Making sense of the Cloud-buzz: what quick wins are available to establish Business and Security value?
The conversation was kicked off by guest speaker Steve Deakin, Head of Development and Operations at Lloyds of London, discussing his experiences of Cloud and the client perspective. Next followed Nick Robinson, Systems Engineering Manager at Palo Alto Networks, who provided a view of real world innovations and shared Cloud success stories that he has seen from his clients across EMEA.
Here is a high level summary and description of the quick wins that were discussed:
- Learn -> Hack -> Iterate
Horizon Scanning & DevOps with an AGILE mind-set
- Microsites and Micro services that are already trialled, tested and robust from an architecture and security perspective - this enables one to rapidly deploy new products and services, websites etc. with security peace of mind.
- Serverless - just focus on writing codes and you can make changes in microseconds! It is easy to deploy, low cost, gives you more time to focus on UX and is more efficient for developers by ensuring you are keeping code backed up and in a secure environment.
- Grid Data Analyst - overcome floods and complexity of big data and unlock the power of analytics with the right data in the right place.
- OWASP Top 10 - whilst the threat landscape remains consistent year on year, everyone should make sure they are aligned to the latest as it evolves. Assuming the top 10 remains unchanged or that changes are incremental such as low priority to action, can lead to vulnerabilities. www.owasp.org
- NCSC - The National Cyber Security Centre is an organisation of the United Kingdom Government that provides advice and support for the public and private sector on how to avoid computer security threats. www.ncsc.go.uk
- Ethical Hacking - this should be continuously implemented - leverage Pen testers and vulnerability scanning as much as possible in order to follow best practices and processes - Learn -> Hack -> Iterate.
- Social Engineering was also discussed, not so much as a quick win due to the complexity (get the simple things right first) however, advised to leverage Pen testers to protect your business from bad actors that use social engineering tactics.
- Multi Factor Authentication – we discussed how this is a very low hanging and important measure to put in place. Leverage MFA to 1) require individuals to provide two or more authentication factors to confirm their identity for online transactions or to gain access to corporate applications, networks and servers and 2) insight and reports on the user's activity. Identity (IAM) and Privilege Access Management (PAM) were also mentioned as a further way to secure your business.
- Security Information and Event management (SIEM) - leverage SIEMS as a means to log attacks. An IT Service Provider can provide an important layer of service to proactively manage, monitor and report on what the SIEM is seeing on a 24/7 365 basis.
- Security Operation Centre (CSOC) - further to SIEM, a CSOC can strengthen your security posture and enable you to be more proactive in your approach - https://www.exponential-e.com/advanced-monitoring-and-management
- Cloud Patterns are a widely used concept to describe solutions to reoccurring problems - for building reliable, scalable, secure applications in the cloud. Best examples are as follows;
- Azure https://docs.microsoft.com/en-us/azure/architecture/patterns/
- AWS https://aws.amazon.com/architecture
- Building out centralised repository for enterprise data, for tasks such as reporting, visualization, analytics and machine learning - leveraging cloud partners to build out big data solutions.
A debate for another day
- DevOps and Open Source software is and will continue to be the main target for bad actors, they hold the code (the crown jewels). Should such resources have locked or unlocked internet access? On one hand it offers flexibility and agility, on the other it is more locked down and has a stronger argument from a security perspective.
#Azure #AWS #CloudPatterns #Cybersecurity #OWASP #NCSC #DevOps #HorizonScanning #EthicalHacking #Digital Transformation