I spent a mind-stretching few hours yesterday at the Cloud Security Conference organised by The Cloud Circle.
Summing up the whole day into a few points is hard, but these were the key things I took away:
- Security for the Cloud is mostly “just” security, with a few new architectures and contract models
- Know what data you collect and use, and the associated risks
- Know where your data goes, how it gets there and how it might be exposed
- Cloud delivery usually gives you less control
  - But sometimes less control is also less risk
- Different landscapes give you different control & risk profiles (IaaS / PaaS / SaaS)
- The importance of knowing about data location and what jurisdictions apply – remember services are often composites from many sub-providers
  - If it’s important to you, talk about it with the vendor and get it in the contract – and involve the legal advisors early
  - But don’t expect a custom contract for 5p/hr computing bought on a credit card!
- The importance of standards (but this is still an immature market, so not everything has a standard)
- Plan for something to fail, because it will
- Cloud makes you ask questions you should already be asking

I can say with absolute certainty that I am not doing full justice to the depth of the presentations – I recommend looking for the slides on The Cloud Circle’s website.
Some key reference sources cited by one or more speakers:

- Security Guidance for Critical Areas of Focus in Cloud Computing v3, published by the Cloud Security Alliance
- European Network and Information Security Agency (ENISA)
- Secure Development Lifecycle
- ISO 27001, SSAE-16, Veracode
- Fifteen Mobile Policy Best Practices
- Google Apps Security