Are You Secure Enough Outside the Cloud?

When I decided to move US Citizenship and Immigration Services (USCIS) into the cloud, I had a number of discussions with others in the federal IT community about cloud security. As the Authorizing Official—the person who had to sign off on the security of each system—for a component agency of the Department of Homeland Security, I felt strongly about the subject. My goal was always to keep raising the bar on our security posture, assuming that we would always be a target of bad actors, sometimes with the sponsorship and resources of a foreign government.

These discussions about cloud security often began with someone asking, “Yes, but is the cloud secure enough?” I always thought this was kind of a strange question. “Secure enough” is not really well defined; the right question, I think, is, “Will our security posture be better in the cloud or in our datacenter?” The answer, to me, was always obvious. The cloud made it possible for us to vastly improve our security posture.

Today, I would turn the question around and ask, “Are you secure enough outside of the cloud?” I believe that most organizations would have to answer, “No.” I strongly suggest that all enterprises—and government agencies—ask themselves this question with an open mind.

In the legacy datacenter, our status quo security approach had many of the problems that all companies, nonprofits, and government agencies face. We believed that too many people had privileged access to our systems. We didn’t patch our software quickly or frequently enough. Stolen credentials could easily lead to a disaster. When our auditors conducted mock social engineering attacks, they always discovered vulnerabilities. Our Security Operations Center (SOC) depended on our employees noticing bad behavior when they looked at a series of displays—we did not have a lot of automated triggers to let us know when something was wrong. Our datacenters were vulnerable to natural disasters, and it was expensive for us to provide Disaster Recovery (DR) capabilities for all of them. And the security posture of each of our systems was only evaluated every two or three years, unless we noticed a problem.

If you don’t think your organization has more or less this same set of security issues, check with your IT security folks.

It’s true that moving to the cloud does not magically solve all of these issues. But it does give you a set of tools that you can use to improve each issue, and a best-in-class secured and reliable infrastructure to build your security on. This is precisely what you need to keep raising the bar on your security posture.

AWS has a shared security model: AWS provides for the security of its platform (the security “of” the cloud) and you are responsible for the security of your applications and how you use the cloud (your security “in” the cloud). To help you secure your applications, AWS provides tools and best practices. For USCIS, this combination was precisely what we needed: we could rely on AWS’s platform security (we could “inherit” the controls that AWS provided), and we could take advantage of the tools AWS provided to apply our expertise and high standards to our applications within the AWS infrastructure.

As to the security of the AWS cloud: at AWS we have designed our infrastructure from the ground up with security in mind. We invest heavily in security and employ some of the world’s top security experts. We have achieved an extraordinary number of security certifications and attestations. AWS meets the needs of the most security-conscious organizations—banks like Capital One, payment systems like Stripe, intelligence agencies like the CIA, and the Department of Homeland Security. By building in AWS, you gain the security controls that have been built into the platform to satisfy all of their requirements and those of all the compliance frameworks. Now—no matter how secure your organization or government agency is—do you think you match this level of expertise and investment? Do you really want to? Or would you prefer to focus on your core mission?

For the aspects of security that the enterprise must ensure, perhaps the most powerful advantage of the cloud is that it supports best practices for application delivery. As we moved to the cloud we also rolled out a comprehensive set of DevOps practices. We began testing every build for security—and in the DevOps world this meant that we could be testing each system hundreds of times a day. We automated the standup of our cloud infrastructure so that there would be no fat-fingering mistakes and so that we could test the security of our infrastructure along with our code. We built reusable microservices for things like identity management, authorization, and audit logging. We began to save large quantities of logging, in some cases even keystroke data, taking advantage of the low cost of storage in the cloud.

To handle some of the security issues I mentioned above, we were able to reduce the number of users with privileged access to zeroby using immutable infrastructure. If a change had to be made to a production environment it was made in source control: the entire system was rebuilt and fully tested, the old instances torn down, and the new instances put in their place. No one needed to touch a running instance. We were able to start patching our systems much more frequently because our automated tests could quickly assure us that the patch wouldn’t break anything, or if it did, what needed to be fixed. Our improved auditing made it possible for us to identify suspicious behavior that might indicate a compromised credential, and in the cloud we could automate more of the detection of security incidents and the response to them.

While I was at USCIS we did not take advantage of all of the security services that AWS offers, some of which were developed after I left the agency. But with AWS we could now automatically enforce policies in production (using, for example, Config Rules), restrict what services a developer or user could use (through Service Catalog, for example), make sure infrastructure was provisioned following our guidelines (Cloudformation Templates), and use machine learning algorithms to detect intrusions (GuardDuty) and protect personally identifiable information (Macie). And these are just a few examples of the power of security in the cloud.

AWS continues to innovate new security tools and provides guidance on how to secure your workloads in the cloud.

So I ask you, now: Are you secure enough outside the cloud?

–Mark
@schwartz_cio
A Seat at the Table: IT Leadership in the Age of Agility
The Art of Business Value
War and Peace and IT: Business Leadership, Technology, and Success in the Digital Age (now available for pre-order!)