About the blog

This blog is dedicated to Cloud Computing Security from an Enterprise perspective.

cloudsecurity.org is an independent Web site, founded by Craig Balding in April 2009.

Stay up to date, subscribe by RSS or email

About the blogger: Craig Balding

I Geek, Therefore I Am

I started out as a system/database administrator after graduating from university with a Systems Analysis degree in 1994. Although the course was fascinating – combining systems thinking, linguistics, technology, sociology and economics – I soon realised it wasn’t fulfilling my inner geek.

Two technology areas did end up grabbing my attention.

“Wow, Check Out Those Unix Wizards!”

I was fascinated by UNIX command line incantations and the seeming wizardry of the guru sysadmins. It got to the point where I would print out man(1) pages at work and take them home to read (hint: never print out the awk man page). This was 1994, and proprietary UNIX platforms were all the rage – in those days, Linux was something that “geeks did at home”.

After 5 years of building, upgrading and administering UNIX and ORACLE systems I was getting restless. The high-end, early generation, SUN Starfire and Sequent NUMA-Q behemoths were amazing but ultimately it was the sysadmin work itself that I was starting to loathe. It was clearly time for a change.

To Catch a Hacker

On a friend’s recommendation I started reading The Cuckoo’s Egg by Clifford Stoll. I was captivated by it, and read it in one sitting. Cliff was working at Lawrence Berkeley National Laboratory in California where compute cycles were accounted for and billed to users. I followed along as he described what happened after the discovery of an unexplained system accounting error of 75 cents, or 9 seconds, of compute time. In his subsequent efforts to monitor and track the corresponding user account, he discovered a major intrusion by a serial system cracker. I won’t spoil it for you here if you haven’t read it; suffice to say it’s a rollercoaster of a story and I felt like I’d just been introduced to a new world.

The next day I went back to the office, found some Web sites describing system “holes” and tried to simulate attacks I thought a “hacker” might try against systems I managed. This turned out to be a humbling, and ultimately, highly motivational experience as I discovered the gaps in my approach.

Opening My Eyes: Taking the Red Pill

I wanted to know more and read every book on security and hacking I could find. My Information Security journey had started and I jumped at the chance to join the internal corporate security team as a UNIX security specialist. This took my understanding of technology to a new all-time high.

Instead of reading about command line switches, I dedicated myself to learning how the underlying operating system itself functioned. I read about system calls, explored kernel data structures and tested security mechanisms. I made it my mission to understand why systems are vulnerable, how attackers exploit weaknesses and what we can do as defenders to protect, detect and respond to digital assailants.

I got the chance to write about some of this as co-author of “Maximum Security: A Hacker’s Guide to Protecting Your Network”.

My manager at the time, Tony, was a fantastic mentor who took me, the “UNIX geek with a security bent”, and moulded me into a security professional. He opened my eyes to the business, policy and people aspects. Thanks to his patience, encouragement and guidance, my view on security widened and I developed a far greater appreciation of what we call “information security”. Without his guidance, I truly believe I wouldn’t be where I am today.

Certs and Perks

Since then I’ve picked up a number of (seemingly obligatory) industry certifications. (ISC)² will tell you I’m a Certified Information Systems Security Professional. ISACA can confirm I’m a Certified Information Security Auditor and the British Computing Society will recall that I’m a Chartered Information Security Professional. Those are all “nice to have” but ultimately incidental to why I do what I do.

Far more important to me, are the experiences I’ve had and the people I’ve interacted with during a decade of information security practice.

I’ve travelled, seen and done things I dreamt of as a kid. I’ve had the good fortune to collaborate with some immensely talented people – recognised industry experts that are at the top of their game.

For the past 5 years I’ve focused my energy on penetration testing, incident response and forensics. There is no shortage of challenges and new technologies to understand.

No More Groundhog Days: Cloud Computing Security

As a security professional, you soon learn it pays to be one step ahead of management. “Forewarned is forearmed”, as they say.

In early 2009, I kept stumbling across “cloud computing” references and figured my management would ask me about it. The more research I did, the more it dawned on me that this wasn’t just the “same old, same old”. Instead it was strikingly disruptive – with the potential to drastically change the way organisations consume IT. The impact on IT departments, architectures, operations and the way we “do security” seemed potentially huge.

The more I thought about it, the more fascinated I became. The so-called ‘clouderati’ were talking about ‘cloud platforms’, “orchestration”, “dynamism” and other expressions that were new to me. It’s easy to tune out when terms like this start getting bandied about but I’ve learnt from experience to ask the dumb questions. After all, if you don’t understand what someone is talking about, how on earth are you going to do risk assessment or threat modelling?

Join the Cloud Security Conversation

My natural reaction is to ponder the security issues. Where are the gaps? What does it mean? How does it change what we do today? And even, how can cloud help the security professional?

I didn’t find many answers on-line. There were no dedicated cloud security resources, so I registered cloudsecurity.org and began writing up my thoughts and bringing together useful links/information in one place. My hope with this side project (I do have a day job!) is to get other security professionals thinking and discussing cloud security.

Soon after standing up this site, cloud was beginning to go mainstream – the level of media interest was nuts. This became blatantly obvious when I was interviewed for the NPR “Good Morning” show – about 4 weeks after starting this blog (!).

My reasons for running this site are partly selfish. Like many in this industry, I’m tired of half-assed “post implementation fixes” — aka “bolting security on” — we can do better than this. I want to help IT and information security professionals avoid such Groundhog Day moments (“oh, crappy implementation again?”).

Beyond the Blog

One useful way to get the word out is talking with people at conferences. I’ve presented at the World Cloud Computing Summit, Black Hat Europe and Brucon. Another way is to get involved with industry cloud security initiatives. I served as an industry expert for ENISA’s Cloud Risk Assessment and was glad to see and join the Cloud Security Alliance. I’m also part of the A6 initiative – a group that aims to bring greater visibility and assurance to cloud services.

Get In Touch

I hope you find this site valuable. I’d like to ask your help. If you see something wrong – or something I can improve on – please let me know. Have a look around. What do you want more of? Less of? What’s missing?

Feel free to send feedback or just get in touch or follow me on Twitter.
