Vyacheslav Smirnov, 2014-10-06 21:51:23
Microsoft

What guides or courses would you recommend to an administrator to strengthen the protection of a cloud service?

There is a service that uses the Microsoft technology stack (Windows Server, SQL Server, IIS). The service is well protected. Knowledge and technologies about how this protection is arranged, and how complete it is, are stored in the heads of several specialists.
To expand and consolidate the knowledge of specialists, it is necessary to think about what to recommend for study, what to allocate more resources for. Ultimately, they will decide for themselves, but it is necessary to make an initial recommendation.
To set the order of study, as well as the order of registration of knowledge in the form of technologies (small documents with basic principles and settings + links to specific product manuals), I looked at:
- a list of 10 risks for cloud applications: https://www.owasp.org/index.php/Category:OWASP_Clo...
- some courses from www.microsoftvirtualacademy.com
- administration course programs from https://www.microsoft.com/learning/ru-ru/windows-s...
- manuals and checklists for various software products.
This list may not be complete. If you were asked what courses you would like to take, what books would you need to buy to expand your knowledge and strengthen the protection of a trusted service? What would you choose?
Or so.
You have already configured a service. A new employee comes to you. In what order will you tell him how to maintain, control and increase security?
Start with a backup, how is it done, how is it encrypted / decrypted, and where is it stored?
Or from architecture, isolation, duplication, redundancy?
...
Suggest an idea. Recommend an article, approach, guide, framework, or certification program.


1 answer(s)
brutal_lobster, 2014-10-07
@polarnik

You need to look at ISO 27001/27002 and Cobit. Maybe a little NIST SP800-144 (and other SPs).
Or to courses on providing integrated information security / a master class of a consultant of some kind. Frameworks and standards are still hard to read. It is even more difficult to successfully adapt (or at least somehow effectively apply) for yourself.
Documenting the current state of affairs is good, but it doesn't give the full picture.
And the literacy of protecting the service is a myth :) Especially if the information about it is sacred and depends on a couple of employees.
Start working at a high level in parallel - set goals, draw up a security policy, some basic general regulations. Define and improve the process of managing/securing your service.
The employee must first be introduced not to the technologies used and specific control measures, but to the process itself.
