For Crying out Cloud

Abstract

Is your business moving into the Cloud? Is it thinking of moving into the Cloud? Or is it already in the Cloud, but perhaps hasn’t yet matured the security of what it has there? The presenters work for a multi-brand organisation whose applications and over 9 petabytes of personal data are in the Cloud. However, up until September 2018, no-one owned or managed the security of AWS across the business. This was a problem and a risk that needed to be rectified! When one of the presenters joined the business in May 2018, within a number of months he had seen a major gap and decided to take on this responsibility and build a team to progress the security of the org. This presentation is a rundown of that journey so far: what was discovered, our goals and learnings (injecting our normal humour into our talk!), and tangible information the audience can take away to help on their own cloud journey. Regardless of the role or skill set of the audience member, they will leave with an understanding of what it is like at the coal-face of a major internet business running its applications and storing its data in the Cloud.

Outline

We will cover the following topics in our talk / presentation flow:

  • Background of both of our careers (brief)
  • What both presenters found when they joined and why they decided to take on the role (a lack of any ownership of Cloud Security, brands using differing processes, ineffective tooling, visibility and reporting, departing members of staff with considerable cloud knowledge, little automation, basic errors being made, lack of documentation, documentation that is out of date as soon as it is created, ‘threat modelling as code’, the complexities of how a multi-brand org actually consumes AWS, mapping out of architectures, compliance challenges)
  • Implementing the Cloud ‘basics’ before doing the cool stuff! What did we do first? Why did we choose to do those things? How we have worked to culturally change an already cloud-first business to become a cloud-first, security-first business
  • What problems we’re trying to solve; 3/6/12 months strategies/objectives and beyond
  • ‘Compliance As Code’ and our journey to get there. What we still have to do.
  • Challenges/Learnings - information the audience can take away as tangible advice. What might we do differently?

Stu Hirst

@stuhirstinfosec

Stu is currently the Head of Cloud Security at Photobox Group (which includes Moonpig, PosterXXL in Munich, Greetz! and Hofmann). He was instrumental in building Skyscanner’s Security team from 2015-2017, having led them to the final of SC Magazine’s Security Team of the Year 2017. He has previously worked in security at The Trainline and was part of the Cyber Leadership Team at Capital One UK. He has twice been nominated as a finalist for Cyber Evangelist of the Year at the Scottish Cyber Awards and runs one of Scotland’s leading tech meet-ups, Security Scotland. Stu has appeared at numerous leading security events such as InfoSec Europe, Cloud Expo Europe and Future of Cyber Security.

Tash Norris

Tash is a Senior Cloud Security Engineer at Photobox Group (which includes Moonpig, PosterXXL in Munich, Greetz! and Hofmann). She is currently building tools and processes to automate all the things / make the Cloud more secure. Previously, Tash was a threat modelling engineer in financial services; she continues to contribute to threat modelling projects and resources via OWASP and other community events.
Tash is also on the review panel for DevSecCon, an OWASP contributor and an avid advocate for Women in Tech/Cyber, appearing at various tech and security events and meet-ups to talk about both technical and behavioural topics.