Monthly Archives: April 2014


Tom Nicholls from the British Standards Institute joins me today on a podcast talking secure cloud best practices, governance and the Cloud Security Alliance STAR programme that the BSi is now not only endorsing but promoting heavily to sit alongside ISO standards.

Listen to the show via iTunes, our RSS feed, or click here

Alessandro Perilli, who heads up the Open Hybrid Cloud team here at Red Hat, gave an impassioned presentation on his take on what the industry needs to understand to succeed and how Red Hat wants to help you get there.

If you have time, make sure you sit through this video; it might be the smartest thing you do all week.

This evening I've been working my way through the changes and modifications in the beta of version 3.1 of the Cloud Security Alliance CCM controls. Version 3.0 is the current shipping version of this living, breathing bible of cloud security goodness. Recently I was in Amsterdam with Jim Reavis and his crew at the CSA SecureCloud Conference, and I'll be out in the US at the annual CSA Congress in the fall. Whilst there I recorded a podcast with Jim that I will bring out later this week.

I regularly talk at conferences explaining why the CSA CCM matrices are one of the most powerful Swiss Army tools an IT practitioner can have when approaching a governance exercise in any facet of private, public or open hybrid cloud. The matrix crosses business verticals, allowing an organisation to consider the pressures of location and data type, workload or platform. This in turn allows you to make weighted decisions around application migration, infrastructure deployment and the isolation of services or provisioned platform services.

Meanwhile, the audit community continues to hone and document how it assesses technical and actual risk in an on-premise cloud, a contracted-out public cloud, or a hybrid elastic combination of the two.

As 3.1 emerges and becomes the new de facto standard I will bring more information on how best to adopt it; for now, please point your browsers at the current shipping version of the matrix, which you will find here.

Ten days ago I did a podcast with Richard Clarke, ABC News Cyberterrorism correspondent and advisor to the White House and three former US presidents. Little did I know that three days later the world would react to the release of the information around the OpenSSL vulnerability now known as Heartbleed.

To get a podcast with Richard is a bit of a coup. He doesn't speak to very many media outlets in the IT space, and certainly not ones with the reach and the focus around Cloud that I have. Since I put it on air almost 30,000 folk have listened to it, and it has started conversations and featured in articles about who within the intelligence agencies and the NSA knew what, and when they became aware.

My feeling is: does it matter? I would hope, as a peace-appreciating, freedom-appreciating citizen of the modern world, that the agencies out there react and work in a manner that is forward thinking and communicative. Indeed, all my own personal experience having worked in intelligence and in defence is that they are stretched, badly paid and badly appreciated, and rely on relationships with industry just to tread water. I find it very hard to believe that the question of who knew what, when and where is relevant to us going to Cloud.

The real question falls on you, the deployer, the architect, the developer: ensure you use a certified OS, that you have a patch strategy, that you own your reporting and your logging, and that you understand and breathe governance. Understand the blended control matrices that allow you to own your footprint in public, private or open hybrid cloud, mated to a risk environment that conforms to your appetite or GRC tables.

Richard went on the record, unprompted and on my microphones, stating for a fact that mandated US Government behaviour was to patch and interact unless there was a massive stated case with interagency ministerial support to behave otherwise. I took him at his word, and no doubt many would argue otherwise. I looked him in the eye and that is genuinely good enough for me.

You can listen in to the podcast via iTunes or Stitcher, or you can follow the link to the direct download / stream below and make your own mind up.

You can listen to or download the show here