“You will never be 100% secure on any platform, but you have to be 100% prepared. AWS gives us the environment to be 100% ready as we complete our move to the cloud.”
Keith O’Sullivan, Vice President, Global Information Security, Time Inc.

One of Colin Bodell’s first tasks as Time Inc.’s new CTO was to undertake an IT inventory. What he saw was a cause for concern for a media company trying to serve and grow a worldwide customer base of 120 million unique annual visitors to its digital properties. The company had 15 data centers, including 10 colocated facilities and another 5 under its direct control.

“We had all of these data centers and a lot of held capital. We were unable to rapidly scale, and we were beholden to third parties. Getting new hardware on board was complicated and time-consuming,” Bodell says. “We didn’t want to be in the data center business anymore. We wanted our staff to focus on content, editorial, video—telling stories and connecting readers with news, business, and celebrities. I wanted to remove from the entire system anything that distracts from that.”

Time decided to get out of the data center business by going all-in with Amazon Web Services. It embarked on an aggressive plan to move all brands, such as InStyle, World Soccer, and Woman & Home, to the AWS cloud by the end of 2015; gradually close down data centers; and migrate customer-facing websites and corporate apps to AWS. Its plan also included re-architecting mainframe applications to move them off the on-premises systems.

Moving to AWS was not just about adopting new technology. The project presented an opportunity to rethink, renew, and reinforce security controls to match the highly distributed environment and processes of the cloud, such as DevOps and agile development, and to greatly accelerate deployments of new services and application features.

“When companies move to the cloud, many still use standards commonly applied to traditional data centers,” says Keith O’Sullivan, vice president of global information security. “A lot of existing security technology doesn’t really apply to the cloud, so we had to learn how to map data center standards to what we wanted to accomplish on AWS.”

Time’s top security priority was protecting confidential customer information, particularly the databases containing information on 45 million credit cards used by consumers to purchase its products.

“We’re very serious about protecting our customers’ personal information. It’s essential for maintaining trust,” O’Sullivan says. “When we started planning how to move our apps to the cloud, we reexamined how PCI—payment card industry—compliance would work. When you leave a traditional data center, DevOps teams can forget that they’re now working with infrastructure as code, not traditional on-premises systems.”

Time reviewed all of its applications, evaluating what security approach would work for each application based on the data it contains and the compliance standards attached to it. For example, websites with no entry fields were simple to move because they don’t interact with customer information. But subscription pages, where customers supply personal and financial information, must meet stringent security standards.

Time is part of an early wave of large organizations that are making major commitments to cloud computing, including all-in migrations. As a result, O’Sullivan says, IT managers must carefully examine the options available for their particular processes and applications to ensure that their organizations’ security policies and practices remain in place during the cloud migration. Time did this by conducting a gap analysis.

“We identified the security disciplines in place under our legacy system, and we then compared that with what we would need to operate in the AWS cloud,” O’Sullivan says. “For example, in evaluating PCI, about 200 requirements must be satisfied. Fortunately, with AWS we could access the right set of security products and procedures.”

AWS provides a high level of cloud security for enterprises, including a multitiered defense strategy of network firewalls, web application firewalls, identity management, and robust encryption options. In addition, AWS supports enterprise-level PCI protection. Time worked with AWS Professional Services on broad security issues as well as a new, cloud-based PCI framework using PCI DSS Level 1. That standard specifies best practices and security controls designed to prevent credit card fraud for service providers processing more than 300,000 transactions annually.

The company also worked with AWS Partner Network companies for additional guidance and point solutions. These included AWS Advanced Technology Partner Alert Logic for intrusion detection and scanners for identifying common threats, and AWS Premier Consulting Partner CloudReach, which provided assistance in the overall migration from on-premises data centers to the cloud. Time also worked with AWS Premier Consulting Partner Logicworks on security-oriented DevOps and PCI.

O’Sullivan says a lot of his peers at enterprise organizations remain skeptical about—or simply won’t discuss—cloud security. His response is that enterprises are headed to the cloud, and Time is choosing to stay ahead of the curve so it can leverage the benefits of cloud computing while keeping its data safe.

“With any new technology, security usually follows and is not in front of the tech push,” he says. “At Time Inc. we chose to stay ahead of the tech and build new frameworks for cloud deployments. It also gave my team the chance to work with emerging security technology, which helps retain the amazing talent we have.”

There are other benefits as well. Time foresees saving tens of millions of dollars in IT costs by moving to AWS through a combination of closing or consolidating data center resources, accelerating the delivery of features and products, and improving operational efficiencies. Those cost benefits are already being seen in security.

“Moving to AWS delivers huge cost savings for security,” says O’Sullivan. “We’ve already saved $600,000 on managed security services, and the overall savings will be in seven figures if we factor in the costs of hiring and monitoring external companies. We estimate that we’ll cut our security-related monitoring costs between 50 and 60 percent by moving to AWS. We’re already taking those savings and putting the money into other activities, like more detailed and advanced monitoring of internal breaches and data exfiltration.”

O’Sullivan adds that the cost savings and innovation go hand in hand when moving to the cloud, and that IT security departments need to embrace changes that will simultaneously protect information while supporting the business’s success.

“I tell others to never shut down new technology and always be forward thinking on security,” he says. “You will never be 100 percent secure on any platform, but you have to be 100 percent prepared. AWS gives us the tools and access to the right partners to be 100 percent ready as we move to the cloud.”

  • AWS Advanced Technology Partner Alert Logic provides advanced security tools and a 24x7 security operations center that offers expertise to customers seeking to defend against security threats and address compliance mandates.
  • AWS Premier Consulting Partner Logicworks is an enterprise cloud automation and managed service provider that combines highly advanced automation and DevOps capabilities with more than 22 years of IT experience.
  • AWS Consulting Partner CloudReach provides cloud-native systems integration that can support a wide range of AWS solutions for full project and operations life cycles.