Copy data software is becoming much more prevalent and could be a replacement for many data protection products. But is it? Do copy data solutions provide data protection or just movement of data around the cloud? That is really the crux of the discussion. Is having multiple copies of data out in the cloud sufficient for data protection, or do we need more?
Running a secure hybrid cloud with an on-premises 100% virtualized environment does not make one ready for web scale. Nor does using a hyperconverged infrastructure (HCI). Even if the hybrid cloud is IaaS, we are still talking about something that needs to scale to billions of transactions per day. Web scale, to me, is billions of queries and transactions. That scale is not seen by many applications. Nearly every cloud service is web scale, as cloud services do hit those numbers; however, individual tenants may not be.
Part of a security professional’s job is to do research on possible breaches and attacks. Some try to do this in a vacuum, others share data and information, and still others read reports generated by companies in the know. The granddaddy of such reports is the Verizon DBIR. Where are the reports related to our industries? Do they exist? What other reports exist?
How many of you went through your security awareness training for the year? Did it consist of a simple slide show with a quiz at the end—a slide show that covered not even a tenth of your full security requirements and was about as memorable as the rock you went by this morning? Yes, you passed the quiz (as they gave you the slide deck to review); now you are done with security training for the year. This approach to security training is a load of fecal matter, a useless waste of time that teaches no one anything. It is time for a change!
At InfoSec World 2016 in Orlando, I will be speaking on a model for securely moving to or developing for the cloud. A good model tells you not only what to consider when developing for the cloud, but also what surrounds that application. Knowing what surrounds the application is often required when moving to the cloud. As such, we combine them into one model that covers the basics necessary for a secure cloud deployment of any application.
A secure agile cloud development procedure to produce cloud-native and other applications starts first with a process. (See video at end of this article for a secure process.) This process defines how code created by a developer eventually makes it through to production and customer use. I have found that many companies do not even have such a process, or they have a very short process that consists primarily of the developers doing everything, including testing and security, within their own silos. Since the same developer who wrote the code is also testing it and performing its security review, there are not enough independent eyes on the code to catch all potential attacks.