The Risk Assurance Revolution has Begun

Yesterday, some of the most influential members of the cloud computing, information security, and risk assurance industries convened in Atlanta to discuss what can be done to take some of the confusion out of the market around risk assurance.  Cox Communications' Phil Agcaoili (@HackSec) hosted and moderated the discussion.  I was humbled and honored to be invited to give the presentation below as a basis for kick-starting the discussion.

Please take a look at the following presentation; you can download it here. The Cloud Security Alliance is making this idea public and is soliciting your feedback.  Please tweet your comments using the hashtag #csamtg, and your comments will appear both on this page and in the presentation wherever it goes worldwide, as long as Office 2010 is installed.

I apologize for being rude, but I would ask that everyone please be respectful in their comments, and refrain from using avatars.  If it becomes a problem, I will have to start screening the comments, and I would prefer not to do that.  Thank you in advance for your cooperation.

"Risk" is probably another term that we should define and clarify. I stumbled across this video today that will make you pretty paranoid.

Stuxnet: Anatomy of a Computer Virus from Patrick Clair on Vimeo.

Here's how simple it is to create a virus and launch a DDoS attack.

Here's Paul C. Dwyer (@PaulCDwyer) explaining mitigation strategies for a DDoS attack.

Here's an informative interview with the founder of Kaspersky about the dangers of "Hacktivists."

Please see this article on the fact that Anonymous deleted This demonstrates the power of "Hacktivists", and the need to unify against them.


  1. Good job showing the difference between standards, assurance & certified. Also points out the almost overwhelming set of data center standards that are out there - which confuse users and frustrate operators.

    One of my concerns is that new groups are considering developing new standards to resolve the problems with the old standards - which compounds the issue. In a recent HIMSS Cloud security call, there was discussion about creating a new HIMSS security standard. Ughh!

    IMHO, we need to find a way to collapse these security audits & standards so users know what to ask for & data center operators have a common, well understood bar to design their processes around.

    Until then, users will fall to the lowest common denominator (SSAE 16 seems to be it right now) and data center operators won't be able to justify the ROI on the spectrum of audits that can be performed.

  2. Thank you for your comment. We appreciate your leadership and your courage in speaking out in your article: @hacksec @miketklein @itcontrolsfreak @rebeccadswain @aprilsage @ragjonlong
