Blog
AWS re:Invent 2016 Blog
by Mike Small
In the last week of November I attended the AWS re:Invent conference in Las Vegas – this was an impressive event with around 32,000 attendees. There were a significant number of announcements at this event; many were essentially more of the same, but bigger and better, based on what their customers were asking for. It is clear that AWS is going from strength to strength. AWS announced many faster compute instances with larger amounts of memory optimized for various specific tasks. This may seem boring - but these announcements were received with rapturous applause from the audience...
Blog
Democratized Security
by Mike Small
At the AWS Enterprise Security Summit in London on November 8th, Stephen Schmidt, CISO at AWS, gave a keynote entitled “Democratized Security”. What is Democratized Security and does it really exist? Well, to quote Humpty Dumpty from the book Alice in Wonderland: “When I use a word it means just what I choose it to mean—neither more nor less.” So, what Mr. Schmidt meant by this phrase may or may not be what other people would understand it to mean. This is my interpretation. The word democracy originates in ancient Greece and where it...
Blog
Be careful not to DROWN
by Mike Small
On March 1st OpenSSL published a security advisory, CVE-2016-0800, known as “DROWN”. This is described as a cross-protocol attack on TLS using SSLv2 and is classified with a High Severity. The advice given by OpenSSL is: “We strongly advise against the use of SSLv2 due not only to the issues described below, but to the other known deficiencies in the protocol as described at https://tools.ietf.org/html/rfc6176”. This vulnerability illustrates how vigilant organizations need to be over the specific versions of software that they use. However, this is easier...
Blog
ISO/IEC 27017 was it worth the wait?
by Mike Small
On November 30th, 2015 the final version of the standard ISO/IEC 27017 was published. This standard provides guidelines for information security controls applicable to the provision and use of cloud services. This standard has been some time in gestation and was first released as a draft in spring 2015. Has the wait been worth it? In my opinion yes. The gold standard for information security management is ISO/IEC 27001 together with the guidance given in ISO/IEC 27002. These standards remain the foundation but the guidelines are largely written on the...
Blog
Why Governance Matters to IT Security
by Mike Small
MetricStream, a US company that supplies Governance, Risk and Compliance applications, held their GRC Summit in London on November 11th and 12th. Governance is important to organizations because of the increasing burden of regulations and laws upon their operations. It is specifically relevant to IT security because these regulations touch upon the data held in the IT systems. It is also highly relevant because of the wide range of IT service delivery models in use today. Organizations using IT services provided by a third party (for example a cloud service...
Blog
AWS Security and Compliance Update
by Mike Small
Security is a common concern of organizations adopting cloud services and so it was interesting to hear from end users at the AWS Summit in London on November 17th how some organizations have addressed these concerns. Financial services is a highly regulated industry with a strong focus on information security. At the event Allan Brearley, Head of Transformation Services at Tesco Bank, described the challenges they faced exploiting cloud services to innovate and reduce cost, while ensuring security and compliance. The approach that Tesco Bank took, which is the one...
Blog
Building a Cyber Defence Centre: IBM’s rules for success
by Mike Small
According to GCHQ, the number of cyber-attacks threatening UK national security has doubled in the past 12 months. How can organizations protect themselves against this growing threat, especially when statistics show that most data breaches are only discovered some time after the attack took place? One important approach is to create a Cyber Defence Centre to implement and co-ordinate the activities needed to protect against, detect and respond to cyber-attacks. The Cyber Defence Centre has evolved from the SOC (Security Operations Centre). It supports the processes for enterprise security...
Blog
Real Time Security Intelligence (RTSI)
by Mike Small
Organizations depend upon the IT systems and the information that they provide to operate and grow. However, the information that they contain and the infrastructure upon which they depend is under attack. Statistics show that most data breaches are detected by agents outside of the organization rather than internal security tools. Real Time Security Intelligence (RTSI) seeks to remedy this. Unfortunately, many organizations fail to take simple measures to protect against known weaknesses in infrastructure and applications. However, even those organizations that have taken these...
Blog
And all for the want of a nail
by Mike Small
On Friday morning (October 23rd) I was preparing for my lecture on software vulnerabilities to the final year degree students at the University of Salford when I heard the news of the TalkTalk data breach. Now this is not about that breach in particular – it is important to wait until the detailed investigation is complete before drawing conclusions. However, that breach provided me with an example of the high level of responsibility now borne by the CISO. Using the story as an example I asked the students how they would like to explain to the press and...
Blog
Getting the Cloud under Control
by Mike Small
Many organizations are concerned about the use of cloud services; the challenge is to securely enable the use of these services without negating the benefits that they bring. To meet this challenge it is essential to move from IT Management to IT Governance. Cloud services are outside the direct control of the customer’s organization and their use places control of the service and infrastructure in the hands of the Cloud Service Provider (CSP). The service and its security cannot be ensured by the customer – the customer can only assure the service through a...