I spent a mind-stretching few hours yesterday at the Cloud Security Conference organised by The Cloud Circle.
Summing up the whole day into a few points is hard, but these were the key things I took away:
- Security for the Cloud is mostly “just” security, with a few new architectures and contract models
- Know what data you collect and use, and the associated risks
- Know where your data goes, how it gets there and how it might be exposed
- Cloud delivery usually gives you less control
- But sometimes less control is also less risk
- Different landscapes give you different control & risk profiles (IaaS / PaaS / SaaS)
- The importance of knowing about data location and what jurisdictions apply – remember services are often composites from many sub-providers
- If it’s important to you, talk about it with the vendor and get it in the contract – and involve the legal advisors early
- But don’t expect a custom contract for 5p/hr computing bought on a credit card!
- The importance of standards (but this is still an immature market, so not everything has a standard)
- Plan for something to fail, because it will
- Cloud makes you ask questions you should already be asking
I can say with absolute certainty that I am not doing full justice to the depth of the presentations – I recommend looking for the slides on The Cloud Circle’s website.
Key References
Some key reference sources cited by one or more speakers
One ex-colleague points to a CIO Magazine article about another – Paul Cheesbrough’s decision to migrate users at the Daily Telegraph from MS Office to Google Apps.
It’s an interesting choice, one I’ve pushed people to think about, and I can identify with the collaboration benefits that Paul has identified. But will it suit all of his users?
The key thing to remember about cloud apps is that you don’t control the storage of your data, and you often don’t control the circumstances in which it gets released.
From conversations I’ve had with other people in the newspaper industry, I would imagine that by the nature of newspapers some of their staff will be in parts of the world where their activities will be unpopular, and where some of those documents or emails could get them into the way of all sorts of harm.
So how robustly would the provider (in this case Google) resist a lawsuit from the people who want to know what a paper has on them? Especially if that’s a government or a multi-national with deep pockets?
Shared bookmarks for del.icio.us user Synesthesia on 2007-09-07
- Google Library:
Keywords: googleapps, googlelibrary, books
- 10 Micro-Blogging Tools Compared:
Keywords: blogging/technology, socialsoftware
- SlySoft AnyDVD:
AnyDVD works in the background to automatically remove the copy protection of a DVD movie as soon as it’s inserted into the drive, allowing you then to backup the movie using a DVD backup tool such as CloneDVD and CloneDVD mobile. You can also remove t
Keywords: DVD
- You’re invited to the Delicious Preview:
Keywords: del.icio.us
- Jericho Forum “Commandments” (pdf):
The Jericho Forum commandments define both the areas and the principles that must be observed when planning for a de-perimeterized future. Whilst building on “good security”, the commandments specifically address those areas of security that are ne
Keywords: jerichoforum, deperimeterisation
- The Long Tail: The Black Wire and the White Wire:
Chris Anderson (“The Long Tail”) on a symbolic pair of network cables in his office, and some thoughts from me on why it isn’t the right way forward.
Keywords: mycomments, deperimeterisation, JerichoForum
- CoScripter:
CoScripter is a system for recording, automating, and sharing processes performed in a web browser such as printing photos online, requesting a vacation hold for postal mail, or checking bank account information. Instructions for processes are recorded an
Keywords: firefox/extensions, scripting, coscripter, via:jonudell