Enterprise Security organizations often find themselves caught between the ever-changing needs of the agile business, and the ever-present, ever-evolving threats to that business. At the same time – all too often we security professionals get caught up in “shiny object syndrome” which leads us to spend poorly, allocate resources unwisely, and generally de-couple from the organization we’re chartered to defend. Knowing how to defend begins with knowing what you’ll be defending, why it is worth defending, and who you’ll be defending from… and therein lies the trick. This blog takes the issue of enterprise security head-on, challenging outdated thinking and bringing a pragmatic, business-aligned, beyond the tools perspective … so follow the Wh1t3 Rabbit and remember that tools alone don’t solve problems, strategic thinkers are the key.
Rafal (Principal, Strategic Security Services)
Cloud computing ... it's an interesting thing. While it's not a completely new technology per se, it's given organizations new ways to re-imagine delivering technology as a service rather than an item. Which service delivery option is best for security though or does it really matter? I have some thoughts after the past year of discussions with various audiences and customers...
I'm baffled by the question - "Are applications or services deployed to the public cloud secure?". The answer isn't a simple no like many security folks want to knee-jerk respond ... it's "it depends". Let's look at this one more final last time... I'll start by over-simplifying the question, and giving you an idea why this question can often be a silly cop-out for security professionals to avoid public cloud...
In the Converged Cloud, information security departments have to make a choice. Either adopt the new security paradigms, learn to let go of control and adopt governance, or risk becoming irrelevant. A bold statement, sure, but one that I feel strongly reflects the reality of the collision of security and the cloud.
In a previous post on this topic, I talked about how when you're thinking cloud, you really need to think about a model-driven approach. Today's post is a continuation of that thinking and discusses portability as a key requirement for cloud adoption and of course security.
Back in January, Christian Verstraete and I did a tandem post on an article we had read and thought was a bit ridiculous and was over-selling the whole of cloud computing. Back then we just decided to put to rest the misconceptions that the article was representing, so this time around we're going to write up a few reasons (each from our own perspective) why it does make sense to 'sell' cloud computing to your senior management. Now, Christian's a smart guy and he looks at things from a senior management perspective, namely through the eyes of the CIO - but my viewpoint is slightly different, coming from the CISO perspective.
Depending on who you ask, cloud security is either one of the top concerns for enterprises, or it's not a serious concern at all. Since everything I've been reading from the press, my colleagues, and analysts I know has been telling me security is ranked high in the top 5 concerns for cloud computing adoption - this article on ARN by Spandas Lui was like a bucket of ice water to the face. I got that initial shock after reading it that forced me to take a minute and think. This poses an interesting question - is cloud security a real concern amongst enterprises seeking to adopt cloud ...or not?
Sometimes, a colleague in the industry hits a point so well it's worth repeating and expanding on. I'm referring to Dave Shackleford's post titled "The Cloud's Low-Rent District". Dave nails the point perfectly, discussing positive incentives for Cloud Service Providers (CSPs) and whether they work - or whether another approach is needed, a more negative approach. While I'm participating in the Cloud Security Alliance (CSA) and their efforts to create standards - I think I'd be delusional if I believed every provider will jump on the CSA STAR bandwagon and provide fantastic levels of security to their customers.
One thing I've recently been made painfully aware of is sovereignty issues when it comes to cloud computing. I'm specifically referring to a situation where a consumer organization - let's say for the sake of argument that we're talking about a Canadian company - has restrictions on where its data and services can physically be in terms of geographical locality. When the IT services you consume become abstracted from something you can physically see and understand, things get a lot more complicated and of course there are a lot more opportunities for failure ...
Working my way back into cloud I'd like to start a series called "The Patchwork Cloud" taking a realistic focus on the use-cases of cloud computing in today's technology and business environments. Over the course of this series I'll highlight many of the challenges and opportunities [both business and technical] that cloud computing presents us with to maximize your benefit and minimize your frustration.
Last night it snowed ... and that ordinarily wouldn't be a problem up here in the great white north, except that I don't think anyone was expecting it. What's worse, I wasn't expecting it. You can imagine my surprise when, after checking into my hotel room, answering some emails and having a hot tea, I stepped out into the hotel lobby only to see nothing but white outside, and a heavy snow falling. OK ...welcome to Toronto I guess, eh? Ahh, Toronto, my second home ...
on camera about the event.
One of the fantastic things about events like this is that real people just like you show up at these events to listen, learn and share with their fellow attendees... and that's absolutely amazing. In a 1-day seminar style trade-show, we managed to bring together some of our biggest partners and industry experts with vast practical knowledge on cloud computing as a key enabler to the enterprise.
Listen to what these guys are saying ... This isn't a typical trade-show, this is definitely one event you're not going to want to miss if you're in one of the cities we're coming to soon.
If you're interested in attending, or have something to share with us, click the above "Master the Cloud" link and come out to Toronto, Vancouver, or Calgary in the next few weeks ...and let's tame the cloud in the land of hockey.
I'll see you out there!
Greetings again from gorgeous, but frigidly cold, Montréal, this post is la deuxième partie to the series from today's events on HP's Master the Cloud series across Canada. The first part can be found here. In a short summary, to wrap up what I've seen on my first day on this tour ... amazing. I've never seen so many technology leaders, recognizable brands and small businesses from the region, show up to hear straight talk on the move to cloud computing. In a word: refreshing. I hope the rest of the cities are like this, because I'm completely excited.
Bonjour de Montréal mes amis!
The sun is shining today in the beautiful and historic town where the temperature is frigid, but the Habs and Cloud Computing are heating up the city. After sitting in on the first set of keynotes I thought I would sit down and put some of my thoughts (and the speakers' notes) to paper for the benefit of those of you that haven't been here. Believe me, for a free event - this is well done - and if you can make it out to either Toronto, Vancouver, or Calgary in the coming weeks I highly urge you to get there.