
Understanding ISO 27001 certification

A guest blog by Steve Watkins, Director at IT Governance Ltd

Even though ISO 27001 is the international standard for implementing an ISMS (information security management system) and is used by thousands of organisations around the globe, it occasionally faces criticism on a number of issues. Those with first-hand experience of ISO 27001 know that, when implemented correctly, it provides a comprehensive guide to managing the information security risks that organisations face. Further, the accredited certification scheme that enables organisations to demonstrate that they conform with the requirements in ISO 27001 offers real benefits to those who understand how to interpret claims of certification appropriately.

So, what are the Standard's critics potentially misunderstanding? This blog takes a look at some of the misconceptions, and explains why ISO 27001 is an appropriate framework for managing your information security.

What are the criticisms of ISO 27001 certification?

You don't k...

CSA UK Applying MITRE ATT&CK Cloud and Microsoft K8 Matrix

The Cloud Security Alliance UK chapter is presenting a series of sessions to provide CISOs, Cloud Security Architects, DevSecOps and SOC teams with a breadcrumb roadmap of how to apply the recently published (late 2019) MITRE ATT&CK for the Cloud, and also to take influence from Microsoft's recent threat matrix on Kubernetes (K8). We are seeking feedback or additional items you would like us to cover. The proposed series of sessions will cover:

Session 1 [Author/Presenter: Stephen Owen]: 90 mins, planned as an online CSA session on 24th June, on "What is MITRE ATT&CK and Cloud" and what benefits it brings to each of the stakeholders.
- What is MITRE ATT&CK Enterprise and Cloud
- Where to start
- How to take advantage of the current MITRE ATT&CK Cloud and combine it with Microsoft's K8 Matrix
- Suggested practices to follow, targeted to each of the below roles: Cloud Security Architects, DevSecOps, SOC Team, Cloud/CISO Lea...

An approach to Cloud Centre of Excellence

The UK Cloud Security Alliance chapter asked Stephen Owen, UK Board Director, his opinion on "Going to the Cloud". This video blog is particularly relevant in the current climate, while organisations review or start their digital transformation or disruption journeys. In this short video blog ( https://youtu.be/KzXLlJUTYRo ), Stephen describes some of the cornerstones for addressing the fundamentals using "Cloud Centre of Excellence Enablement" (CCoE). CCoE should not be seen as a compliance function but as an agile process to move fast and save cost.

Over the last few years, Stephen has seen a broad spectrum of both successful and failed attempts, from start-ups to international companies, at going to the Cloud. Often it's a combination of several issues that results in failure or late delivery:
- Missing skill sets
- Starting too big
- Lack of experienced Cloud leadership
- Project Managers adopting Waterfall while DevOps adopt agile
- Security Architects using on-p...

CSA UK Chapter supports Blackout Tuesday

The CSA UK Chapter made the decision to suspend all posting and promoting of our webinar this week in support of Blackout Tuesday. We are choosing to postpone this event in honour of #blackouttuesday, freeing up the time usually dedicated to events and social media for people to educate themselves on the Black Lives Matter movement, fighting against injustice and systemic racism. The CSA UK Board felt that the death of George Floyd and the subsequent inadequate response by the Police and the US government demanded a response.

You may ask why a UK organisation with no connection to the matter at hand chooses to act in this way. We stand in solidarity with our fellow right-minded citizens of all countries, and the words of Edmund Burke [1729-97] (in a letter addressed to Thomas Mercer) probably say it better than we could: "The only thing necessary for the triumph of evil is for good men to do nothing." The CSA UK Chap...

What is hybrid cloud computing?

"(Hybrid) cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardised or proprietary technology that enables data and application portability." (National Institute of Standards and Technology, NIST)

While a Hybrid Cloud can take many forms, in essence it means managing two (or more) disparate cloud environments (say private and public) as one, or having management tools in place that let the two (or more) environments be managed and appear as one single environment. Hybrid cloud uses a mix of on-premises, private cloud together with third-party, public cloud services, with orchestration between multiple platforms allowing workloads to move between the various cloud environments as computing needs change, thus giving businesses greater flexibility and more deployment options.

A cloud is hybrid when: You extend an internal web server (that has "burst...

The road to the cloud- The story of public versus private

By Dr. Wendy Ng, DevSecOps Security Advisor for Experian. A collaboration between Experian and CSA UK Chapter.

We are on the cusp of being a quarter of the way through the 21st century and you need to decide: public or private cloud? But what do these terms actually mean? Let me walk you through them, and hopefully by the end of the article you will have a better idea (or at least you will feel welcomed into the 21st cloud century).

Gartner predicts an exponential growth of cloud services, reaching $370 billion (which is about £200 billion in the UK) by 2020. Source: Gigabit magazine

Early concerns about the security implications of multi-tenanted systems have essentially been dissipated by improved understanding of responsibility boundaries and of the controls needed to achieve company- and industry-specific regulatory compliance requirements. Just about every organisation worth its salt from all sectors (public, private or non-profit) will have had, or is undergoing, large ...

Why Cloud Migrations Fail – some practical, key factors from the Trenches

By Dimitri Yates

It is widely accepted that cloud computing offers benefits such as agility, flexibility and scale. There is also a shift in the financial model from capex to opex. In order to maximise the benefits offered by the cloud, as well as to leverage and properly manage the financial model, changes are required across the organisation, particularly in larger organisations. Changes, and plans for changes, must be made to the organisational structures and processes (people and processes) as well as to the technology which the organisation wishes to migrate into the cloud.

Practical experience and challenges observed in large cloud migration projects show that many organisations did not anticipate and were not ready for challenges such as:
- Impact of the changes to the political climate and organisational structure
- Preparing for the necessary changes in organisational behaviour, culture and ways of working
- Upskilling, training and employee communication

These are non-technical issues...