Scaling Quickly & Securely: Achieving Security & Compliance in AWS

On Tuesday, June 21, I teamed up with Scott Ward, Solutions Architect at AWS, and Arup Chakrabarti, Director of Engineering at PagerDuty, to deliver a webinar about scaling quickly and securely in AWS. The discussion was lively enough to keep beach-and-BBQ dreams at bay for an hour or so on a humid Wednesday in Boston.

In case you missed it, I wanted to share a quick recap of what we covered.

Speed and Security Aren’t Opposing Forces

Today’s competitive landscape demands continuous releases and agile development practices in order to stay ahead, and because you’re running fast in the cloud you need to figure out how to apply the same thinking to your security strategy.

The good news, as we explained in the webinar, is that security no longer has to hold back speedy product development cycles in the cloud. You can achieve complete cloud security and compliance without impacting delivery speed, as long as you use the right tools and employ best practices across the board.

During the webinar, the moderator asked this question: Are you using Amazon Web Services?

Results showed that the vast majority of webinar participants are either current AWS customers or plan to begin using it very soon. That’s not surprising, given that AWS has over 1 million enterprise customers (not to mention tons of smaller ones). 

AWS enables companies of all sizes to take advantage of all the cloud has to offer, chiefly: flexibility, scalability, and cost-effectiveness. The good news is that none of these benefits has to come at the expense of security, and that’s what this webinar was all about.

The Barrier to Change is Lower Than Ever

Many companies are still trying to drag forward the legacy enterprise data model. But the good news, for those who are ready to make the leap to the cloud, is that it has never been simpler to move beyond architectures that no longer have a place in our cloud-centric computing culture.

There are many AWS services, from RDS to S3 to SQS, that enable companies to take the basic functionality of AWS to the next level, building richer functionality in their own apps. Most companies that are familiar with these services realize that the benefits of making the move to the cloud far outweigh the difficulties, especially given how low the barriers to cloud adoption are today.

Here’s what we mean by lowered barriers to adoption: It’s possible to make huge business changes, like updating your application architecture continuously based on new functionality, with compressed timeframes. In fact, cloud infrastructure can now not only keep up, but in many cases, can even move faster than the business because infrastructure is no longer constrained by old-world data centers.

We Must Re-Educate Around Security in a Cloud-First World

There is a necessary re-education process for businesses and people who are migrating data to the cloud for the first time, and that was a big topic of discussion during the webinar. A key part of this re-education is explaining (and understanding) that security is no longer just about perimeter defense and prevention. Companies also need to understand what all of their assets are doing and what is taking place within the workload (the source of truth) at all times. This is the best way to detect real threats as soon as they take place.

Along with all the benefits of the cloud have come new areas where it’s possible to accidentally compromise the integrity of your security posture. But solutions like Threat Stack, which employ continuous monitoring and treat the workload as the source of truth, make it possible to track changes across cloud environments, no matter how elastic.

You Must Be Able to Track the Ephemeral

Speaking of elastic, one area of security that is often overlooked is the need to not just catch incidents when they are happening, but to be able to “rewind” the tape and look at instances that may not even exist anymore. Back in the days of “racking and stacking,” companies knew what servers they had and where they were. Now, you might spin up an EC2 instance or cluster to do some data analysis for an hour or two, and then turn it off.

While it’s a huge advantage to be able to scale up and down like this, you also need to have the ability to go back in time to view activity on these instances for the purposes of ensuring compliance, and potentially for security investigations if something has gone awry. Platforms like Threat Stack make this possible, so that the elastic (and thus ephemeral) nature of the cloud doesn’t need to be an obstacle to security.

Software-Defined-Everything is Possible Because of Security

At Threat Stack, everything we do is software-defined, from building to provisioning to maintenance. We can do this securely because services and solutions like AWS and PagerDuty, coupled with our own cloud security platform, give us deep visibility into our environment around the clock.

We employ a “change model” for dealing with security at speed, which means we focus on detecting and responding to changes inside the environment (not just incoming threats). Software-defined-everything is possible because of security visibility and vice versa.

The software-defined nature of the cloud can actually make the job of security employees easier too, because they are able to inject themselves throughout the landscape. They don’t need to figure out how to capture information from switches, routers, and other devices at various layers of the network and try to correlate the data. It’s all tied together.

Even better, integrations with the likes of PagerDuty and Slack enable internal dialogues that empower non-security folks to detect and respond to potential issues, distributing the responsibility for security in a way that is both more efficient and more effective. That’s one of the major ways that DevOps culture has impacted cloud security in a positive way: by coupling power and responsibility, augmented with deep visibility.

And when it’s time for security folks to get in there and investigate, deep audit trails make it possible to track not just whether a user logged in, but what processes they kicked off (and whether it was really them). That means you can give your users a lot of responsibility without worrying about the vulnerabilities that come along with it.

The Cloud Isn’t a Security Issue; It’s a Security Opportunity

A lot of folks, unfortunately, think the cloud introduces a new layer of vulnerability, but we see it as just the opposite. The cloud offers an opportunity to evaluate security requirements and reconsider how we do security. Done right, cloud security can, in fact, be far better and more efficient than its legacy predecessors.

Although the overall focus of security remains the same, in the cloud, security professionals can focus on more strategic initiatives and improve collaboration with Operations and Engineering teams. For example, with AWS, physical infrastructure security is a non-issue, so your teams can focus more on applications and business growth drivers, and less on the underlying infrastructure. That means you can spend more time on the areas that differentiate you and drive value for your organization and less time checking the pipes for leaks.

Moving to the cloud is often part of a company’s effort to be more competitive, but it doesn’t mean you need to sacrifice security; in fact, your security strategy now has an entry point much earlier in your development lifecycle. Continuous deployment and integration, rather than being antithetical to security, can in fact push organizations toward better security and more complete compliance. That’s one thing that Scott Ward, Arup Chakrabarti, and I unanimously agreed on in the webinar.

Dive Into the Deep End

Believe me, this post is just skimming the surface of the detailed conversation we had. Hungry for more? Here is a link to the deck if you want to dive in headfirst: Scaling Quickly and Securely: Achieving Security & Compliance in AWS.