The Journey to Publish Security Architecture for Hybrid Cloud

Mark Buckwell
Architectural Thinking for Security
May 7, 2024

The files for the Security Architecture for Hybrid Cloud book have finally been handed over to the O’Reilly production team. Let’s look back at how the book came about.

The journey for the book began twenty-five years ago when a team from the US came to help me develop a course to reskill IT specialists into security architects. We developed the course Method for Architecting Secure Solutions (MASS), which was run worldwide, but after five to six years the delivery ended due to other priorities.

Then seven years ago, I was part of a team that was given the challenge of developing a degree module for the MSc in Cyber Security Engineering at the Warwick Manufacturing Group on the University of Warwick campus. We wanted to offer a unique module with practical delivery insights from industry that would prepare students to architect cyber security controls into information systems. The Enterprise Cyber Security module was born, using an updated version of the principles we developed for the MASS class.

Warwick Manufacturing Group at the University of Warwick

The module structure was built using a set of lectures and team exercises delivered over a week. The cohort was given a case study, and each team was asked to create an artifact, a diagram or table, for an exercise that would then build into a final security solution. At the end of the week, each team presented their final solution back to the class and instructors. This enabled the students to practice what they learned and quickly receive feedback to improve their architectural thinking. An individual written assignment, based on the case study, was given to students for the module assessment.

After delivering the class for the University of Warwick, we then went on to deliver the same class to IBMers worldwide in face-to-face sessions in the UK, USA, Sweden, and India. We used the same structure of lectures and teamwork but delivered it in a compressed three and a half days. As the pressure of costs increased, we changed to a virtual class lasting three days that left the learners with a set of practical techniques and artifacts to apply in their client projects.

In 2019, I then had the opportunity to apply for the UK Royal Academy of Engineering Visiting Professor scheme with the University of Surrey, which had expressed an interest in working with me. We applied but weren’t successful, but the university wanted to continue with the proposal to run a module for the MSc in Cyber Security with an extended version of the course, including group and individual assignments written and marked by me. The course is run in 3-hour sessions over 10 weeks in the same format of a lecture, team exercise, and instructor feedback that we’ve successfully used before.

The architecture of the platforms used to host workloads was changing to hybrid cloud architectures, where there is a mix of shared responsibilities and security policies guiding the required security controls. In 2022, we rewrote the course with a hybrid cloud use case and added new techniques and artifacts to support the complexity of the new architectures.

At the end of 2023, we had two UK universities delivering the module as part of their UK NCSC-certified MSc Cyber Security degrees and completed training for over 1000 IBMers and MSc students.

University of Surrey in November 2022

I kept on getting feedback—we want to know more! Where is the book? Fair enough, so what should the format be? This was not an insignificant piece of work that would need to be completed outside my standard working day. I wanted to deliver a publication that would get the least amount of resistance (no extended reviews), would be high quality and hit the widest audience to make the biggest impact. I decided it needed a publisher that would promote the book and help deliver a high-quality publication.

But was there really an interest outside of IBM? I had already applied to speak at the RSA Conference in 2023. The idea was to present the method to the world in my session, Architecting Security for Regulated Workloads in Hybrid Cloud. With a packed session, there was immense interest, and afterwards I had attendees asking how they could help make the method public. The feedback confirmed it was important to make it available to a wider audience.

Architecting Security for Regulated Workloads in Hybrid Cloud, RSA Conference 2023

I had started the conversation with O’Reilly and proposed a book based on the structure of the existing classes. To get high-quality content, it needed the help of more than one author, so Carsten Horst and Stefaan Van daele joined the team to write the book. By July 12, 2023, we had signed a contract with O’Reilly to write an “Animal” book and gained agreement from IBM to write the book.

Today, we’ve handed the content over to the O’Reilly production team who will perform the detailed editing, redraw the diagrams in standard format and finish off the format. We are looking forward to getting our hands on a physical book in the next few months.

Golden Gate Bridge – Sunday 5th May 2024

I will be speaking at RSA Conference again this year on security architecture. So, where next? For me, I will be semi-retiring from IBM at the end of June to continue teaching the degree module at the University of Surrey and see where publishing the book takes me. You can get more information and updates on the companion website https://securityarchitecture.cloud/
