I managed to get to the Amazon Web Services in the Enterprise event earlier this week. It was a well attended event, with an audience predominantly suited and enterprisey in appearance. Despite an equipment failure (dodgy projector), which necessitated some juggling around with the schedule, I think Amazon managed to get their messages across with respect to the way that their services are currently being used to generate real business value.

As ever with these kinds of events, it was the customer presentations that generated the most interest as far as I am concerned. Vendor presentations are fine and dandy but I’m much more interested in what real organisations are doing and the lessons that such organisations have learned during their initial experiences. The presentation from Bob Harris of Channel 4 was particularly encouraging – especially the statement that AWS is now their default platform of choice for web facing applications; C4 projects now need to justify any decision not to use AWS. Bob also provided an interesting anecdote of a senior technical architect from a major SI making a particularly ill-informed comment regarding the security implications of using S3. The lesson here is to be even more diligent than usual when choosing your SI if working in the cloud space. I will admit to a vested interest here :-).
Overall, I think the message that most people will take away from the event is that the AWS platform is maturing and that confidence is increasing amongst enterprises that tricky issues such as compliance and security can be managed. The other message that AWS clearly wanted to get across is that early adopters are likely to obtain a substantial competitive advantage over their more timid competitors due to increased agility and speed to market. We’ll have to see how that one plays out…
Thursday, 5 November 2009
4 comments:
Regarding security, the keyword is managed. Easier said than done when you need a real sense of security, rather than just theatre.
Completely agree. I think the trick has to be to ensure that all involved have a realistic view of the risks, any mitigations that can be provided and, crucially, the residual risk. The relevant authority then needs to decide whether the benefits of adopting a cloud model outweigh any increase in residual risk. Similar to the usual approach but I think there needs to be a greater emphasis on transparency and, frankly, honesty!
But do we really understand the risks of a risk based approach?
I could see this conversation getting circular very quickly :-)
I believe that the success of a risk-based approach is very dependent on the methodologies chosen and the experience of the practitioner.
So do you go along with Donn Parker's arguments in his ISSA paper?
(http://www.issa.org/Library/Journals/2006/May/Parker%20-%20Replacing%20Risk-Based%20Security.pdf)
I tend to agree that many quantitative risk assessments are worthless (from a security perspective) as the numbers are often not particularly well-founded or useful, especially if you start to consider the error bars! That said, they can be useful communications tools if you believe that the ends (increased security investment) justify the means (dodgy statistics).
Personally, I certainly see the value in more qualitative risk assessment methodologies (including IS 1) that give you a feel for the risks in context but which don't attempt to attach some arbitrary monetary value.
Hmmm... Looking at the length of this comment I should probably just post something on risk-based security :-)