I spent a mind-stretching few hours yesterday at the Cloud Security Conference organised by The Cloud Circle.
Summing up the whole day into a few points is hard, but these were the key things I took away:
- Security for the Cloud is mostly “just” security, with a few new architectures and contract models
- Know what data you collect and use, and the associated risks
- Know where your data goes, how it gets there and how it might be exposed
- Cloud delivery usually gives you less control
- But sometimes less control is also less risk
- Different landscapes give you different control & risk profiles (IaaS / PaaS / SaaS)
- The importance of knowing about data location and what jurisdictions apply – remember services are often composites from many sub-providers
- If it’s important to you, talk about it with the vendor and get it in the contract – and involve the legal advisors early
- But don’t expect a custom contract for 5p/hr computing bought on a credit card!
- The importance of standards (but this is still an immature market, so not everything has a standard)
- Plan for something to fail, because it will
- Cloud makes you ask questions you should already be asking
I can say with absolute certainty that I am not doing full justice to the depth of the presentations – I recommend looking for the slides on The Cloud Circle’s website.
Key References
Some key reference sources cited by one or more speakers:
- Security Guidance for Critical Areas of Focus in Cloud Computing v3 published by Cloud Security Alliance
- European Network and Information Security Agency
- Secure Development Lifecycle
- ISO 27001, SSAE 16, Veracode
- Fifteen Mobile Policy Best Practices
- Google Apps Security
Speakers
Steve Plank, Microsoft
Rashmi Knowles, RSA
James Snow, Google
Mark Webber, Osborne Clarke
George Anderson, Webroot
Kris Meulemans, Mozy
The Cloud Circle
I’ve been to a few events organised by The Cloud Circle, and I wholeheartedly recommend them. The events are sponsored, and free for delegates. The organisers are pretty good at keeping speakers relatively agnostic and avoiding overt sales pitches; in any case there is always a good mix of vendors, so with care you can pick out the common threads.
The delegates are a good mix, and I always learn something from the questions from the floor.