Security operations to consider when migrating to cloud.

Written by Phil Cadell, Solution Architect.

Posted June 5, 2019

Security is arguably the most important aspect to consider when migrating to the Cloud

There are many reasons that businesses nowadays look to migrate some (if not all) of their on-premises IT workloads into the cloud: the promise of unlimited scalability, increased management efficiency, high availability and reduced cost in the long term. These promises are real, tangible and realisable. However, it is a long journey to reach those goals, and there are many aspects along the way that must be considered; one of these aspects, and arguably the most important, is security.

How do you know your most valuable data and systems are secure and how do you mitigate the possibility of data breaches while operating in a public cloud environment?

When looking at the security of any given IT system, there are several aspects that need to be considered:

  • Physical security - who has physical access to the infrastructure?
  • Network security - who can communicate with the infrastructure?
  • Operating system security - who can access the underlying operating system running critical business applications?
  • Application security - who can gain access to the critical business application?
  • Data security - what information can be accessed within the critical business application?

These questions should be easy to answer in an IT environment wholly and solely controlled by your company. With the cloud being public and operated by an external provider, they become more difficult to answer. Securing the workloads becomes a shared responsibility between you and the cloud provider, and it is up to both of you to make sure your company isn't making headlines for the wrong reasons.

AWS Shared Responsibility Model

Enter the AWS Shared Responsibility Model. AWS has a well-documented operating model, the Shared Responsibility Model, which is foundational to its cloud offering. In brief, it states that AWS is responsible for securing the physical infrastructure and environments running its cloud, along with the systems that enable the AWS platform and services to operate as configured; this is security of the cloud. You, the customer, are responsible for configuring the AWS services for your workloads; this is security in the cloud. This is where a qualified AWS Cloud Managed Service Provider like Itoc can help.

By deciding to run your workloads on AWS, you receive a base level of protection out of the box. AWS infrastructure is compliant with leading industry security frameworks such as SOC 2, ISO 27001 and PCI-DSS Level 1. When it comes to your applications, Itoc has the expertise to assist you in securing your workloads on AWS in accordance with any regulatory compliance standards or frameworks you may need to meet.

Most of the major security frameworks are holistic in that they apply to an IT system as a whole. Under the AWS Shared Responsibility Model, this means that AWS is partially responsible for compliance, and so is your company. Take PCI-DSS for example: AWS has certified its infrastructure and the systems that operate it in line with the applicable PCI requirements. Other requirements in the standard apply to your company, such as patching of servers, continual monitoring of firewalls and scanning of systems. It is this sort of continual compliance work that an AWS Cloud Managed Service Provider like Itoc can assist with.

AWS Well-Architected Review

When assisting customers in migrating their workloads to the cloud and meeting their compliance requirements, one of the tools that qualified AWS MSPs can use is the Well-Architected Review. As a qualified provider of Well-Architected Reviews, Itoc can assess your infrastructure and workloads against the AWS Well-Architected Framework, which covers five pillars:

  • Operational Excellence
  • Security
  • Reliability
  • Performance Efficiency
  • Cost Optimisation

Each of these pillars has a number of core design best practices; aligning your workload with them will assist you in realising your goals for moving to the cloud. The common thread running through all of the pillars is automation.

Automation

Automation inherently provides a degree of change control and ensures repeatable, deterministic outcomes across different environments. AWS exposes all of its infrastructure through APIs, so any action that can be performed manually through the console can also be performed by an automation system via an API call. The ability to easily automate infrastructure operations and configuration is one key advantage of cloud systems over traditional IT environments and is emphasised in the security pillar of the AWS Well-Architected Framework.

AWS itself relies on massive amounts of automation to operate its platform, and so do AWS Cloud Managed Service Providers like Itoc, who manage and maintain infrastructure for multiple customers; it is fundamental to operating large-scale infrastructure in a cost-effective manner. For companies wanting to scale and become more cost-effective, moving to the cloud is a large decision and effort, and it requires skills in addition to those used to administer and maintain a traditional IT environment. A wrong decision early on can create a snowball of tech debt down the road.

Cloud Acceleration

Itoc has assisted many customers in moving their workloads to the AWS cloud and, over the course of many engagements, has created a Well-Architected Cloud Acceleration Program. It comprises four key phases and guides our customers into the cloud, ensuring that their workloads operate in a secure cloud environment designed around best practice. The environments are set up to meet any compliance requirements the customer may have and ensure they can seamlessly scale and operate in a cost-effective manner. With the addition of an Itoc Cloud Managed Service, we can further assist our customers in ensuring their environments and workloads remain available, performant and compliant.
