Multi-Tenancy Cloud Security
I recently produced a white paper to explore the risks that concern security practitioners and the security controls that cloud service providers are deploying to address them, particularly in the context of multi-tenancy. The findings are the result of the analysis of views gained from a series of workshops and roundtables held with security practitioners from companies drawn across a range of industry sectors. This has been combined with insights provided by advisory firm consultants with client experience with both cloud service providers and their customers. The end result, according to both the author and many other security practitioners, is that multi-tenant cloud systems can be at least as secure as important types of on-premise system and may in some cases be even more secure. Download the paper in pdf format.
This paper elaborated on an earlier commentary paper from 2011 published in Information Security Technical Report. Abstract: The move to cloud computing is the next stage of an unstoppable trend in the breakdown of the enterprise perimeter, both technically and organisationally. This new paradigm presents a number of security challenges that still need to be resolved but sufficient change in the IT environment has already happened - so that most organisations are working in a transitional state where security exploits are happening across the enterprise boundary. In this situation, the compartmentalisation introduced by migrating to cloud services could result in much improved security. (P G Dorey & A Leite , Commentary:Cloud computing - A security problem or solution? ISTR Volume 16, Issues 3–4, August–November 2011, Pages 89–96)
The move of cyber security risks from standard IT systems into the systems that control physical processes like chemical plants, electricity grids and even our cars, came upon us almost by surprise as we moved into the new millenium. The next phase of embedded systems will be even more dramatic with information security being key to our personal privacy and even physical safety and security as we see pervasive computerisation of medical devices, homes and almost everything we buy and use in the new 'Internet of Things'. I am very active in this field of interest and will be publishing the more public work on this web site when it becomes available. If you have a particular interest in IoT security, please feel free to contact me. My recent short presentation linking IoT security to the Outside-In view is mentioned below.
I have also just (April 2015) produced a paper on IoT security which is available to the LEF membership, but a summary is also more generally available. Ideas, frameworks and methods are also published on www.trustedthings.com
Security Outside-In
Since 2001 I have been fortunate to be amongst those who have been active in making the IT and information security community aware that confidence in security within the corporate network will be increasingly difficult and that we need to move to the protection of data rather than over reliance on the nework perimeter. In the Jericho Forum we pursued the theme of de-perimeterisation and the need for a layered approach. Subsequent experiences of advanced threat showed us that detection was as (if not more) important than security protection and a group of CISOs published their views in an RSA Innovation report.
Cloud services and mobility has continued these themes at a pace, as I discussed at the December 2014 HP Colloqium at Royal Holloway. A copy of my slides can be downloaded. The Leading Edge Forum continue in the work in helping IT teams develop their strategy for externalised IT and I am happy to be able to contribute to this actvity as illustrated in a recent paper.
Security Management Convergence (Holisitc Risk View e.g. Digital and Physical Security)
Over the past decade there has been on and off interest in the subject of security convergence. Studies, articles and two key books have been written together with an alliance programme and a section in a forthcoming International security standard. Opinions in the industry have been split with some saying that the very idea is irrelevant whilst others cite technology convergence between physical access control and IT being the main rationale driving a converged view. In August and September 2011 the ASIS International European Security Convergence committee and The Information Security Awareness Forum conducted a survey of their members to determine how many medium to large enterprises are operating or working towards a converged security strategy. 216 security professionals from across the Physical and Information Security community responded.
Even though the majority of respondents said that their organisations were separate it was clear from individual comments and responses that other approaches were used to promote closer working. The analysis of what is converging showed that 60% are working together on security projects across the enterprise. In fact 39% are working either in the same department or report to a shared executive director with a further 21% collaborating on a variety of security issues. Companies are increasingly seeing the need to develop their thinking on security strategies and perhaps as awareness of cyber threats increases there is a correlating concern for looking at security more holistically. Common reporting, advances in technology and increasing reliance on networked systems will inevitably develop converged relations.