The cloud provides unparalleled flexibility and agility. However, a high rate of change and poorly understood risk in a shared-responsibility, multi-tenant environment can lead to insecurity: malicious actors can steal your customers' data. Poorly defined or misunderstood boundaries between your operations teams and your cloud provider can be just as problematic. Human error and operational neglect are catastrophic threat actors.
We help you to instigate controls that reduce both cybersecurity and operational risk, utilising infrastructure-as-code to increase velocity while ensuring repeatability and testability. We work with and within teams to build a culture of secure-by-design. From PoC, to development, through stand-ups, and helping to manage and control technical debt, we can leverage agile and lean ways-of-working to make real and lasting improvements to security posture.
Managing security risk across organisational boundaries can be challenging. It is often important to work closely with suppliers to build the relationships needed to identify risk. We can also work with penetration testers, providing the resulting threat-models and guardrails to quantify, record, mitigate, and reduce risk.
Healthy governance processes can ensure that threats and their associated controls are owned by internal stakeholders, so that risk is kept within the thresholds appropriate for wider business strategy and compliance needs. Often the risk owner will most appropriately be a product owner who can help prioritise remediation or mitigation. Conversely, control owners are responsible for ensuring controls are functioning as intended.
The software supply chain is increasingly exploited. We are happy to work with our clients to shift security controls left through the supply chain, ensuring that both infrastructure and application code are screened well before release into production.
Many organisations are already on a journey, with initiatives to improve security and adapt ways-of-working underway.
We can help to deliver existing security strategies through the creation of standards, guardrails and patterns; review existing standards where change is outflanking them; or recommend an over-arching strategy to help drive and prioritise security improvements and capabilities.
Threat-modelling identifies threats arising from components and attack surfaces. These can then be composed to examine aggregate risk and prioritise security improvements where they matter most.
We are pragmatic: sometimes the best control is one that the team are already familiar with, and where innovation is needed, it should use languages, technologies and approaches that are familiar, minimising operational cost for the organisation, and reducing cognitive friction for the team.
You can call us on +44 20 3337 3012 today to discuss your current challenges and how we can best help, or email us at help@hanscombe.net.