Podcast – Ed Daniel, ITIL, Audit & Cloud

I am joined on today’s show by Ed Daniel. Bit of a coup. Ed is one of Europes leading OSS evangelists but like me shares a background in process management ITIL, security and enterprise enablement. Ed works for Normation and was in London attending DevOps and I didn’t have to push very hard to get him to sit down in front of my microphones.

This podcast is really for the companies who are thinking about deploying Cloud, who are thinking security hardening, process management, ITIL, PCI-DSS, ISO standardisation, deploying against Cloud Security Alliance or SELinux guidelines. If you’re a service provider too this podcast also helps you. It’s your opportunity to hear myself and Ed try and give you a steer on designing your cloud and to get to deployment safely whilst growing the frameworks around Cloud management.

We talk ManageIQ/Cloudforms, how audit and logging is essential, OpenStack and Ceilometer, Heat etc etc. How you should engage with a Cloud provider or upstream vendor.

This is one of those difficult conversations which you rarely hear and that is designed to get you to a point where Open Hybrid Cloud can become a reality. We don’t always agree but between the two of us we try to get you to a point where you are armed to safely and securely start designing and consuming Cloud compute capacity.

 Download the podcast in MP3 format here – or alternatively browse the RSS.

Podcast: Max Cooter of CloudPro talks sense


I’m joined on the podcast today by Max Cooter who is editor of CloudPro Magazine for a remotely recorded podcast, Max in Sussex me in windy wet Wiltshire for a podcast I’ve been meaning to record for some time but last time we tried we couldn’t get diaries to sync. Technology allows us to do next best thing other the ether and this is the result we recorded yesterday. We originally aimed to record 8-10 minutes but the discussion got deeper and we ended up putting a lot of things on the table that are vitally important to decision makers and to cloud in general.

I let the session run and listening back when I was mixing the session in the early hours of this morning I am glad I did because here you have a podcast that might just make people start making notes and thinking about their own plans and provisioning and thinking about the structure of their ambitions in Cloud.

Max is a heavyweight, he talks Cloud for a living but gets to see a lot of the actual cloud metrics and deployments across the entire industry so is more “clued up” than most analysts due to exposure. We’ve worked together on a Dell Think Tank before and we were both out at GigaOM Structure in Amsterdam last year (Max is pictured above on the left during one of the fireside chat sessions).


We talk governance, regulation, security, privacy, PRISM fallout for Cloud, we talk Red Hat Certified Cloud Provider Programme, service providers and the need for conformity, PaaS and OpenShift. CTO and CIO pressures in the datacentre – theres a whole wealth of stuff going on.

Do take time out to listen and come back next week where I have a podcast with Tim Kramer my colleague of way way too many years talking OpenSCAP, Cloud Security, OpenShift and the Cloud Security Alliance. Don’t miss it we’re going to make some people sit up.


Download the podcast here in MP3 format only

I’ve been busy – Red Hat Summit 2013


The last ten days have seen me camped out in Boston in the US at Red Hat Summit recording, mastering and publishing fourteen podcasts during Red Hat Summit. Usually I do one a week so to get fourteen recorded and out there on iTunes, Stitcher and a dedicated smartphone app for all platforms was tiring to say the least.

So for those of you wondering why there hadn’t been a Cloud Evangelist podcast last week, go listen to the shows I made available to you on the Red Hat Official Podcast page from Summit by clicking here.

Podcasts on OpenShift, OpenStack, Gluster, RHEV, IBM PowerLinux, ARM and Hyperscale, identity management in the Cloud, SELinux (with Dan himself). We talk NetApp and oVirt with Jon Benedict once more and we have a lot of fun along the way.

Fourteen shows you can’t miss out on with over 10,000 listeners to date – go listen.

Podcast: David Egts talks Secure OpenShift

If you hadn’t noticed theres a bit of a credit crunch on, it’s affecting every aspect of life including provisioning of every aspect of government and military forces and their supporting services and solutions bodies. Governments and the military use en ever increasing amount of Open Source technologies, and a lot of platforms that have grown up with open APIs and that fit secure accreditation regimes.

We’re talking DISA, STAX, how to get to secure PaaS using OpenShift and how we are helping defence (or defense for those over the pond that can’t spell) get to secured accredited trusted PaaS.

David Egts has been on a podcast here before and appears weekly on the Red Hat Gunnar and David show that I listen to avidly. David recently wrote a great article about how military platforms should not be deployed on proprietary PaaS solutions and frameworks, if you haven’t read it go do so before you listen to the podcast.

Thanks for this show also go out to Red Hat’s Paul W Frields who wrote the amazing Pulsecaster that sits on Fedora and that I used in a very different split channel mode this week thats allowed me to get this remote podcast out fast and in great audio quality considering there is 6000 miles between the two people talking. Also this week both David and I are solely using Samson GoMic’s and the entire thing as usual mixed using the free and open source Audacity DAW. The GoMic is a revelation if you don’t know what I’m talking about follow the link.

Come back soon for two podcasts next week talking CloudForms with James Labocki and OpenStack with Rhys Oxenham.

Download the podcast here in MP3 format only

Security 101: an update

So last week I blogged about a breach of security at a major company that was actually extremely isolated and I am totally satisfied that this was a breach contractually outside of their control and hopefully will land in litigation with the company who breached their contract and terms of reference with the originating company.

So what actually happened is that tech refresh took place with equipment being taken offsite under contract by a industry regulated company specialising in recycling corporate IT hardware whose job it is to sanitise and where applicable destroy or recycle / remarket IT equipment to the “third market” that is eBay etc.

Unfortunately this third party failed utterly to understand their responsibility and re-marketed this multi function laser printer containing sensitive and potentially compromising information that is once more entirely in the hands of the originating customer, the data controller in the eyes of the ICO. Considering they are ISO 27001, 14001 and 9001 certified they demonstrated a total and utter failure both to their customer and to the needs of data sensitivity. I’d assume they just lost a customer and I certainly would have major concerns over their capabilities and can’t see them being a continued supplier of the organisation concerned.


I am entirely satisfied having seen first hand the processes that this major organisation has in place, having worked with their IT staff since last week and having met with one of their IT managers today in person that they have been failed badly by a supplier.

Word of caution, data has a lifecycle. When you handle something non specific such as an MFP, a router, a network boundary device, switch, firewall or the like – kill it before it goes to your third party recycler. Heres where having a CUPS print server could have saved a world of pain. Don’t rely on the manufacturers to assist you, most hardware vendors do not take security seriously and sacrifice price point and features over security management capabilities. Heres where Software Defined Networking in Cloud is going to prove invaluable.

My thanks go to the CEO, IT staff and the Public Relations person at the company concerned for having jumped on this and proved that lessons do need to be learnt in all organisations of every size but that they have been able to show me, in writing, and to demonstrate proveable thought leadership around IT process management.

Oh and they replaced the printer which will go in my soon to be massively downsized office (a pregnant wife giving me clear instructions to give away hardware and to hire a skip) up the road in Devizes in the next few weeks before the baby arrives.

Security 101: I’m with stupid

For those that listen to my podcasts, read this blog or see me on stage or at conferences with my security hat on you’ll all be aware I take security and privacy of data seriously, very seriously.

In 2000 I co-invented SmoothWall the ubiquitous firewall that became so popular (from where Endian and IPCop then became derivatives) and I then bankrolled and started the company of the same name. Since exiting there in 2003 I’ve advised at the highest government levels as a certified cleared consultant and advisor and now tell you all how to protect yourself in Cloud.

Therefore tonight when configuring some 2nd user kit acquired from an eBay commercial seller nowhere near my home I was surprised to find the kit actually originated from a very large commercial company in the catering sector four miles from my home here in Wiltshire.

The kit, a multi function laser printer, HP branded presumably was from an office clearance. Now heres where I get prickly. I wrote white papers and good practice guides for MFP disposal years ago recommending the only way to get rid of them is to actually scrap them as industrial waste and not to let them go to a recycling company. Most recycling companies are generally self proclaimed specialists with VERY BASIC ISO 27001 / BS standards (read paper collection exercises that don’t qualify you to do squat) who can run dban on a laptop and apply an acetate sticker saying data cleansed on it. You can’t do that with MFP’s they have either solid state logic, flash memory or worse a harddrive. And they’re manna from heaven for hackers.

Cue some basic easy legal and above board manipulation of report functions via HPLIP under Linux and now I have 150 confidential faxes sent and received from the original owner on what is now actually legally my property, and worse because it’s a network device I now have their IP address schema, gateway details and enough info from the faxes to play social engineering havoc if I was a malicious hacker.

I am on vacation for my sons birthday the next few days so I am not going to go out my way to point out to the IT director concerned what shape and size a fine from the office of the CIO looks like but after the recent food scares in the UK I am sat on purchase orders from every supplier they work with and it’s just stupid, idiotic and immature awareness or lack of awareness on their part that they 1) contracted their IT disposals to a bunch of clowns who broke the law and presumably their contract 2) left the original entity open to a fine or worse still a malicious hacker had they got that info.

Heres the worse kick in the teeth to me personally, turns out they’re a SmoothWall user so they obviously do get Security not just the major risks of data privacy or their responsibilities under any of the blended security matrixes that make up common sense IT practitioning,

Time to draft an email to their CIO and ask him who he employs to look after security as I’d be handing them a P45 and working out how to get this back into a box to own it. Wonder what else they recycled without due diligence ? Time to hand these faxes to their rightful owner and to point out the genuine sheer unadulterated stupidity of their ways. It’s even more stupid when you think that this company are actually market leaders by hard won hard grafted achievement supplying catering to local government organisations, hospitals, care homes etc. Not small fry – so you’d expect better process control and understanding of IT security.

Epic fail.

Please if you are one of the thousands of people who read my blog don’t emulate them.

Podcast: Kuan Hon – Cloud & The Law

Please be under no illusions. This latest podcast is a big deal. It’s also a bit of a coup. Tackling difficult topics in Cloud from a vendor neutral perspective is always hard. This podcast takes one of the most difficult topics that can sometimes cause Cloud ambition to stumble, and addresses it as best we can in the short format I bring you weekly.

Nobody likes wondering whats in your average sausage never mind talking about it, well in much the same vein nobody really likes talking about Cloud and the law, no matter where you are globally this affects you directly and is another reason why you should be listening in to my shows, if you aren’t already.

So joining us today is Kuan Hon from Queen Mary University in London. Getting her on a podcast was a dream come true, I’ve read her papers and her analysis and views on Cloud and law for so long now and she’s a heavyweight who knows her topics inside and out. A qualified attorney in the US and solicitor in the UK shes taken time out to go and do her PhD and also write a great blog, speak at events (including Defcon) and to carve out a reputation as the eminent goto person on everything Cloud and law.

Do take time out to visit her blog and also vist the QMUL Cloud portal to read some of her published papers that just further add credence to her ability and reputation – and also demonstrate why I worked hard to get her on a podcast to talk to you. From the House of Commons to Microsoft, from Forbes to the European Union, Kuan is taken very seriously as a voice of legal common sense and authority. Her papers both in her own right and as a co-contributor continue to shape and influence the ability of law to pervade Cloud sensibly and with clarity. You can read selected papers shes written on every aspect of Cloud law and contract law within Cloud by visiting this link.

It has taken walking over broken glass to get it out the door, recorded in the offices of Red Hat in London a month ago this podcast has been through legal review and internal review at Red Hat to get it out the door. My public thanks go to Michael Cunningham Chief Legal Counsel at Red Hat and to his team and to David Perry especially for taking time out of his diary to work with me to get this to release.

Remember: This podcast is two geeks talking, it does not constitute in any way any legal advice. You should always consult your attorney or company legal counsel before taking any action that potentially impacts you or your data, your company data or assets at risk by way of contract or exposure. However, at least with this podcast you know where to go to ask the right questions.

Enjoy the podcast – come back next week for more great content. For now I’m taking a few days off to celebrate with my wife and family the second birthday of our eldest son Christopher so I’m going to leave you with this podcast and disappear into the ether.

Download the podcast here in MP3 format only