A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

The Battle for the Cloud Has Not Even Started Yet (Gartner Blog Network, Sep 20 2017)
I sat with a client yesterday who asked me a question about cloud. The question was innocuous enough: “If I had a choice, why would I build anything, if I can get it in the cloud?” It was a fair question. But was it the right question?

Microsoft Introduces Azure confidential computing (Microsoft Azure Blog, Sep 14 2017)
Microsoft spends one billion dollars per year on cybersecurity. They announced a new collection of features and services called Azure confidential computing. Put simply, confidential computing offers a protection that to date has been missing from public clouds: encryption of data while in use. This means that data can be processed in the cloud with the assurance that it is always under customer control.

The 6 phases of adopting cloud security practices (CSO Online Cloud Security, Sep 20 2017)
Enterprise organizations tend to follow a standard sequence as they secure cloud-based workloads and integrate cloud and existing security controls.

Google, Spotify Build Open-Source Community for GCP Security (Dark Reading, Sep 15 2017)
Google and Spotify today announced they’ve been developing security tools to help businesses protect projects on the Google Cloud Platform (GCP). The tools are now available in an open-source community called Forseti Security, which is open to all GCP users, the companies report.

How a cloud server nearly released IP at a major manufacturing company (Darktrace Blog, Sep 18 2017)
From customer data breaches to lost IP, subtle cloud vulnerabilities can have devastating consequences. The company was using a third-party cloud server to store files containing product details and sales projections. The files on the server and the root IP were gated with a username and password. Once credentials were entered, however, the files contained on the server were left unencrypted.

Cloud-Focused Firms Earn High Marks for Software Security in BSIMM8 Report (Threatpost, Sep 20 2017)
Businesses that are cloud-focused tend to run the most secure software, while the healthcare sector is struggling the most when it comes to accomplishing the same goal, according to the BSIMM8 Report.

How to Query Personally Identifiable Information with Amazon Macie (AWS Security Blog, Sep 20 2017)
In August 2017, AWS launched a new security and compliance service called Amazon Macie. Macie uses machine learning to automatically discover, classify, and protect sensitive data in AWS. In this blog post, Chad Woolf demonstrates how you can use Macie to help enable compliance with applicable regulations, starting with data retention.

HashiCorp and Google expand collaboration, easing secret and infrastructure management (Google Cloud Platform Blog, Sep 19 2017)
Google has released a number of Terraform modules that make working with Google Cloud even easier. These modules let you quickly compose your architectures as code and reuse architectural patterns for resources like load balancing, managed instance groups, NAT gateways and SQL databases. The modules can be found on the Terraform Module Registry.

Introducing managed SSL for Google App Engine (Google Cloud Platform Blog, Sep 14 2017)
Google announced the beta release of managed SSL certificates at no charge for applications built on Google App Engine. This service automatically encrypts server-to-client communication — an essential part of safeguarding sensitive information over the web.

More secure hybrid cloud deployments with Google Cloud Endpoints (Google Cloud Platform Blog, Sep 13 2017)
“Increasingly, our customers use Google Cloud Endpoints to authenticate and authorize calls to APIs rather than (or even in addition to) trying to secure them through networking. In fact, providing more security for calls across a hybrid environment was one of the original use cases for Cloud Endpoints adopters.”