Home > Cloud Computing, Cloud Security, Cloud Security Alliance, CloudAudit, Compliance, DevOps > Hoff’s 5 Rules Of Cloud Security…

Hoff’s 5 Rules Of Cloud Security…

Mike Dahn pinged me via Twitter with an interesting and challenging question:

I took this as a challenge in 5 minutes or less to articulate this in succinct, bulleted form.  I timed it. 4 minutes & 48 seconds. Loaded with snark and Hoffacino-fueled dogma.

Here goes:

  1. Get an Amazon Web Services [or Rackspace or Terremark vCloud Express, etc.] account, instantiate a couple of instances as though you were deploying a web-based application with sensitive information that requires resilience, security, survivability and monitoring. If you have never done this and you’re in security spouting off about the insecurities of Cloud, STFU and don’t proceed to step 2 until you do.  These offerings put much of the burden on you to understand what needs to be done to secure Cloud-based services (OS, Apps, Data) which is why I focus on it. It’s also accessible and available to everyone.
  2. Take some time to be able to intelligently understand that as abstracted as much of Cloud is in terms of  the lack of exposed operational moving parts, you still need to grok architecture holistically in order to be able to secure it — and the things that matter most within it.  Building survivable systems, deploying securable (and as secure as you can make it) code, focusing on protecting information and ensuring you understand system design and The Three R’s (Resistance, Recognition, Recovery) is pretty darned important.  That means you have to understand how the Cloud provider actually works so when they don’t you’ll already have planned around that…
  3. Employ a well-developed risk assessment/management framework and perform threat modeling. See OCTAVE, STRIDE/DREAD, FAIR.  Understanding whether an application or datum is OK to move to “the Cloud” isn’t nuanced. It’s a simple application of basic, straightforward and prudent risk management. If you’re not doing that now, Cloud is the least of your problems. As I’ve said in the past “if your security sucks now, you’ll be pleasantly surprised by the lack of change when you move to Cloud.”
  4. Proceed to the Cloud Security Alliance website and download the guidance. Read it. Join one or more of the working groups and participate to make Cloud Security better in any way you believe you have the capacity to do so.  If you just crow about how “more secure” the Cloud is or how “horribly insecure by definition” it is, it’s clear you’ve not done steps 1-3. Skip 1-3, go to #5 and then return to #1.
  5. Use common sense.  There ain’t no patch for stupid.  Most of us inherently understand that this is a marathon and not a sprint. If you take steps 1-4 seriously you’re going to be able to logically have discussions and make decisions about what deployment models and providers suit your needs. Not everything will move to the Cloud (public, private or otherwise) but a lot of it can and should. Being able to layout a reasonable timeline is what moves the needle. Being an idealog on either side of the tarpit does nobody any good.  Arguing is for Twitter, doing is for people who matter.

Cloud is only rocket science if you’re NASA and using the Cloud for rocket science.  Else, for the rest of us, it’s an awesome platform upon which we leverage various opportunities to improve the way in which we think about and implement the practices and technology needed to secure the things that matter most to us.


(Yeah, I know. Not particularly novel or complex, right? Nope. That’s the point. Just like  “How to Kick Ass in Information Security — Hoff’s Spritually-Enlightened Top Ten Guide to Health, Wealth and Happiness“)

Related articles by Zemanta

Enhanced by Zemanta
  1. August 22nd, 2010 at 21:45 | #1

    I believe there is a patch for stupid, its called the beaker patch….. 🙂 Boom 🙂 Boom (as in Basil brush)

  2. August 24th, 2010 at 07:56 | #2

    "Cloud is only rocket science if you’re NASA and using the Cloud for rocket science." haha. Great stuff.

  3. Candace
    September 8th, 2010 at 08:07 | #3

    When it's all over, explore the Shot Bar Zoetrope (third floor, Gaia Building No. 4, 7-10-14 Nishi Shinjuku; 81-3-3363-0162; homepage2.nifty.com/zoetrope), perhaps the only bar within Tokyo’s 23 wards dedicated to exploring the output of Japan’s distilleries. Yoichi Single Malt 1987 and Suntory’s Hibiki 30 Years Old won the World’s Best Single Malt and World’s Best Blended categories, respectively, at the prestigious World Whiskey Awards. If you are a fan.?!? A tad pricey at 84 yen, but worth a shot. Tradition. Toast the Clouds, maybe? Owner is a cinephile….screens silent films there.

  4. September 28th, 2011 at 07:13 | #4

    whoah this weblog is wonderful i love studying your posts. Stay up the good work! You know, lots of persons are searching round for this information, you could aid them greatly.

  5. October 3rd, 2011 at 20:10 | #5
  1. August 21st, 2010 at 12:58 | #1
  2. August 23rd, 2010 at 15:08 | #2
  3. August 23rd, 2010 at 18:02 | #3
  4. August 25th, 2010 at 09:44 | #4
  5. August 31st, 2010 at 13:16 | #5
  6. October 17th, 2010 at 17:03 | #6
  7. November 3rd, 2010 at 17:15 | #7
  8. July 20th, 2011 at 03:45 | #8
  9. August 1st, 2011 at 16:29 | #9