AWS re:Invent 2015 recap

Despite returning from AWS re:Invent over two weeks ago, many of us are still recovering from a fun but exhausting conference. With half our team green to re:Invent and the other half veterans of the conference, the shock and awe of an intensive schedule of boot camps, technical and marketing sessions, networking, manning our booth, and of course swag gathering never ceases to amaze. With nearly 20,000 attendees descending on Las Vegas’ Sands Expo Center for the conference, the opening reception in the expo hall on Tuesday was, to put it bluntly, two hours of pure insanity. Thousands of attendees pour into the hall for free booze and all the best swag. For those working the booths this time is overwhelming at first but over time exhibitors settle into a frantic flow of controlled chaos. The rest of the week in the expo hall is just as exciting and, personally speaking, I enjoy my time in the booth. In the moment it is all at once physically tiring and mentally energizing. Being on your feet for hours on end is exhausting, but hearing the AWS stories of other attendees and addressing their security concerns is uplifting. In the weeks and months following the conference, I am able to reflect on my time there, the conversations and experiences that were had, and it ultimately helps to drive my work.

What we learned at re:Invent
While at re:Invent we are afforded the opportunity to talk with organizations of all sizes in all sectors about the security consulting services MindPoint Group offers. It’s no surprise that our focus at re:Invent is centered around the cloud and how our unique skill set and expertise in both security and cloud gives us the capacity to solve problems for our customers. What we saw this year at the conference was a sea of cloud technology vendors with some form of the word “secure” on their marketing material. Many of the attendees we spoke with on the floor would ask us how our product can secure their cloud applications. The answer, of course, is that we aren’t selling a product; we are a pure-play cyber-security consulting services company. Our product is the expertise of our people. I didn’t get to visit every single booth, but from what I saw MindPoint Group is one of the few companies that can offer cloud security expertise without being tied to a set of products.

One thing that I have noticed each year at the conference is that small and large organizations in the private and public sectors are facing very similar challenges. From startups to the largest Federal agencies, there are many common themes in cloud computing. This is no different when you talk about securing the cloud.

Changing hearts and minds…
“I want to use the cloud but (internal security, auditors, leadership) keeps asking if it’s secure.”
Regardless of the role the individual played at their organization, this was a concern that was voiced by many other vendors and participants alike. Application developers, infrastructure engineers, system administrators, and CTOs all had similar issues while convincing concerned stakeholders in their organization that moving to the cloud does not mean compromising an organization’s security posture. It’s actually quite the contrary; oftentimes moving to the cloud from on-premise systems or physical data centers can afford organizations much better security, higher reliability, and better return on investment. However, the concerned stakeholders are correct in their caution. It is much easier for an organization to lose control of its systems in the cloud. In a physical data center new systems require new hardware. On-premise virtualization technology changed that significantly and the threat of virtual machine sprawl is very real. The cloud brings an even bigger increase in flexibility. The cloud makes it possible to spin up an almost unlimited number of new systems with a few API calls, and auto-scaling means machines spin up when they are needed, then disappear when they are no longer required. This world brings a very real threat to the security of your systems and data. Moving to the cloud without proper due diligence in planning, rules, controls, and an overarching vision as to how it will all work is both foolish and irresponsible. Not moving to the cloud because stakeholders are unsure of how to ensure security controls are applied to the environment can also be foolish and irresponsible. MindPoint Group can help you solve these problems by:

  • Speaking intelligently about the realities of cloud security;
  • Helping your team put the necessary rules, controls, and tools in place;
  • Assessing your existing security program or the security of your cloud providers;
  • Performing penetration testing and application code reviews.

How do I secure it?
“How can we implement effective security for our applications in the cloud?”
There is no cookie-cutter answer to this question. No company has a golden gun which can magically secure the cloud, and any company claiming to offer such a product is undeniably selling a false bill of goods. The approach to secure cloud utilization varies by use case. Tactics like code review, encryption, third-party assessments, training, continuous monitoring, application security, vulnerability assessments, and penetration testing will improve your security posture. But just as is the case with on-premise security, the best security programs incorporate a holistic approach to security through a well-planned and consistently executed defense-in-depth strategy.

My devs said it was secure but I’m not so sure…
“How do we ensure the rules and controls that we’ve mandated are being implemented?”
Hiring a company to perform an independent assessment of your organization’s security posture is responsible, regardless of whether or not you specifically are concerned that teams are not following the rules. Third-party assessments are necessary and enable a company to get an outside perspective on its policies and procedures and its enforcement of those procedures. The goals of your company will drive what type of third-party assessment fits best, whether it’s a SOC 3, ISO 27000, or a FedRAMP assessment. These and other assessments will provide your organization with valuable insight necessary to ensure that your system is secure.

I secured it but the Federal Government still won’t buy it
“How can we sell our IaaS, PaaS, SaaS, cloud offering to the Federal government?”
As a cloud service provider seeking to enter the Federal market, your services are required to be compliant with FedRAMP. We have recently written several blog posts and whitepapers on the how and why of FedRAMP, which you can read for more insight.

Contact the MindPoint Group Cloud Security team today to find out how we can help you realize your ambitions in the cloud.
