Tuesday, August 25, 2020

Dont Replicate Your Data Center Setup in the Cloud

 A multitude of corporate IT/Cyber departments attempt to replicate their network architecture in the cloud.  Unfortunately, that is not the way to go regarding cloud transformation.  When organizations use the cloud it makes the most sense to leverage native solutions as much as possible.

While trusting cloud service providers (CSP) completely is not prudent, many CSPs have matured their services, especially security-centric solutions.  With that said, if there are any doubts/concerns, the most pragmatic choice is to leverage enterprise data protection solutions before data is migrated to the cloud.  Said solution could negate concerns about a CSP's data handling procedures.

Wednesday, August 12, 2020

Are SOC2 / ISO 2700x / HITRUST Attestations Enough for PaaS / SaaS Providers

 The short answer is, not alone.  Attestations outside of penetration testing reports, or the ability for an org (that desires to provision said provider's services) to run a vulnerability scan, are not acceptable.

As an individual who has provided internal security assessments, as well as many external, the scope of attestation much too often is extremely limited in scope.  Therefore, these reviews do not provide an adequate benchmark of security &/or privacy compliance or posture.

So, kick the proverbial tires; while not requiring an expensive onsite audit....


Friday, August 7, 2020

Well-Architected Frameworks for Cloud Service Providers (CSP)

 CSPs now have created thought leadership for architecting cloud-based workloads:

Amazon (AWS): https://docs.aws.amazon.com/wellarchitected/latest/framework/wellarchitected-framework.pdf

Microsoft Azure: https://azure.microsoft.com/en-us/blog/introducing-the-microsoft-azure-wellarchitected-framework/

Google (GCP): https://cloud.google.com/architecture/framework

Oracle (OCI): https://www.oracle.com/cloud/architecture-center.html

AWS Lambda, Serverless Function-as-a-Service (FaaS), Primer

AWS paved the way via FaaS years ago.  However, I have yet to find a succinct, aggregation of best practices on how to use & deploy these solutions.  So, here you go: