Clearpath’s Blog on IT Infrastructure, Hybrid Clouds and IT Security

AWS re:Invent 2015 Recap – Security, Redundancy, Resiliency and Disaster Recovery, Part 2

Posted by Mike O'Brien on Wed, Oct 21, 2015 @ 12:11 PM

I last wrote about this topic following a widely publicized AWS outage. This time, I am writing following the biggest cloud computing event of the year, AWS re:Invent 2015. Clearpath Solutions Group was proud to again sponsor this exciting and growing event which had over 18,000 people in attendance. There were several big themes to re:Invent this year including the Internet of Things (IoT), DevOps, Big Data and Business Intelligence. Check out the full list of new services and features here. It’s a lot to absorb and the pace of innovation never ceases to amaze me. Despite all the big news, these are my two big takeaways:

Takeaway One - Security and compliance were consistent themes throughout almost every keynote, session and conversation.

AWS introduced three new security-focused services on day one at re:Invent. Amazon Inspector is an automated security service that allows you to do a quick analysis of EC2 instances and provides a list of common security and compliance issues that should be mitigated. Amazon Inspector includes a database of hundreds of rules which AWS has mapped to common compliance standards such as PCI DSS and vulnerability definitions. These rules are constantly updated by AWS's team of security researchers.

AWS WAF is a Web Application Firewall that sits in front of your CloudFront distribution. AWS WAF provides customers the ability to block incoming HTTP/HTTPS requests based on source IP or HTTP header matching.

Finally, AWS added significant security functionality to many services through a new feature called AWS Config Rules. AWS Config Rules helps cloud administrators maintain their security and compliance posture by letting them choose from a set of rules based on AWS best practices or create their own custom rules. Examples of pre-built rules include ensuring that EBS volumes are encrypted, that EC2 instances are properly tagged, and that Elastic IP addresses (EIPs) are always attached to instances. This service continuously monitors changes to your AWS environment and includes a dashboard to continually track compliance status.
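To show what a rule of this kind actually checks, here is an added example (not from AWS or from the original post) that evaluates the three checks named above against recorded resource configurations, offline. The field names are modeled on AWS Config configuration items as an assumption, the `REQUIRED_TAGS` policy is hypothetical, and the sample items are constructed.

```python
# Added example: offline versions of the three checks named above.
# Configuration items below are constructed sample data, not AWS output.
REQUIRED_TAGS = ("Owner", "Environment")  # assumed tag policy


def evaluate(item, required_tags=REQUIRED_TAGS):
    """Return (compliance, reason) for one configuration item."""
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource was deleted"
    rtype = item["resourceType"]
    config = item.get("configuration") or {}
    if rtype == "AWS::EC2::Volume":
        if config.get("encrypted") is True:
            return "COMPLIANT", "volume is encrypted"
        return "NON_COMPLIANT", "volume is not encrypted"
    if rtype == "AWS::EC2::Instance":
        tags = item.get("tags") or {}
        missing = [t for t in required_tags if not tags.get(t)]
        if missing:
            return "NON_COMPLIANT", "missing tags: " + ", ".join(missing)
        return "COMPLIANT", "all required tags present"
    if rtype == "AWS::EC2::EIP":
        if config.get("instanceId"):
            return "COMPLIANT", "address is attached to an instance"
        return "NON_COMPLIANT", "address is not attached to an instance"
    return "NOT_APPLICABLE", "resource type not covered"


def summarize(items):
    """Group resource ids by the compliance result of evaluate()."""
    summary = {"COMPLIANT": [], "NON_COMPLIANT": [], "NOT_APPLICABLE": []}
    for item in items:
        summary[evaluate(item)[0]].append(item["resourceId"])
    return summary


SAMPLE_ITEMS = [  # constructed sample data
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-example1",
     "configuration": {"encrypted": False}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-example1",
     "tags": {"Owner": "web-team"}, "configuration": {}},
    {"resourceType": "AWS::EC2::EIP", "resourceId": "eipalloc-example1",
     "configuration": {"instanceId": "i-example1"}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-example2",
     "configurationItemStatus": "ResourceDeleted", "configuration": None},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ITEMS))
```

The deleted volume is reported as not applicable rather than non-compliant, which keeps stale resources from inflating the failure count on a compliance dashboard.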

Takeaway Two - AWS is making it easier than ever to bring your data and workloads onto their cloud.

Through new services like AWS Database Migration Service, combined with the Schema Conversion Tool, AWS is removing barriers to previously tricky and risky database migrations. This new offering ensures that the source database remains fully operational during the migration. The tool can be used for both one-time data migration into EC2 databases or RDS as well as for continuous data replication.

Another new service called AWS Snowball is an AWS-owned, ruggedized, PC-tower-sized device, which allows customers to transfer up to a Petabyte of data per week into the AWS Cloud. You order the device through the AWS console, specify which S3 buckets you want AWS to store the data in, and in a few days Snowball will arrive. You plug it in, connect it to your network, configure an IP address, install a small client and download a 25 character unlock code from the AWS console. Then you simply copy up to 50TB of data to each Snowball device. The data is 256-bit encrypted on the host and stored on Snowball in encrypted form.

What does this mean to me?

It’s interesting to me that the tone of conversations and presentations at re:Invent has changed over the last few years. Customers are less hesitant to put critical workloads into the AWS Cloud and AWS is making it easier to do so. Rob Alexander, the CEO of Capital One Bank, is going “all in on AWS” in part because, in his words, AWS "enables us to operate even more securely in the public cloud than our own data centers." Capital One is just one example.

Time Inc. is getting out of the data center altogether as they transform into almost an entirely digital business. General Electric is betting big on AWS. GE CIO Jim Fowler said that 9,000 workloads will move to AWS over the next three years, and GE's data center footprint will shrink from 34 locations to just four. "AWS is our trusted partner who's going to run our company for the next 140 years," he added. "For us this is no longer an experiment, this is no longer a test... It's inevitable." Top-level executives, not just CIOs or CTOs, are attending this event and realizing how the cloud can help transform their business, and for most companies, running data centers is not their business. This is a big change from the days of IT administrators hugging their data and fearing the security risks posed by multi-tenant public clouds.

In conclusion, this does not mean that security is any easier or less important. The fact that security, compliance and resilience all remain such hot topics means that it’s more critical than ever to stay in front of emerging threats and technology trends. This is easier said than done. AWS and other public cloud providers continue to innovate at a blistering pace and the barriers to entry in getting your data into the AWS Cloud continue to fall. It’s almost like AWS wants you to move stuff into their cloud. ☺ Best practices for high availability, security and compliance change almost as quickly as the cloud; and unfortunately, security threats emerge just as quickly.

Many organizations now have a better understanding of the potential of the public cloud. It’s no longer just that by moving to AWS, you can save significant money and reallocate IT resources to strategic projects. While many companies are moving their entire business into the cloud, not everyone is comfortable with letting go of their precious data and applications just yet. A recent Vormetric Data Security Survey shows that 40% of IT decision makers see the cloud as the biggest risk for sensitive data loss. One thing you cannot afford to do is underestimate your responsibility for security, compliance, availability and privacy. The transition to the cloud takes a keen understanding of how to secure and architect cloud environments and applications. AWS provides you all the tools you need to be as secure as you need to be, but your IT organization must understand how to operate in the AWS Security Shared Responsibility Model (see figure below) and how to design and build for high availability (HA).


By using best-practice HA design and a layered security approach that includes encryption, key management, strong access controls and the right security tools and intelligence, your organization can achieve the desired security posture to protect internal and customer data while keeping systems running with the required availability. Having a partner who can help you navigate AWS's massive catalog of cloud service offerings (25+ new offerings announced at re:Invent alone) and who has experience with architecting and securing your critical workloads is key to success in the cloud. Schedule a discussion with one of our cloud specialists today and we'll determine how your organization can best leverage AWS for your environment.

Topics: Best Practices, AWS re:Invent, AWS
