Summing up the whole day into a few points is hard, but these were the key things I took away:
- Security for the Cloud is mostly “just” security, with a few new architectures and contract models
- Know what data you collect and use, and the associated risks
- Know where your data goes, how it gets there and how it might be exposed
- Cloud delivery usually gives you less control
- But sometimes less control is also less risk
- Different landscapes give you different control & risk profiles (IaaS / PaaS / SaaS)
- The importance of knowing about data location and what jurisdictions apply – remember services are often composites from many sub-providers
- if it’s important to you, talk about it with the vendor and get it in the contract – and involve the legal advisors early
- But don’t expect a custom contract for 5p/hr computing bought on a credit card!
- The importance of standards (but this is still an immature market, so not everything has a standard)
- Plan for something to fail, because it will
- Cloud makes you ask questions you should already be asking
I can say with absolute certainty that I am not doing full service to the depth of presentations – I recommend looking for the slides on The Cloud Circle’s website.
Some key reference sources cited by one or more speakers
- Security Guidance for Critical Areas of Focus in Cloud Computing v3 published by Cloud Security Alliance
- European Network and Information Security Agency
- Secure Development Lifecycle
- ISO27001, SSAE-16, Vericode
- Fifteen Mobile Policy Best Practices
- Google Apps Security
Steve Plank, Microsoft
Rashmi Knowles, RSA
James Snow, Google
Mark Webber, Osborne Clarke
George Anderson, Webroot
Kris Meulemans, Mozy
The Cloud Circle
I’ve been to a few events organised by The Cloud Circle, and I whole-heartedly recommend them. The events are sponsored, and free for delegates. The organisers are pretty good at keeping speakers relatively agnostic and avoiding overt sales pitches, regardless there are always a good mix of vendors, so with care you can pick out the common threads.
The delegates are a good mix, and I always learn something from the questions from the floor.