Monday, October 8, 2018
Native Versus Generic Security Baselines for Cloud
For a while now specific providers (Security Scorecard, BitSight) have provided security benchmarking for a client's ecosystem / vendors.
While that is great, these algorithms have been generic in nature rather than taking cloud security nuances (e.g., AWS S3 utilization) into consideration.
To fill that gap, cloud service providers (CSPs) have now added their own benchmarks (e.g., AWS Trusted Advisor, Azure Secure Score) that baseline a specific account against the entire cloud ecosystem.
One would think that partnerships, perhaps in conjunction with the Cloud Security Alliance's (CSA) Security, Trust & Assurance Registry (STAR) program, would allow cloud consumers to obtain a holistic view of their security maturity.
Wednesday, September 19, 2018
Using AWS X-Ray to Assist in Code Walk-throughs
Fancy a manual code walk-through? Well, some assistance never hurt...
I leveraged AWS X-Ray to simplify understanding the sources and sinks. Did it work? Yes. Is it for anything other than microservices (e.g., ERP / EHR / EMR, trading, AI)? Not really.
Friday, September 14, 2018
Smart Contract Security
As more orgs look at embracing blockchain there will be a need to assess the security of Smart Contracts, particularly for Ethereum-based blockchains.
Look for vendors to develop solutions, and for custom professional services firms to cater to this niche.
Sunday, August 26, 2018
Transitioning Technical Professional Service & Payment for Outcomes
With the advent of bug bounties, the transition of healthcare charges aligned to outcomes, and the history of legal services tied to outcomes, there needs to be a transition to technical professional services being aligned to outcomes.
Now, one may argue that FFP "packaged" projects are already tied to outcomes, though those are few and far between.
So, eventually industry should tie compensation to outcomes, and we may see a better percentage of efficiencies from the larger consulting firms.
Labels: bug bounties, FFP, healthcare, legal, outcomes, tech
Saturday, August 25, 2018
Cloud Architecture: Build (IaaS) versus Buy (PaaS)
Cloud providers are introducing many new services to their portfolios. So, organizations now have a decision to make regarding build vs buy.
Here are pros & cons for each:
PaaS / Buy: (pros) time to market, CapEx reductions; (cons) usually multi-tenant, will require skill-set updates, vendor lock-in, OpEx increases
IaaS / Build: (pros) familiar ITSM / ITIL model, CapEx focus, single tenant, existing skill-set, increased portability; (cons) slower agility
Monday, June 25, 2018
Cloud Visibility
With more organizations going to the cloud, with shadow IT, and with GDPR requirements, cloud visibility seems to be the latest fad....
Microsoft & Amazon picked up on this several years ago, thus Azure Information Protection (AIP) and AWS Macie, but that does not cover them together, or Google / Salesforce / Rackspace.
So, expect this area to gain traction for several more years...
Saturday, June 23, 2018
Incident Response v.2.0: Partner Office 365 (O365) Compromise
As more ecosystems move to Microsoft's Office 365 it seems necessary to create an IR playbook for O365 compromises.
Said playbook should include proper responses.
Tasks to perform should include:
- Disabling established trusts
- Quarantining emails / messages
- Establishing enhanced security policies / black lists
- Calibrating monitoring / notification rules
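The last two tasks (block lists and monitoring rules) are the ones most readily automated. As an added example that is not code from the original post, the script below triages Exchange Online admin audit records for off-tenant mail forwarding, a change that often follows a mailbox takeover, and maps each hit onto the four playbook tasks above. The record shape (Operation, UserId, ClientIP, Parameters as Name/Value pairs) follows Exchange admin audit entries as exported from the Unified Audit Log; the tenant domain, the trusted egress range and the sample records themselves are constructed for illustration.

```python
"""Triage Exchange Online admin audit records for off-tenant mail forwarding
and map each finding onto the O365 compromise playbook tasks.

Added example, not code from the original post. TENANT_DOMAIN, TRUSTED_NETS
and SAMPLE_RECORDS are constructed; the record layout follows Exchange admin
audit entries (cmdlet in Operation, arguments as Name/Value pairs)."""
import ipaddress

TENANT_DOMAIN = "partner.example"                         # constructed
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed egress range

# Cmdlet parameters on inbox rules and mailboxes that send copies of mail elsewhere.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

SAMPLE_RECORDS = [  # constructed: one benign rule, two suspicious changes
    {"CreationTime": "2018-06-22T08:02:11", "Operation": "New-InboxRule",
     "UserId": "alice@partner.example", "ClientIP": "203.0.113.17",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2018-06-22T23:41:05", "Operation": "New-InboxRule",
     "UserId": "bob@partner.example", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2018-06-23T01:10:44", "Operation": "Set-Mailbox",
     "UserId": "bob@partner.example", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:bob.backup@mail.example.net"}]},
]


def _params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address):
    """True if a forwarding target lies outside the tenant domain."""
    addr = address.lower().split(":")[-1]   # drop the "smtp:" prefix Set-Mailbox uses
    return "@" in addr and not addr.endswith("@" + TENANT_DOMAIN)


def _from_trusted_ip(ip):
    """True if the change came from the partner's known egress range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def playbook_steps(destinations, from_trusted_ip):
    """Map one finding onto the four playbook tasks from the post."""
    domains = sorted({d.split("@")[-1] for d in destinations})
    steps = [
        f"Quarantine messages already forwarded to {', '.join(domains)}",
        f"Remove the rule and add {', '.join(domains)} to the outbound block list",
        "Tighten the alert rule: notify on any new off-tenant forwarding in this tenant",
    ]
    if not from_trusted_ip:
        steps.insert(0, "Disable the partner trust / federation until the account is recovered")
    return steps


def triage(records):
    """Return one finding per record that configures off-tenant forwarding."""
    findings = []
    for rec in records:
        params = _params(rec)
        external = {n: v for n, v in params.items()
                    if n in FORWARDING_PARAMS and _is_external(v)}
        if not external:
            continue   # benign rules (e.g. MoveToFolder) are not findings
        destinations = sorted(v.lower().split(":")[-1] for v in external.values())
        trusted = _from_trusted_ip(rec.get("ClientIP", ""))
        reasons = [f"{n} -> {v}" for n, v in sorted(external.items())]
        if params.get("DeleteMessage") == "True":
            reasons.append("originals deleted after forwarding (hides the activity from the user)")
        if not trusted:
            reasons.append(f"changed from untrusted IP {rec.get('ClientIP')}")
        findings.append({
            "time": rec["CreationTime"], "user": rec["UserId"],
            "operation": rec["Operation"], "destinations": destinations,
            "reasons": reasons, "playbook": playbook_steps(destinations, trusted),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['time']} {f['user']} {f['operation']}: {'; '.join(f['reasons'])}")
        for step in f["playbook"]:
            print("   -", step)
```

Run against the three constructed records, alice's folder rule produces nothing while both of bob's changes are reported, the first with the extra note that originals were deleted. The trust-disable step is only added when the change came from outside the partner's known range, which keeps a legitimate admin's forwarding change from triggering a federation shutdown.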
Wednesday, March 21, 2018
Facebook, Cambridge Data Compromise Should Not Surprise Consumers
Facebook is receiving bad press due to compromised consumer data by a Cambridge-based analytics firm for political purposes.
Frankly, this should not be news, as social media outlets and free online services (email, vlogs, blogs) use subscribing advertisers to generate their revenue by selling the (supposedly anonymized) data. Said data extraction models have been the subject of episodes on shows like Netflix's House of Cards.
Regardless, the sensitive data is supposed to be masked. And how obfuscated said data is, is often a matter of debate.
So, the question is, will the US get serious about data privacy now and / or will consumers migrate from these services in droves?
TBD....
Friday, February 23, 2018
Metrics for Risk Management & Cybersecurity
A book by the name of How to Measure Anything in Cybersecurity Risk articulates enhanced metrics (versus impact & likelihood) via Bayesian models.
However, outside of cyber insurers & actuaries, most risk management / cybersecurity functions struggle with the simplest metrics. That happens due to a lack of technical key risk indicators (KRIs) agreed to by the business.
While quantitative analysis can help derive budgeting priorities, most organizations are simply not mature enough to know the qualitative gaps within their enterprise.
Friday, February 16, 2018
Hypervisor Replication for Virtualization Security
Vendors like Bracket & BitDefender are rolling out virtualization security solutions meant for hybrid cloud deployment to negate rootkits & chip-based exploits (Spectre, Meltdown).
However, comprehensive coverage / support seems limited & you would think that the big cloud service providers (CSPs: AWS, MSFT Azure, GCP) have hardened their own hypervisors already.
VMware's partnership w/ AWS could pave the way for hardened hypervisors that can lift & shift among on / off prem deployments.
Labels: AWS, Azure, bitdefender, bracket, Cloud, gcp, Google, hybrid, hypervisor, lift & shift, meltdown, Microsoft, msft, rootkits, security, spectre, virtualization, vmware