Welcome to the blog! Some articles might later become book chapters, while others cover current industry trends.
📌 Recent Posts:
Five elements of cloud security

Historically, IT security started with infrastructure security. Just protecting the data center was good enough. But that was before we had data communications. When data started to escape the confines of the data center, we needed to protect it, typically through encryption. Hence we need data security. As the world wide web developed, we saw applications being exposed to it and, frankly, being vulnerable. So that is when application security started to become more important. ...
How cool would it be to let an AI do some of the grunt work in analysing the risk of applications and services? This has the potential to speed up the work of risk assessors. But does it work in practice? Well, here is an example of AI-assisted risk classification. I downloaded some of the entries in the Dutch algorithm register, which is a public register of systems that use algorithms. For each entry about 30 fields are available, including name, classification, owner, et cetera. Some of the systems in the registry are AI-based. Indeed, we have AI to help check on AI… ...
How to fix the WiFi? How to find a new phone for grandma? Applying technology follows certain rules. However, many people only have an intuitive understanding of these rules. As a result, technology is not optimally applied. By understanding how applying technology really works, you can be more effective, more efficient, reduce waste, and overall do a better job. It takes just a few simple steps to improve any attempt at applying technology. We’ll focus on information technology here, though most principles have wider applicability. ...
Who is really doing Zero Trust? Well, the US Air Force is. Here is my summary, with some comments, of their strategy document for the benefit of my Certificate of Competence in Zero Trust (CCZT) learners. In fact, this is an edited version of a conversation we had during one of our classes. You can download the full strategy here, and the current roadmap here, all linked from this page. I think the fundamental first important point about the strategy document is that it exists at all. There is an actual organization of significant size that has a strategy and is implementing it. Many can learn from this. ...
Here is the draft design of the graphic novel version of this book, which may or may not happen.
Building Our Own Cloud Kootwijk: Rethinking Digital Sovereignty

In the Netherlands, we are currently engaged in a heated debate about the undesirable dominance of big tech, particularly over a significant portion of the digital infrastructure of the Dutch government. This includes email, file storage, and many other forms of digital storage and processing—most of which are handled by American big tech companies. I am sure a similar debate is going on in many other countries. ...
A diagram should automagically appear here. [Diagrams not rendered: an architecture diagram of an API group containing a database, two storage disks and a server; and a block diagram of Prompt → Large Language Model → Completion.]
A while back, I introduced my take on deployment diagrams for cloud and devops infrastructure. Some of the big points there are: it starts with intuitive drawings. Many people draw these things in similar ways, even without them having formal training. In fact, formal training in architecture diagrams will not necessarily make those drawings easier to understand for the uninitiated. But still. There are good drawings and there are drawings that can be improved. My other big point is that deployment diagrams can be a great tool for security analysis. I am in some conversations with friends at banks who use them. Recently I ran into the following example. Here is an explanation of the difference between VPC and security groups. Great story, but I have some comments on the diagram, which used to come from AWS itself, by the way, but has been removed. ...
Does security in the cloud ever bother you? It would be weird if it didn’t. Cloud computing has a lot of benefits, but also a lot of risks if done in the wrong way. So what are the most important risks? The European Network Information Security Agency did extensive research on that in 2009 already, and identified 35 risk categories. This analysis is used by a number of players in the industry, including certain banking regulators. From those 35, ENISA has selected 8 as the most relevant ones. This article explains them, not in any particular order. (And by the way: ENISA is pronounced as ‘eniesa’, not ‘enaiza’). You can also get the story on my YouTube video. ...
One of the big projects I am working on right now (2006) is directory services for identity management. In these directories, digital identities such as login names, addresses, access rights, etc. are stored. With an adequately structured directory service, the proper management of access rights becomes a lot easier, which translates into cost savings and better security. Examples of these include the internet’s Domain Name System (DNS) and Microsoft’s Active Directory. A lot of organizations, however, have requirements beyond these systems, and for these a wide range of custom solutions are used. ...