Posts

CSA UK AGM Updates

Our Chapter Annual General Meeting (AGM) was held last week, kindly hosted by Trend Micro. With respect to Chapter business, the following outcomes were noted:

Lee Newcombe - elected to Vice-Chair
Lewis Troke - elected to Director of Research
Paul Simmonds - elected as General Board Member

Each appointment lasts for two years. It was encouraging how many of the attendees expressed an interest in two of our other positions - Director of Events and Director of Communications - and so we hope to be able to fill those positions shortly. The more observant amongst you will note that we currently have only a Vice-Chair as no-one was nominated for the role of Chair - Lee Newcombe (your author :)) will deputise whilst we await a candidate willing to put themselves up for election as Chair. It was a positive interactive session with some great content being presented by knowledgeable practitioners. Many thanks to Dave Walker of AWS for a fantastic technical session on using Lambda to auto...

Guest Post - Francesco Cipollone

One of the things we're keen to do here is to share lessons learned by those who are actively implementing cloud services. As such, I'm pleased to offer the opportunity to contribute guest articles sharing cloud security war stories to this blog. Our first guest author is Francesco Cipollone of NSC42 who has kindly taken the time to write up a number of thoughts relating to identity on the Office 365 platform. His article can be found below - thanks Francesco!

Let me start by saying that by no means am I a pure authentication expert nor a Microsoft expert. Like many of you, I'm on the journey to the cloud and learning as I go. Please provide any feedback or any contribution to the article so as to make it as accurate as possible.

Identity and Access management with O365/Azure

A few weeks ago, I had a conversation with a colleague about identities in Office 365 and the discussion led to the various nuances of where the identities are located. I have to admit, with...

Cloud integration and portability

Integration and portability – either working across multiple cloud providers or else shifting workloads from one provider to another – remain amongst the trickier areas of cloud strategy and security. Different business strategies and priorities will drive different approaches. For example, if you take the view that service resilience is your primary concern then the idea of placing all your eggs in one basket, even one as well made as AWS or Azure, may be anathema. This can then drive architectures that must either split components across multiple cloud providers so as to reduce the impact of compromise (including outages) or else use a secondary cloud provider to provide contingency in the event of a failure of your primary supplier. If you’re going to support portability (the ability to shift workloads between cloud providers) then you need to avoid lock-in, which can drive you towards containerisation such that you can take your encapsulated infrastructure from one ...

Small Business Guidance

One of the projects we currently have underway in the UK chapter relates to the provision of guidance tailored towards small businesses. Cloud offers start-ups and small businesses the IT capabilities they need to compete with more established organisations, but it is unlikely that such firms will have dedicated security teams tasked to secure such capabilities. This project aims to provide pragmatic insight to help those asked to secure cloud services in small businesses to close some of that gap. Here's an update from Andy Camp who is running with this project...

Update

Version 4.0 of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing is a 152 page document full of extremely useful information. This document is however difficult to interpret and onerous to implement for the majority of Small and Medium Enterprises (SMEs) who constitute over 99% of businesses in the UK and whose turnover (2014 figures) represents 47% of the private sector turnover in t...

Cloud Integration Project Update

As I’ve blogged previously, we have a number of research projects currently underway under the auspices of the UK Chapter. One of those projects relates to cloud integration. The cloud integration project is being led by John Arnold and John has kindly produced the below text as an example of where that project is heading.

Issues involved in cloud integration

Identity. Users (both privileged and end users) need to access cloud services as easily as on-premises services. Ideally, we need to achieve the following:

Single administration – users don’t need to be administered separately for each cloud service. Privileges in cloud based services can be accessed by mapping to a common identity store.
Single credential – users don’t need to manage their credentials separately for each cloud service.
Single session – users don’t need to log on separately for each cloud service.

Security monitoring. The enterprise SOC needs to receive f...

UK Chapter Research Update

Cloud is no longer new.   It’s not been new for a few years now.  I spent the first few years of my time working in cloud security saying “next year will be the year of cloud”.   I’m not saying that any more.   If my client interactions are anywhere near indicative of the wider environment (and working for one of the Big 4, I’d like to think that they are!) then 2015 was the year of cloud.    I saw many clients, including previously reluctant multi-nationals and financial services organisations, moving live workloads to the cloud.   They’d been dabbling with test and development for a while but last year seemed to represent a step change in acceptance of the use of cloud for the hosting of live services.    So what does this have to do with research?   Well, lots of the guidance I see out there still seems to be fairly high level and theoretical rather than pragmatic and based on the harsh lessons that can come from building cloud serv...

UK-specific Cloud Guidance

One of the things that we, as a UK chapter, are keen to deliver to our members is some local flavour to the comprehensive but generic guidance produced by the wider global Cloud Security Alliance. To that aim, I thought it worthwhile to highlight some of the local, UK-specific, sources of security guidance to help out those of you either already working in the cloud or else exploring the potential for future cloud-based delivery of services. Whilst aimed very much at the Public Sector, the Cloud Security Principles and associated cloud security guidance published on Gov.uk offer a considerable amount of pragmatic guidance to those looking to adopt cloud services. The landing page for a variety of guidance documents can be found here: https://www.gov.uk/government/collections/cloud-security-guidance One, harder to find, Government source of guidance relates to the security assertions that cloud providers looking to del...