By Adrian
Two weeks ago Rich sketched out some changes to our Friday Summary, including how the content will change. But we haven’t spelled out our reasons. Our motivation is simple. In a decade, over half your systems will be in some cloud somewhere. The Summary will still be about security, but we’ll focus on security for cloud services, cloud applications, and how DevOps techniques intertwine with each. Rather than rehash on-premise security issues we have covered (ad nauseam) for 9 years, we believe it’s far more helpful to IT and security folks to discuss what is on the near horizon which they are not already familiar with. We can say with certainty that most of what you’ve learned about “the right way to do things” in security will be challenged by cloud deployments, so we are tuning the Summary to increase understanding of the changes in store, and what to do about them. Trends, features, tools, and even some code. We know it’s not for everybody, but if you’re seriously interested, you can subscribe directly to the Friday Summary.
The RSA conference is next week, so don’t forget to get a copy of Securosis’s Guide to the RSA Conference. But be warned; Mike’s been at the meme generator again, and some things you just can’t unsee. Oh, and if you’re interested in attending the Eighth Annual Securosis Disaster Recovery Breakfast at RSA, please RSVP. That way we know how much bacon to order. Or Bloody Marys to make. Something like that.
S3 Lifecycle Policies, Versioning & Encryption: AWS Security
CloudWatch Logs Subscription Consumer + Elasticsearch + Kibana Dashboards
Securely Accessing Customer AWS Accounts with Cross-Account IAM Roles
Red Hat Brings DevOps to the Network with New Ansible Capabilities
Why the FBI’s request to Apple will affect civil rights for a generation
Continuous Delivery and Effective Feature Flagging with LaunchDarkly – AWS Startup Collection
Using Amazon API Gateway with microservices deployed on Amazon ECS
Attending RSA in San Francisco? Visit the AWS Pop-up Loft for Security Talks!
Amazon CTO On Encryption: “Evil Players Will Get Access To These Backdoors”
IBM previews new tools for developing with Swift in the cloud
This is a new section highlighting a cloud, DevOps, or security tool we think you should take a look at. We still struggle to keep track of all the interesting tools that can help us, so if you have submissions please email them to info@securosis.com.
Alerts literally drive DevOps. One may fire off a cloud-based service, or it might indicate a failure a human needs to look at. When putting together a continuous integration pipeline, or processing cloud services, how do you communicate status? SMS and email are the common output formats, and developer tools like Slack or bug tracking systems tend to be the endpoints, but it’s hard to manage and integrate the streams of automated outputs. And once you get one message of a particular event type, you usually don’t want to see that event again for a while. You can create a simple web console, or use AWS to stream to specified recipients, but that’s all manual setup. Things like Slack can help with individuals, teams, and third parties, but managing them is frankly a pain in the ass. As you scale up cloud and DevOps processes it’s easy to get overwhelmed. One of the tools I was looking at this week was (x)matters, which provides an integration and management hub for automated messages. It can understand messages from multiple sources and offers aggregation to avoid over-pinging users. I have not seen many products addressing this problem, so I wanted to pass it along.
We are posting our whole RSA Conference Guide as posts over at the RSA Conference blog – here are the latest:
We are giving multiple presentations at the RSA Conference.
Rich and Mike are giving Cloud Security Accountability Tour
Rich is co-presenting with Bill Shinn of AWS: Aspirin as a Service: Using the Cloud to Cure Security Headaches
David Mortman is presenting:
Rich is giving a presentation on Rugged DevOps at Scale at DevOps Connect the Monday of RSAC
We are running two classes at Black Hat USA: