Monday, October 8, 2018

Native Versus Generic Security Baselines for Cloud

For a while now specific providers (Security Scorecard, BitSight) have provided security benchmarking for a client's ecosystem / vendors.

While that is great, these algorithms have been generic in nature versus taking cloud security nuances (i.e., AWS S3 utilization) into consideration.

To fill that gap, cloud service providers (CSPs) have now added their own benchmarks (e.g., AWS Trusted Advisor, Azure Secure Score) that will baseline a specific account versus the entire cloud ecosystem.

One would think that partnerships, maybe in conjunction with the Cloud Security Alliance's (CSA) Security, Trust & Assurance Registry (STAR) program, would allow cloud consumers to provide a holistic view of one's security maturity.

Wednesday, September 19, 2018

Using AWS X-Ray to Assist in Code Walk-throughs

Fancy a manual code walk-through?  Well, some assistance never hurt...

I leveraged AWS X-Ray to simplify understanding the sources and sinks.  Did it work, yes.  Is it for anything else other than microservices (e.g., ERP / EHR / EMR, trading, AI), not really.

Friday, September 14, 2018

Smart Contract Security

As more orgs look at embracing blockchain there will be a need to assess the security of Smart Contracts, particularly for Ethereum-based blockchains.

Look for vendors to develop solutions, and custom prof svcs firms to cater to this niche.

Sunday, August 26, 2018

Transitioning Technical Professional Service & Payment for Outcomes

With the advent of bug bounties, the transition of healthcare charges aligned to outcomes, and the history of legal services tied to outcomes, there needs to be a transition to technical professional services being aligned to outcomes.

Now, one may argue that FFP "packaged" projects are already tied to outcomes, though those are far & few between.

So, eventually industry should tie compensation to outcomes & we may see a better percentage of efficiencies from the larger consulting firms.

Saturday, August 25, 2018

Cloud Architecture: Build (IaaS) versus Buy (PaaS)

Cloud providers are introducing many new services to their portfolios.  So, organizations now have a decision to make regarding build vs buy.

Here are pros & cons for each:

PaaS / Buy: (pros) time to market, CapEx reductions; (cons) usually multi-tenant, will require skill-set updates, vendor lock-in, OpEx increases

IaaS / Build: (cons) familiar ITSM / ITIL model, CapEx focus, single tenant, existing skill-set, increased portability; (cons) slower agility

Monday, June 25, 2018

Cloud Visibility

With more organizations going to the cloud, with shadow IT, and with GDPR requirements cloud visibility seems to be the latest fad....

Microsoft & Amazon picked up on this several years ago, thus Azure Info Protection (AIP) and AWS Macie but, that does not cover them together or Google / Salesforce / Rackpsace.

So, expect this area to gain traction for several more years...

Saturday, June 23, 2018

Incident Response v.2.0: Partner Office 365 (O365) Compromise

As more ecosystems move to Microsoft's Office 365 it seems necessary to create an IR playbook for O365 compromises.

Said playbook should include proper responses.

Tasks to perform should include:

  • Disabling established trusts
  • Quarantining emails / messages
  • Establishing enhanced security policies / black lists
  • Calibrating monitoring / notification rules

Wednesday, March 21, 2018

Facebook, Cambridge Data Compromise Should Not Surprise Consumers

Facebook is receiving bad press due to compromised consumer data by a Cambridge-based analytics firm for political purposes.

Frankly, this should not be news as social media outlets, and free online services (email, vlogs, blogs), use subscribing advertisers to generate their revenue by selling the (supposed to be anatomized) data.  Said data extraction models have been the point of episodes on shows like Netflix's House of Cards. 

Regardless, the sensitive data is supposed to be masked.  And how obfuscated said data is, is often a matter of debate.

So, the questions is, will the US get serious about data privacy now and / or will consumers migrate from these services in droves?


Friday, February 23, 2018

Metrics for Risk Management & Cybersecurity

A book by the name of How to Measure Anything in Cybersecurity Risk articulates enhanced metrics (versus impact & likelihood) via Bayesian models.

However, sans cyber insurers & actuaries, most risk management / cybersecurity functions struggle with the most simple metrics.  That happens due to a lack of technical key risk indicators (KROs) agreed to by the business.

While quantitative analysis can help derive budgeting priorities, most organizations are simply not mature enough to know the qualitative gaps within their enterprise. 

Friday, February 16, 2018

Hypervisor Replication for Virtualization Security

Vendors like Bracket & BitDefender are rolling out virtualization security solutions meant for hybrid cloud deployment to negate rootkits & chip-based exploits (Spectre, Meltdown).

However, comprehensive coverage / support seems limited & you would think that the big cloud service providers (CSPs: AWS, MSFT Azure, GCP) have hardened their own hypervisors already.

VMware's partnership w/ AWS could pave the way for hardened hypervisors that can lift & shift among on / off prem deployments.