October 26, 2009

Top 10 Presentation Tips from Presentation Camp Boston

Posted by Bill Wilder under Presenting, Trip Report | Tags: |
1 Comment 

I attended Presentation Camp Boston, a bar-camp style conference, on 24-Oct-2009. There were many good ideas and presentation tips. Among them, these are my favorites.

Top 10 Presentation Tips

The top 10 presentation tips I took away from Presentation Camp Boston

From Kenny Raskin’s keynote:

1. “Have a Passionate Purpose”

When you are speaking, it is not only about the content. If you mean what you say – you really believe in it – (which I believe Dale Carnegie refers to as conviction) - then you are more likely to be successful at conveying your message and persuading your audience.

Kenny shared a quote which was something like the following:

Who you are being when you are saying what you are saying says more about what you are saying that what you are saying.

Not just sell it – it was believe it + sell it both at once. This tip resonates with me and is consistent with a lesson from studying and performing improv; one of my instructors, Erik Volkert, really got across the difference between acting it out and really committing – and the impact that has on stage.

2. “The presentation starts before you are even in the room”

  • Find out who the audience is and what you want to say to them. What do you want them to FEEL. (“Know your passionate purpose!”)
  • As you are preparing to enter as a speaker, take a breath. Focus. Clear your mind.
  • As you enter, look your audience in the eyes. Before you say a word. Greet the audience. Pause… and let them respond.

3. Genuine eye contact != scanning

Eye contact is important. Don’t scan the audience and think that’s eye contact – you need to pause and connect with individuals one at a time – this may be for the duration of a thought or statement – or just until you feel you’ve connected. Some of your eye contact moments will be during pauses and are your opportunity to re-energize by breathing.

From Diane Darling’s Talk about Networking:

Not about presenting to large groups, but focused on presenting to very small groups of one or a few other folks in a social / networking situation.

4. Business Cards from A-Z

Some wisdom on business cards:

  • You need business cards. And they don’t need to be plain and boring… Diane’s cards have a list of tips on one side – useful and “sticky“.
  • She advises to keep your business cards in one pocket, and the ones you collect in another pocket – just have a simple system to avoid fumbling.
  • Write on the business cards – you may forget later otherwise that this card is from someone you offered to send a link to an interesting paper, or perhaps they might be a future business partner. Handy, easy hack.
  • If you do give a talk to a group, be sure to have a stack of cards handy to share at the end.

5. “Own the room”

I am a highly functional introvert
~ Diane Darling, author of The Networking Survival Guide: Get the Success You Want By Tapping Into the People You Know

I love that quote! As a fellow introvert, that’s how I want to be. Diane builds a case for being highly functioning with a plethora of straight-forward tips on how to handle lots of business social situations. A couple of examples:

  • Prepare several generic ice breaker questions you can use when you meet someone new. A good format for such questions is “Tell me about ______.” You fill in the blank with “your job” or “how you got into this line of work” or “how you ended up at this conference” etc.
  • Wear your name tag close to your RIGHT shoulder (since that’s where the eye most naturally is directed during a hand-shake.
  • Don’t start with your name! Introduce yourself by saying something about yourself, and end with your name – it is easier to remember there.
  • Saturday Night “Live” != Saturday Night “Unrehearsed” — you will be more successful if you practice some of what you will say — like what is your brief introduction of yourself (your elevator pitch), ending with your name, of course!

6. Connect with the Gatekeepers

If you want to get access to key people who may be hard to get to, consider connecting with those people who control access – such as a personal assistant to the CEO.

From Edwin Guarin’s talk, The Killer Presentation:

Edwin is an Academic Evangelist for Microsoft. His talk was called The Killer Presentation – Gettting to Point B.

7. Distributing Your PowerPoint Deck

Suppose you’ve given a talk, but now your audience wants a copy. Here’s how to do it, plus a couple of important benefits:

  • File > Save As… and choose either PDF or PowerPoint Show.
  • If you have Hidden slides – perhaps because you want “single source” for a slide deck that you use in multiple circumstances, but don’t want to maintain the bulk of the slides more than once – this will drop all those marked as hidden at the time you Save As.
  • If you have Notes, they are not included either. Sometimes your Notes are just speaking points, but perhaps they are not something you want everyone to see.

8. Spruce Up Your Talk with Images

You are preparing a deck, and you want to be memorable. You want that “just right” image or text effect.

  • Edwin recommends the use of royaty-free photos from http://sxc.hu.  You need to create an account to access them, then are free to use them in your PowerPoint slides.
  • Note that you are not licensed to subsequently redistribute these images if they are embedded in your PowerPoint deck. I registered an account on sxc.hu web site asking for clarification – and there was a tad bit of ambiguity around the licensing (the license text seem to both suggest it was fine and also say it wasn’t) – so I sent in a specific question on this scenario. The response from sxc.hu support was that the PowerPoint cannot be posted for redistribution. I am not a lawyer. And I do not even play a lawyer on TV.
  • [In my talk, I advocate searching through Google Images advanced search and filtering by Usage Rights to only include images labeled for reuse (usually through Creative Commons).]
  • To embed an image that is too bright, overlay it with a rectangle – and set the transparency to accordinly to fade it a bit so that text can be seen on top of it.
  • Use SmartArt to snazz up your text… transform a bullet list into a ring, or horizontal property or other eye-candy fanciness.

From Brainshark demo:

9. Sharing Your Presentation After the Fact

Brainshark has a cool way for you to post your slide-deck to their free http://my.brainshare.com hosted service: you can upload both the deck *and* an audio track.

This is way better than just distributing the PowerPoint deck, which may not be of any use for people who didn’t attend the talk. Of course, you do need to create (or record) an audio track.

I am not sure how the slides and the audio are sync’d – like when in the audio track should slide 7 pop in – but my guess is that you are expected to record your voice while delivering the talk – and some agent on your desktop keeps an eye on when you transition between slides. If so, I wonder if it can also capture screen shots of non-PowerPoint activities – like if I pop up a web browers, or use Visual Studio.

From Bill Wilder’s talk on Better Tech Talks:

Yes, I am recommending a tip from my own talk. :-)

10. “It is a Talk, not a Read”

Don’t even thing of reading your slides to your audience.

  • If you cram all the text for your talk into your deck , you will be guilty of promulgating support for Death By PowerPoint.
  • Your audience can read faster than you can talk anyway – they will be done before you. And they won’t be listening to you while they read; they can’t do both at once.
  • Your audience will resent being read to. As Jack Welch is reputed to have said to a presenter reading him the slides: if everything is on the slides, then we don’t need you.
  • There are better tools for a stand-alone document – like blog posts, or word-processors. PowerPoint is a poor substitute when writing a document that is being prepared for general reading.
  • If you do need to capture more info than belongs in the slides, consider putting it into the Notes section, and then using dual-monitor capabilities to have your laptop display different content than the projector, and configure PowerPoint to know about this via:  Slide Show > Set Up Show > Multiple Monitors.
 

October 25, 2009

Better Tech Talks session from Presentation Camp Boston

Posted by Bill Wilder under Bill gave a talk, Events, Presenting | Tags: |
[2] Comments 

I attended Presentation Camp Boston on Saturday 24-Oct-2009. I sat in on several excellent talks, plus led a session myself called Better Tech Talks. which was a presentation & discussion on giving technical talks to technical people.

I’ve been thinking a lot about how to give code-centric talks to software engineers, plus the general problem of clear communication through presentations. Those in my session will recognize that my slides (Better Tech Talks – 24-Oct-2009) do not stand alone well! – but should serve as a good reminder for those who participated in the session.

Feel free to follow-up with me to continue the discussion!

 

October 20, 2009

Boston Azure User Group Now on the Map!

Posted by Bill Wilder under Boston Azure User Group | Tags: |
Leave a Comment 

The Boston Azure User Group is a Cloud Computing community group focusing on Windows Azure, Microsoft’s Cloud platform, and …

The Boston Azure User Group is now on the map – literally!

Check out Jim O’Neil’s user group map. Zoom in on Cambridge, MA and you will see us waving from the NERD center. Thanks Jim!

While not as awesomely interactive and visual as a Bing map, we do appreciate other people plugging the user group:

Speaking of Roger Jennings… at the first Boston Azure meeting this Thursday night (Thu 22-Oct-2009 @ 6:30), we’ll give away copy of his hot-off-the-presses book Cloud Computing with the Windows Azure Platform!

I found Roger Jennings’ book chock full of useful information – from context to detail to practical code samples. I stopped at Barnes & Noble after a user group meeting in Burlington and picked up my own personal copy – why no Kindle version!? – and quickly plowed through it. Now I want to go back and play around with the abundant code samples. And in case you are wondering – no, this isn’t the copy we’ll be giving away…we have a new one.

The Boston-area User Group Calendar

 

October 18, 2009

Gary Chin Presents SketchFlow at Code Camp 12 in Boston

Posted by Bill Wilder under Programming
Leave a Comment 

Gary Chin on SketchFlow for Silverlight

Gary Chin spoke at Boston Code Camp 12 (on Oct 17, 2009) – his talk was all about using SketchFlow for Silverlight.

I heard from various folks that the talk went really well. Unfortunately, I wasn’t able to make it since I was presenting at the same time (actually presenting on presenting.)

Gary was kind enough to send me his slides which I have attached to this post: SketchFlow-GaryChin-Oct2009

See you at the next Code Camp! (Though will probably also see many of you before then – this Thursday night at the first meeting of the Boston Azure User Group!)

 

October 18, 2009

Boston West Toastmasters Scholarship and Open House

Posted by Bill Wilder under Programming
Leave a Comment 

Boston West Toastmasters Reaching Out

I’ve been a member of Toastmasters for the past couple of years. While Toastmasters has many clubs around the world, I belong to Boston West Toastmasters which meets in Needham, MA on the second and fourth Monday evenings.

While at Boston West Toastmasters, I’ve made friends with some really cool people (several of whom provided ideas for my Code Camp talk on giving technical presentations) and have been working to improve my speaking skills through application of Deliberate Practice (where the feedback, ideas, analysis, expert critique and encouragement all come from fellow Toastmaster members).

Now my club is reaching out to the community to help the unemployed, holding an open house encourage the general community to get a glimpse of what Toastmasters is all about… and not to mention taking part in a really fun social event.

Some Boston West Toastmaster members from 28-Sept-2009 meeting

Some Boston West Toastmaster members from 28-Sept-2009 meeting

Scholarship offer for Unemployed

Full details are in the attached Boston West Toastmasters Scholarship Press Release from 5-Oct-2009, but here’s the teaser:

Boston West Toastmasters is offering five scholarships to the unemployed who want to improve their speaking and leadership skills.  These scholarships, underwritten by Robin Samora, owner and president of Partner Promotions, cover the annual membership dues for the winners.

Bring a Friend, Meet a Friend – Open House at Nov 9 Meeting

Our meeting on 9-Nov-2009 will have a social hour before this meeting which is an Open House for Boston West Toastmaster. Anyone is welcome to attend this meeting – at no cost, no obligation. (The “no cost, no obligation” is actually true generally – feel free to check us out at any meeting – you won’t get a hard sell – just the information you might be interested in. For most people, Toastmasters sells itself.)

Here are the details:

Bring a friend, meet a friend at the Boston West Toastmasters Open House on Monday, November 9, 2009:

Mark your calendar for this important OPEN HOUSE.  It is a great opportunity to share your Toastmaster experience with friends, relatives and co-workers.  Invite them to attend the meeting.  We will have an informal start to greet guests and answer questions @ 6:30 p.m.  Robin Samora is our Toastmaster for this and we will have special snacks that evening during our Opening reception 6:30 – 7 for new members (and our team if possible).  Send an email to people inviting them to attend our OPEN HOUSE.  It will be a memorable event!!!

You don’t need to let me know – thought would appreciate a heads-up so I can look for you – but just showing up is the key.

Soiree in Back Bay – Social Night – Co-Sponsored by Boston West Toastmasters

This looks like a really fun event: Soiree in Back Bay on 22-Oct-2009, co-sponsored by Boston West Toastmasters.

[Unfortunately, you won't see me there - I will be at the kick-off meeting for my Boston Azure User Group that same night.]

 

October 18, 2009

So, You Want to Give Your First Code Camp Talk?

Posted by Bill Wilder under Bill gave a talk, Presenting, Programming | Tags: , |
Leave a Comment 

Gave a talk 17-Sat-at Boston Code Camp 12 called So, You Want to Give a Code Camp Talk?.

How to Give Your First Code Camp Talk – 17-Oct-2009

If you attended my talk, you learned than I don’t advocate ensuring the slide deck makes sense stand-alone (since it is a framework for a talk, with purpose different than that of an article or blog post). You’ve been warned. :-)

 

October 12, 2009

First Boston Azure User Group meeting next week

Posted by Bill Wilder under Boston Azure User Group, Programming | Tags: , , |
Leave a Comment 

We are getting close to the kick-off meeting of the Boston Azure User Group – next week, on Thursday October 22, 2009 starting with pizza at 6:30 at the NERD in Kendall Square. Microsoft’s Brian Lambert is the featured speaker.

We have a couple of behind-the-scenes planning meetings this week then will finalize the information on the bostonazure.org web site.

Have you joined the Boston Azure User Group mailing list?

 

October 9, 2009

Demystifying Prism – talk at New Hampshire .NET User Group 17-Jun-2009

Posted by Bill Wilder under Bill gave a talk, Programming | Tags: , , , , |
Leave a Comment 

Spoke at New Hampshire .NET User Group back on June 17, 2009. Talked about Prism (focusing mostly on Silverlight, a little homage to WPF), showed some code, shared a slide deck.

I will be giving an updated version of this talk at the upcoming Code Camp 12 in Waltham (Boston area) on Sat Oct 17, 2009.

 

September 27, 2009

Supporting two domains in one ASP.NET MVC site – A Poor Man’s Approach

Posted by Bill Wilder under Programming
1 Comment 

Hosting Two Different Domains in Same ASP.NET MVC Site

Motivation – I am Cheap!

I have a hosting account at DiscountASP.NET that I have used as a playground for anything I want to host on the web. My personal Coding Out Loud site is hosted there (with a few directories that are not linked, for example). Since starting the Boston Azure User Group, I need a place to host a page. While I would eventually like to host the user group site on Azure itself, for now I have produced a simple ASP.NET MVC site. To avoid paying for two hosting accounts, I am reusing my existing account – sharing the hosting across bostonazureusergroup.org and codingoutloud.com – but still maintaining their distinct identities.

We can consider the Boston Azure User Group the main site, and Coding Out Loud the secondary site.

Requirements

The approach I take makes sense to me since I want a solution that is:

  • Very simple
  • Inexpensive
  • Easy to manage once implemented
  • Treats bostonazureusergroup.org as the main site, but “tolerates” codingoutloud.com being around (in other words, maintainability/risk of errors for codingoutloud.com is less important)

Solution

In order to host two sites with a single hosting account, you have a few steps:

  1. Add a Domain Pointer with your ISP. If, like me, your site is hosted on a shared IP address, this step is necessary so that the site’s IIS web server knows which top-level directory your domain is associated with. In my case, this tells both codingoutloud.com and bostonazureusergroup.org to go to the same site.
  2. Configure your DNS. This is easier than it sounds. Your ISP will tell which DNS servers your should point to. You could also deal with Godaddy’s Domain Forwarding and cloaking, but for a one-time cost of $15 with my ISP (DiscountASP.NET) I just added the pointer – a cleaner solution, and possible more search-engine-friendly.
  3. Note that the following changes to the code are only necessary if you want different results dependent on which domain is used to access the site – in other words, I don’t want my bostonazureusergroup.org visitors to be stumbling across any codingoutloud.com artifacts, and vice versa. The following screen shot includes the hack simple code modifications – they are circled – a private method with a little dirty work, invoke the method in the right place, and display a specific View. Note that the view is specified in a different file – and under a folder that is specific to your secondary site – CodingOutLoud in my case.

Poor Man's Domain sharing in ASP.NET MVC

To create the …/Views/CodingOutLoud/Index.aspx view shown in the right-hand pane in the screen shown above, you would do the following:

  1. Right-Click on Views folder and choose Add > New Folder from the pop-up. I called mine “CodingOutLoud” and it is shown above.
  2. Right-Click on the newly created Views/CodingOutLoud folder, this time choose Add > View… from the pop-up, as shown below. I called my View “Index” (and since it lives under CodingOutLoud folder it does not clash with other Views with that name, given the default routing rules).

image 

Name your view – and I also chose not to use the master page, so I unchecked it:

image

Once created, …/Views/CodingOutLoud/Index.aspx can contain any code you like – even plain old HTML.

This is all it took to get this simple approach to work. Now when users visit via “codingoutloud.com” they are diverted to …/Views/CodingOutLoud/Index.aspx, and otherwise the usual machinery of ASP.NET MVC takes over.

Other Potential Approaches

I considered, but did not adopt, some other approaches – mostly since I wanted to do something very simple. Here are some of the other approaches:

 

September 23, 2009

Cloud Security – A Business Tradeoff?

Posted by Bill Wilder under Programming, Trip Report | Tags: , |
Leave a Comment 

I took notes during the Boston Cloud Computing Group Meetup 23-Sept-2009 – the raw notes are below, but a couple of more noteworthy highlights appear first with some of my views interspersed.

Executive Summary – Key Take-Aways & Highlights

Notes from Javed Ikbal’s talk (http://10domains.blogspot.com) are in regular type. My editorial comments and thoughts are in italics or bold italics – so don’t blame these on Javed. :-)

  • Key take-away – going to the Cloud is waaaay more about Business Tradeoffs than it is about Technology.
  • “There are 2 kinds of companies – those which have had a [data security]breach, and those which are going to have a [data security] breach” -Javed
  • Centralization of data makes insider threat a bigger risk -Javed
  • “On premise does not mean people are doing the right thing” –Javed – right on! I bet the majority of the fortune five-million (as 37 Signals refers to the medium and small business market) have insufficient IT – they just don’t know it. Any stats?
  • Someone from the audience stated there are more breaches in on-premise data centers than in cloud. Therefore cloud is safer. I don’t buy the logic. There could so many more publicized breaches in on-premise systems simply because there are so many more on premise data centers today. So this is easy to misinterpret. We can’t tell either way from the data. My personal prediction: today if there is a data breach for data stored in the cloud, people will not be able to believe you were reckless enough to store it in the cloud; 5 years from now, if there is a data breach for data stored on premise, people will not be able to believe you were reckless enough to store it locally instead of in the cloud which everyone will then believe is the safest place.
  • Someone from audience commented that business value of losing data will be balanced against business cost of it being exposed. This comment did not account for the PROBABILITY of there being a breach – how do you calculate this risk? I bet it is easier to calculate this risk on the cloud than on premise (though *I* don’t know how to do this)
  • Comment from Stefan: We can’t expect all cloud services to be up all the time (we were chatting about Google and Amazon downtime, which has been well documented). I completely agree – And many businesses don’t have the data to fairly/accurately compare their own uptimes with those of the cloud vendors – and, further, if the cloud vendors did have 100% up-time, that may destroy the economies we are seeing on the cloud today (who cares if it is 100% reliable if it is 0% affordable – that’s too expensive to be interesting)
  • Off-premise security != in cloud – different security issues for different data – Javed In other words, treat SSN and Credit Card data differently than which books I bought last year. But I can think of LOTS of data that is seemingly innocuous, but that SOME PEOPLE will balk at having it classified  as “non-sensitive” – might be my bookmarks, movie rentals, books purchased, travel plans/history, many more… not just those that support identity theft and/or direct monetary loss (bank account hacks). I think it would be a fine idea for data hosts to publicly declare their data classification scheme – shouldn’t we all have a right to know?
  • I think IT generally – and The Cloud specifically – could benefit from the kind of thinking that went into GoodGuide.com.

Raw Notes Follow

The rest of these notes are a bit rough – and may or may not make sense – but here they are anyway…

Intros

  • Pizza & drinks, some social (sat next to Stefan Schueller from TechDroid Sytems and enjoyed chatting with him)
  • Went around the room introducing ourselves
  • People who were hiring / looking for work spoke up
  • Around 30 people in attendance
  • Meeting host: Aprigo – 460 Totten Pond rd, suite 660 – Waltham, MA  02451 – USA
  • Feisty audience! Lots of participation. This added to the meeting impact.

Twisted Storage talk

From Meetup description: Charles Wegrzyn – CTO at TwistedStorage Inc. (Check actually built an Open source cloud storage system back in ‘05)

TwistedStorage is open source software that converts multiple storage
repositories, legacy or green-field, into a single petabyte-scale cloud
for unstructured data, digital media storage, and archiving. The Twisted
Storage Enterprise Storage Cloud provides federated search, electronic
data discovery with lock-down, and policy-driven file management
including indexing, retention, security, encryption, format conversion,
information lifecycle management, and automatic business continuity.

History of Building Storage Management software

  • Open Source
  • Been downloaded 75k times
  • Re-wrote – now version 4 – in Python

Common anti-pattern observed in real world:

  • Users storing “stuff” in Exchange since that was a convenient place to store it
  • Results in a LOT of email storage (and add’l capacity is easy to keep adding on)
  • Can’t find your data (too much to logically manage)
  • Backups inadequate
  • Complexity, complexity, complexity

The Twisted Storage Way

  • Federated storage silos w/ adaptors/agents
  • Provide enterprise capabilities spanning sites (access control, audits, search/indexing – including support for metadata, simplified administration and recovery)
  • Petabyte-scale
  • ILM = Information Lifecycle Management
  • Open Source
  • Work-flow (Python scripts, XML coming)
  • Policy-driven (“delete this after 2 years”, “encrypt me”) (Python scripts)

Twisted Storage Design Goals

  • Always available content (via replication)
  • No back-up or recovery needed (due to replication)
  • Linear scalability (scales out)
  • Able to trade off durability with performance
  • Supports old hardware
  • Minimal admin overhead
  • Support external storage systems and linkage
  • Portable – will run on Linux, Windows, (iPhone?) – due to portable Python implementation
  • Pricing: Enterprise Edition: $500 / TB up to 2 PB (annual), minimum $10k for first 20 TB (see web site for full story)
  • versus competition like Centera which charge $15k/Silo + Enterprise Edition
  • http://www.twistedstorage.com, cwegrzyn@twistedstorage.com

Info Security & Cloud Computing Talk

From Meetup description:  Javed Ikbal (principal and co-founder of zSquad LLC)- will talk about:   “Marketing, Uncertainty and Doubt: Information Security and Cloud Computing”

  • What is the minimum security due diligence that a company needs to do before putting it’s data in the cloud?
  • Since 2007, Amazon has been telling us they are “.. working with a public accounting firm to … attain certifications such as SAS70 Type II”  but these have not happened in 2+ years.
  • On one side of the cloud security issue we have the marketing people, whohype up the existing security and gloss over the non-existing. On the other side we have security services vendors, who hawk their wares by hyping up the lack of security. The truth is, there is a class of data for every cloud out there, and there is also someone who will suffer a data breach because they did not secure it properly.
  • We will look at Amazon’s EC2, risk tolerance, and how to secure the data in the cloud.
  • Javed is a principal and co-founder of zSquad LLC, a Boston-based information security consulting practice.

Javed is a Security Consultant

Also co-founded http://www.layoffsupportnetwork.com

Formerly worked in Fidelity (in security area)

Cloud Definition

  • Elastic – provision up/down on demand (technical)
  • Avail from anywhere (technical)
  • Pay-as-you-go (business model)

Cloud Challenges

  • Data stored in China – gov’t could get at it
  • We never have direct access
  • May be locked in? (for practical reasons)
  • March 7, 2009 from WSJ – Google disclosed that it exposed a “small number” of Google docs – users not supposed to be authorized were able to view them. Google estimated < 0.05% of all stored Google docs were impacted – BUT! – this is a LOT of documents. http://blogs.wsj.com/digits/2009/03/08/1214/
  • Sept 18, 2009 from NYT – a recent bug in Google Apps allowed students at several colleges to read each other’s emails – this impacted only a “small handful” of colleges (like Brown University, for 3 days)http://www.nytimes.com/external/readwriteweb/2009/09/18/18/18readwriteweb-whoops-students-going-google-get-to-read-ea-12995.html
  • Google’s official policy for paid customers states “at your sole risk” and no guarantee it will be uninterrupted, timely, secure, or free from errors
  • Amazon states it is not responsible for “deletioreach” – Javedn, destruction, loss” etc.
  • Google will not allow customers to audit Google’s cloud storage claims
  • Amazon says PCI level 2 compliance is possible with AWS, level 1 not possible
  • SAS 70 Type II reports not meaningful unless you can see which controls were evaluated
  • “on premise does not mean people are doing the right thing” –Javed
  • Perception of more breaches in on-premise systems – but there are so many more of them, it is easy to misinterpret
  • Business value of losing data will be balanced against business cost of it being exposed – but this does not account for the PROBABILITY of there being a breach – how do you calculate this risk? I bet it is easier to calculate this risk on the cloud than on premise (though *I* don’t know how to do this)
  • We can’t expect all cloud services to be up all the time – right, and many businesses don’t have the data to fairly/accurately compare their own uptimes with those of the cloud vendors – and, further, if the cloud vendors did have 100% up-time, that may destroy the economies we are seeing on the cloud today (it may be 100% reliable, but too expensive to be interesting)
  • Off-premise security != in cloud – different security issues for different data
  • “There are 2 kinds of companies – those which have had a [data security]breach, and those which are going to have a [data security] breach” -Javed
  • Centralization of data makes insider threat a bigger risk
  • Customers should perform on-site inspections of cloud provider facilities (but rare?)
  • Ask SaaS vendor to see 3rd party audit reports – SalesForce has one, Amazon does not (Google neither? What about Microsoft – not yet?)
  • Providers need to be clear about what you will NOT support – e.g., Amazon took 2 years to provide an answer… Amazon/AWS disclaimers are excellent models
  • Providers need to understand they may be subject to legal/regulatory discovery due to something a customer did
  • Unisys has ISO 27001-certified data centers (high cost, effort)

Creating Secure Software

  • Devs care about deadlines and meeting the requirements
  • If security is not in the requirements, it will not get done
  • if devs don’t know how to code securely, it will not get done right (if at all)
  • Train your devs and archs: one day will help with 90% of issues!
  • Build security into your software dev life-cycle
  • Let security experts, not necessarily developers, write the security requirements
  • Secure Code Review can be expensive –  bake in an application security audit into your schedule, to be done before going live
  • (high customer extensibility + low provider security responsibility) IaaS – PaaS – SaaS (low customer extensibility + high provider security responsibility)
 

Next Page »