Over the last several years, a lot of big brains have been working on the problem of what “secure cloud” should actually mean. And they’ve spent a lot of time producing a lot of documentation—and a lot of big, complex diagrams that attempt to address every possible aspect of the cloud and how to make it “secure.”
Unfortunately, an older XKCD cartoon aptly describes the result:
Panel 1: There are 10 competing standards
Panel 2: We should figure out how to unify them all. Great idea!
Panel 3: There are 11 competing standards
And, as anyone who’s been around for a while knows, this is the general way our industry solves problems. I’ve done it. You’ve probably done it, and the majority of vendors out there have certainly done it.
However, if what the last 7-14 days (depending on where you are) has shown me is anything to go by, we might be faced with what we’ve seen as a new “coronanormal” environment where we’re all desperately trying to avoid killing each other, video-bombing our partners’ and kids’ video conference calls, and seriously wishing we’d opted for that large property in the countryside where we could all stretch our legs when we needed it.
Like everything, there’s good and bad in all this. While all of these current woes are both taxing our patience and our Internet infrastructure, without those cloud services a lot more of us are using a lot more often, things would’ve simply ground to a halt.
So, I’m going to hazard a guess that as more travel lockdowns take place…and more countries close their airspace like the UAE did today…if business still wants to get done, a lot more decisions about in-house vs. cloud services are going to get revisited.
And when that happens…it’s going to be even more critical than it was before that we somehow get our collective crapola together when it comes to not only talking about “the cloud” as this mythical entity hanging in the ether…
…but also as to how we truly make it an extension of our enterprise—and that means as part of our security policies too.
In a lot of the work I’ve done over the last few years, pretty much every one of our clients and customers has had a pet reference architecture for cloud. And most of those architectures have evolved quite dramatically over that same period as the sheer number of products has multiplied and made it possible to do more and more – and sometimes with more (or less) control – in someone else’s datacenter.
But from what I’ve seen, people still have one of two major problems:
- they still focus too much on the technology vs. what’s actually being delivered, and/or
- they get overwhelmed with the overall complexity of the existing, published cloud reference architectures when they try to put them to practical use.
To address this, I decided that the entirety of the upcoming April edition of our print newsletter, Security Sanity™, would talk about how to find the right balance between the technology and the business-enabling functionality of various cloud offerings, and try to illustrate how to untangle some of the complexity behind the popular cloud models from CSA, Microsoft and NIST that I’ve seen come up the most in our client work.
The objective of the April issue is to help you better integrate your cloud solutions and approach into your existing enterprise security program so you can more easily demonstrate where you’re doing the right thing. Once you’ve done that, you’ll then be able to use that same information to drive any necessary changes in both your enterprise security approach and your existing cloud provider agreements.
But you’ll only get the April issue delivered to your door* if you’ve ensured you’re subscribed by the end of the month, next Tuesday at 11:59pm US/Eastern. In the event that you’re sitting on the fence and the $97 subscription charge isn’t processed before that time, your subscription will start with the May issue, and you’ll have missed out on April’s Cloud Security Bonanza.
And you can only ensure you’re subscribed by visiting this page:
…clicking the big yellow button at the bottom, entering your card details, and receiving the email confirmation that says you’re in.
If you’re completely happy with your approach to integrating cloud security into your existing policies and your enterprise security program, and feel you’re free of DevOps silos, then you can probably give this one a miss. As always, it’s up to you to decide what’s important and how you grow your skills as a security leader—with or without COVID-19.
Andrew S. Townley
Archistry Chief Executive
* If the global supply chain for postal and courier deliveries does somehow grind to a halt during all this craziness, rest assured, I’ll make a plan where you won’t miss the issue as a result.