Blogs

IRS Should Audit Itself - or at least its cybersecurity logs
Submitted by jzhen on Sat, 12/20/2008 - 21:31
Slashdot is one of the places you can read about a recent report from the inspector general's office at the US Internal Revenue Service: the agency's IT staff hasn't been routinely checking its cybersecurity audit logs. Gasp! What?!? In short, the IRS is not in compliance with the Federal Information Security Management Act, called FISMA for short.
A quote from the report issued Monday and covered by PC World today states: "These weaknesses increase the likelihood that intruders from the Internet could gain access to sensitive taxpayer data residing on the IRS network without being detected."
- jzhen's blog
- Login or register to post comments
- Read more
- Feed: LogBlog
- Original article

Appropriate Monitoring for Electronic Patient Records
Submitted by jzhen on Thu, 12/18/2008 - 18:06
The Department of Health and Human Services this week released new privacy guidelines (PDF) for electronic health records, the use of which President-elect Barack Obama has promised to support as part of his plan to jump-start the economy. Some quotes from this report:
SAFEGUARDS
Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
ACCOUNTABILITY
These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches.

Lowly Logs versus Goliath Tech Elite
Submitted by jzhen on Thu, 12/18/2008 - 17:00
LogLogic alum Anton Chuvakin is commenting on security sales and the mistake of "selling what you have" instead of "listening to what the customer needs". I want to take this one step further: it seems to me that Silicon Valley has a long-standing tradition to "build technologies" and then "hope that they will come". "They" being the customers in this case.

Podcast: IT systems analytics become more crucial as cloud and SaaS adoption raises complexity bar
Submitted by jzhen on Wed, 12/17/2008 - 08:39
Read a full transcript of the discussion. Find it on iTunes/iPod.
Software-as-a-service (SaaS) and cloud computing are changing the nature of IT systems’ performance requirements and heightening expectations for end users from online applications and services.

LogLogic named a finalist for SC Awards 2009!
Submitted by jzhen on Thu, 12/11/2008 - 10:37
Now in its 12th year, the SC Awards, hosted by SC Magazine, honor the professionals, companies and products that help fend off security threats confronted in today's corporate world. Yesterday, LogLogic was named a finalist for the "Best Computer Forensics Solution" Reader's Trust award. The winners will be chosen by a panel of volunteer SC Magazine readers. Judges vote on the functionality, manageability, ease-of-use and scalability of each product or service, as well as the customer service and support provided.

Enable visibility and transparency through application logging
Submitted by jzhen on Wed, 12/03/2008 - 10:31
LogLogic has been advocating comprehensive logging for all IT components (or configuration items if you are in the ITIL camp) including applications for a long time now. We have worked with many of our customers to ensure that there's 100% collection and analysis of their IT log data. In the last several months there's been a huge uptick in the area of application logging, specifically for the application developers. This is partially due to the general interest in cloud computing and SaaS applications.
To quote a few blogs, Amrit Williams said in his blog "Amazon AWS, Google App Engine, Microsoft Azure, and More - Part 1: Can We Secure The Cloud?" (emphasis mine):

Log management – a safe bet for 2009?
Submitted by jzhen on Tue, 11/25/2008 - 10:41
In my last blog, I talked about being optimistic for LogLogic - a "rising star" Silicon Valley company with a funny name. There's no doubt that belts will tighten around IT spending in 2009, but Enterprise Strategy Group analyst, Jon Oltsik, anticipates a few technology areas will remain strong. Namely: virtualization, networking, security, storage, and services.

The Obama plan: accountability and startups with funny names
Submitted by jzhen on Wed, 11/19/2008 - 22:35
Now that we have a new president-elect, everybody is asking themselves: what does the Obama administration mean for me? LogLogic is no exception and I have been asked the Obama-question by employees and reporters alike. The bottom line is that I am optimistic – the new government appears to intend to focus on innovation, transparency and accountability.

Respect Your Customers – Protect their Information
Submitted by jzhen on Tue, 11/18/2008 - 12:08
It's always refreshing to talk to customers and be reassured we are helping them improve their businesses day to day. Last week, we announced both The Body Shop International PLC and Ameren Corporation (NYSE: AEE) as new LogLogic customers. Both companies are using LogLogic to meet regulatory compliance – The Body Shop is using LogLogic in the U.S. and will deploy us in the UK, EMEA and APAC to meet the Payment Card Industry Data Security Standard (PCI), and Ameren is using LogLogic to meet the North American Electrical Reliability Corporation (NERC) requirements as well as Sarbanes-Oxley (SOX).

Podcast: ITIL requires better log management and analytics to gain IT operational efficiency, accountability
Submitted by jzhen on Tue, 11/11/2008 - 21:41
This podcast was done by Dana Gardner:
Read complete transcript of the discussion. Find it on iTunes/iPod. Learn more.

BriefingsDirect Transcripts: Systems Log Analytics Offers Operators Valued Performance Insights While Setting Stage for IT Transformation Benefits
Submitted by jzhen on Sun, 09/14/2008 - 09:43
Despite growing complexity, IT organizations need to reduce operations costs, increase security and provide more insight, clarity, and transparency across multiple IT systems -- even virtualized systems. A number of new tools and approaches are available for gaining contextual information and visibility into what goes on within IT infrastructure.
IT systems information gushes forth from an increasing variety of devices, as well as networks, databases, and lots of physical and virtual servers and blades. Putting this information all in one place, to be analyzed and exploited, far outweighs manual, often paper-based examination. The automated log forensics solutions that capture all the available systems information and aggregate and centralize that information are becoming essential to efficient IT management.

Logging Poll #9 Analysis: Log Protection and Security
Submitted by jzhen on Fri, 09/05/2008 - 18:24
This is the analysis of my last poll; the responses are here and also below.

Anton Logging Tip of the Day #16: Virtually There - Journey Into VMWare ESX Log Analysis
Submitted by jzhen on Wed, 08/27/2008 - 10:41
Following the new "tradition" of posting tips of the week, I decided to follow along and join the initiative. So, after a long delay, Anton Logging Tip of the Day #16: Virtually There - Journey Into VMWare ESX Log Analysis
CISecurity guide for VMWare (here) and DISA STIG for virtual machines (here) both mandate collection and analysis of VM platform logs; none goes into enough details on what to look for in logs. Let's try to shed some light on security-focused log analysis of VMWare ESX v. 3.x logs.

Logging Stories from the Field
Submitted by jzhen on Tue, 08/26/2008 - 08:09
Our brilliant field engineer, Dimitri McKay (his blog) brings another fun and insightful story from the field:
"I recently went on-site for a proof of concept. I’ve always loved these exercises, as it gives me a chance to help a customer see that which was invisible in the past, whether it be virus-outbreaks, users abusing bandwidth via bit-torrent and file sharing, or VOIP phones assaulting DHCP servers for IP addresses. This particular customer had an interesting configuration. They had been sending their critical/alert and emergency firewall logs to a 3rd party security operations center. That SOC was supposed to monitor the firewall data for any risky traffic, identify any anomalies, and report the instant there’s an issue.

Challenges of Enterprise Cloud Computing
Submitted by jzhen on Sat, 08/23/2008 - 16:24
[ Originally posted at OnSaaS ]
Today, enterprise use of cloud computing is still in its infancy (heck, the whole cloud computing space is in its infancy). Most enterprises use cloud computing for testing, development and other peripheral tasks. However, few, if any, are using the clouds for production use. This is fairly similar to the virtualization space, where early use of the virtualization technology was for testing and development. Ten years later, we are seeing more and more enterprises adopt virtualization for production use and virtualization has become mainstream.
What are these challenges for enterprise cloud computing? I have tried to summarize them here (in no particular order).