I spent a mind-stretching few hours yesterday at the Cloud Security Conference organised by The Cloud Circle.
Summing up the whole day into a few points is hard, but these were the key things I took away:
- Security for the Cloud is mostly “just” security, with a few new architectures and contract models
- Know what data you collect and use, and the associated risks
- Know where your data goes, how it gets there and how it might be exposed
- Cloud delivery usually gives you less control
- But sometimes less control is also less risk
- Different landscapes give you different control & risk profiles (IaaS / PaaS / SaaS)
- The importance of knowing about data location and what jurisdictions apply – remember services are often composites from many sub-providers
- If it’s important to you, talk about it with the vendor and get it in the contract – and involve the legal advisors early
- But don’t expect a custom contract for 5p/hr computing bought on a credit card!
- The importance of standards (but this is still an immature market, so not everything has a standard)
- Plan for something to fail, because it will
- Cloud makes you ask questions you should already be asking
I can say with absolute certainty that I am not doing full service to the depth of the presentations – I recommend looking for the slides on The Cloud Circle’s website.
Key References
Some key reference sources cited by one or more speakers