UK Chapter Research Update

Cloud is no longer new.   It’s not been new for a few years now.  I spent the first few years of my time working in cloud security saying “next year will be the year of cloud”.   I’m not saying that any more.   If my client interactions are anywhere near indicative of the wider environment (and working for one of the Big 4, I’d like to think that they are!) then 2015 was the year of cloud.    I saw many clients, including previously reluctant multi-nationals and financial services organisations, moving live workloads to the cloud.   They’d been dabbling with test and development for a while but last year seemed to represent a step change in acceptance of the use of cloud for the hosting of live services.    So what does this have to do with research?   Well, lots of the guidance I see out there still seems to be fairly high level and theoretical rather than pragmatic and based on the harsh lessons that can come from building cloud services for real.   My aim as the current Director of Research for the UK Chapter is to shepherd the development of a set of documents that contain proven, useable guidance to help UK businesses adopt cloud safely.   Think genuine lessons learned and achievable solutions rather than exhortations to negotiate a Right of Audit to the data-centres of Amazon, Microsoft and Google…

We now have four different projects up and running.   The four active projects are:

·        Cloud Migration – led by Anish Mohammed

·        Cloud Integration – led by John Arnold

·        Guidance for Small Business – led by Andy Camp; and

·        Guidance for Public Sector Users - led by Owen Sayers.

We are actively seeking volunteers to help the project leaders to develop the content for their specific projects, particularly from those who have experience of delivering secure cloud services at the shop-floor.  Please, step forward and share your lessons learned; let’s move the guidance from theory to practice whilst raising your industry profile at the same time.   Everyone’s a winner!

 

If this is of interest then please drop me a line at my @cloudsecurityalliance.org.uk email address (lee.newcombe) and I’ll put you in touch with the relevant project leads.

Comments

Post a Comment

Popular posts from this blog

CSA UK Applying MITRE ATT&CK Cloud and Microsoft K8 Matrix

Image
The Cloud Security Alliance UK chapter is presenting a series of sessions to provide CISO's, Cloud Security Architects, DevSecOps and SOC teams a breadcrumb roadmap of how to apply the recently published (late 2019)  MITRE ATT&CK for the Cloud  and also take influence from Microsoft’s recent Threat matrix on Kubernetes (K8).   We are seeking feedback or additional items you would like us to cover.  The proposed series of sessions will cover:   Session 1: [ Author/Presenter: Stephen Owen] 90 mins planned online 24th June CSA session on "What is MITRE ATT&CK and Cloud" and what benefits it brings to each of the stakeholders  What is  MITRE ATT&CK Enterprise  and  Cloud Where to start How to take advantages of the current  MITRE ATT&CK Cloud  and combining with Microsoft’s K8 Matrix;  Suggested practices to follow targeted to each of the below roles: Cloud Security Architects DevSecOps SOC Team  Cloud/CISO Lea...
Read more

Understanding ISO 27001 certification

A guest blog by Steve Watkins, Director at IT Governance Ltd Even though ISO 27001 is the international standard for implementing an ISMS (information security management system) and is used by thousands of organisations around the globe, it occasionally faces criticism on a number of issues. Those with first-hand experience of ISO 27001 know that, when implemented correctly, it provides a comprehensive guide to managing the information security risks that organisations face. Further, the accredited certification scheme that enables organisations to demonstrate that they conform with the requirements in ISO 27001 offers real benefits to those who understand how to interpret claims of certification appropriately. So, what are the Standard’s critics potentially misunderstanding? This blog takes a look at some of the misconceptions, and explains why ISO 27001 is an appropriate framework for managing your information security. What are the criticisms of ISO 27001 certification? You don’t k...
Read more

What is hybrid cloud computing?

Image
    (Hybrid) cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardised or proprietary technology that enables data and application portability. National Institutes for Standards in Technology (NIST) While a Hybrid Cloud can take many forms; in essence it means managing two (or more) disparate cloud environments (say private & public) as one, or having management tools in place that let the two (or more) environments be managed and appear as one single environment. Hybrid cloud uses a mix of on-premises, private cloud together with third-party, public cloud services; with orchestration between multiple platforms thus allowing workloads to move between the various cloud environments as computing needs; thus giving businesses greater flexibility and more deployment options. A cloud is hybrid when; You extend an internal web server (that has “burst...
Read more