Capital One Breach Reaction: You Can Secure Data in AWS!
The recent announcement of the Capital One breach that affected over 100 million people (good detail from Krebs on Security here) is compelling for a number of reasons. First, it involved data hosted on the Amazon Web Services (AWS) cloud, which cloud naysayers will use as fodder for why you should keep your data on-premises. Second, the attacker, Paige Thompson, aka 'erratic', was a former Amazon employee. Third, the breach is one of the largest in terms of the amount of personally identifiable information (PII) that was compromised. All of this has made for an interesting story to follow, no question. The facts on data security, however, remain the same: there are vulnerabilities in ANY environment, the cloud is a secure Infrastructure as a Service (IaaS) platform, and security requires a layered approach. Businesses can match their risk from data loss with effective security strategies in the cloud.
Adopt and Follow an Accepted Security Framework
The security team at PTP favors the NIST Cybersecurity Framework as we assess environments, discuss technologies for hardening, and review processes and solutions for ongoing security and risk monitoring. The framework contains five major functions for consideration: Identify, Protect, Detect, Respond and Recover. Without turning this piece into NIST framework training, the takeaway is that reducing the risk of a breach comes from implementing processes and systems for each function: identifying critical/sensitive data and its whereabouts, applying protection policies and technologies that are commensurate with the business risk and budget, having the discipline (previous PTP blog here on the subject) to continually monitor for potential threats, and, when a breach is identified, having the appropriate procedures in place to eradicate it and recover from the attack. If you are in the AWS cloud or considering the move, AWS has a helpful white paper that maps its cloud infrastructure to NIST. Check it out here.
The AWS Cloud is the Gartner Leader, Fast-Growing, and Secure
Recent announcements on earnings and growth from AWS showed continued impressive growth driven by adoption. AWS announced 37% growth in its cloud business, with 2nd Quarter revenue up to $8.38B. A key customer, Slack, a communications provider, announced a commitment to spend at least $250M on AWS over the next 5 years. Similarly, Lyft committed to spending $300M on AWS in the next 3 years and Pinterest committed to spending $750M on AWS in the next 6 years. This growth speaks to the usability and speed-to-market that AWS offers users. Companies that wish to turn Information Technology into a differentiator can advance application development faster by eliminating the effort of deploying and managing datacenters and infrastructure. While none of this growth speaks directly to the security of the IaaS and PaaS provided by AWS, adoption by such public brands reflects the due diligence those companies performed to ensure the appropriate protections are in place. On June 25th and 26th AWS hosted its inaugural re:Inforce security conference in Boston, MA. The incredibly well-attended event featured leading security personnel from AWS and its customers discussing the measures AWS takes to protect the platform and the tools it provides users to aid in data protection. Highlights of the event can be found here.
Your Business, AWS and PTP in the AWS Shared Responsibility Model
AWS has done a great job outlining the cooperative effort between its responsibility for the cloud infrastructure and the responsibility of its customers in what it calls the Shared Responsibility Model. While AWS accepts responsibility for the fundamental security "OF" the cloud, the customer is responsible for the security of their data "IN" the cloud. As I outlined above with regard to NIST, the need for policies, procedures, tools and security expertise does not go away in the cloud; the needs are simply different. Misconfigurations can occur, poor policies can still be deployed, data may not be encrypted, data segmentation could be inadequate, too many admins can be allowed, and much more. Security in the cloud still requires a layered approach. The "Customer" functions in the graphic above show the elements that require alignment with a security framework such as NIST for proper security and oversight.
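The customer-side failures listed above (unencrypted data, exposed storage, too many admins) are the kind of thing a continuous configuration review catches. The following is an added example, not PTP's or AWS's code, of such a review run offline over a constructed snapshot of an account: the bucket fields and the per-user policy documents are simplified from what the S3 and IAM APIs return, and the admin threshold `MAX_ADMINS` is an assumed organisational limit. It parses IAM policy documents in their real JSON shape (where `Statement`, `Action` and `Resource` may each be a single value or a list) and flags buckets without default encryption, buckets that do not block public access, and any count of administrator-equivalent users above the threshold.

```python
"""Offline review of a constructed AWS-style account snapshot (added example).

Findings map to the customer half of the Shared Responsibility Model:
data not encrypted at rest, storage reachable publicly, too many admins.
"""
import json

MAX_ADMINS = 2  # assumed threshold; set to your organisation's policy

# Constructed snapshot. In a real review the same fields come from
# GetBucketEncryption, GetPublicAccessBlock and the user's attached policies.
SNAPSHOT = {
    "buckets": [
        {"name": "customer-pii", "sse": "aws:kms", "block_public_access": True},
        {"name": "marketing-site", "sse": None, "block_public_access": False},
        {"name": "app-logs", "sse": "AES256", "block_public_access": False},
    ],
    "user_policies": {
        "alice": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}',
        "bob": '{"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-logs/*"}}',
        "carol": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["iam:*", "s3:ListBucket"], "Resource": "*"}]}',
        "dave": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}',
        "erin": '{"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}',
    },
}

# "iam:*" on every resource is treated as admin-equivalent: its holder can
# attach any policy, including full administrator rights, to themselves.
ADMIN_EQUIVALENT_ACTIONS = {"*", "iam:*"}


def _as_list(value):
    """IAM allows a single string/object or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def is_admin_statement(stmt):
    """True when an Allow statement grants admin-equivalent actions on every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = set(_as_list(stmt.get("Action")))
    resources = set(_as_list(stmt.get("Resource")))
    return bool(actions & ADMIN_EQUIVALENT_ACTIONS) and "*" in resources


def policy_grants_admin(policy_json):
    """Parse an IAM policy document and report whether any statement is admin-equivalent."""
    doc = json.loads(policy_json)
    return any(is_admin_statement(s) for s in _as_list(doc.get("Statement")))


def audit_buckets(buckets):
    """Return (bucket, issue) pairs for missing encryption or unblocked public access."""
    findings = []
    for b in buckets:
        if not b.get("sse"):
            findings.append((b["name"], "no default encryption"))
        if not b.get("block_public_access"):
            findings.append((b["name"], "public access not blocked"))
    return findings


def audit_admins(user_policies, max_admins=MAX_ADMINS):
    """Return the sorted list of admin-equivalent users and a finding if over the threshold."""
    admins = sorted(u for u, p in user_policies.items() if policy_grants_admin(p))
    findings = []
    if len(admins) > max_admins:
        findings.append(("iam", f"{len(admins)} admin-equivalent users exceed limit of {max_admins}: {', '.join(admins)}"))
    return admins, findings


def run_audit(snapshot):
    """Run both checks and return a single result for reporting or escalation."""
    admins, iam_findings = audit_admins(snapshot["user_policies"])
    return {
        "bucket_findings": audit_buckets(snapshot["buckets"]),
        "admins": admins,
        "iam_findings": iam_findings,
    }


if __name__ == "__main__":
    result = run_audit(SNAPSHOT)
    for scope, issue in result["bucket_findings"] + result["iam_findings"]:
        print(f"[FINDING] {scope}: {issue}")
```

Every finding is a tuple of (scope, issue) so the output can be fed into whatever ticketing or escalation the monthly review uses; the point of the example is that each item in the prose list becomes a concrete, repeatable check rather than a one-time assessment.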
Our Mission at PTP - Enable Secure and Compliant Use of the AWS Cloud
Our services help provide oversight of data inside the AWS cloud. We provide insight, reporting and analysis of cloud configurations, alignment of configurations with security and compliance frameworks such as NIST and HIPAA, vulnerability scanning at the OS and application levels, and 24x7 monitoring for security threats, which can be analyzed by the PTP Security Operations Center (SOC). Recognizing that the cloud environment is dynamic and ever-changing, we provide these services on an ongoing basis as our customers' governance extension, escalating issues that require remediation every month. The tools we use in our platform, along with our expert staff, are delivered at a low recurring monthly cost, providing lower risk, critical information for compliance, cost-optimization that's critical for the CFO, and the discipline to execute on our mission every day of every year. Embrace the cloud, make your Information Technology a differentiator for your business, and ensure you have the security oversight that matches your level of risk.