Tom Olzak

Archive for the ‘Project Management’ Category

Cloud Security Standards Excuse

In Application Security, Business Continuity, Cybercrime, Project Management, security, Windows 7 on March 23, 2012 at 15:03

I keep reading articles about how the lack of cloud security standards keeps companies away from cloud services. Isn’t this just an excuse? We have security standards for our own organizations… or we should. We also know what is and is not considered best practice. Further, we should by this time understand how trust works and the controls to implement, monitor, segregate, and secure various trust zones. Isn’t the cloud just another trust zone?

Securing the cloud requires the same diligence we use when securing our data centers. The difference lies in oversight requirements. How do we ensure the service provider is achieving the security outcomes we expect? There are cloud service providers that do get it, providing mechanisms for customer oversight, audits, etc. If the provider in your conference room trying to sell her proposal can’t provide the necessary security assurance methods, find someone else..

Don’t use lack of cloud standards to prevent the potential business benefit of hosted infrastructure or applications.

It’s all about business outcomes

In Business Continuity, Project Management, Risk Management, Security Management on April 13, 2009 at 13:57

Interesting stuff in a Kaspersky editorial

Across the variety of orientations which exist within security, outcomes are what counts. Some examples:

  • Compliance officers want to keep the CEO out of jail. All the process in the world is useful because when they’re not, they can talk about their plans for correcting that.
  • Applied Researchers ask “did you pwn it?” They’re concerned with testing a hypothesis, which is “this system resists this type of attack”
  • Law enforcement wants to catch the bad guy (or gal). Much of the friction between civil libertarians and law enforcement comes from a conflict about prioritization of goals.

We’ve focused on process because we have so little data on outcomes. People will talk about their training processes. But when you ask them, did that process work? no one wants to say.

Source: Security is about outcomes, not about process, Adam Shostack, 13 April 2009

Read the rest of this entry »

%d bloggers like this: