The phenomenal draw of AWS re:Invent – the event was sold out with over 9000 attendees from organizations of all sizes and industries – confirmed many things about the adoption of AWS in particular and cloud computing in general. Mainstream adoption of cloud infrastructure has begun (with or without IT endorsement), mission-critical applications are being created and/or migrated to these agile platforms, and the leading cloud companies are working with Amazon and a new generation of cloud security vendors to stay ahead of the security and compliance challenges on AWS.
Here are the top 3 security takeaways we came away with at AWS re:Invent.
1. Make Cloud Consumption Easier (and eliminate shadow IT)
Cloud computing is a reality in the mainstream enterprise whether the IT team likes it or not. AWS adds as much new infrastructure every single day as the entire Amazon business had when it was a $7B business. Part of this growth is the growth of shadow IT in the cloud arena. NASA's Jet Propulsion Laboratory presented on their difficulties in reining in their developers, who had over 50 AWS accounts, 80 IAM users, and hundreds of resources. Many attendees we spoke to at the conference had similar experiences.
Historically, IT has been the choke point for developers. Developers have been using the cloud on their own for years to bypass corporate policy in order to get work done. IT and operations groups continue to forget that their job is enablement. Instead of putting the brakes on cloud usage, a team inside JPL's Office of the CIO made cloud consumption easier and more secure. Many corporate IT organizations tried to put a full stop to smartphone usage and failed; doing so for the cloud will equally #fail. Embrace the cloud, leverage your cloud developers and evangelize secure use of cloud resources.
2. Amazon Works to Shore Up Its Side of The Shared Responsibility Model
We’ve been hearing about the shared responsibility model for years. The concept simply means that the vendor and the customer both share responsibility in ensuring the security of systems running in the cloud. When working with an IaaS vendor, the customer needs to understand their role in the information security ecosystem. For example, Amazon manages the security of their facilities, employees, the network and the virtualization infrastructure. The customer has a responsibility to build, maintain and monitor the security of their operating systems, applications and logical access.
Recently, Amazon stepped up their role within the security chain by offering additional services such as CloudHSM and the brand new CloudTrail announced last week at AWS re:Invent. CloudHSM is intended to help solve the disk and data encryption requirements of data at rest by providing a SafeNet appliance that is managed by, but not accessible to, Amazon. The newly announced CloudTrail offering provides historical logging of access and actions inside your AWS accounts, which is sure to delight auditors and help satisfy governance requirements. While Amazon continues to bolster its side of the shared responsibility model, customers still need to take an active role in ensuring the security of their workloads. For more on the shared responsibility model and how it impacts compliance mandates like PCI, read this whitepaper.
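The customer's side of the shared responsibility model is exactly where CloudTrail's records become useful: someone still has to read them. The following Python is an added example (not code from the original post, from Amazon, or from JPL) that parses a small batch of CloudTrail-style records and answers the questions the shadow-IT discussion above raises: who is acting in the account, is the root account being used for day-to-day work, and which calls created new principals or changed access. The record field names (eventTime, eventName, eventSource, sourceIPAddress, userIdentity) follow CloudTrail's documented JSON layout; the sample records themselves are constructed, and the set of event names treated as "access-changing" is an illustrative assumption, not an AWS-defined list.

```python
import json
from collections import Counter

# Constructed sample of a CloudTrail delivery file ("Records" array). The
# values are invented; only the field names mirror CloudTrail's record format.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2013-11-18T14:02:11Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"}},
    {"eventTime": "2013-11-18T14:05:40Z", "eventName": "CreateUser",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"}},
    {"eventTime": "2013-11-18T16:30:02Z", "eventName": "DeleteBucket",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2013-11-18T17:12:55Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.22",
     "userIdentity": {"type": "IAMUser", "userName": "ops-bob"}},
]})

# Assumed list of IAM calls worth reviewing because they add principals or
# credentials; a real policy would be tuned to the organization.
ACCESS_CHANGE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
}


def load_records(trail_json):
    """Parse one CloudTrail delivery file and return its list of records."""
    return json.loads(trail_json).get("Records", [])


def principal_of(record):
    """Reduce a userIdentity block to a short name for reporting."""
    identity = record.get("userIdentity", {})
    kind = identity.get("type", "Unknown")
    if kind == "Root":
        return "root"
    # IAM users carry userName; other types (AssumedRole, etc.) fall back to type.
    return identity.get("userName", kind)


def actions_per_principal(records):
    """Count API calls by principal: a quick view of who is active in the account."""
    return dict(Counter(principal_of(r) for r in records))


def root_activity(records):
    """Return (time, action, source IP) for every call made with root credentials.

    Root usage for routine work is the classic sign that IAM users and roles
    are not being used as intended, so each occurrence is worth a look.
    """
    return [
        (r["eventTime"], r["eventName"], r.get("sourceIPAddress", "?"))
        for r in records
        if r.get("userIdentity", {}).get("type") == "Root"
    ]


def access_changes(records):
    """Return (principal, action) for calls that create principals or grant access."""
    return [
        (principal_of(r), r["eventName"])
        for r in records
        if r.get("eventSource") == "iam.amazonaws.com"
        and r["eventName"] in ACCESS_CHANGE_EVENTS
    ]


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    print("calls per principal:", actions_per_principal(recs))
    print("root usage:", root_activity(recs))
    print("access changes:", access_changes(recs))
```

Pointing load_records at the gzipped JSON objects CloudTrail delivers to S3 (instead of the embedded sample) turns this into a daily audit job; the two report functions give an auditor the account-wide answers the post says CloudTrail makes possible, without anyone having to interview 80 IAM users.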
3. 2014 Will Be The Year of Cloud Governance
One sign that a market is maturing within security groups is when both the analysts and technology managers start discussing governance of a system. James Staten of Forrester Research presented a good talk that included some highlights of cloud governance requirements that included:
Policy-based administration of systems, accounts, and access to data
Oversight of risk management, access controls and audit
Cost management and optimization
Orchestration of systems inclusive of corporate policy
Similar to information security in general, there is still a long road to pave in creating and automating security governance in the cloud. For the most part, only the large enterprises will have the resources available to build holistic and meaningful governance models. Most other companies will focus on the basics of risk management and keep a keen eye on cost optimization. The need to automate security controls and compliance monitoring will allow limited IT resources to handle the ongoing security and compliance demands of complex, dynamic SaaS hosting environments.