Posts

Showing posts from 2017

Securing the cloud using PaaS services

I've been asked several times what the building blocks of a secure cloud solution are. In my last 2017 blog I revisit the paper I wrote a while back called "13 Effective Security Controls for ISO 27001 Compliance" and reconsider the 13 security measures that help meet compliance controls. One important update in this blog over the paper is that I will not look at IaaS services a whole lot. Protecting an OS or VM has been done to death. IMHO organizations need to get out of the business of managing the health of OSs, VMs and web services. Moving to containers with an orchestration engine such as Kubernetes, or to a platform such as those provided by Azure or AWS, is one of the best long-term security investments. No more AV, patching, or host services maintenance… The goal is to get most companies out of the IT business and into their core competency, with a high-tech offering that provides a capability on demand. Moving...

Update to the Azure PCI-DSS Blueprint

Wow, the PCI DSS blueprint has been out for almost 2 months! Time for an update. Our friends in the App Services team recently released a new version of ASE, and we incorporated it into the blueprint. As of now the Azure PCI DSS blueprint is built with ASE v2. Here is what the ASE v2 App Service Environment introduced, and its newest features: faster deployment; a more effective pricing model; built-in flow management, so there is no need to build your own worker pools anymore; 100 workers instead of the 50 in v1; and twice the memory, with much bigger sizes for the workers. Hope you have a chance to try it out!

Azure Blueprint Automation: Web Applications for FedRAMP

As I spend more time developing work that helps drive cloud adoption, I like to be reminded that moving to the cloud is hard! Understanding Microsoft's or AWS's terminology and responsibilities can be complex in ways that are frequently overlooked. I've addressed shared responsibility when moving to the cloud in my paper "Shared Responsibility in Cloud Computing", as it's essential to understand the cloud role you take on before you adopt cloud computing. The role of security changes each time you move up the stack from IaaS to SaaS. Overall your attack surface may get smaller, but your security posture cannot change: you must stay on top of your security effort. In IaaS, securing your environment is a bit tougher, as you have to protect data, users, applications, and hosts. That means you own your VM: you have to patch it, run AV/AM, configure it correctly, and monitor the VM. That's a lot of operational items that are easy to miss, or ...

Building a threat model for a PaaS based Cloud service

A while back I worked with a great architect and all-round guru of secure code, Adam Shostack, who is a foremost expert when it comes to threat modeling. He does a great job of helping educate us all on how you should plan a secure solution before you build it. A threat model should be seen as a key design element before coding starts, similar to a floor plan in a house design. In this blog I wanted to illustrate the value and methods required to build a threat model, and tie it back to work I recently published, the Payment Processing Blueprint for PCI DSS-compliant environments, which included a sample threat model for a cloud-based PaaS solution. Wow, that's great: a free starter threat model for an architecture, what else can you ask for? What does it take to create your very own threat model? Think like an attacker; it's important to see the problem from the attacker's point of view when designing or architecting a solution. For instance that includes thin...

PCI DSS workload in Azure, done in a snap.

This past while I've been working on a new set of solutions that expands on work I've done in the past helping people adopt Azure cloud securely. The process has involved an evolution that moved from guidance to automation. I've also written about shared responsibility and what it takes for a provider like Microsoft to create a compliance program. But what does it take for our customers to use our services and be compliant? The PCI Blueprint is a first-of-its-kind solution that makes it possible to quickly understand what it takes to build a compliant workload on Microsoft Azure without having to learn the ropes of PCI DSS compliance! I put together a short video that illustrates how easy it is to deploy the solution, and a PCI DSS workbook providing the mapping of the solution to controls (which you can download from the documentation site). What's also really cool is that the solution comes with a full-fledged threat model diagram. If you've ever contemplat...