September 25 - Day 5: Cloud Security & Risk - InformationWeek


Good Info, terrible recording...

Apprentice

Mike Kail is definitely worth reading.

Author

Thanks for the pointers, yes it is difficult to research every new provider in the market.

Ninja

@Brian.Dean--I think you definitely want a SIEM (Security Information and Event Management) system.  The tricky parts are (a) are you logging everything, (b) are you algorithmically detecting issues across your logs effectively, and (c) are you able to detect improper transmission of your information?

A vendor can help you with most of (a) (but you still have to think through and make sure you really are logging everything), and probably all of (b), and only part of (c).  And you can pay wildly different amounts of money to different vendors for (a)-(c).  That said, I don't have strong enough knowledge of every service that each provider you listed has, so I don't know the answer.

Ninja

Probably the best CIO I'm aware of today is Mike Kail, formerly of Netflix, and now of Yahoo!.  He's a great guy to follow on Twitter (@mdkail), and it's well worth reading interviews with him and speeches he gives.  He completely gets the risk/risk tradeoff of security vs. productivity, and I view him as "one of the good guys" who is doing absolutely everything he can in favor of productivity (and happy employees).  

Ninja

Should security monitoring be outsourced to a company like Norton or would newer security firms like CatBird, Splunk and BrickHouse Security, etc., that use SDN technologies to monitor network activities be a better option?

Ninja

Thank you, this helps a lot!

Ninja

(those prices are per user, not for the whole company!)

Ninja

@Brian.Dean--identity-as-a-perimeter should work anywhere, but the more services you're running, the harder it is to implement.  (However, the more services you're running *without* identity-as-a-perimeter, the more likely you're going to have some significant problems).  One annoyance of mine is that many SaaS providers only put support for your identity service in their most expensive tier, so you end up having to pay a lot for good security.  The webmeeting software we use is around $10/month for the features we need, but is more than 5X that if we want those same features and to hook up to our Active Directory.

Ninja

@Lorna, @Brian.Dean--there are some good services out there that offer intrusion detection/intrusion prevention/log storage and scanning (including human daily reviews), etc.  It's possible to outsource the human-workload-intensive aspects of InfoSec, but you really need to keep control over the policies and implementation.

Ninja

@Brian.Dean--I think that precaution v. cure is difficult.  The problem is that a lot of bad things are done on the precaution end.  I tend to follow these guidelines:

- let employees use the devices they want with unfettered local administrative rights

- log everything, and monitor the logs constantly, including human log review on a regular (preferably daily) basis

- implement every non-invasive strategy possible to limit threats (e.g., intrusion prevention, DNS filtering, email scanning)

- classify information granularly and make sure you're applying least-user-privilege with respect to information


Ninja

Does Identity-as-perimeter security work best in VDI or granular environments?

Ninja

@Lorna--I think that the OpenStack-based providers are probably the next in granularity, behind AWS, but it's been about 9 months since I've checked in depth.

Ninja

@Lorna--Auditors definitely ask (and may check, depending upon the audit) about how employees are informed about the infosec policies, how often you do refreshers, and whether you talk about the full range of issues that employees can expose businesses to (e.g., malware, etc.).

Ninja

@Brian.Dean--STAR asks a ridiculous number of questions about basically everything.  I actually think that having good answers to all of the questions is the most important aspect for a provider.  Like so much in security, it's really more about showing that you've thought about everything and are making intelligent decisions about all of the various things that can happen in InfoSec.  Here's the link: https://cloudsecurityalliance.org/star/

Ninja

@Lorna, good point, it would be nice to have an automated screen system, with a limited number of false positives.

Ninja

Risk/risk trade-off: would it be safe to say that precaution is cheaper than cure (in terms of security)?

Ninja

It almost seems like job 1 should be finding a breach as fast as possible, because yeah, someone is always going to get in.

Author

If cost was kept out of the equation, what can Target and Home Depot do to prevent future data breaches?  

Ninja

Do more "full service" IaaS vendors, like SoftLayer or RackSpace, offer those granular accounts?

Author

The dark side of DevOps - everything changes all the time.

Author

Do auditors ask about training?

Author

What are some of the important questions that are mentioned in STAR?

Ninja

Sorry for that interruption, everyone: Joe will present the full lecture -- don't worry about missing any content!

Strategist

I think the HVAC system was used to gain access to the POS system.

Ninja

@LornaGarey - sounds like it is back now? 

Apprentice

@Lorna, I'm sorry to hear that -- I'm still receiving audio on my browser. You might try refreshing your browser window...

Strategist

Class 1, "Introduction To Current Cloud Options" -- http://www.informationweek.com/september-16---day-1-introduction-to-current-cloud-options/l/d-id/1297922?piddl_promo=&p_lg_c=

Class 2, "Late To The Cloud? No Problem" -- http://www.informationweek.com/september-18---day-2-late-to-the-cloud-no-problem/l/d-id/1297975?piddl_promo=&p_lg_c=

Class 3, "The Rise of CloudOps" -- http://www.informationweek.com/september-19---day-3-the-rise-of-cloudops/l/d-id/1298013?piddl_promo=&p_lg_c=

Class 4, "Cloud Orchestration" -- http://www.informationweek.com/september-23---day-4-cloud-orchestration/l/d-id/1298015?piddl_promo=&p_lg_c=

Strategist

@Lorna, for some people a box with that information will appear to the right of the "Your Post" box. For the rest, I'll provide links to the first four classes in just a moment.

Strategist

Good Morning/Afternoon Everyone!

Ninja

Hi all -Audio is live! If you don't see the audio bar at the top of the screen, please refresh your browser. It may take a couple tries. When you see the audio bar, if it doesn't start automatically, hit the play button. If you experience audio interruptions and are using IE, try using FF or Chrome as your browser. Many people experience issues with IE. Also, make sure your flash player is updated with the current version. Some companies block live audio streams, so if that is the case for your company, the class will be archived on this page immediately following the class and you can listen then. People don't experience any issues with the audio for the archived version.

Apprentice

Hi all. Kurt, is there meant to be a box w/the previous sessions?


Author

Good morning, @thuffer945! It's good to see you here, today.

Strategist

We'd love to have your voice in the class discussion here. To take part, just type your comment or question into the "Your Post" box and then click on the "Post" button below the box. Feel free to introduce yourself before the show starts -- I think you'll find that we're a very friendly learning community here! 

Strategist

Hey, everyone, we're glad you could join us! When the class is scheduled to start, at 2:00 p.m. EDT, an audio player should appear above the "Your Post" window. If it doesn't appear, you might need to refresh your browser until it does. If it appears but doesn't start playing, then you may need to click on the "play" button on the far left of the player. 

Strategist
