When Nothing is Better than Something

Any reasonable information security system consists of two fundamental components: (1) a risk assessment; & (2) controls that minimize those risks.  In this article I want to talk about the risk component of risk assessment & the companies that sell cybersecurity products & services — the controls. Understanding the concept of “risk” is tricky for a …

Microservices: A brief explanation and some Hacking Suggestions

What is a Microservice? Microservices are small, autonomous programs that function as both data producers and data consumers, particularly between service boundaries within a virtualized cloud environment. 100-200 individual microservices might be used to render a single Amazon web page, for example. Microservices are a new type of vector into secured networked assets. Microservices can be …

The Fundamental Security Concepts in AWS – Part 3 of 3

Note: A modified version of this article was first published in DZone. Welcome back! If you missed Part 2, check it out here. Securing Data at Rest Data at rest includes inactive data that is stored physically in any digital form (e.g. databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.). Multiple AWS services provide …

The Fundamental Security Concepts in AWS – Part 2 of 3

Introduction NOTE: A modified version of this article was first published on DZone. Two weeks ago, I presented the first of a three-part examination of security concepts and controls in AWS. We looked at the key security principle of AWS: AWS is responsible for the security of the cloud; you are responsible for security in the cloud. See Figure 1. Figure 1 …

DevSecOps Tools and Processes

Goal: Have an automated, auditable secure CI/CD environment where security controls are transparent to developers and users. To this end, I propose the following: Ensure development, QA, and production servers are configured identically but with different passwords. Ensure that secret information (API keys, passwords, AWS credentials, private data, PII, etc.) is adequately protected at rest and …