About the blog
This blog is dedicated to Cloud Computing with a focus on security. Whether you are just starting out with cloud services, apps and APIs, a cloud power user, an architect or developer – this blog is for you.
cloudsecurity.org is an independent Web site, founded by Craig Balding in April 2009.
About the blogger: Craig Balding
I Geek, Therefore I Am
I started out as a system/database administrator after graduating from university with a Systems Analysis degree in 1994. Although the course was fascinating – combining systems thinking, linguistics, technology, sociology and economics – I soon realised it wasn’t fulfilling my inner geek.
Two technology areas did end up grabbing my attention.
“Wow, Check Out Those Unix Wizards!”
I was fascinated by UNIX command line incantations and the seeming wizardry of the guru sysadmins. It got to the point where I would print out man(1) pages at work and take them home to read (hint: never print out the awk man page). This was 1994, and proprietary UNIX platforms were all the rage – in those days, Linux was something that “geeks did at home”.
After 5 years of building, upgrading and administering UNIX and ORACLE systems I was getting restless. The high-end, early generation SUN Starfire and Sequent NUMA-Q behemoths were amazing, but ultimately it was the sysadmin work itself that I was starting to loathe. It was clearly time for a change.
To Catch a Hacker
On a friend’s recommendation I started reading The Cuckoo’s Egg by Clifford Stoll. I was captivated by it, and read it in one sitting. Cliff was working at Lawrence Berkeley National Laboratory in California, where compute cycles were accounted for and billed to users. I followed along as he described what happened after the discovery of an unexplained system accounting error of 75 cents, or 9 seconds, of compute time. In his subsequent efforts to monitor and track the corresponding user account, he discovered a major intrusion by a serial system cracker. I won’t spoil it for you here if you haven’t read it; suffice it to say it’s a rollercoaster of a story and I felt like I’d just been introduced to a new world.
The next day I went back to the office, found some Web sites describing system “holes” and tried to simulate attacks I thought a “hacker” might try against systems I managed. This turned out to be a humbling, and ultimately, highly motivational experience as I discovered the gaps in my approach.
Opening My Eyes: Taking the Red Pill
I wanted to know more and read every book on security and hacking I could find. My Information Security journey had started, and I jumped at the chance to join the internal corporate security team as a UNIX security specialist. This took my understanding of technology to a new all-time high.
Instead of reading about command line switches, I dedicated myself to learning how the underlying operating system itself functioned. I read about system calls, explored kernel data structures and tested security mechanisms. I made it my mission to understand why systems are vulnerable, how attackers exploit weaknesses and what we can do as defenders to protect, detect and respond to digital assailants.
I got the chance to write about some of this as co-author of “Maximum Security: A Hacker’s Guide to Protecting Your Network”.
My manager at the time, Tony, was a fantastic mentor who took me, the “UNIX geek with a security bent”, and moulded me into a security professional. He opened my eyes to the business, policy and people aspects. Thanks to his patience, encouragement and guidance, my view on security widened and I developed a far greater appreciation of what we call “information security”. Without his guidance, I truly believe I wouldn’t be where I am today.
Certs and Perks
Since then I’ve picked up a number of (seemingly obligatory) industry certifications. ISC 2 will tell you I’m a Certified Information Systems Security Professional. I previously held the Certified Information Security Auditor cert from ISACA but stopped paying my dues. The British Computing Society will recall that I’m a Chartered IT Professional. Those are all “nice to have” but ultimately incidental to why I do what I do.
Far more important to me are the experiences I’ve had and the people I’ve interacted with during a decade of information security practice.
I’ve travelled, seen and done things I dreamt of as a kid. I’ve had the good fortune to collaborate with some immensely talented people – recognised industry experts who are at the top of their game.
From 2006 I led a global team of technical security professionals covering penetration testing, incident response/forensics and internal consulting. In 2011 I took on a bigger role to build and develop a global in-house Red Team. We perform threat simulations to drive improvements in company-wide protection, monitoring and response capabilities. It’s a fascinating mission and helps me stay threat-centric in my thinking.
No More Groundhog Days: Cloud Computing Security
As an experienced security professional, you soon learn it pays to be one step ahead of management. “Forewarned is forearmed”, as they say.
In early 2009, I kept stumbling across “cloud computing” references and figured my management would ask me about it. The more research I did, the more it dawned on me that this wasn’t just the “same old, same old”. Instead it was strikingly disruptive – with the potential to drastically change the way organisations and citizens consume IT.
The more I thought about it, the more fascinated I became. The so-called ‘clouderati’ were talking about ‘cloud platforms’, “orchestration”, “dynamism” and other expressions that were new to me. It’s easy to tune out when terms like this start getting bandied about, but I’ve learnt from experience to ask the dumb questions. After all, if you don’t understand what someone is talking about, how on earth are you going to do risk assessment or threat modelling?
Join the Cloud Security Conversation
My natural reaction is to ponder the security issues. Where are the gaps? What does it mean for data privacy? How does it change what we do and how we do it today? And even, how can cloud help the security professional?
I didn’t find many answers online. There were no dedicated cloud security resources, so I registered cloudsecurity.org and began writing up my thoughts and bringing together useful links/information in one place. Initially, my hope with this side project (I do have a day job!) was to get other security professionals thinking and discussing cloud security. Since 2013 my aim is broader and more practical. I want to show you how you can use cloud apps, APIs and services “securely” through blog posts, screencasts and maybe even an ebook and/or workshops in the future (but let’s start simple :). Some might interpret this to mean I’m a cloud advocate. That’s partly true, but only insofar as it’s true that I like to look at new technologies from a security point of view and explore how to safely realise the benefits.
Soon after standing up this site, cloud was beginning to go mainstream – the level of media interest was nuts. This became blatantly obvious when I was interviewed for the NPR “Good Morning” show – about 4 weeks after starting this blog (!).
My reasons for running this site are partly selfish. Like many in this industry, I’m tired of half-assed “post implementation fixes” — aka “bolting security on” — we can do better than this. I want to help IT and information security professionals avoid such Groundhog Day moments (“oh, crappy implementation again?”).
Update (late 2012)
After a break from blogging and with mainstream cloud and “cloud-marketed” services gaining real traction, my goals for this site changed. Friends and family frequently ask which cloud services, apps and cloud providers I recommend along with how to use them “safely”. Again, I’m not aware of any sites that cover this from a security perspective. Consequently, I decided to broaden the site to address the concerns and practicalities for cloud “users” and developers in addition to security professionals and curious geeks. This means more practical hands-on reviews, HOWTOs and walkthroughs via screencasts. In short: I show you how to select and use cloud apps and services with security in mind.
I also took the decision to run ads and affiliate offers as a way to help pay for my cloud fiddling costs (see my disclosure policy for more).
Beyond the Blog
One useful way to get the word out is talking with people at conferences. I’ve presented at the World Cloud Computing Summit, Black Hat Europe and Brucon. Another way is to get involved with industry cloud security initiatives. I served as an industry expert for ENISA’s Cloud Risk Assessment and was glad to see and join the Cloud Security Alliance. I was also part of the A6 initiative – a group that aims to bring greater visibility and assurance to cloud services.
Get In Touch
I hope you find this site valuable. I’d like to ask your help. If you see something wrong – or something I can improve on – please let me know. Have a look around. What do you want more of? Less of? What’s missing? What concerns do you have about cloud that I might be able to address?