Designing and Building Application Security and Layering it on top of AWS

As new technologies such as cloud-based infrastructure emerge, it is the responsibility of our Technology & Product Engineering team to ensure that information security and risks are appropriately and sufficiently addressed.

"Time Inc’s compute, storage and network infrastructure is run from company-owned and operated data centers and co-location facilities worldwide"

Amazon is responsible for ensuring its AWS architecture and infrastructure is secure, but the application security layer within AWS is the responsibility of the organization using the service. AWS provides a foundational security infrastructure to protect its shared system and resource platform, essentially PaaS (e.g. high availability, scalability and efficiency). The security controls provided by AWS are reactive in nature. If a customer deploys its applications using default AWS services, there are very limited application security controls in place. Companies take for granted perimeter security in a traditional infrastructure. In an AWS environment, security incident prevention, detection and monitoring are absent in a default set up. This is just a  small piece of a full secure framework and a fully protected resource. It is the sole responsibility of the AWS customer (in this case, Time Inc.) to ensure its resources are protected at every layer.

We refused to take any risk when migrating our systems to the cloud without first understanding the gaps between traditional security and cloud-based infrastructure security. Our Information Security team performed a full gap assessment and quickly came to the understanding that it is not just a  simple one-for-one migration. For example, AWS does not have a conventional firewall or Intrusion Detection System due to the nature of the shared platform. Instead it offers “security groups” and basic logging, neither of which is sufficient for us.

Our Information Security team identified the following gaps in a traditional AWS deployment:

1. Firewalls and Logging

2. Intrusion Detection Systems

3. Intrusion Prevention Systems

4. Denial Of Service mitigation

5. Vulnerability and Event Management

6. Control of Identity and Access Management

7. Data Loss Prevention (DLP)

We mitigated these gaps by modeling our managed security service to the unique risks of the cloud. These included implementing the following:

1. Host-based monitoring and threat detection

2. Host-based log management

3. Web Application Firewalls

4. Vulnerability scanning tools deployed in the cloud

We encountered a significant challenge in the availability and selection of 3rd party consulting organizations with experience in architecting and deploying application security systems on AWS. The ones we identified were invariably much more expensive than prior experience would indicate as appropriate. We identified Control Group who proved to have the necessary expertise with the design of secure AWS deployment mechanisms and the development of security standards. The security standards delivered by New Yorkbased Control Group laid the foundation for our full application security framework. Additionally AlertLogic was leveraged to fill in some of the gaps that existed with monitoring and detection. We employed several other vendors and best-in-breed security tools to round out the entire security framework.

By modeling its managed security service, we were able to successfully put in place the security incident prevention, detection and monitoring required to create a full secure framework and a fully protected resource. As of October 2014, all of our UK sites execute on AWS, their primary cloud hosting provider, as well as about a third of the US sites. The Time Inc. Move to the Cloud project will be completed in 2015, significantly reducing our costs while delivering greater flexibility – all to the benefit of our customers and our business.

Check this out: Top Managed Security Service Companies in APAC