Been a while.. and 2013 plans

I realised it has been getting on for three months since my last blog post.. Getting back into writing posts has been on my mind for a few weeks, but things in life have been extremely hectic recently!  Briefly life has involved getting engaged, planning a rather cool wedding and honeymoon, redecorating an entire house, and not to mention starting a new job.

Work wise I am now a Senior Security Architect for WorldPay which is pretty much exactly the role I have been aiming to get for some time.  As with most roles the first few weeks have been a hectic time of getting to know the company, policies and processes, people as well as rapidly picking up constructive work.

I thought I’d start this year’s blogs with an overview of some of my plans relating to work and learning for 2013.  Obviously as it’s now nearly the end of February I am using ‘start’ of the year fairly loosely!

So looking ahead for the year, what are my plans / projects for 2013?

1. Complete my Masters project;  Due to everything that has been happening I requested and have been granted an extension until May of this year to complete my project.  I have completed and passed the rest of my Masters, so this is the final piece between me and being awarded the postgraduate degree.  With continuing to get to grips with my new role and everything else that is going on, this will be a challenge, but something I need to complete.

2. Improve my knowledge of secure, always available multi-site data centre networking; Network security is one of my key focus areas, and this links nicely with the environment I am currently tasked with ensuring the security of.

3. Continue to lead and contribute to the Cloud Security Alliance Security as a Service working group.  This has become a major project for me that I have been leading for nearly a couple of years now.  This is another one that also ties in nicely with my WorldPay role as I will also be covering cloud security and strategy as one of my responsibilities.

4. Various smaller / side tasks including getting round to taking my TOGAF exam, attending various useful industry conferences such as RSA and Infosec (work budgets permitting of course), along with being successful in my new role and progressing at WorldPay.  This may of course lead to further projects this year depending on the tasks I need to achieve as part of my role, I’ll obviously keep you posted around any of these I can publicly discuss.

I’ll keep you all posted with my progress around these projects / tasks, along with other interesting things that happen during the year.  Here’s to a productive and interesting 2013.

K

2012 Update

I had meant to update on how my plans for the year were going around June / July so this is a little late, but I have been pretty busy getting the upcoming Cloud Security Alliance (CSA) – Security as a Service (SecaaS) guidance documents.  These are due for publication at the start of September – watch this space..  It has also taken longer than expected to finalise my Masters project choice, but I think I’ve got there with that one, finally!

In January I listed some goals for the year here;

Some 2012 projects / plans

So where am I with the year’s goals?

1. Choose a project and complete my Masters.  Project finally chosen and extended project proposal handed in.  My proposed project title is;

‘Increasing authentication factors to improve distributed systems security and privacy’

The plan is to cover the current state of distributed systems authentication and to assess how this could be improved by adding further ‘factors’ to the required authentication.  In this instance factors refer to things like ‘something you know’ such as passwords, ‘something you have’ such as a number generating token, and ‘something you are’ such as your fingerprint.  I have completed a project plan outlining how I’ll use the time between now and the hand in date in January 2013, and I’ll keep you posted with progress.

2. Lead / co-chair the CSA SecaaS working group.  While it has been challenging to find the time and keep everyone involved working in the same direction, we are almost ready to release the next piece of work from this research group.  The next publication will be in the form of 10 implementation guidance documents covering the 10 SecaaS categories we defined last year.  These will be released on the CSA web site around the end of August, I’ll post a link once they are available.  This has certainly been a learning experience regarding managing the output of a very very diverse set of international volunteers!

3. Become more familiar with the Xen hypervisor.  I have had limited success with this one, increasing my familiarity with virtualisation and cloud generally, and reading up on Xen.  However I have not had a chance to set up a test environment running the open source Xen hypervisor to get properly acquainted with it.  I’ll be looking to rectify this during October, at which time I’ll provide a run down of my thoughts of this hypervisor’s features and how easy it is to install and configure.

4. Brush up my scripting and secure coding.  Scripting opportunities have been limited this year, and I have not had the time to create side projects outside of the office due to CSA and Masters related work.  Secure coding, I have reviewed both some code and some development practices against OWASP recommendations and the Microsoft secure development lifecycle (SDLC), so have made some progress in this area and will follow with an update in a future post.

Overall, not as much progress in some areas as I had hoped, but I am reasonably happy with the CSA SecaaS and Masters progress, while also holding my own in full time employment.

As mentioned, keep an eye out for the upcoming publication of the SecaaS implementation guidance!

K

MSc Update

Checked today and I have passed the final module – Secure Systems Programming.  I actually did considerably better than I expected and as I had virtually no C/C++ experience prior to this module I’m very pleased!

Nice to make some progress on the first item from my post about plans for the year as well..

Just the project to go, so I’ll definitely complete the Masters this year.  I will post some updates on the project later in the year as that gets started and progresses from around April time.

K

Project suggestions..

So I am currently working on what my MSc project should cover.  As the overall title of the MSc is Distributed Systems and Networks the project should likely incorporate some sort of networked / distributed system.  Given my continued interest in IT Security and the fact one of my favourite modules was actually titled ‘Distributed Systems Security’ I’d also like to incorporate a strong security focus into the project as well.

As I am also working on some cloud security related work for the Cloud Security Alliance I am thinking something ‘cloud’ related would be good as this would bring together aspects of security, obviously distributed systems along with being a very current topic.

The purpose of this post is to garner ideas and suggestions for project content and/or possible titles as I am struggling a little to decide the best and most interesting / useful option.  Likely especially relevant to the guys I am working with on CSA projects, but obviously open to anyone – what areas would you like to see further research in, where could my MSc project add value and insight?

Please feel free to post here or email me with any ideas and suggestions. Many of you have my email, however if you need it; it’s on my LinkedIn profile.  I’ll keep this blog updated with my topic decision and also link to the project once it is complete.

Thanks for your interest – looks like this is going to be an interesting and busy year!

K

Some 2012 projects / plans

Following on from my brief overview of progress during 2011 I thought I would share some of the projects I’ll be undertaking during 2012.  This will give anyone reading this blog an idea of some of the likely content that will appear during this year on top of general thoughts and some book reviews.

1. Complete my masters, which assuming I have passed my most recent module means choosing and completing my project.  Based on the university schedule the bulk of this will be completed between April and September.  Now to decide on a topic!

2. Lead (co-chair) the Cloud Security Alliance – Security as a Service working group through the delivery of the planned implementation guides covering each of the categories detailed in the white paper we published in 2011.

3. Become a lot more familiar with the Xen hypervisor, in addition to the VMware products in order to better assess virtualisation options for both desktops and servers.  This is for a combination of reasons around expanding my knowledge and better understanding the options around Xen (open source and Citrix variants) and VMware and the various virtual desktop solutions.  Also with people like Amazon and Rackspace using Xen it must be worth a closer look..

4. Having recently done some study around secure coding I’ve been prompted that I should probably brush up my scripting skills, so I plan to put a little time into Perl this year.

…  Likely a few other things will be added around architecture, potentially some further study / research, databases and security, but these have yet to be finalised and I need to be realistic about what I’ll achieve this year.  I’d rather do less well than try to do too much and not be satisfied with the results!

Expect to see blog posts on the above topics throughout this year, feel free to email or comment if there are any specific areas you would like detailed blog posts on.

K

2011 review

As is often the tradition I thought I would start the year with a couple of posts covering an overview of some key points from the last year, and some planned projects for this year.

As I am sure you have guessed this post will be a brief review of 2011 from a study / career / research perspective.

2011 was a pretty busy year with cloud security research, masters work and finally realising my previous role was no longer offering much/any challenge; culminating in moving to a new role at the end of the year / start of 2012.

From a study perspective I completed two more MSc modules;

– Wireless mobile and ad-hoc networking

– Secure systems programming

Assuming I pass the secure systems programming module (final piece of coursework was completed 9/1/12) there is ‘just’ the project left to complete in order to finish my masters.

Also on a study front I achieved a couple of certifications;

– ISSAP (Information Systems Security Architecture Professional).  This is a secure architecture addition to the CISSP (Certified Information Systems Security Professional).

– British Computer Society Enterprise and Solutions Architecture certificate.

So all in all a successful and reasonably productive year from a study / certification perspective, especially if I have managed to pass the secure coding module!

From a career perspective I had been looking around within my previous company for a little while but decided that I was stagnating in my previous role so it was time to look outside in order to move on.  The good news is I was successful, being offered a considerably improved role as a Senior Systems Architect with Canada Life that I started 3/1/12.  I’ll update on how this is going and any non-proprietary technologies / projects I am working on in upcoming posts.

From a research / general learning perspective 2011 was the year of the cloud.  As anyone who has read this blog knows I have been very involved in work defining Security as a Service (SecaaS) with the Cloud Security Alliance, chairing the research group on this topic.  This has resulted in a paper being published and SecaaS being added as a new domain to the CSA guidance.

I’ll follow this post with one detailing some of my plans and projects for 2012.

K