Author Archives: Michael Yung

About Michael Yung

Michael has over 30 years of experience in Information Technology, focusing on complex application development, database technologies and IT strategy. He has also spent the last 20 years in Internet technology, eCommerce development and operations, web usability, computer security and Public Key Infrastructure technologies.

AWS Cloud Security

Going to Vegas for the Amazon re:Invent event is one of the best ways to learn about cloud computing and cloud security. The second best, of course, is simply to browse the slide decks or videos of the event from your office or home. So here you go, fresh from the Internet: course 206 of the security track, “Security of the AWS Cloud”.

And don’t forget to follow up with the slide decks of “AWS Cloud Security” and “Security and Compliance”.

Enjoy !!

To cloud or not to cloud?

If you ask the above question of the various cloud service providers, I am sure their answer is a definite “Yes”.

If you ask the same question of end users, their answer may well be “I really don’t care.” Ask business owners and their answer will probably be “Maybe”, because seriously no one really explains all the cloud benefits and the implementation pros and cons to them.

We IT professionals, however, will probably give a vague answer: “It depends.” The long form of that answer is: “It depends on the maturity of the cloud market and technology, and on whether the solutions available today can match your budget, quality requirements and expected service level. More importantly, it depends on whether cloud technology and solutions can help your company improve its competitive advantage.”

That is exactly what the Cloud Security Alliance (CSA) and the Information Systems Audit and Control Association (ISACA) did in a recent survey, to answer part of the question: what is the maturity of the cloud technology and market right now? A collaborative project by CSA and ISACA, the Cloud Market Maturity study provides business and IT leaders with insight into the maturity of cloud computing.

The study also reveals that cloud users in 50 countries were least confident about the following issues (ranked from least confident to most confident):

  1. Government regulations keeping pace with the market (1.80)
  2. Exit strategies (1.88)
  3. International data privacy (1.90)
  4. Legal issues (2.15)
  5. Contract lock in (2.18)
  6. Data ownership and custodian responsibilities (2.18)
  7. Longevity of suppliers (2.20)
  8. Integration of cloud with internal systems (2.23)
  9. Credibility of suppliers (2.30)
  10. Testing and assurance (2.30)

None of these findings is really a surprise, I suppose. It is nevertheless important to conduct such a study, because it helps us understand how the cloud market will change over time and how it advances from infancy to full maturity.

Do check out the press release and the full report to learn more about the findings, or check out the accompanying infographic: the whole report in one picture.

4 key questions about your security programme

If you are the CISO of your organization and are implementing a security programme, what questions should you ask yourself to help realize a successful programme rollout? No, it is not about what software to use, what hardware to install, what process to put in place or even what vulnerabilities you are going to remediate or mitigate. In fact, the questions are:

  1. Are we doing the right things?
  2. Are we doing them the right way?
  3. Are we getting them done well?
  4. Are we getting the benefits?

Four simple questions about your security programme, all about business results rather than technology, schedule and resources. Four questions about reality, so that your company can make informed decisions. In addition, each of the four questions can be further elaborated, for example:

Are we doing the right things?

  1. What technology and processes are proposed?
  2. For what business outcome?
  3. How do the deliverables within the programme contribute?

Are we doing them the right way?

  1. How will it be done?
  2. What is being done to ensure that it will fit with other current or future capabilities (e.g. business, operational or technical capabilities)?

Are we getting them done well?

  1. What is the plan for doing the work?
  2. What resources and funds are needed?

Are we getting the benefits?

  1. How will the benefits be delivered?
  2. What is the value of the security programme?

You should answer all of these questions based on relevant, current, accurate and business-focused information. By then, I am sure, you will find that a successful security programme no longer depends on technology, process and policy alone; it is also an investment that has an enormous impact on creating and sustaining business value.