Some 2012 projects / plans

Following on from my brief overview of progress during 2011, I thought I would share some of the projects I’ll be undertaking during 2012.  This will give anyone reading this blog an idea of the likely content that will appear this year, on top of general thoughts and some book reviews.

1. Complete my masters, which, assuming I have passed my most recent module, means choosing and completing my project.  Based on the university schedule the bulk of this will be completed between April and September.  Now to decide on a topic!

2. Lead (co-chair) the Cloud Security Alliance – Security as a Service working group through the delivery of the planned implementation guides covering each of the categories detailed in the white paper we published in 2011.

3. Become a lot more familiar with the Xen hypervisor, in addition to the VMware products, in order to better assess virtualisation options for both desktops and servers.  This is for a combination of reasons: expanding my knowledge, and better understanding the options around Xen (the open source and Citrix variants), VMware and the various virtual desktop solutions.  Also, with people like Amazon and Rackspace using Xen, it must be worth a closer look.

4. Having recently done some study around secure coding, I’ve been reminded that I should probably brush up my scripting skills, so I plan to put a little time into Perl this year.

…  A few other things will likely be added around architecture, potentially some further study / research, and databases and security, but these have yet to be finalised and I need to be realistic about what I’ll achieve this year.  I’d rather do less well than try to do too much and not be satisfied with the results!

Expect to see blog posts on the above topics throughout this year; feel free to email or comment if there are any specific areas you would like detailed blog posts on.

K

2011 review

As is often the tradition, I thought I would start the year with a couple of posts covering an overview of some key points from the last year, and some planned projects for this year.

As I am sure you have guessed this post will be a brief review of 2011 from a study / career / research perspective.

2011 was a pretty busy year, with cloud security research, masters work and finally realising my previous role was no longer offering much, if any, challenge, culminating in a move to a new role at the end of the year / start of 2012.

From a study perspective I completed two more MSc modules;

– Wireless mobile and ad-hoc networking

– Secure systems programming

Assuming I pass the secure systems programming module (final piece of coursework was completed 9/1/12) there is ‘just’ the project left to complete in order to finish my masters.

Also on the study front, I achieved a couple of certifications;

– ISSAP (Information Systems Security Architecture Professional).  This is a secure architecture addition to the CISSP (Certified Information Systems Security Professional).

– British Computer Society Enterprise and Solutions Architecture certificate.

So all in all a successful and reasonably productive year from a study / certification perspective, especially if I have managed to pass the secure coding module!

From a career perspective, I had been looking around within my previous company for a little while but decided that I was stagnating in my previous role, so it was time to look outside in order to move on.  The good news is I was successful, being offered a considerably improved role as a Senior Systems Architect with Canada Life that I started 3/1/12.  I’ll update on how this is going and any non-proprietary technologies / projects I am working on in upcoming posts.

From a research / general learning perspective 2011 was the year of the cloud.  As anyone who has read this blog knows I have been very involved in work defining Security as a Service (SecaaS) with the Cloud Security Alliance, chairing the research group on this topic.  This has resulted in a paper being published and SecaaS being added as a new domain to the CSA guidance.

I’ll follow this post with one detailing some of my plans and projects for 2012.

K


Cloud Security Alliance; Security Guidance v3 released

The Cloud Security Alliance (CSA) has released the long awaited version 3 of the ‘Security Guidance for Critical Areas of Focus in Cloud Computing’.  This is the first update to the guidance since version 2.1 was released in 2009, and is a major overhaul bringing the guidance up to date in the new and fast-moving world that is ‘cloud’ computing.

In addition to updating all of the existing domains of the guidance, Domain 14 – Security as a Service (SecaaS) has been added.  This is the domain I have contributed to most extensively, and it has its basis in the white paper whose publication I co-chaired a few months ago.

As an overview, version 3 comprises the following domains in the context of cloud security;

Section I. Cloud Architecture

– Domain 1: Cloud Computing Architectural Framework

Section II. Governing in the Cloud

– Domain 2: Governance and Enterprise Risk Management

– Domain 3: Legal Issues: Contracts and Electronic Discovery

– Domain 4: Compliance and Audit Management

– Domain 5: Information Management and Data Security

– Domain 6: Interoperability and Portability

Section III. Operating in the Cloud

– Domain 7: Traditional Security, Business Continuity, and Disaster Recovery

– Domain 8: Data Centre Operations

– Domain 9: Incident Response

– Domain 10: Application Security

– Domain 11: Encryption and Key Management

– Domain 12: Identity, Entitlement, and Access Management

– Domain 13: Virtualization

– Domain 14: Security as a Service

The guidance can be freely downloaded from the CSA website here;

https://cloudsecurityalliance.org/research/initiatives/security-guidance/

It is relatively long, but it covers a lot of what you need to know about cloud security, and the things you need to consider if you are planning to move your data to a ‘cloud’ type service.

K

SecaaS overview webinar – recording available

For anyone interested, there is a recording of the webinar session available from the Credant website here;

https://credantevents.webex.com/credantevents/lsr.php?AT=pb&SP=EC&rID=4463592&rKey=a659de63f39288e9


It’s a little dry, as it was mostly me presenting, but there is an overview of cloud and Security as a Service.

Happy viewing and feel free to ask any questions!

If you want to get involved in the work we are doing around Security as a Service, check out;

https://cloudsecurityalliance.org/research/working-groups/secaas/

K

SecaaS overview webinar with Credant

For anyone who would like an overview of;

– What the ‘Cloud’ is

– Who the Cloud Security Alliance is and their mission

– What Security as a Service (SecaaS) is

– The work of the SecaaS working group so far and what is coming up

I am presenting a webinar in association with Credant tomorrow (10/11/2011) at 1pm Central US time / 7pm UK time.

To register for this event please follow this link;

https://credantevents.webex.com/credantevents/onstage/g.php?t=a&d=668393321

This should be an interesting event, and there will be a Q&A session included should there be anything you want to know about Security as a Service, the CSA or Credant that we don’t cover in the pitch.

For those not familiar with them, Credant are one of the leaders in data protection.  On their website they describe themselves as;

Your Trusted Data Protection Experts

We help you protect critical corporate data by mitigating the risk of data breaches and managing the complexity of securing data with a single, management framework. Our Data Protection Platform comprehensively addresses the unique security challenges of your enterprise organization’s data to ensure you’re compliant.

Our comprehensive Data Protection Platform helps you control, manage and protect data holistically at your enterprise organization from endpoints to servers, to storage, to applications and in the cloud.

For further details or to contact them Credant can be found here;

http://www.credant.com/

For reference, I am in no way affiliated with Credant, and the opinions expressed both here and in tomorrow’s presentation are 100% my own.

If you have data to be protected, I would recommend checking Credant’s solutions out.

K


Cloud Security Alliance Security as a Service white paper press release

The press release can be found here;

https://cloudsecurityalliance.org/csa-news/csa-issues-first-secaas-white-paper/


I know I have mentioned this work already, but this is the official press release from the Cloud Security Alliance for the ‘Security as a Service Categories of Service 2011’ white paper.

Exciting for me, as I actually wrote much of the release, in addition to my roles contributing to the paper and managing the group’s work as one of the co-chairs.  Big thanks to Zenobia at Zag Communications for bringing the press release together.

K


Cloud Security Alliance – Security as a Service

For those interested in cloud security options, I am currently on the steering committee for the Security as a Service (SecaaS) working group.  In this instance I mean how cloud computing can be used to secure everything, including cloud and non-cloud-based IT, rather than how to secure cloud computing (paraphrased from Jim Reavis).

If you are not familiar with the Cloud Security Alliance, I suggest you check out their site; it is a great resource for all things cloud security related and can be found here;

http://www.cloudsecurityalliance.org/

The purpose of the SecaaS working group specifically is to;

– Identify consensus definitions of what Security as a Service means

– Categorise the different types of Security as a Service

– Provide guidance to organisations on reasonable implementation practices

The site specific to the SecaaS work can be found here;

http://www.cloudsecurityalliance.org/secaas.html

Proposed timelines for the work we produce are;

– Categories of service to be defined by late April.

– Draft SecaaS Guidance, mid-May.

– SME Guide, mid-July.

– Final Draft SecaaS Guidance, mid-September.

This should be a great piece of work, so I will keep you updated with our progress.

K