Slide 1

Securing “the cloud”

James Stewart | @jystewart | [email protected]

Slide 2

James Stewart | @jystewart | [email protected]
Software developer and product manager
Co-founded UK Government Digital Service
Deputy CTO, UK Government
Digital leadership, technology and security advisor

Slide 3

Why do we worry so much about cloud security?

Slide 4

https://www.wired.com/story/github-ddos-memcached/

Slide 5

“Hackers stole a total of £130bn from consumers in 2017, including £4.6bn from British internet users, according to a new report from cybersecurity firm Norton. The most common crimes were generally low-tech, such as attempts to trick individuals into revealing their personal information through bogus emails with generally low costs to victims.”
https://www.theguardian.com/technology/2018/jan/23/cybercrime-130bn-stolen-consumers-2017-report-victims-phishing-ransomware-online-hacking
https://us.norton.com/cyber-security-insights-2017

Slide 6

“Why does everyone who works in government become obsessed with security?”

Slide 7

It’s all about trust and competence

Slide 8

https://scotthelme.co.uk/protect-site-from-cryptojacking-csp-sri/

Slide 9

https://insidegovuk.blog.gov.uk/2016/11/15/incident-report-gov-uk-dns-outage/

Slide 10

Why do we worry so much about cloud security?

Slide 11

Slide 12

Cloud represents change

Slide 13

In using cloud we have to acknowledge that responsibility is distributed

Slide 14

“the risk of the new should seem negligible compared to the urgency of change”
https://www.linkedin.com/pulse/reducing-risk-cloud-overcoming-status-quo-bias-mark-schwartz

Slide 15

Any change requires cultural shifts

Slide 16

GDS

Slide 17

Slide 18

1. Data in transit protection
2. Asset protection and resilience
3. Separation between users
4. Governance framework
5. Operational security
6. Personnel security
7. Secure development
8. Supply chain security
9. Secure user management
10. Identity and authentication
11. External interface protection
12. Secure service administration
13. Audit information for users
14. Secure use of the service

Slide 19

Slide 20

So first

Slide 21

Understand your context

Slide 22

Identify your assets

Slide 23

Consider your threats

Slide 24

Harness the whole team

Slide 25

Start from the end

Slide 26

https://www.schneier.com/academic/archives/1999/12/attack_trees.html

Slide 27

Practice, practice, practice
https://gdstechnology.blog.gov.uk/2015/02/06/running-a-game-day-for-gov-uk/

Slide 28

But what about cloud?

Slide 29

Focus on identity

Slide 30

1. Data in transit protection
2. Asset protection and resilience
3. Separation between users
4. Governance framework
5. Operational security
6. Personnel security
7. Secure development
8. Supply chain security
9. Secure user management
10. Identity and authentication
11. External interface protection
12. Secure service administration
13. Audit information for users
14. Secure use of the service

Slide 31

Emphasise observability

Slide 32

Build quality in

Slide 33

Make change easy

Slide 34

Help everyone understand their context

Slide 35

https://www.gov.uk/design-principles & https://www.flickr.com/photos/psd/9104280608/

Slide 36

“If security doesn't work for people, it doesn't work” - Emma W from NCSC
https://www.ncsc.gov.uk/blog-post/cyberuk-2017-people-strongest-link

Slide 37

Thank you

James Stewart | @jystewart | [email protected]