How AWS puts companies in control with a security-first cloud framework

It’s a matter of control

A leading practice security model starts with a basic realization: As cloud and multi-cloud frameworks take shape, rethinking security is a necessity. Tools, resources, and systems that offered adequate protection in the legacy world aren’t equipped for the cloud. 

Business and IT leaders increasingly recognize this. For instance, 31% of respondents from our latest CIO Imperative webcast reported that governance challenges represent a moderate to extreme barrier to realizing the value of the cloud. In addition, 25% reported that integration with existing systems is a challenge.

There’s good news, however. Although security in the cloud (or securing your cloud-first workloads) may seem daunting, a more advanced cybersecurity framework doesn’t require a complete security reboot. That’s because cloud delivers a highly modular, flexible and automated security model. It also eradicates barriers that have traditionally got in the way of business results.

For instance, within the legacy model, dedicated IT or security specialists handled tasks such as setting up identities, authentication and encryption as they arose. Alas, manual processes are time-consuming and they introduce human error. This approach can also cause performance drag — particularly as groups look to spin up new initiatives. 

By contrast, in the newer model, teams configure their environments with built-in cloud security mechanisms that boost protection without people noticing their presence. This confirms that the proper security configurations are in place. When a group spins up new architectures or solutions, strong security protections already exist. Amazon Web Services (AWS) in particular gives developers a suite of security tools. They include:

• AWS Cognito. Cognito delivers easy-to-use and highly automated, yet secure, authentication based on specific roles and resources. It controls access to back-end data from the web or an app.
• AWS Security Hub. Security Hub delivers a security posture management service with an embedded console that offers visibility into more than 140 categories. With built-in AWS Foundational Security Best Practices and automation, alert aggregation and a pass/fail view into resources, organizations can confirm that they are adhering to standards for everything from Virtual Private Cloud (VPC) flow logs and Elastic Load Balancing (ELB) to encryption at rest and in motion.
• AWS Control Tower. Control Tower offers a simple yet powerful way to set up pre-packaged controls that govern and secure a multi-account AWS environment. It delivers a landing zone based on blueprints of leading practices. Control Tower can be tailored to fit an organization’s exact needs. It offers a pre-packaged group of guardrails for security, compliance and operations. As a result, distributed teams can provision new AWS accounts quickly, while a CISO, IT and others can know that all accounts align with centrally established company-wide policies.

Good intentions won’t get the job done. It’s essential to have foundational security controls in place — and services that AWS offers make this possible. When an organization identifies key security risks and builds in testing and security controls, a leading practice approach becomes possible. 

Suddenly, there's no need to hash passwords and manually configure an array of processes. There’s no need to map identities in legacy and cloud systems. Silos vanish, security gaps disappear, and a highly secure framework emerges. 

How can AWS cloud take security to a higher level 

Make no mistake — this advanced framework doesn’t happen by chance. A starting point is to recognize that security is now everyone’s job — from software developers and IT administrators to line of business users and the C-suite. As a result, there’s a need to balance a technology foundation with cultural and practical changes.

Here are four crucial steps in building a cloud-native security model:

Step 1: Know your risks

It’s critical to understand what risks exist and what the damage could be, if an intrusion, breach or malware attack takes place. In order to achieve strategic alignment, a CSO or CISO have to identify the right security platform and tools and understand how to configure them for cloud-first security. In addition, employees have to understand security expectations in order to drive consistent and effective adoption.

Step 2: Adopt the right technology platform

It’s critical to embed security into systems rather than allowing it to become an afterthought or knee-jerk response. Today, major cloud providers offer powerful products and services that easily plug into cloud platforms. These tools — including some that are included at no additional cost — can help simplify and automate a myriad of tasks. AWS, for example, offers security plug-ins for identity and access control; malware scanning; data discovery, classification and protection; key management; auditing; and automated security checks.

An added benefit to this cloud-centric model is that it’s possible to adopt and implement tools over time. This means that your organization can get up to speed with one or two cloud security tools and expand from there. What’s more, this approach promotes the idea of embedding security early on and then building systems and capabilities around it. Consequently, security actually drives business transformation.

Step 3: Cultivate a security culture

You’ve heard it before: Initiatives succeed through a combination of people, processes and technology. The people part of this equation is critical. The broad and complex nature of enterprise security means that software development teams, mobile app engineers, web designers, database custodians, CMOs and other business groups have to all play a role. In fact, these groups have to work with security teams to design and manage processes.

How can an organization instill the right security values and inspire this level of collaboration? It starts with policies, runbooks and standard operating procedures. But it also includes cross-training, certifications, hackathons and other types of games and contests that give them an opportunity to put their security knowledge to the test. This is particularly important for developers and others on DevOps teams. As organizations shift-left–meaning they adopt a shared information culture — and look to adopt DevSecOps, an always-on security mindset is paramount. When this is combined with a focus on addressing critical skill sets, it’s possible to install critical guardrails — and pivot quickly as conditions warrant.

Step 4: Build a bridge between the CIO and CISO

Leading practice cloud security doesn’t just happen. It’s a byproduct of strong and committed leadership. Nowhere is this more apparent than in the CIO and CISO relationship. In many cases, there’s a need to rethink roles, responsibilities and tasks. For example, an organization should confirm that teams are in sync and built for speed, investing in people, and continually adapting and updating processes and workflows as both business conditions and clouds change and evolve.

These executives can confirm that the technology matches security needs, the organization is adopting security controls in a consistent way across clouds and applications and that employees are all on the same page. This approach also facilitates cross-pollination of ideas across groups and teams, addresses pockets of resistance and enables that, in the end, everyone and everything is on track.

It's essential to recognize that cloud introduces ways to fundamentally improve security — while accelerating business innovation and transformation. Organizations that establish a strategic foundation built on testing, visibility, automation and alignment move into the realm of cloud-native or cloud-first security controls are oftentimes far better equipped to navigate today’s business and cybersecurity challenges. With end-to-end visibility, monitoring and control, the burden of security evaporates and an organization can adopt a leading practice business framework.