Enterprise Cloud Risk and Security
Thanks to Hoff's tweet earlier today, I watched a presentation titled Enterprise Cloud Risk and Security.Not only is the presentation an excellent use of a slide deck (no narration necessary), but some of the observations that are outlined in it are representative of the thought processes of someone who gets it.
"Fundamentally, engineering is about knowing and respecting the limitations of one's materials. ICT systems are built with software being one of the key materials. And software is thoughstuff. For an engineer of thoughtstuff, the limitations of mathematics and cognitive science are the limitations of the material"
Masterson goes on by arguing that "We need to stop thinking in terms of security and start thinking in terms of health". This argument is based on the premise that any time a fairly simple and controlled solution is scaled up, complexity is introduced that invalidates many of the controls meant to keep it secure.
A little later, Masterson introduces another interesting concept: Redundant Arrays of Independent Clouds (RAIC). Brilliant ;) The simple (and compelling) reason for RAIC is a bit of knowledge derived from biology and in particular, ecosystems: diversity = health.
Issues covering legacy security technologies such as firewalls are also briefly touched upon:
"Concept like 'firewall' embody Russellian assumptions, and are only useful in the small. Instead, consider concepts like quarantine, sterilization chambers, and disinfection, for example."
This is not to say that firewalls cannot be useful, but as we see more and more distribution in our computing infrastructure and our data being spread globally, local perimeters will continue to be necessary, but no longer sufficient.
All and all a very interesting presentation in a novel format, bringing some good things to think about. Go watch it.