Over 20,000 people from all over the world descended on Las Vegas this week for Amazon’s completely sold out AWS re:Invent 2015 show. They came for many reasons: education, networking, great food, music and entertainment. But most importantly, they came because of AWS’s leadership and relevancy in this world of software-centric businesses driving continuous innovation and rapid delivery cycles, leveraging modern day public cloud infrastructures like AWS.
On the second day of the event, I had the opportunity to sit through an afternoon session titled:
If You Build It, They Will Come: Best Practices for Securely Leveraging the Cloud.
Security expert and industry thought leader Joan Pepin, who has over 17 years’ experience in policy management, security metrics and incident response – as well as being the inventor of SecureWorks’ Anomaly Detection Engine – gave the presentation.
There is no doubt that cloud computing is reshaping not only the technology landscape, but also the very way companies think about and execute their innovative processes and practices to enable faster, differentiated and more personalized customer experiences. And a path to operating in the cloud securely and confidently requires a new set of rules and a different way of thinking. This was at the heart of Joan’s session – helping security practitioners adapt to this paradigm shift and creating a pathway to securely leveraging the cloud with confidence and clarity.
Securing Your Future
“We are in the middle of a mass extinction. The world we are used to living, working and operating in is going to disappear over the next ten years. It’s already well underway. We are seeing the mass extinction of traditional Datacenter, of Colocation and of being our own infrastructure providers,” said Pepin.
I expect a new mantra will be echoing through corporate boardrooms around the globe in the not too distant future: “Friends don’t let friends build datacenters.”
Joan suggests that the future – and how one secures it – is going to be very different from the past and what most people are doing in the present. She knows this first hand, because she is living this every day, running Sumo Logic’s state-of-the-art advanced analytics platform that ingests over 50TB of data and analyzes over 25PB – daily!
Joan passionately states: “The future is upon us. The cloud is the wave of the future: the economics, the scalability, the power of the architecture, security built-in from inception. It’s inevitable. If we are not prepared to adapt our thinking to this new paradigm, we will be made irrelevant.”
There are boxes, inside boxes, inside boxes. And security people had very little to do with the design of those boxes. Throwing a few firewalls and IDS/IPSs into the box was how things used to be done. This is not the way to build security into a massively scalable system with ephemeral instances, and it is not a way to make security fractal, so that as you expand your footprint, security goes along with you. In this new paradigm, security has a greater opportunity to be much more involved in the delivery of the service and the design of the architecture, and to take security to a completely different level so that it is embedded in every layer of the infrastructure and every layer of the application.
“Do I really need to see all the blinking lights of the boxes to be secure? Too many decisions are being made emotionally, not rationally.”
Operationally, security organizations need to change their thinking and processes from traditional data center-centric models (aka “Flat Earth” thinking) to new, more statistical models. AWS presents this giant amorphous blob of power, with APIs, elasticity, configurability and infrastructure as code. Security is now embedded into all that automation and goodness. As you expand, as you grow, as you change, the security model stays the same and weaves itself throughout your cloud infrastructure.
“This was my ‘world is round’ moment,” said Pepin. “I have seen the light and will never go back. My CISO friends in more traditional companies are envious of what we have been able to achieve here at Sumo Logic – the ability to ingest, index, encrypt, store and turn the data back around for searching in 30 seconds – this is generations ahead of the market. It is how the cloud of tomorrow works today!”
Joan provided a number of practical and insightful best practices that security professionals should follow in thinking about cloud security:
- Less is More: Simplicity of design, APIs, interfaces, and data-flow all help lead to a secure and scalable system.
- Automate: Think of your infrastructure as code-based – it’s a game changer; test, do rapid prototyping and implement fully automated, API-driven deployment methods; automate a complete stack.
- Do the Right Thing: Design in code reuse and centralize configuration information to keep attack surface to a minimum; sanitize and encrypt it; don’t trust client-side verification; enforce everything at every layer.
- Defense in Depth: Everything. All the Time.
- Achieve Scale by Running a POD Model.
- Use Best-of-Breed Security Stack: IDS, FIM, Log Mgt., Host Firewall.
To watch Joan’s video, please select this link: AWS re:Invent 2015 | (SEC202) Best Practices for Securely Leveraging the Cloud
For more information on Sumo Logic’s cloud-native AWS solutions please visit AWS Integrations for Rapid Time-to-Value.