Securities Technology Monitor has a short list of risk questions for financial firms who are considering the cloud. Spoiler alert, they provide a list of eight:

1. Who Will Have Access to Your Data?
2. Will the Regulators Approve?
3. Where Will My Data Be?
4. How Will My It Be Kept Separate?
5. How Will It Be Brought Back?
6. What If Your Service Provider Goes Out of Business?
7. What Financial Applications Can Be Safely Put into the Cloud?
8. What About Executing Trades?

No surprises, except maybe for the fact that it’s a mixed bag of questions and they have no regulators listed in their sources of information.

SOURCES: Gartner, Accenture, Lime Brokerage, BT Radianz

Easy to tidy things up with some regular compliance-relevant concepts:

1. Data Inventory: Location, Access and Recoverability
2. Application Security
3. Regulatory Approval

Do they have to be questions?

1. Will you be able to maintain a Data Inventory: Location, Access and Recoverability?
2. Will applications be secure enough to protect you and your customers?
3. Will the regulators approve?

The “Hello Cloud” walk-through for Project Kenai gives an example of how “examining the virtual data center” with the Sun Cloud API would show rules on a VM firewall

  "vms": [
    {
      "name" : "Firewall"
      "uri": "/vdc/m~FW01",
      "run_status" : "HALTED",
      "description" : "Firewall appliance; ports 80 and 22 open.",
      "hostname" : "FW01",
      "os" : "Solaris 10",
      "cpu" : 1800,
      "memory" : 2,
      "boot_disk" : 10,
      "data_disk" : 80,
      "temp_disk" : 10,
      "params" : { },
      "tags" : [ ],
      "back_up": "/vdc/m~FW01/ops/back-up",
      "attach": "/vdc/m~FW01/ops/attach",
      "detach": "/vdc/m~FW01/ops/detach",
      "backups" : [ ],
      "interfaces" : [
        {
          "mac_address": "00:16:3E:08:00:91",
          "ip_address": "144.34.100.199",
          "public_address": "/addresses/144.34.100.199",
          "nic": "eth0"
        },
        {
          "vnet": "/vnets/10.31.145.0",
          "mac_address": "00:16:3E:08:00:92",
          "ip_address": "10.31.145.254",
          "nic": "eth1"
        }
      ]
      "controllers": {
        "start": "/vdc/m~FW01/ops/start",
      }
    }
  ]

Binder is a logic-based security language by John DeTreville

We introduce the concept of a security language, used to express security statements in a distributed system. Most existing security languages encode security statements as schematized data structures, such as ACLs and X.509 certificates. In contrast, Binder is an open logic-based security language that encodes security statements as components of communicating distributed logic programs.

Soutei, a dialect of Binder, is a trust-management system by Andrew Pimlott and Oleg Kiselyov. It attempts to improve upon and replace simple data structures like access control lists in order to accommodate large and volatile sets of users and resources, complicated constraints, and distributed administration.

Soutei brings Binder from a research prototype into the real world. Supporting large, truly distributed policies required non-trivial changes to Binder, in particular mode-restriction and goal-directed top-down evaluation. To improve the robustness of our evaluator, we describe a fair and terminating backtracking algorithm.

A new public report of recent aircraft accidents in America has been posted by the NTSB.

The Members of the National Transportation Safety Board meet in a public session, under the provisions of the Government in the Sunshine Act, generally held on Tuesdays to discuss and adopt accident reports, special investigation reports, safety studies, and other Board products.

One report focuses on the need for better medical examination procedures of pilots to anticipate the risk of brain haemorrhage, as well as how to reduce failure of flight recorders.

The other discusses the catastrophic impact of poor risk management and incident response:

Contributing to the accident were an organizational culture that prioritized mission execution over aviation safety and the pilot’s fatigue, self-imposed pressure to conduct the flight, and situational stress. Also contributing to the accident were deficiencies in the NMSP aviation section’s safety-related policies, including lack of a requirement for a risk assessment at any point during the mission; inadequate pilot staffing; lack of an effective fatigue management program for pilots; and inadequate procedures and equipment to ensure effective communication between airborne and ground personnel during search and rescue missions.