In addition to my keynote at Agile India 2018, I led a more focused session on cloud security as a precursor to my full-day cloud security workshop.

I focused the first part of the talk on understanding the change that cloud migration represents for many large organisations. I talked about status quo bias, where the risks of what we have today are never considered as serious as the risks of what’s new, even if the new ways of doing things create new opportunities. A shift in technology requires a commitment to changing culture.

I used the UK government experience of introducing a new classification scheme and new principles, while also actively demonstrating a deep commitment to security, as manifested in much more visible and inclusive threat modelling and in some of the techniques Michael and others include in their book on Agile Application Security.

Beyond the purely cultural, I drew out four particular areas of emphasis for those looking to secure their cloud work:

  • Focus on identity
  • Emphasise observability
  • Build quality in
  • Make change easy

To wrap it all up and bring it back to culture and people, I quoted Emma W from NCSC (as I often do):

“If security doesn’t work for people, it doesn’t work”

You can find a video of the session on YouTube.