Ever feel like a deer in headlights? This is Preventing Deer In Headlights (PDIH).

Commercial: New classes: CISSP,

PDIH: XaaS. What are the upfront hidden costs?

I really like the idea of consuming services on demand rather than building the infrastructure ourselves. But there is an underlying cost that most senior leaders are ignoring.

Who? What? Where? Why? When? How?

Startups shove everything into the cloud and slap an Anything-as-a-Service (XaaS) label on it. Then the startup uses its secret sauce to make it cheaper. Lastly, the startup offers us a free "14-day trial". Sure. Then comes the FIRST hidden cost…

In order to take advantage of the new service and see whether it works with our business processes, we must first assemble our data for import. Then, how long does it take us to understand all of the components of the new service? How much time and effort do we spend learning its interfaces and relating them to the services we already own? How do we convey that complexity to the rest of the business? Finally, how many of us can get all of this done in 14 days? These are nontrivial costs.

SUPPORTING LINK: CSA STAR https://cloudsecurityalliance.org/star/

Solution or STEPS

  1. Convince the vendor to give us 45 days.
  2. Give the vendor a list of business requirements.
  3. Specifically ask them to prove that their security matches our policy.
  4. Require a CSA STAR report, and ask which level it is: a Level 1 entry is the vendor's own self-assessment against the CSA questionnaire, while Level 2 is a third-party attestation or certification.

Impact on security?

Knowing all the dependencies of a product that is outside of our control, or for that matter outside the control of the startup, is difficult at best, especially when it is in the cloud. Knowing the security dependencies between each one of those components is impossible in 14 days.

As a security person, it is my responsibility to dig down into each one of the sub-components, each API, and each container the XaaS is built on. This is the SECOND hidden cost.

The technology people and the sales people of that startup do not want to tell us how it is done; they just want us to buy it. Asking them how the security of this particular tool works, getting a straight answer, and comparing that security profile to our policy will take a lot more than 14 days. How can we do this?

This is what we will talk about on Thursday. Come be a part of cybersecurity. Don't be a deer in headlights.

Can’t make it?

If you are a past student, you will have access to the recordings. Links

CPEs – Yesssss!

Most CPE requirements have both a validation step and an auditable requirement. We do both for our past students. Free. You must log in. Use this link ONLY if you are a past student who has been given auditable access. https://www.vmlt.com/mod/url/view.php?id=14166

I hope you attend; it will be fun.

Commercial: CISSP starts this Saturday, October 27, 2018; Cloud Security starts Nov 5. Please tell your friends! To see other start dates you can go to: https://www.expandingsecurity.com/calendar/

Categories: Learning