I have to admit on the morning before the South Africa lockdown – which I just discovered was apparently intended to be booze-free, since all sales of alcohol will also be suspended for 21 days – I was in a bit of a corona funk. I know others have it a lot worse than I do, so just like security, everything is context-specific…
…but still. We’re heading towards the end of week 2 of only one person leaving the house, kids at home without school, and now the official 21-day lockdown strikes, Cinderella-style, at the stroke of midnight tonight.
And I felt a bit like a car with a dead battery. The starter motor’s kinda making an effort, but the engine just wasn’t gonna kick over and bring the ol’ beast to life.
Grrrrr….rrrRRRRrrrr….rrrRRRRrrr….click, click, click.
So, after exhausting my usual bag of tricks, I was inspired by a Law360 email, of all things, to do a bit of a search for some blues. And, I gotta say…after about 30-45 minutes of some classic B.B. King footage, Eric Clapton, John Lee Hooker, Etta James, Muddy Waters, Big Mama Thornton with a sprinkle of Carlos Santana on top was just the thing to jolt a little energy and enthusiasm into what I needed to do today.
Now, maybe you might not be into the blues, but if we’re gonna get through all this coronavirus crap that keeps piling and piling and piling on, you’re gonna need to find that go-to for you that does the trick and zaps you outta any kinda low-energy funk you might be feeling.
Because that “oxygen” in that mask the airlines tell you to put on first before you help others may come in many forms, so it’s always good to have a secret stash of whatever it is for you stockpiled for when you need it.
As you might’ve guessed from the subject of today’s email, I’m gonna be vamping on a classic Muddy Waters tune called “Long Distance Call” that’s actually pretty apropos for the notifications our SOC teams are likely to get from our cloud security monitoring controls. I mean, what they want to hear are the softly-whispered sweet nothings of their lover’s voice, telling them everything’s alright, isn’t it?
But sometimes….just sometimes…you’re likely to pick up that receiver and hear those fateful words…
“Another mule be kicking in your stall.”
Which, even if you don’t realize that the meaning behind it is that you’re being cheated on, isn’t going to make you very happy. Your cloud…the darling to whom you’ve entrusted the deepest secrets of your enterprise…or maybe, it’s just the mundane, operational minutiae…only you know for sure.
Either way, it’s bad news.
So the challenge for any cloud-forward organization is keeping all those other mules outta your precious cloud. And, failing that, making sure you get that call that’s gonna tell you about it as fast as possible—and with enough information to allow you to do something other than just having that sinking feeling in your soul that your baby just don’t love you no more.
The quintessential question remains constant: How?
How are you going to make sure that not only do you get that call…but that you get that call at the right time, and under the right circumstances? Or, better yet, how are you going to prevent that call from ever being made in the first place?
There are actually a few different ways to answer those questions, depending on how much time, skill and experience you might have. You can start from a blank sheet of paper and figure out everything you need in the cloud…
…you can just blindly apply all of your enterprise security policies, standards and configuration requirements on your cloud service providers…
…or you can take some kind of middle ground and start from one of the published reference architectures that will hopefully help keep you from reinventing the wheel…get kudos and pats on the back for following recognized “best practice”…and theoretically have everything you need laid out in front of you with all the racing stripes and sequins you would ever need.
Unfortunately, the thing about answering one question is that it often leads you to ask about a dozen more, and in the whole process, you’re gonna need to figure out which reference architecture you might want to evaluate, whether it’s open or closed, and then whether you’re actually going to be able to usefully put it to work in anything other than 6-18 months of detailed investigation, evaluation and profiling.
And often, even if you pick a reference architecture totally aligned to the platforms you’re already using…
…you’re still going to end up needing to whip up some super glue of your own in order to make sure it’s firmly attached to all the right business objectives, programs and performance measures.
If you’re thinking it sounds like it isn’t easy – or even if you’ve been there, done that, and have a dresser full of t-shirts – you know that it isn’t easy at all. And, often, it can be downright difficult.
So that’s why in the upcoming April edition of the printed, posted and plopped on your front porch Security Sanity™ newsletter, I’m going to take you through what I do to normalize, slice, dice and standardize the cloud reference architectures from CSA, Microsoft and NIST so you will…
- know what it takes to do it yourself
- see what the end result is going to look like, and
- have the confidence that whatever you’re doing is traceably linked to the business, isn’t overwhelmingly complex and can be used to guide day-to-day security decisions from strategy to operations.
Now, maybe you’re thinking that’s a tall order, and you might be right. Maybe it isn’t possible. Maybe it isn’t necessary, and maybe it won’t make one iota of difference in the effectiveness and speed with which your security team can support and enable the business projects that walk through your door.
I guess you’ll just have to make a decision about whether it’s worth subscribing before the deadline to get it at the end of the month using this link or not:
In the meantime, I’ll be getting busy figuring out the booze rationing schedule over the next 21 days based on whatever inventory I might have in the house. That’s the thing about cooking a lot. You kinda get accustomed to being able to enjoy a glass of wine or two as a reward for your labor—and to ease the digestion, of course… 😉
Stay safe and as well and as sane as you can through all this. I’m afraid we’re just getting started, and that that Easter target is gonna whoosh on by just like many a project delivery milestone we’ve all heard about before. But we can always hope for the best, while we hunker down and prepare for the worst…
…because, after all, isn’t that what we do every day as security professionals anyway?
Andrew S. Townley
Archistry Chief Executive