 Okay, I think we can probably get started with a pretty good crowd here and people seem to have stopped drifting in so You'll first of all a little bit about me. I'm going to have wrote a Cloud book earlier this year and these are all the various ways you can get hold of me These slides that I understand will be up on the will be up in the latest foundation website and I It's also my Well, the quite new year's resolution at this point was one of my resolutions to get more recorded versions of my various presentations up on my website, so there should be some version of this up there so my sort of the the origin of this talk is the sort of link baby Headlines that you see out there. There's nobody from the media here is there. No my friends the media. Okay, so that People writer that may be their editors, right that sort of every time something or other vaguely connected the cloud computing goes wrong We have these headlines, you know, is it safe the cloud isn't safe and you mean public cloud But you know just serve broadly by way does anybody get the movie reference here? anyone Marathon man go see it. It's very good So I mean so basically the genesis of this talk is that you you have this these headlines serve the cloud isn't safe in these very broad brush statements about You know about whether you should use cloud computing public cloud computing specifically and We're unfortunately having some slight weirdnesses with the With the resolution I guess but with this slide said would say if you could see the whole thing would be Safety in this context Really means a number of different things. It means serve in the same sort of things You think about what you think about banks safe actually and you'll serve the integrity of what you have there What are other people can get at it? Privacy, you know continuity is you know you sort of trust that your money just isn't going to like not be there any longer some day and I think the term that we see used most often or that sort of mashed up with security most often is security and So I think when we see Surveys for example about cloud computing, you know, what was the biggest inhibitor to cloud computing? Security is almost always at the top there and that tends to be how people answer I'd actually argue that today's is a little bit less the case then it was historically But you still see that at the top of surveys a lot and the problem is in another movie reference that Secure idea a lot of people who say that security is an inhibitor to cloud It doesn't mean what they think it means or they don't mean what they you know What they think they're saying because they're really not meaning by large security in the sense of Amazon doesn't know how to configure their routers or their firewalls. I mean that's not what they normally It doesn't mean that Amazon or most big public cloud providers You don't know how to properly solve and have passwords and that kind of thing but really they rather have concerns about a broader range of topics and That's really kind of what the subject of my talk today is going to be. You know, what are the broader range of topics? how are You know, how are some of these things maybe a little different from Computing historically and frankly How are they this really the same as they've been historically, you know, if anybody here is really kind of a IT governance compliance, you know expert or at least are very familiar with those kind of issues those kind of concerns and IT Frankly, a lot of this is going to be very familiar to you that I talk about today What what the reason I talk about though is You know, first of all as I said, I think a lot of these topics get very stereotype The other is that I think for a lot of people just gang into cloud computing You know kept from the grounds up some of these IT governance topics may not be as familiar and You know, this is Chris Hoff. He's many of you may have heard of him or know him I used with Juniper these days and Very outspoken there'll be another quote from him later in this talk The security isn't a red herring nor is it an eight-her-pound gorilla in the sense that it's the problem with public cloud computing It really isn't security. It's these other types of issues and those are what I'm going to focus on today so Was new what isn't new I'm going to talk a little bit about some of the Certifications that we see around public cloud providers. So if you're thinking about picking a public cloud You these are some of the things you you might start thinking about and Then I'm going to take us through at some level detail Something called the cloud control Matrix from the cloud security alliance and there's a number of these types of documents out there And I have a slide at the end that Offers up some of them that you can take a look at more detail Offline, but it kind of walks you through a lot of these concerns a very detailed level So What is new I say a lot of things aren't new But I'd argue there are some things that are a bit new about cloud computing Especially about public cloud computing although I'd argue some of this also applies to in-house IT the first is this idea of shared responsibility and Where if you have an application? Running on a public cloud or really in a cloud provider period because this provider could actually be your own IT department or somebody you've contracted to run your IT and the idea here is for these different levels of abstraction And I'm talking a little more about those in the next slide infrastructure platform software with each of these you at some level In these are you know don't get too wrapped up in exactly where these lines are But you'll have as you move from infrastructures of service up to software as a service You're at some level increasingly trusting your provider to do certain things Right and they may not in many cases even tell you exactly how they're taking care of all those things But some level you have to trust them they are and there are as I will get into various certifications which relate to audit and so forth that might give you some Piece of mind there, but there is this air. You know there is this sort of You know Demarcation between what the provider doesn't what you don't do and you know the flip things around You know if you're running your application Amazon You know you know you've written an application you're running in their infrastructures of service and you know They're taking care of this stuff down here There's obviously still lots of security things that you could mess up And even as you kind of move you know kind of move up the stack there are security and compliance and User privacy things that you know you're absolutely perfectly capable of messing up Even if the provider is doing everything they promise to do properly properly And many of you are familiar with with this probably so infrastructure service platforms of service software as a service It's not a perfect categorization and for clouds and I'd argue that you you tend to get some blurring at the boundaries here And in fact, you know There's a certain school of thought that some of these things like platforms of service and Infrastructure service may even merge together over time, but but you can't have these different levels of abstraction and One of the things I think is different about cloud computing as opposed to the case historically you're making greater use of these abstractions and You're deliberately by design Hiding some of things and making providers responsibility than was the historic norm and Yeah, we did this to some degree with and do it to some group hosting providers in the light But I'd argue cloud computing has to serve more deliberate and more explicit abstraction model than was the historical case I To also argue the other thing that's Different certainly in degree and I probably to a Sufficient degree that's really a difference in kind is this whole idea of you know Self-service for everything stuff happening very rapidly the fact that you can get access to resources so quickly and You're not going through a you know a five-step paper-based approval process to get compute resources or access to some type of resource and I I would argue that that creates Certain differences that affect compliance and security and things like that and You know just kind of maybe all those bringing all of that together more broadly We've kind of moved from excuse me We kind of moved from having these you know applications you know IT resources and so forth that were these fairly monolithic IT controlled to this much more loosely coupled set of distributed applications and you know with these different types of service abstractions and running across Hybrid environment so both in-house IT and various types of public cloud resources and I think if you kind of step back and You know from the details and look at the picture as a whole that does I think tend to create a New set of concerns or certainly a heightened set of concerns to deal with but not everything changes as I said and the very quotable Chris Hoff to return to him and for this audience I decide I didn't need to censor Chris's quote And that is if your security practices suck in the physical realm You'll be delighted by the surprising lack of change when you move to the cloud and I mean I actually really like this quote because besides The fact that you know it kind of comes out strong here because I think there's a huge amount of truth to I mean I think you have this assumption of it's the cloud so Everything is different and in fact a huge amount of stuff. I think for reasons I just said I think some things are bigger problems some things are probably lesser problems With a public cloud, you know You can assume if you're using a big public cloud provider that they probably have some pre-competent people who are kind of doing some of The basic security blocking and tackling and backups and things like that You know not say they can't screw up, but frankly, they're probably better than most smaller organizations particularly have in-house But because of this loose loose coupling and because of this self-service other concerns are probably heightened So one thing I will mention Partly because I'm in Europe here and because I definitely get questions when I talk about cloud security practices Now mention this and then move on but there is something called itill Which is probably more used in Europe than in the US and IT departments at least explicitly and Basically, this is an idea the idea of basic idea behind itill is it's providing guidance on generating a strategy To more of a service delivery Again this idea of not delivering applications, but delivering Services perhaps self-service services to to users and a lot of this Sort of dovetails with some of the changes that we're making it that we're making in cloud I mean ITill existed before before cloud I think it's it and some of its sort of sister type of Process sets have been denigrated with you know greater or lesser degrees of fairness as being you know These kind of big manuals filled with procedures and processes and so forth But I think having said that some of the ideas of some of the things we need to look at as We go to cloud computing in terms of we have to automate ruthlessly We really need to standardize a lot of things Even if they're being done in a lighter weight way than was historically the norm here I think these basic concepts are pre valid And you know another thing that is still very much applies as we as we talk about cloud computing is You know some of the fundamental Sort of framework through the way Approaches that we take when we start thinking about risk. This is from actually another European Inissa That came out with this report of I think by a couple years ago now Maybe looking at some of the risks associated with specific cloud computing and basically what they did was for this whole set of risks And if you're interested, this is why the one of the kind of frameworks reports I'd suggest at least skimming through in detail was that you know You have this idea of you have you have risk X and I'll actually show you a specific example here which is compliance challenges and For each of these well first of all, how big a deal is it if you mess up here? Or if there's a problem here and they say well compliance is you know, that's pretty big. That's pretty big risk You know bad things happen Lawyers get involved. You don't want lawyers getting involved if you can possibly avoid it Does anyone here want lawyers to get involved? No, so don't want that to happen But you know, even if it's a big risk, you know, yeah, I mean if a meteorite hits your data center, you know, that's pretty bad How likely is that to happen? Well, not so much in the case of compliance They say actually the probability given all these Regulations and guidelines involved is actually pretty high. So, you know going back to that previous chart Well, that's down here. That's down in the red So that's something we ought to pay attention to, you know You know the meteorite, you know, well, that's probably over here somewhere So, you know, maybe we don't spend a lot of time worrying about what we do Maybe we worry about other events that might wipe out our data center, you know, particularly where to flood it You know flood prone area or something and again, this is just kind of an approach, you know As any of you have done anything with security and compliance, you can eliminate the bottom line here is you can't eliminate risk Everything I'm talking about here is about mitigating risk and you really need to spend your time Where you're going to have the biggest impact So Surfcations, um, I'm not going to spend a lot of time in this Because it's kind of boring, frankly But just to make you aware that there are various regulations and certifications out there On certifications related to regulations depending upon your industry Some of these may be more important than others One that you probably will hear a lot mentioned is something called sass 70 and I think it's sort of The last few years have been taken. Oh, you know, that's something you need to have as a cloud provider It actually doesn't tell you an awful lot was really created Essentially for financial auditors. So it sort of has to do with, you know, kind of The business reliability at some level of the organization But it's actually less to do with some of the other things you might care about in in it This is support the iso i e c 27,001 That's actually sort of relevant in the uk PCI DSS Primarily relates to if you're processing credit cards Fed ramp is actually a very big deal in the us for the federal government. In fact, that was kind of the first sort of government wide set of requirements and standards around Security and related items in cloud. So that's kind of big then HIPAA is effectively confidentiality of patient health care records and so forth in the us This is suck to suck three is really the first I would say very explicitly public cloud provider focus of certifications It's mostly in the us today. It does seem to be getting some traction It's type two is sort of suitability of design effectiveness sock three is essentially a condensed public version sock two is something that A provider will release You know, essentially under non disclosure to potential customers sock three is really kind of a Strip down version of that The sock is sock two and to a lesser degree sock three those do seem to be getting some traction So if you're looking at certifications, it's a very quick review, but these are some of the things you might think about What i'm going to spend That you know kind of most of the rest of this talk on is going through something called the cloud security alliances cloud controls matrix and This and then there's some other kind of variants of this to other organizations have and if you know, you really want to think about uh, you know, you know Whether or not it's your direct job or because something you won't think about as a developer whoever um, it's really worth reading through one of these things and You know, it may not be the most exciting literature you've ever read in your life But I I think it's actually really useful for thinking through actually all the Kind of all the areas and all the sub areas that create risk in an it organization Including things that you maybe had never really thought of as connected to it So, you know in the case of the ccm you've got 11 categories of things and 98 Quanko control areas to span those 11 categories Um, so here's here's one example of one of those control areas So security architects for production and non-production environments, you know, it has a definition You know, what what do I mean by that particular control area and basically those two things ought to be separated from each other and What this csa cloud controls matrix does is it actually maps each of these uh control areas to a set of the of applicable regulations slash Certifications to apply to them, you know, who does this affect? Is it the provider or is it the user of the service? um and You know it and you know, but yeah So that's the service provider and that can be an internal service provider an external or the consumer slash tenant and then also which Does this apply to infrastructures the service platforms the service or software as a service? So it's really, you know, it's a very kind of formal methodical look through these different areas and I always hate when speakers say you probably can't read this from the back of the room but I guess what it's a basically it's a big um spreadsheet and It goes through kind each of these areas. So there's the specification You know whether it's relevant to corporate governance to saspas ias service provider consumer and then you know in this case dss and uh Some of the other regulations that apply so it you know, they're basically 98 lines down here That's why I said it doesn't really make scintillating reading But I mean I I certainly find it very useful as a way to really kind of go to get away from Kind of very simplistic views of risk management in the cloud These are the 11 domains And I'll just point you can read through them comply and stay governance And you know, there are things in here like facility security that you know may not be that relevant to you as developers But they're all part of Um, you know an overall it governance plan, you know human resources, you know If you know if somebody leaves the company, you know, how does that get tied in to your identity management systems for example um So I'm going to go kind of through these uh compliance I'm not not all of them, but uh, just talk about some of the things. They're probably kind of some of the you know kind of the Items that you're most likely run into and are probably most relevant from an IT operations or a Uh or a developer point of view. So you know compliance. You know a lot of this is by having audit controls in place um, this is actually an interesting one because In my view a lot of the concerns about public cloud security are Really not necessarily issues with How they do certain things is really more with not having visibility into How they do things and not having Direct control over for example if they get A subpoena for your data or are they going to tell you about what's their notification process? So I think this is actually kind of a big deal and in fact if we look at Some public cloud providers out there, um, ain't Verizon that may be a good example of this They're one of the ways they're kind of um distinguishing themselves is giving their customers More access to to audit logs and things like that than somebody like amazon is willing to give So this is actually an area of potential differentiation providers And i'm going to talk about data in a bit more detail, but The regulatory mapping, uh, you know, essentially, you know, is there a rule in you know, france for example about Certain types of data not being able to travel across borders and there's a number of regulations Like this around around the world. I thank you a whole podcast with a lawyer a few months ago on the topic and Really kind of understanding what you need to do in order to be compliant, especially around data And data ends up being probably when we keep coming back to data here and There certainly are a lot of things by how you store passwords and and stuff like that and you know provisioning your employees and things like that, but You know, if you kind of peel back the covers a little bit the biggest concerns for For around compliance and corporate governance tend to be data, um, especially customer data because that tends to be where you really intersect the law privacy laws and the like Um What are the keys of kind how you approach this is really classifying it? You know, there's a lot of data out there a lot of that data is not going to be particularly sensitive So, you know, this kind of comes back to kind of the tree the triaging I alluded to earlier is really kind of pulling out, you know, what's the data I really need to be careful of Um, you know, they're to mention one of the control areas retention and secure disposal policies So what does that mean? Well, it means ensuring data is not recoverable by any computer forensic means And I think as an industry we've gotten better about this over, you know, the last 10 12 years or so, but you know Before we had the cloud isn't safe headline, you know, we had headlines where you know, somebody had dumped a dumpster full of Magnetic tape with customer, you know, customer names customer records on them and you know, they're big scandal and so forth so I think we've gotten better about that, but it's still important and you know Do you have controls in place in a multi-tenant type of environment? So one of the things that again talk about differences from Traditional computing is a little bit different is you have a lot more multiple customers running on a single physical server and more the mechanisms that you use to separate One of the things we've done at red hat here in our open shift platforms of service, for example, is to use se linux policies labeling in order to provide that extra level of protection against isolation and You know a lot of this stuff is frankly not technology that I'm talking about here It's process the light, but there certainly are pieces of technology that we can use to I you know give that extra little protection in cases Information security, you know, I'd say a lot of this is not Necessarily technology and I think that's sort of highlighted here. So in the case of This particular item is zero one. There's a requirement for a management program So, you know having detail, you know having documented processes safeguards to protect assets and data from an authorized access disclosure Alteration destruction Another big thing in general is identity and access control and this is interesting as it ties Into a lot those other areas like like human resources. You're having the right Group policies and so forth and you know, that's like you're having timely identity Information. So again, you know, this does things and this relates to things like Deprovisioning, you know immediately when somebody no longer has access and Theoretically again in the kind of more traditional monolithic IT This was well, I won't say it was easy It's probably took us a long time as an industry to get this reasonably right But you know, you only had to change things in one place that was pretty straightforward as we talk about cloud with the With you know, kind of a law federated resources or loosely connected Having identity management systems that can handle that sort of distributed framework are increasingly important and you know It's really important actually our identity manage management product manager Asked me to to make a particular plug for this item Because she feels it's really critical. It is still evolving. I'd say for cloud use cases. I think we We you know, we were kind of getting it right and more monolithic systems and now clouds kind of made it harder again Um, so continuing here This is probably going to you know, particularly with various events of recent months. I think Probably going to be a lot more discussed of encryption going on and Obviously, you know encryption at some level is easy, but the key management is the hard part And you know, I think we'll have to see how that plays out But you know, I I expect we're going to see a lot more requirements for encryption as time goes on You know instant kind of instant response. This is I guess kind of risk management 101 but it's important piece And you know, even having things like for the acceptable use policies and what happens when there's violations of acceptable use policies These all kind of factor in here security arch is so security architecture is another It's another big piece that quite a bit of time in the cloud controls matrix goes into So, you know, one of the minimum standards for user and password controls Um, interestingly, uh, this the ccm mandates multi-factor authentication for all For for all remote access um You know password passwords are an utter and complete mess and Tim bray at google among others has given some very compelling talks about kind of why passwords are just a broken system and I'm seeing another red hat or shaking his head vigorously in the back row Uh, I mean, I think we're going to have to do something about this as an industry but You know as a near term multi-factor authentication is You know, it's something it's it's it's bear the bear them what we have and it it's really Is a good idea to take advantage of it where you know where it's available because You know, I've been bringing some really scary articles recently You know about You know, the sort of the bad guys are or you know, or researchers who Presumably the bad guys are doing the same thing as the researcher, you know mining, you know Gutenberg mining wikipedia mining the bible for like word combinations And just building up these bigger and bigger dictionaries to do dictionary attacks and This article, I think it may have been in new york times recently kind of went through what to me was really some Pre-mine boggling You know how these word combinations that you think wow, that's a really primo grade a password And it's in dictionaries to attack passwords with So so I think I think that's kind of a big deal um segmenting segmenting networks between trusted and untrusted One of the things that's one of the trends that's kind of interesting in public clouds right now that serve in this vein is A concept called virtual private clouds is actually becoming quite popular Which basically Is the idea here is you're using a public cloud But you set up this virtual private cloud which Which gives you some additional control over the over isolating the subnets and so forth that you're using And in fact something like amazon gov cloud Requires a virtual private cloud Some of the things that we we offer at red hat Through our certified cloud provider program some of the kind of update services for for rail and so forth We have customers using a virtual private cloud that you're connecting to Through a vpn for that so this seems to be one area that people are kind of using to To kind get a little bit greater control over a public cloud as opposed to just using an arbitrary Serve an arbitrary multi tenant situation Um These are some sources. Um, I don't expect you to write those down as I say the slides The slides are going to be up on We'll be up in the linux foundation site and I'm going to put some stuff on my own blog about this as well um The Deloitte cloud computing risk intelligence map is this nice big Well, if you have it in paper big fold out thing But if you don't have it in paper you just have it in pdf it goes through from an auditor's perspective What a lot of the risks associated with cloud computing are and it's it's a very Very good read. Um The as I you know, I meant, you know, I've been talking at length about the cloud security alliance cloud controls matrix um The csis twa critical security controls Is also a good document going through kind of a similar type of thing If in fact if you um assume they'll have some new presentations at amazon reinvent Next month in november in las vegas, but there's actually you can go up and do Do some searching and like amazon reinvent and security presentation or something like that and there were some very good Presentations given by amazon folks last year that go that basically take these security controls and talk about them in amazon context and in fact, that's some of the inspiration for me to to give this talk So there's a there's a lot of good information out there and you know, certainly my goal today has You know kind of not been to you know, turn everyone here into a risk compliance or a security expert But you know really, you know taking you folks So i'm sure i'll have you know some some you know, at least some familiarity with security and other aspects of risk management in it And maybe you know, maybe broadening your horizons a little bit to some of the things that You might want to look at in kind of a broader look at risk management in your organization um You know, and i think one point i'm making this is you know my my sort of one and only slight commercial law here But i'm kind of using a picture of kind of red hat portfolio plus our partners To just sort of send a message here that what you're doing here is kind of not a product specific type of thing or some segment of your infrastructure specific thing But you know is looking at the infrastructure. So, you know, I talked about things like Se linux for multi tenant security, for example, and you know, maybe using virtual private clouds in your In your public cloud provider and some cloud providers actually even let you Have dedicated servers Making decisions over whether you run you run things in house or whether you run them in a public cloud You're having hybrid management on top of that and some of that is you know, again enforcing policy about where things run Is also with um, you know, something like red hat satellite is about automating things, um, you know having drift detection for configurations You know being you know, so so basically having being able to sell policies and configurations To you know to deal to deal with patching to deal with changes that could affect security Now I think overall, you know, automation is a huge part of you know, what we're kind of talking about here because if You know, it's kind of the traditional way of doing things by hand Uh, there's just no way that you can do security Manually at this kind of scale you you have to be able to automate it with with the appropriate tools and You know, again going going back to very game. What is different about cloud computing? I think one of the differences which I didn't mention and maybe should have is just a scale at which so much of this is happening and You know, I argue, you know, we could argue that You know, historically, we should have done all these things. We should automate all this You know have proper, you know golden images that kind of thing in practice. I think we could often get away with it most of the time because Because you know the whole scale was small enough that we could But with with cloud computing in terms of you know data management, you know omat classification You know again being able to handle things in an automated way. You absolutely have to and um But really kind of the bigger message is you you kind of have to think about this as your iT as a whole as opposed to Oh, you know, we're doing this Compliance stuff in this one little piece because I didn't include any of them in this talk But one of the real themes that we see from talking about our customers and analysts is this idea of hybrid iT You're moving towards this idea of having these distributed services they're coming together from a bunch of different places and You really then need to manage that hybrid iT as a whole so Hopefully that has been helpful and I we have a few minutes for any questions. Uh, yes I see a lot of Yeah For me I I basically agree with you. Um, I think you know, and I think certainly One of the things that we are trying to so I'll say a few different things You know one is I think one of the things we're trying to do with platforms of service, for example is to Sort of expose Is certainly to show developers that really fast self-service and multi language multi framework and all that kind of good stuff While having control over the underlying infrastructure and you know being again You know remembering back to the you know to share responsibility You know developer has to do some things right but a lot of the underlying infrastructure can kind of be taken care of there um, I think one So I think Before you know, let's call it a year ago. Um, I think the answer in terms of the kind of public cloud Private clouds less private infrastructure. I think the answer in a fortune 500 type of company was We simply don't use public cloud or at least we don't use it for anything that is kind of part of our sort of official Infrastructure, you'll certainly our systems of record What we're starting to see in the last year or so Are things like the virtual private cloud and the gov cloud from amazon and so forth So I we're starting to see those efforts to bring them together Um, I think I agree with your basic point though. There's there's absolutely attention here and I think one of the You know kind of what the goals from you know the kind from both it at customers and commercial vendors like you know when we work for is Working with people to you know to kind of balance those things. You know, how do you serve? Keep the stuff that's good about public cloud and rapid self-service and all that While at the same time You know meeting sort of the it and chief security officer and so forth requirements and one of the ways companies are doing that in many cases is You know, we like all that cloud stuff, but we're going to run it ourselves and You know, and I I think over time more people A more people are going to get more comfortable about public clouds And I think you're going to have public cloud providers like Verizon perhaps who Do who are willing to go that extra mile? To to give air price customers kind of features or the visibility or odd ability that they at least think they need that Yes You know, I think headlines that you know this You know this You know, it's a huge blow to you know the public cloud computing. I don't really agree with that I think It is going to make people think about stuff like encryption and so forth And You know, it you know, sort of if you kind of Assume, you know people are watching whoever those people may be Um, you know, I I think you know, I think people will we'll have to side You'll kind of what you're comfortable with and and as I say there may be some things Like you know like encryption that are relatively well understood and easy to do and people just start doing more broadly and having said that I think it remains to be seen to what degree the People in the mainstream really care about a lot of stuff and you know, we might You know, we can argue kind of in this room whether they should care or not I think the evidence so far is by and large, you know, they don't and You know, and yeah, I mean do we really want as a you know kind of a society for folks like google to have that much at least potential Visibility into things that we do Well, I think the answer is a lot people don't care about it and You know at some level kind of Sure, you can just cut your connection to the internet and kind of go live in You know go live up and you know wilds of Alaska or something But you know, that's not a very practical answer for most people So I probably didn't really answer your question But I think I think there probably are some relatively simple things that we might decide give us one extra level of protection, but But Yeah, I mean, it's not most certainly it's not mostly a technology thing And I think we're going to continue to see adoption in any case Yeah, I mean you you can run your own server, you know, rather than using gmail and believe me on our corporate mail internal corporate mailing list these these discussions come up every now and then You know where you know Oh, how many people out there still running their own mail server and some you'll some people do and and I absolutely You know will fight for people to have that choice But most won't Any other questions? Well, thank you all for um taking a late lunch to To to see this and I hope it's been helpful And as I say these slides will be up there and I should have some more of this With my travel over for the fall mostly get some more of this up on my website Oh, thank you all