Yesterday I taught my Cloud Security class at Cloud Identity Summit. In the class we go through the four design patterns that I describe in "Don't Trust. And Verify. A Security Architecture Stack for the Cloud" and that I think are foundational elements for Cloud security. The four patterns that we focus on are:
- Security Gateways
- Monitoring Services
- Security Token Services
- PEP/PDP for Fine grained authorization
These patterns have seen tremendous progress in the past year since my keynote at last year's Cloud Identity Summit.
My favorite part of the class is the Case Study and Threat Model. We break into groups and build threat models similar to these. What I enjoy the most is that in every single class, over the many times I have taught this, the people in the class identify different threats, different countermeasures, and different ways to pair threats and countermeasures.
Security isn't one thing; if it were, Microsoft, IBM, Google, et al. would ship it out of the box. Unfortunately, each enterprise needs to do aftermarket work to identify, locate, and integrate countermeasures. As one person in class yesterday mentioned, the class "helped pull together ideas and identify missing pieces." This is music to my ears; about the best compliment I can get on my class is when people come away with a different way of looking at their security problems. We haven't had any new security primitives in the last 34 years, but we can always collaborate to find new ways to integrate our security services.