Dispatches from the Front: 29 July 2012

… From Ken

Friends,

In some of the return e-mails, several have asked I not include or discuss the “un-pleasantries of war” in my “Dispatches”.  To those kind souls, my advice is to simply delete all future e-mails from me.

Unfortunately, I am not in a pleasant place to accommodate such a request.  The truth often is not pretty.  It matters not how eloquently words are strung together, daily death and destruction is difficult to mask.  I will try harder, but there is little in the few local Afghan merchants, third world mess hall workers, the barren landscape with its’

oppressive heat, the three separate species of birds [(1) mourning dove;

(2) black and white winged starling; (3) small body sparrow], the mice and rats, that are available to write nice things about.  I promised myself to record what I have seen and not made-up fiction.  I have

always believed, “to thy own self be true”.

Your’ Marines, Soldiers, Sailors, Air Force, and Coast Guard, our coalition partners, and the civilians, both DoD and contractors are doing a terrific job with their tasks.  Never have I seen any of them appear weary in doing their duty.  They are the doers of good and doers of the right thing.  I have never seen them afraid or discouraged, only strong and courageous. Sure they bitch, but I remember the same grumbling heard during any deployment or any place I have ever worked or traveled.  It would worry me more if I heard nothing.  They all have and draw from an inner strength securely put in place before their arrival.

To each, it is different; as it should be.  A life lived is determined by circumstance, luck, timing and your beliefs.   Surely there are other qualifiers, but without the benefit of a glass or two of a fine ancient single malt whisky to stimulate the senses, those are enough.  For me my inner strength comes from my absolute belief in God and His Son Jesus.

I believe in Them as much as I believe there is a United States Marine Corps.  I make a sorry Christian but I learned early in life, “once you trust in the Lord, fear not what others can do unto you”. I was also taught that “a man’s true worth is what he has done to help others”.

Every day is a gift and you only are given so many.  How you consume each daily gift is totally up to you.  I promise you, a day does not pass without reflection on just how lucky I am to live in the day and time I do and to be blessed with the people I know and have known.

Sadly, I am confident my enemy believes in Allah as much as he believes in the Taliban. That is why I have to help and do all that I can to kill him.   Negotiations, peaceful resolutions, let’s meet and sing “kume bye aye” are for the diplomats and politicians.  God bless their work.  A warrior’s work requires a more direct solution.  I never liked it years back when I first read it, but now fully understand, “From the ashes of the vanquished, the victor is able to build unencumbered”.

Unfortunately, we will not see victory in Afghanistan.  Also, the last I checked, we are not here to make Afghanistan the 51st state.

Counterinsurgency warfare or “COIN” operations is our current strategy.

Winning the hearts and minds of the people is a good thing.  I am from the old school and new techniques come hard to me, especially when a “time line” is put in place and when reached; you declare “success” and leave. COIN will indeed work as long as the people you have “won over” feel protected and free from retribution of evil.  I simply do not believe the Afghanistan military and police will be able to maintain good order and discipline throughout this miserable country once we and our coalition partners depart. My opinion and my opinion alone, their success will be short lived and “good order and discipline” is not going to happen. The evil that awaits the Afghan military, police and peoples still exists and patiently waits.  My advice if asked by the Afghan military or their government would be simply what I was taught as a young Marine officer; successful warfare requires the identification of the enemy, massing all available weapons and firepower and then close with and destroy them. I would also recommend they concentrate their remaining time and efforts on mastering all fire support weapons and the ability to deliver accurate artillery and mortar fires whenever and wherever needed. I would include close air support (CAS) but Afghan air force does not exist.

You cannot blame the Taliban for their tactics.  Even our forefathers shot from behind trees and harassed the British and with deadly accuracy.  When combined with determination, luck and tenacity they overcame the odds of winning against the mightiest military of that time.  The IED is the Taliban’s tree.  And yes there are volumes written on what really caused the Colonial victory.  However, I bet you, not facing a superior force on the grounds of their choosing, army against army, will be mentioned as a factor.

Daily routine has settled.  I am up at 0330 and complete the causality report by 0700.  If there are no US KIA’s, I decree that day as a good day. The report covers from midnight to midnight the day prior.

Unfortunately, someone has died every day for 41 days since I started this task.  Whether US, Coalition, Afghan military, police, innocent civilians; someone has been killed due to this war.  Compared to the bombing of London, Dresden, Tokyo of wars past, civilian causalities are very small.  But to the family of the one killed, it is as tragic as it was back during any time period.  The enemy also pays a toll.  I read and write those reports too.  I hate to say it, with each EKIA, the same glee that comes from catching, rolling and then crushing a Tsetse fly stirs within the black chamber of my heart.  May the Lord forgive me.

For those who have never hunted in Africa: The Tsetse fly has a harden exoskeleton that when he bites you and you slap him as you would a mosquito; once your hand is removed, it flies away to bite again.

The rest of my day 2200+ is crunching data sent in from the outlying US and coalition commanders concerning their assessment of the Afghanistan military’s and police’s ability to maintain good order and discipline.

Make no mistake; it was 46 partner nations who took from the Taliban their position and influence in this country.  Those nations are the same ones who trained and supplied the Afghan security forces.  These newly trained units are holding their own in the “cat and mouse” campaign being conducted by the insurgents.  I have observed, as soon as the “mouse” is recognized as a “rat”, the “cat” extends its lethal claws and calls in coalition fire support to neutralize the threat. The “rat” is quickly terminated but most often sent back into its hole.  For those times, congratulations abound and medals issued. Once close air support and effective artillery have been taken out of the equation, it is easy to predict the future as well as outcome.  The Afghan military and police may now own the nice shiny watch given to them by the coalition partners. Unfortunately, we all know, it is the Taliban who owns the time.

Oh look!!! There goes a little mouse scampering across the floor with a bit of cracker!  Isn’t he cute?  I will name him Marroof.  What else do you want to know about that mouse?

Semper Fidelis,

Ken

CJTF-1, ID, CJ5 Assessments

Task Force Defender

Bagram Air Field, Afghanistan

APO, AE 09354

Business got cancer? Smoke some “Cloud”

I apologize for using cancer as a platform and associating it with business but I feel very strongly about this and I do believe a business can have cancer.  What is cancer?  If you don’t know, fundamentally it is uncontrolled growth and consumption of resources by cells.

A cell is a unit of life, the smallest that classifies something as living.

A person in a business is similar to a cell.

How does a business get cancer?  

It starts with a person or people who start to work against the benefit of the business or the organization.  Productivity diminishes over time and bad behavior starts to grow.  Anti-productive behaviors and practice increase and start to consume resources and take over the organization.

There are many variables to take into account and that is why I think it is similar to cancer or is a form of cancer to the business.   The results are the same.   You either have to cut out the cancer, treat the cancer or die.

It can be a long slow death or it can be quick, it all depends on the severity of the disease.

How does this have anything to do with Cloud Computing? 

You can read my story or stick to the bullets, either way I just want YOU to get the point.

A few years ago, I went to my doctor because I am allergic to cats and I was having a pretty bad spell with a new cat in my house (don’t ask).    During my tests the doctor (I mean nurse practitioner) found elevated liver enzymes and told me that I needed to come back for tests.

Every week, I would come back for tests.  I was now required to go to specialists.   They gave me all sorts of concerns.   The gastroenterologist scared me so much that I wound up having a biopsy.   I must have seen 10 different specialists and none of them shared a common position.

I finally get through all the testing and the gastro guy calls me in the office.   He looks at me, scratches his head and says ” I don’t know what to tell you”  He advised me to make an appointment for 5 years later.

Not long after, I changed insurance and got another doctor, he looked at my records and said ” I wouldn’t have sent you for any further tests”

I spent hundreds of dollars, the insurance companies spent thousands.  The saga continued as I moved and was forced to go to another doctor who practically put me through another round of tests and specialists.

No doctor ever solved my problem.  I found something out though.   I was a little above my target weight and if I went to the gym or I ran a few miles a day a few times a week and addressed my diet, my “inflammation” or elevated enzyme levels went down.

The doctors wanted me to donate blood a few times a month as they told me that would solve my problem.

POINT: 

  • You can’t treat a symptom.   You have to discover the real problem (s)
  • Technology won’t fix your problems.  (Donate blood)
  • Technology is an enabler not a solution within itself.
  • People are trying to make money by providing solutions.  (Preventive care does not drive up revenue)
  • Solution providers want you to keep coming back.  (Subscription for your affliction?)
  • You have to treat the whole body. (Just targeting one area of your business won’t heal it)

Cloud computing is an enabler.   I love technology!  I love being enabled!  It is great for business.  It isn’t great for solving problems.  People are the core, people are the cells, people are what make your business.

You could go to the phlebotomist and it may ultimately appear on the surface that your problems are being solved but the underlying cause will still remain.

People, Process, Methods, Tools.. Always PEOPLE FIRST.

Treat the whole body and you are on your way to wellness.

 

Clouds Bring Rain

We are being hammered by companies selling cloud services and it is working.   I am telling you right now.. BE WEARY.   This is not going to be a lengthy post today but it is a warning.  DON’T JUST BUY THE BUZZ.

I have been talking to a lot of leaders in business and government and I am hearing the keywords repeated over and again.

1) Agile

2)Cloud

3)ROI

4)TCO

5)Consolidation

6) Less labor

7)Faster time to market

8)Faster development

9)Higher revenue

10)Far reaching

Those are great words, but they are for business development and aren’t broken down by analysis relative to YOU.   In other words,  what if someone came into your house and looked around and said “Move everything, I will show you now, just trust me and pay me.”   Really? You would kick them out.

I am really angry about it because this behavior gives people who are really trying to help business and government a disadvantage.  It is like SOA, it was beaten to death by marketing and bullshit.  The tenants of SOA were ignored and it became known as yesterday.

Now we are “agile” and “cloud” but what those things mean to you as a leader, a developer, a manager, an implementor are diluted by the noise of marketing.

My message to you today is “DO THE HOMEWORK” don’t dive into solutions and spend money head first.  Perform analysis, bring outside help into validate your work.    Don’t do what everyone else is doing, because what they are doing may have NOTHING to do with your business.

That is all I have for today!

 

Kenny Dispatches from the Field 20 July 2012

For a few hours this morning between 0400 when I got to my desk, up until 0700 having just completed the 19 July 2012 Significant Activity Report, I thought today was going to be a good day.  There were several IED explosions recorded the past 24 hours which included US wounded but fortunately no KIAs.  Joy is short lived in a place called Afghanistan.

As I clicked “send” an incoming e-mail notification appeared in the lower right hand of my screen. It was notification one of the young Soldiers wounded last night, had just died of his wounds. Today, 20 July, now sucks like all the rest. Hold your children tight.  Tell them that you love them.

Tomorrow is only a day away.  I can only hope that my report for 21 July will be filed with a happy heart.

Semper Fi,

Ken

Kenny in the field 14 July 2012

Afghanistan_PIX

It has taken awhile, attached are a few photographs I requested from the combat photographer assigned to our command. He is a talented young soldier and a good man.

As you can see from the photos, life here is far from pleasant. My living conditions are much better than theirs.  The thing I look forward to most is a daily bowl of oatmeal and a cup of terrible coffee for breakfast. The food for the rest of the meals from the mess hall all tastes the same.  If I were to guess, what most of the men in the photographs look forward to, they would simply say, “tomorrow”.

This war in Afghanistan has quietly fallen from the hearts and minds of most Americans, but I know not from yours. I sincerely thank you for that.  As MacArthur so wisely reminded us:

“The soldier is the one who prays most fervently for peace for he is the one who has placed his life on the altar of freedom”.

My burns are healing.  Last week, work was done to the showers by local Afghan workers. I am now convinced they are Taliban and reversed the dual Hot and Cold knobs on purpose.  In an instant, I was scalded down the front of my chest and received 1st degree burns complete with large blisters and pain.  The worst places I applied bandages with 1st aid ointment.  I knew that was necessary due to once removed, they were yucky.  I now approach the showers differently.  I go through a long start-up and shut-down process to prevent future incidents.

I purchased a new knife here in our little PX. It is the Benchmade “330 Infidel”.  Besides really liking the name, it is a spring loaded stiletto with a 4 inch blade.  I’ve used it to remove staples so far.

As I experienced during my time in Asia, Africa, and the Middle East, people stink. I hope I do not, but might. Thirty years ago, I told Pam not to throw away my bottle of “Hi Karate” and “Old Spice” cologne for I could use it now.  I am convinced the smell has to due to the food or the poor laundry process. I have been told that they do not use detergent because of possible bomb making potential.  Damn those IEDs and the bastards who are responsible for them!  So many of our good men and women are killed and severely injured by the cowards who make, plant, and install them. I read all the causality reports every day.  I consolidate them and send them forward.  You have no idea the horror I read.  It even makes my cold heart sad.

The other night’s “Fallen Hero” ceremony was especially difficult.

Because of on IED, six good men sent home to God leaving their comrades and families to morn their loss.  It does not matter how many of these ceremonies I attend, tears fall and I am unashamed.  I refuse to miss any for that is the very least I can do for those who have done their duty. You can tell when things are to go badly.  The night previously, I knew something evil this way comes when I first heard than saw multiple MEDIVAC choppers land and take off at the field hospital here in Bagram not far from my office.  Unfortunately, I predict the situation here will only get worse as we draw closer to leaving this miserable place.

Fortunately, tomorrow will be new and no one knows what it will bring.

I pray for protection, safety and success for our men and women in harms’ way. It is sad to note that I replaced the word “victory” with “success” in the previous sentence.  There will be no victory in this place called Afghanistan.  We the United States military are a decisive fighting force, period! We make our mistake(s) when we linger AFTER the victory trying to diplomatically dabble in democratic experimentation.

It is time to return to the “speak softly and carry a big stick” era, no more country building. Never works except to create a cesspool of greed, corruption, criminal activity and a considerable drain of our National treasure.  Too often that includes the loss of treasure bled from our closest allies.

Today is a new day.  Maybe, just maybe, it will be a good day.

Semper Fidelis,

Ken

CJTF-1, ID, CJ5 Assessments

Task Force Defender

Bagram Air Field, Afghanistan

APO, AE 09354

Want to Save Money in the DoD? Think about it!

I participate in an online community that discusses open source technology and solutions related to the US Federal government and the Department of Defense.   Recently there was a post about saving money in the DoD and Federal government by replacing desktops with some flavor of Linux.    This discussion has me thinking about the challenges the government faces in saving money simply from the technical perspective.

I have had this discussion with a lot of people though the years.  A little truth in history, I think I started my career on the wrong side of the discussion (just change stuff).   When you are a Technologist or even an Analyst, you may wonder why we as a people, a corporation or other body make stupid decisions.   A lot of the time solutions are right in front of us and we don’t employ them.   One example of this is using open source technology in the DoD to save money.

Let’s look at this from a few different perspectives to understand what people are thinking in context of this problem / solution.

Technologist: 

Open source technology doesn’t have any client access licenses tied to it.   It doesn’t have reoccurring license fees and product costs.  You don’t have to pay for maintenance if you don’t want to.  This can free up money to invest in people.  You could actually hire more people and you could get more customized solutions.  Think about all the money you can save!  

Consultant:

How much will open source cost?  What are the fees involved with maintenance?   How much will it cost to transition all of the systems?   How much will it cost to deploy the systems?  How much will it cost to train all of the infrastructure people?   If we are trading licenses for people, aren’t people more expensive?   If we turn to open source aren’t we just trading one problem for another?  How do we get all of the organizations to agree to transition?  What do we do about operation, IT, and business process governance?  What do we do about legacy applications that won’t easily transfer over?  How will this impact the enterprise? (etc)

Management:

I have to make a decision, where is a trade-off analysis?  I may not have the needed authority to make a decision like this, what does our CIO say?  How will the changes I make affect the operator?   Who and what policy and standards should I adhere to?   What if I am a Program of Record, how will this impact my funding?  What if because I am a Program I can’t change the configuration of my system?   HOW MUCH WILL THIS COST? 

Operator / User:

I have a job to do, I do my job well but I need my tools.  If you enable me to do my job by providing me consistent behavior with respect to my current capabilities and enhancements that are consistent with my training for my future capabilities, I will work hard.   Don’t mess with things that work.   Don’t make me learn a lot of new things at one time.  Don’t give me less than I have.  Don’t change my process.  Don’t interfere with my job, you have no idea how important my work is.    Be available when I need you.  

__

I could go on about this but the bottom line is that from a Technologist perspective (one that I know well), when you are holding a hammer, everything looks like a nail.  Unfortunately, things are much more complicated than that in our world.  The reason why small teams work well is because they can change and adapt quickly.   The way that the government is structured, it takes time to drive change unless the change is driven by “the operator” or the people themselves.  In other words,  if everyone in the DoD or Federal space decided to go open source at home and in their personal lives, that would change the demand and quickly change the requirements.  Look to mobile devices as an example of that .   That isn’t what is happening in the world concerning Linux and other open source software.

The world evolves and changes happen in small but effective increments.   The government is already saving billions in licensing fees by using open source technologies on the backend services (Apache Tomcat, Linux etc).  We need to look at our success and find the bright spots, what worked where and why.    We need to seek out and discover where we have created efficiencies by using open source technologies and we then need to duplicate those efforts.  Finally, we need to seek out ways to discuss this with mid-level leadership (not senior leaders),  senior guys already “get it” it is the person in the middle that feels their voice is unheard and they hold on to any speck of ownership that they can.

If you disagree, let me know.  If you agree, do something about it.  I am.

 

“It boiled down to courage and tenacity”: My “Inbox Interview” with Howard Cohen, Community Manager at DISA Forge.mil and Technologist by Chris Maher

I was interviewed a few weeks back by Chris Maher on Linkedin.  The topic was concerning “Trusted Computing”  and ramblings on security.

CM: Howard, as you know, I quoted you at the 2011 NSA Trusted Computing Conference & Exposition: “Well.. I believe in Americans. I believe that when we see various challenges that we individually step up and out to deal with them. We have put your faith and trust in leadership and leadership has been pounded with more work than they can handle (yes, I am being nice). That being said, it is up to us individually to lead where we are. We must individually work to change our own behavior and look to influence others by leading from where we are. If I am a Janitor, then I look for ways to be efficient in cleaning and thrifty in spending for supplies, or find ways to reuse supplies. If you are an Executive Assistant, find ways to make a difference in the office. If you are a Technical Strategist, teach everyone everything you know about Service Orientation and Trusted Computing and technical reuse models. It doesn’t matter who you are, it matters what you do. Our jobs do not define us holistically. In recent days I have seen civilian leaders (you know who you are) step up to the plate and take risks in order to share their ideas on how to create a more effective and efficient acquisition solutions. It isn’t only up to them. We will find more success together by working to change these behaviors and tackling the challenges we can see one person and one problem at a time…” (SOURCE):https://cohenovate.wordpress.com/category/howard-cohen/

It’s a great quote for a variety of reasons. That said, I want to focus on your awareness of and experiences with Trusted Computing. How you were first introduced to Trusted Computing?

Chris,  Thank you very for clearly understanding and articulating the message of “leading from where we are.”  I have been working for the Department of Defense for close to a decade now, before that I worked at a school division and the commercial industry.  I have worked for Joint Forces Command, Joint Staff and now DISA.   I started hearing about Trusted Computing while working at the school division, if anyone is going to break your system it will be the kids.  I learned a great deal about system hardening as I entered the world of military architectures at J8.   I started at US Joint Forces Command by using security technical implementation guides (STIGs) as we call them.   Prior to that I was using non-military oriented technologies like hard drive sheriff, deep freeze, bootable cd os (barts PE), stuff like that. 
And, in your estimation, why does Trusted Computing matter? Why is it important?
In enterprise computing you want to be able to leverage standards. We need the ability to look at metrics and we need to understand what “expected behavior” is.  In other words, we need to be able to know when something is not working right.   So you need standards so that experts can be on the same page and understand what they are looking for as “normal” as opposed to seeing something that “interesting” , if everyone is doing their own thing at the enterprise it makes it very complicated to know what the heck is going on.   You have “shadow IT” that will compromise the integrity of the network simply because it exists.   When working in an enterprise users and operators need to trust that mechanisms are in place to protect them.  I can go on about this but the bottom line is that to know if something is wrong you need to establish that something is right.  I believe that is why Trusted Computing is important. 

CM: As you may know, Richard Stallman once rebranded Trusted Computing (TC) as “Treacherous Computing” which made a neutral set of technologies out to be a threat to open computing and/or our civil liberties. Stallman conflated Microsoft’s Palladium effort with the word of then TCPA. Ever since, TC has been dogged by the adjective “controversial.” For me, TC (including self-encrypting drives) actually protects my civil liberties by arming me, the digital citizen, with technologies that can defend my information from any intruder… including an intrusive government. But that’s just my opinion. How do you assess the intersection of Trusted Computing and civil liberties.

As long as there are people involved in computing, there are going to be hackers.   As long as we are at war with others, there will be people who will look to harm us in the real world or through technology.  Sure you are sharing the standards but I would say process and method are two different things.  In other words, you may have common technological frameworks and standards but how enterprise strategists think about and employ these technologies are different.   For example, I know of an organization that uses two layers of username and password and additionally requires a common access card, all of which are standardized.   The practice is abnormal but if a technologist was brought in to help solve a problem once he or she understood the architecture and because they are using standardized technologies and platforms they can help solve the problem.   I equate it to having a human in the loop.  People are your greatest protection mechanism as well as your greatest threat.   In terms of civil liberties, I think we have some problems with the law more than technology.  We don’t have a right to privacy, it isn’t guaranteed by the constitution and that means corporations and people are free to snoop around our business.  When that gets into information gathering and data aggregation it poses a much bigger problem than just technical mechanisms to protect our data.  It is more about what information did your city just put out about you and your home value, stuff like that.  So, in other words I am not sure that Trusted Computing makes a difference here unless we are just talking about me protecting my local hard drive.

CM: Much noise is made by IT professionals about the difficulties of using TC, specifically going into the BIOS and having to turn on TPMs. And it must be said that there has not been the development of many applications that leverage TPMs. In your experience, is Trusted Computing too hard to implement?
I have seen full disk encryption at the corporate level and while working with the government.  I have not seen BIOS based modules employed and I don’t have personal experience with BIOS based secure computing.  As I mentioned earlier, while working at the school division we used a device call hdd sheriff and some technology out of Israel to perform persistent drive management and encryption.   This was over 10 years ago too but the concepts have been around for a long time.   There aren’t a lot of commercial options that I have seen at the application level that use TPM’s but I think there is value there depending upon the requirement.   This is all about balance.  Risk is the key.  How much is this going to cost you?  What are the implications?   If I am working in the financial sector, I want as much technology as I can to protect my information.  The same could be said for the medical industry, I haven’t figured that one out yet but I am sure there is a good reason.  

CM: It’s been my contention that government MUST take the lead in adopting and recommending Trusted Computing. In this regard, I’ve been heartened by the NSA’s (more or less) full-throated endorsement of TC and by the CESG’s recommendation in favor its use. Further, as you may know, NIST 800-155 (in draft form) has recommended (or will recommend) the use of a hardware root of trust as a foundation for BIOS Integrity metrics. Still, it seems like .gov and .mil domains have been quite slow to fully adopt these open standards and technologies. In your view, what’s the state of play re: TC adoption within our government?
This is about cost of implementation and ability to implement.  In other words, as long as there are programs that are “Programs of Record” with Title 10 authority, essentially meaning that they can control their own technical destiny there won’t be adoption unless it becomes part of the culture.  For example, while working for Joint Forces Command I stood up one of if not the first accredited virtual infrastructure.   Most people were getting rejected at the time because hardening didn’t exist aside from the vendor best practices.   Information Assurance folks were afraid to take the risk, although it could mean millions in savings.   It boiled down to courage and tenacity.   The government leadership I worked with and for championed the idea and helped me bring people together by supporting our teams ideas.   It took many briefs and I think I have stock in some chocolate company now as well to get people to believe that there was value in virtualizing the infrastructure.   I know that sounds funny now because so many have adopted virtual technologies.   Here is the kicker though, today even though virtualization has proven to be of great value there are many government programs that haven’t virtualized and / or won’t go because of requirements and title 10 authorities.  CM: A great deal of academic and industry research has focused on the value of TC when it comes to authenticating users in a cloud-computing context…as well as using TC to protect user’s data in the cloud from the “insider threat.” Speaking specifically about the cloud-computing context, how important do you think TC technologies (TPMs) and protocols are as enablers?

As I started working on enterprise computing concepts and strategies, I started to see a trend.  Thomas Erl talks about this in his service oriented architecture books but it has to do with understanding dependency.  Cloud computing may increase risk.  Notice I say “may” instead of will, the reason is that every enterprise situation and IT ecosystem is different, remember earlier when I was referring to process and method being two different things.   Regardless of the situation organizations will have dependencies, for example you need communication services to connect to the Internet.  As you increase services and connectivity requirements it is likely that you introduce more dependency.
The cloud really refers to “off premise” services. These services are interconnected enterprise services that go beyond an organizations local physical infrastructure.   This is very important to realize because it means that hardware and IT resources are still potentially under trusted controls of an organization which of course then leads to leveraging organizational standards etc.   

The difference is that when you have a dependency on a “cloud provider” that is outside of your organization you build dependencies in which you may lose control over the IT resources.  As you give up autonomy or operational governance, you become more reliant on legal remedies.  In other words, SLA’s or Service Level Agreements become critical to the organization.   This relates to Trusted Computing in a lot of ways, for example a service provider may need to employ certain (TPM’s) prior to an agreement of use.  This increases the cost to service providers and also may limit choices as to what service providers’ organizations can use.  An example is that Amazon offers Federal services with enhanced security.  I am not advocating for any service provider, I am simply saying that as cloud services increase, the costs of these services will increase and the demands of security and stability increase.   In the grand scheme of things it wasn’t that long ago that most folks were on dial-up, it was $9.95 to $19.95, today most people pay $40.00 for Internet services not including the extra services they pay for while on the Internet.  As these costs increase, it pushes the price of everything up, simple economics.  Trusted Computing in the cloud is costly, but organizations when moving to the cloud will need to absorb these costs.  

My key point is that we can’t rely on technology alone.  Technology as it is today can be overcome by the human brain.  That being said, we still must put barriers in place to slow down attackers enough so that we can identify in some manner that our information is being attacked.   It is the difference between having a lock on the door and adding a security system.   Some people would say that adding a security system adds no value or is a waste of time.  I think as we continue to build technological solutions to thwart attackers or secure the enterprise, we strongly need to consider how we can keep “a human in the loop” and have people involved in watching the various stores.   As we move forward with these kinds of discussions we truly need to consider people, process, methods and finally tools which in my mind is where a lot of the Trusted Computing area currently addresses.