Thursday, 20 October 2011

Securing Cloud Services

One of these times I really must put myself in a position where I don't have to apologise for the tardiness of my posting. Oh well, let's take my general neglect of this blog as read and move on :-)

So why am I posting now, after letting the DigiNotar hack, the release of BEAST and all sorts of other interesting security events pass without comment? Mostly because of two of the things that have been keeping me busy over the last few months - security architecture and cloud computing.

I'm very keen on the use of enterprise architecture techniques and methodologies to drive traceability between security risks, security requirements and the delivered components. In my view it's the best way to deliver systems that are as secure as the business stakeholders require them to be - no more and no less. It's also a great way to consolidate security services and drive consistency of approach across an organisation. So one of the things keeping me busy has been preparing the materials needed to expound the benefits of security architecture to our would-be clients. As an example, please take a look at http://bit.ly/n2Ddwa.

Which brings me on to the second thing. For my sins, I have agreed to write a book on securing cloud services. Having become frustrated by the lack of real practical guidance out there, I'm setting out with the intention of helping cloud consumers to design cloud services that meet their security requirements. Obviously there's a limit to the amount of detail that I can cover. I'm targeting architects and designers rather than coders and so there's no Azure or APEX code in there. But I believe that there is a gap in the market for a book that explains how organisations can deliver their security services across the various cloud service models of IaaS, PaaS and SaaS. Am I wrong? I guess we'll find out in Q1 2012.