity for the organisation's internal IT infrastructure and service delivery platforms across four continents and within global partners such as Cable & Wireless and Iron Mountain.

He holds a PhD in Information Security Management and is a Certified Information Security Systems Professional. James has nearly two decades of commercial experience in information security, business continuity and storage.

James has a love of loud Harley Davidson motorcycles, real ale, role playing games and even louder heavy metal.  He lives in rural Kent with his partner, Sonia, and stepson, Rafael.

Monday
08Feb2010

ISO 27001 - due diligence on cloud vendors

As I am preparing our company for ISO 27001 certification, I am spending a lot of time answering due diligence questions from customers about which of the 133 ISO controls we have in place.

The most concerning thing is the first question on all of these questionnaires: "Are you ISO 27001 certified? (if so include certificate, skip to end, sign and return)". This would indicate that most prospects think their data is safe with a cloud vendor that is ISO 27001 certified. They couldn't be more wrong.

Trying to implement ISO 27001 well, using the ISO 27002 controls, within a Software-as-a-Service company isn't easy - trust me, I've spent the best part of a year working on it. Most controls have at least two owners: one for internal systems and one for the production environment. Much of the ISO 27002 guidance is based around internal systems with limited access, not around multi-tenant service platforms with hundreds of thousands of subscribers. ISO auditors are also not used to auditing such environments, leading to a much more iterative process.

On the face of it, there seem to be managed service and Software-as-a-Service providers who are ISO 27001 certified, but you have to dig a bit deeper to understand how they've managed it. This is normally through one of two methods:

  1. Limiting the scope of the ISMS to not include production platforms; or
  2. Increasing the level of acceptable risk to reduce the amount of controls required.

Neither of these does the customer any favours. One of our major competitors only includes their HR and Finance processes in the scope of their ISMS - not very reassuring.

I've really made life difficult for myself: we have put our production platforms into scope, as well as all internal systems. In addition, we've chosen a risk treatment plan that includes 128 of the 133 possible ISO 27002 controls (the other 5 were out of scope as we don't conduct ecommerce or outsource development). Increasing my workload ultimately delivers better security to our customers - and delivery to customers is what Software-as-a-Service is all about.

Ultimately a customer's security is only as good as the security of the cloud vendors they use for handling critical outsourced business functions. Prospects need to get wise and make all vendors state the scope and nature of their controls. It increases our workload, but those who've taken the time to align the security of their platform and operations to their customers will win.

Monday
14Dec2009

Mathematical formula for perfect parking

According to an article in the Daily Telegraph Professor Simon Blackburn of the University of London Royal Holloway has created a formula for perfect parallel parking.


Thursday
10Dec2009

Google CEO: "Privacy is for those with something to hide"

Eric Schmidt, Google's CEO, stated during a recent interview: "I think judgment matters. If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." This is a shocking statement from the CEO of a company that holds more personal information on individuals than any other organisation on earth, including intelligence agencies.

You have to consider what business Google is in. Google is not a philanthropic benevolent giant; it is the World's largest advertising agency, and advertising is an industry with a long reputation of manipulation and surreptitious intelligence gathering. Every action Google takes, from helping children in Africa get on-line to releasing a free browser, is designed with two simple goals: 1) to get more eyeballs to see advertisements; and/or 2) to improve the targeting of advertisements.

One of the biggest challenges that cloud services providers face is customer concerns about privacy. Unfortunately many people consider Google to be one of the World's leading cloud services companies, which they are - the World's largest cloud advertising agency. The remaining cloud vendors, who are specialists in their particular area, aren't using massive advertising revenues to subsidise the roll-out of services whose main goal isn't to sort out customer issues but to get more eyeballs or improve advert targeting. No, these specialists are interested in innovation and the security of their customers' data, not the exploiting of it for conflicting purposes.

Anyone who has adopted any of the products that Google has been pushing into the Enterprise, especially email archiving through their acquisition of Postini, and Google Docs, should be concerned about Schmidt's attitude. Google Voice users have recently found their voicemails plastered across the web - imagine your internal corporate documents or emails having the same fate because of your service provider's view that information should be free.

I have posted in the past about the lack of focus on these fringe products that bring in very little revenue for Google. Unless Google can find a way to exploit the data held by these cloud services, what is their long-term viability for Google? Signing a ten-year archiving contract to meet your legislative or compliance requirements with a company that sells its products as a loss-leader is a risky move.

When your Google representative comes knocking, don't just read the menu right to left and only consider price. Listen to the words of Eric Schmidt ringing in your ears: "..privacy is for those with something to hide...".

Friday
13Nov2009

Roomba pacman

I miss not being involved in worthwhile research projects anymore:

Wednesday
11Nov2009

Jonathan Coulton - London tonight!

I've just booked my hotel room in London so I can stay over after the Jonathan Coulton concert on Friday.