Designing and Building Application Security and Layering it on top of AWS
By Colin Bodell, CTO & EVP, Time.
Before joining Time Inc. as CTO in February 2014, I worked at Amazon for eight years running the Website Application Platform team, which owned the technology that drives all Amazon websites. During my time there, I led the team that moved Amazon's websites in North America and Europe to Amazon Web Services (AWS). I consider that project highly successful: it drove significant cost savings, delivered previously unheard-of agility that let us react to traffic spikes, and gave our AWS colleagues valuable feedback on how AWS was, and will be, consumed within the enterprise.
Now at Time Inc., the world’s leading magazine publisher, I’m taking my eight years of experience working with cloud-based infrastructure and moving all global Time Inc. websites, mobile technology and IT infrastructure to Amazon Web Services (AWS).
Time Inc.’s compute, storage and network infrastructure is run from company-owned and operated data centers and co-location facilities worldwide. I kicked off the Time Inc. “Move to the Cloud” (MTC) initiative in April 2014 with the goal of building a cloud-based infrastructure and migrating all of our digital and enterprise applications to the cloud. Moving to a cloud-based infrastructure will significantly reduce our costs while dramatically improving time-to-deploy. I want Time Inc. out of the data center business and laser-focused on our core media-centric competencies.
The forecast we developed shows that cloud-based infrastructure costs will be ~45 percent less than equivalent services hosted in dedicated and co-location facilities. Bringing new hardware online in our data centers can take up to three months to specify, order, receive, rack and commission; cloud-based instances can be spun up in as little as five minutes.
In preparing for the move to the cloud, we assembled a cross-functional team representing Infrastructure, Information Security, Website Operations and Website and Mobile application owners to collaborate on the program. This team completed the design of the cloud architecture, developed enterprise cloud standards and governance procedures and built a cloud-based infrastructure to host customer-facing and back-office applications. A key area in the preparation was solving for the challenge of designing and building application security and layering it on top of AWS. The effective management of information security risk is a crucial part of our business objectives.
As new technologies such as cloud-based infrastructure emerge, it is the responsibility of our Technology & Product Engineering team to ensure that information security and risks are appropriately and sufficiently addressed.
Amazon is responsible for the security of the AWS architecture and infrastructure itself; security of what runs on top of it, including the application layer, is the responsibility of the organization using the service. AWS provides a foundational security infrastructure to protect its shared platform (high availability, scalability and efficiency), which is essentially infrastructure as a service. The controls AWS provides out of the box protect that platform, not the customer's workload. If a customer deploys its applications using only default AWS services, very few application security controls are in place. Companies take perimeter security for granted in a traditional infrastructure; in an AWS environment, security incident prevention, detection and monitoring are absent from a default set-up, and that default set-up is only a small piece of a fully secure framework and a fully protected resource. It is the sole responsibility of the AWS customer (in this case, Time Inc.) to ensure that its resources are protected at every layer.
We refused to take any risk in migrating our systems to the cloud without first understanding the gaps between traditional security and cloud-based infrastructure security. Our Information Security team performed a full gap assessment and quickly came to the understanding that this is not a simple one-for-one migration. For example, AWS does not offer a conventional firewall or Intrusion Detection System, owing to the nature of the shared platform. Instead it offers “security groups”, stateful allow-lists attached to instances that have no deny rules and do not record the traffic they permit, plus basic logging; neither is sufficient for us.
Our Information Security team identified the following gaps in a traditional AWS deployment:
1. Firewalls and Logging
2. Intrusion Detection Systems
3. Intrusion Prevention Systems
4. Denial Of Service mitigation
5. Vulnerability and Event Management
6. Control of Identity and Access Management
7. Data Loss Prevention (DLP)
We closed these gaps by tailoring our managed security service to the particular risks of the cloud, which meant implementing the following:
1. Host-based monitoring and threat detection
2. Host-based log management
3. Web Application Firewalls
4. Vulnerability scanning tools deployed in the cloud
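The gap list and the controls above can be made concrete with one check of the kind a cloud vulnerability-scanning tool has to perform for you, because the platform will not. The following is an added example written for this page, not Time Inc.'s tooling and not an AWS-supplied feature: it reads security-group definitions in the shape that `aws ec2 describe-security-groups` returns and reports rules reachable from anywhere. A security group permits such a rule silently, since it is a stateful allow-list with no deny rules and no log of its own, so the only way to notice is to read the configuration back out. The group IDs, the rule set and the policy assumption that only TCP 80 and 443 may face the Internet are invented for the example.

```python
"""Audit EC2 security-group rules for world-reachable exposure.

Constructed example for this article, not Time Inc.'s code and not an
AWS-provided control. Input mimics the `SecurityGroups` array returned by
`aws ec2 describe-security-groups`; the sample data below is made up.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List

WORLD = {"0.0.0.0/0", "::/0"}
# Assumption for this example: only a public web tier may face the world,
# and only on these TCP ports. Tune to your own standard.
PUBLIC_TCP_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    group_id: str
    direction: str      # "ingress" or "egress"
    protocol: str       # "tcp", "udp", "icmp" or "-1" (all protocols)
    ports: str          # "80", "1024-2048" or "all"
    cidr: str
    reason: str


def _ports(perm: Dict) -> str:
    """Render a permission's port range; '-1' protocol means every port."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return "all"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _world_cidrs(perm: Dict) -> Iterator[str]:
    """Yield only the CIDRs in a permission that mean 'anywhere'.

    Rules that reference another security group (UserIdGroupPairs) are
    not world-reachable and are deliberately ignored here."""
    for r in perm.get("IpRanges", []):
        if r["CidrIp"] in WORLD:
            yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        if r["CidrIpv6"] in WORLD:
            yield r["CidrIpv6"]


def audit_security_groups(groups: List[Dict]) -> List[Finding]:
    """Flag rules open to the world that a security group allows without
    any record. Ingress on the approved public ports is accepted; any
    other world-open ingress, and unrestricted egress (the EC2 default,
    which leaves no choke point for data-loss prevention), is reported."""
    findings: List[Finding] = []
    for sg in groups:
        gid = sg["GroupId"]
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                proto = perm.get("IpProtocol", "-1")
                ports = _ports(perm)
                for cidr in _world_cidrs(perm):
                    if direction == "ingress":
                        if (proto == "tcp" and ports.isdigit()
                                and int(ports) in PUBLIC_TCP_PORTS):
                            continue  # expected public web exposure
                        reason = ("all traffic open to the world" if ports == "all"
                                  else f"{proto}/{ports} open to the world")
                    else:
                        if ports != "all":
                            continue  # scoped egress is acceptable here
                        reason = "unrestricted egress (EC2 default); no DLP choke point"
                    findings.append(Finding(gid, direction, proto, ports, cidr, reason))
    return findings


# Constructed sample in the shape of describe-security-groups output;
# group IDs and rules are invented for the example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0web", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,   # SSH left open
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # EC2 default
    {"GroupId": "sg-0db", "GroupName": "db-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "UserIdGroupPairs": [{"GroupId": "sg-0web"}]}],   # web tier only
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0legacy", "GroupName": "lift-and-shift",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f.group_id} {f.direction:7} {f.protocol}/{f.ports} from {f.cidr}: {f.reason}")
```

In practice the input is the `SecurityGroups` array from `aws ec2 describe-security-groups --output json`, run per account and region on a schedule; a finding is only a configuration fact, so the host-based monitoring and log management listed above remain the controls that tell you whether anything actually used the opening.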
We encountered a significant challenge in the availability and selection of third-party consulting organizations with experience in architecting and deploying application security systems on AWS. The ones we identified were invariably far more expensive than prior experience suggested was appropriate. We identified Control Group, who proved to have the necessary expertise in the design of secure AWS deployment mechanisms and the development of security standards. The security standards delivered by New York-based Control Group laid the foundation for our full application security framework. Additionally, Alert Logic was leveraged to fill some of the gaps that existed in monitoring and detection. We employed several other vendors and best-in-breed security tools to round out the entire security framework.
By tailoring our managed security service in this way, we were able to put in place the security incident prevention, detection and monitoring required for a fully secure framework and a fully protected resource. As of October 2014, all of our UK sites run on AWS, our primary cloud hosting provider, as do about a third of the US sites. The Time Inc. Move to the Cloud project will be completed in 2015, significantly reducing our costs while delivering greater flexibility, all to the benefit of our customers and our business.