Monday, October 8, 2018

Native Versus Generic Security Baselines for Cloud

For a while now, third-party risk rating providers (SecurityScorecard, BitSight) have offered security benchmarking of a client's ecosystem and vendors.

While that is useful, their scoring has been generic in nature rather than taking cloud-specific nuances (e.g., how an organization uses AWS S3) into consideration.

To fill that gap, cloud service providers (CSPs) have added their own benchmarks (e.g., AWS Trusted Advisor, Azure Secure Score) that baseline a specific account against the provider's own recommended practices, rather than a customer's entire ecosystem.

One would expect partnerships between the two, perhaps in conjunction with the Cloud Security Alliance's (CSA) Security, Trust & Assurance Registry (STAR) program, to eventually give cloud consumers a holistic view of their security maturity.

Wednesday, September 19, 2018

Using AWS X-Ray to Assist in Code Walk-throughs

Fancy a manual code walk-through?  Well, some assistance never hurts...

I leveraged AWS X-Ray to simplify understanding the sources and sinks.  Did it work? Yes.  Is it for anything other than microservices (e.g., ERP / EHR / EMR, trading, AI)? Not really.

Friday, September 14, 2018

Smart Contract Security

As more organizations look at embracing blockchain, there will be a need to assess the security of smart contracts, particularly on Ethereum-based blockchains.

Look for vendors to develop tooling, and for boutique professional services firms to cater to this niche.

Sunday, August 26, 2018

Transitioning Technical Professional Service & Payment for Outcomes

With the advent of bug bounties, the shift of healthcare charges toward outcome-based payment, and the long history of legal services tied to outcomes, technical professional services need to make the same transition to being paid for outcomes.

Now, one may argue that firm-fixed-price (FFP) "packaged" projects are already tied to outcomes, though those are few and far between.

So, eventually the industry should tie compensation to outcomes, and we may then see a better percentage of efficiencies from the larger consulting firms.

Saturday, August 25, 2018

Cloud Architecture: Build (IaaS) versus Buy (PaaS)

Cloud providers keep adding new managed services to their portfolios.  So, organizations now have a build-versus-buy decision to make.

Here are the pros and cons of each:

PaaS / Buy: (pros) faster time to market, CapEx reductions; (cons) usually multi-tenant, requires skill-set updates, vendor lock-in, OpEx increases

IaaS / Build: (pros) familiar ITSM / ITIL model, CapEx focus, single tenant, existing skill-set, increased portability; (cons) slower agility

Monday, June 25, 2018

Cloud Visibility

With more organizations going to the cloud, with shadow IT, and with GDPR requirements, cloud visibility (knowing what data sits where, and who is accessing it) seems to be the latest trend....

Microsoft and Amazon picked up on this several years ago, hence Azure Information Protection (AIP) and AWS Macie, but neither covers the other's cloud, let alone Google / Salesforce / Rackspace.

So, expect this area to gain traction for several more years...

Saturday, June 23, 2018

Incident Response v.2.0: Partner Office 365 (O365) Compromise

As more ecosystems move to Microsoft's Office 365, it is necessary to have an IR playbook for the case where a partner's O365 tenant is compromised and that trust is turned against you (phishing from a legitimate partner mailbox, abuse of guest access, and so on).

Said playbook should spell out the concrete responses, not just the intent.

Tasks to perform should include:

  • Disabling established trusts with the partner (organization relationships, guest accounts, federated access)
  • Quarantining emails / messages already received from the partner
  • Establishing enhanced security policies / block lists for the partner's domain until the all-clear
  • Calibrating monitoring / notification rules (inbox-rule creation, sign-ins, mailbox permission changes) for the affected users
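The four tasks above, as one added PowerShell example (not the original post's own script, and not a Microsoft-supplied playbook). It assumes the Exchange Online (ExchangeOnlineManagement) and AzureAD modules and an operator holding the Exchange and Azure AD admin roles. The partner domain `partner.example`, the organization relationship name `Partner-Federation`, and the mailbox `alice@contoso.example` are constructed placeholders.

```powershell
# Added example: responding to a compromised partner O365 tenant.
# All names below are constructed placeholders; substitute your own.
$PartnerDomain = "partner.example"            # assumed: compromised partner's domain
$PartnerOrgRel = "Partner-Federation"         # assumed: org relationship with that partner
$AffectedUsers = @("alice@contoso.example")   # assumed: internal mailboxes that received the phish
$SearchName    = "IR-Partner-$(Get-Date -Format yyyyMMdd)"
$Since         = (Get-Date).AddDays(-7)

Connect-ExchangeOnline     # Exchange Online cmdlets
Connect-IPPSSession        # Security & Compliance cmdlets (compliance search / purge)
Connect-AzureAD            # Azure AD user cmdlets

# 1. Disable established trusts: the org relationship plus any guests from the partner.
Set-OrganizationRelationship -Identity $PartnerOrgRel -Enabled $false
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Where-Object { $_.Mail -like "*@$PartnerDomain" } |
    ForEach-Object {
        Set-AzureADUser -ObjectId $_.ObjectId -AccountEnabled $false
        Revoke-AzureADUserAllRefreshToken -ObjectId $_.ObjectId   # kill live sessions too
    }

# 2. Quarantine messages already received from the partner domain (last 7 days),
#    then disable any forwarding / delete rules planted in affected mailboxes.
$kql = "from:$PartnerDomain AND received>=$($Since.ToString('yyyy-MM-dd'))"
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $kql
Start-ComplianceSearch -Identity $SearchName
# Caveat: wait for the search to finish (Get-ComplianceSearch $SearchName shows Status),
# and note a purge removes at most 10 items per mailbox per run; rerun as needed.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete
foreach ($user in $AffectedUsers) {
    Get-InboxRule -Mailbox $user |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        ForEach-Object { Disable-InboxRule -Identity $_.Identity -Confirm:$false }
}

# 3. Enhanced policies / block list: block the domain at the spam filter and
#    quarantine anything that still slips through via a transport rule.
Set-HostedContentFilterPolicy -Identity Default -BlockedSenderDomains @{Add = $PartnerDomain}
New-TransportRule -Name "IR: quarantine $PartnerDomain" -SenderDomainIs $PartnerDomain -Quarantine $true

# 4. Calibrate monitoring: pull the audit events that matter for this scenario
#    so detection rules can be tuned against what actually happened.
$events = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) `
    -Operations New-InboxRule,Set-InboxRule,UserLoggedIn,Add-MailboxPermission -ResultSize 5000
$events | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ClientIP |
    Export-Csv "$SearchName-audit.csv" -NoTypeInformation
```

Run it step by step rather than end to end the first time: step 1 is disruptive to any legitimate collaboration with the partner, and the purge in step 2 is soft-delete so it is recoverable if the search scope was too broad. The CSV from step 4 is what you feed back into your SIEM rules; the operations listed there (new inbox rules, sign-ins from unusual IPs, mailbox permission grants) are the usual tells of a mailbox takeover following a partner phish.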