Following the Wh1t3 Rabbit - Practical Enterprise Security

Enterprise Security organizations often find themselves caught between the ever-changing needs of the agile business, and the ever-present, ever-evolving threats to that business. At the same time – all too often we security professionals get caught up in “shiny object syndrome”, which leads us to spend poorly, allocate resources unwisely, and generally de-couple from the organization we’re chartered to defend. Knowing how to defend begins with knowing what you’ll be defending, why it is worth defending, and who you’ll be defending from… and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond-the-tools perspective … so follow the Wh1t3 Rabbit and remember that tools alone don’t solve problems; strategic thinkers are the key.

Rafal (Principal, Strategic Security Services)

Is PaaS the optimal cloud service model option for security? (Part 1 of 2)

Cloud computing ... it's an interesting thing. While it's not a completely new technology per se, it's given organizations new ways to re-imagine delivering technology as a service rather than an item. Which service delivery option is best for security though or does it really matter? I have some thoughts after the past year of discussions with various audiences and customers...

CloudBeat 2012 - "Whose job is cloud security?"

CloudBeat, a VentureBeat conference in Redwood City, CA really gave me some interesting things to think about. The cloud + security panel I was on made quite the impression on me... here's what I took home from the event.

Chat Summary: Converged Cloud Chat Thursday 30th, August

This post is a summary of today's #ConvCloud (Converged Cloud) chat, in which we discuss cloud computing answering questions and taking on some of the misconceptions organizations still hold... today's topic was "What do organizations need to do in order to move from a virtualized environment to the cloud?" ...but as you'll see, we stumbled over something else first.

Are applications & services deployed to the public cloud secure?

I'm baffled by the question - "Are applications or services deployed to the public cloud secure?".  The answer isn't a simple no like many security folks want to knee-jerk respond ... it's "it depends".  Let's look at this one more final last time... I'll start by over-simplifying the question, and giving you an idea why this question can often be a silly cop-out for security professionals to avoid public cloud...

Full Analysis: FFIEC statement on cloud computing

As promised, here is the full analysis of the FFIEC document on cloud computing.  Fair warning, it's long so grab a cup of coffee or a sandwich... I believe it will be well worth your time.

Quick Summary: FFIEC statement on Cloud Computing

Here's a quick write-up as I quickly gave the FFIEC statement on cloud computing a quick read... oh, it's called "outsourced cloud computing" ...focus on that.

The Patchwork Cloud - To rent or buy your cloud?

I read a lot. That should not surprise you.  Today I got an interesting poke on Twitter that the folks over at PistonCloud have written up an interesting blog post in response to last night's mysterious Amazon outage ... and it caught my attention.  To be fair, many folks I know have commented on the post, and on Amazon's issues - but as always you can expect a slightly different viewpoint from me ...so here goes.

The Path to NoOps is through the Cloud

In recent articles I've talked a lot about DevOps, and specifically addressed and expanded on the role information security has to play in the NoOps methodology - but today I'm going to dive into discussing how you should be leveraging the cloud to get you closer to a state of NoOps in the quest to deploy faster with less risk.

Let's talk business agility (Survey analysis)

A while ago we put out a survey that asked the following question:

"Are you getting the agility you expect from your Cloud?"

By the way, in case you haven't answered the survey yet - please click here and do so, and spread the word to your colleagues.

NoOps and the Evolving Role of Information Security in Software Development

A while back I wrote a blog post explaining the difference between NoOps and DevOps - with a slant from the Information Security perspective.  If you haven't checked it out yet, I encourage you to do so as a primer to this post, and to get a more grounded understanding of where my head's at when it comes to addressing the NoOps movement.  Is NoOps just another excuse to forget security?  Or do we (Information Security Professionals) actually have a chance to affect fundamental change in how code gets deployed in a risk-averse manner?

Public cloud security - 5 conversations that will shape your cloud security model

Today we hosted another of our Converged Cloud chats on Twitter using the #ConvCloud hashtag.  If you missed it, you missed a conversation of epic proportions - a massive thank you for the throngs of people who jumped in and discussed.  While there were several questions posted and discussed in several veins of conversation, the one many of us got hung up on and never left was this: "How do you decide what to build internally (private cloud) and what to consume externally (public cloud)?"

Patch Management in the Cloud - It's About Consistency and Automation

Patching is the bane of many an InfoSec pro's existence.  Pushing patches always feels like playing Russian roulette with 4 bullets in the chamber ... and it's never a good feeling.  Now that we're all going cloud, the question of maintaining sane patch levels across massively scaled environments (we call this consistency) looms over us like a vulture circling... so what are our options?  Let's investigate.

The Patchwork Cloud - What's the deal with cloud security?

Depending on who you ask, cloud security is either one of the top concerns for enterprises, or it's not a serious concern at all. Since everything I've been reading from the press, my colleagues, and analysts I know has been telling me security is ranked high in the top 5 concerns for cloud computing adoption - this article on ARN by Spandas Lui was like a bucket of ice water to the face. I got that initial shock after reading it that forced me to take a minute and think. This poses an interesting question - is cloud security a real concern amongst enterprises seeking to adopt cloud ...or not?

The Patchwork Cloud - Cloud Service Providers, security and incentives

Sometimes, a fellow colleague in the industry hits a point so well it's worth repeating and expanding on it. I'm referring to Dave Shackleford's post titled "The Cloud's Low-Rent District". Dave nails the point perfectly, discussing positive incentives for Cloud Service Providers (CSPs) and whether they work - or whether another approach is needed, a more negative approach. While I'm participating in the Cloud Security Alliance (CSA) and their efforts to create standards - I think I'd be delusional if I believed every provider will jump on the CSA STAR bandwagon and provide fantastic levels of security to their customers.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation