SEC203: Journey to Securing Time Inc.’s Move to the Cloud

Colin Bodell - Time Inc.

Chris Nicodemo - Time Inc.

Derek Uzzle - Alert Logic

October 2015

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Six Benefits of Moving to the Cloud

• Trade capital expense for variable expense

• Benefit from massive economies of scale

• Stop guessing capacity

• Increase speed and agility

• Stop spending money on running and maintaining data centers

• Go global in minutes

Management Objective: MTC (Move to the Cloud)

What You’ll Get Out of This Session

Audience

• Security Framework

• Time Inc. experience

• Plan to Succeed

Seek Partners with Experience in AWS

Early Stages of Adopting a New Cloud Platform

Framework for Securely Migrating to the Cloud

1. Identify Security Disciplines & Outcomes

2. Evaluate Use of AWS

3. Design Security Program for AWS

4. Implement Security Program

Identify Security Disciplines

• Access management

• Application security

• Data security

• InfoSec governance and oversight

• Network security

• System security

1 Identify Security Disciplines & Outcomes

Identify Desired Security Outcomes

• Standards and processes

• Intrusion detection

• Log collection and correlation

• Vulnerability assessment

• Firewall (security group) rule management

• Web application protection (WAF)

• 24/7 SOC

• Asset discovery and configuration auditing

• File integrity monitoring

• Antivirus

State of Time Inc. (July 2014)

• Non-cloud deployments

    • Co-location, on-premises, and hosted data centers

• Three disparate divisions deployed in AWS

    • E-commerce

    • Web digital properties

    • API-based Social Tracking Tool

• In planning stages

    • Magazine subscription

    • Internal corporate applications/back-office systems

    • Big data compute

2 Evaluate use of AWS

Characteristics of New AWS Adopters

• Infrastructure is already in production

• Dynamic and growing environment

• Autonomy: no central gatekeeper

• Working with traditional security tools that typically do not transfer well

Security in the Cloud Is a Shared Responsibility

3 Design Security Program for AWS

Time Inc.’s Strategy

Develop Reference Architectures (Example)

Time Inc.’s Keys to Success

• Conduct risk assessment

• Understand new AWS concepts

• Seek managed security solutions

• Internal partnerships

• Define requirements

Conduct Risk Assessment

• Assured AWS environment was secured

• Performed security assessment on the design and identified security gaps

Understand New AWS Security Concepts

• New security considerations in AWS

    • VPC = New concept of perimeter

    • Security groups = Stateful firewall

    • AWS CloudTrail = Log AWS activity

    • AWS IAM = Fine-grained access control

    • AWS KMS = Encryption key management

Define Requirements

What are we protecting?

• Application

• Systems

• Network

Time Inc.’s Requirements

Hard Requirements

• Intrusion Detection System (IDS)

• Vulnerability Scanning

• Logging Collection, Correlation and Monitoring

• Web Application Firewall

• 24x7 SOC from Managed Security Service Provider

• AWS account services auditing and compliance

Soft Requirements

• Velocity

• Disparate Groups

• Align with DevOps Model

• Long-Term Strategic Partnership

Security Outcomes/Solutions

| OUTCOMES | SOLUTIONS |
|---|---|
| Standards and Processes | Time Inc. Security Policy |
| Intrusion Detection | Alert Logic |
| Log Collection and Correlation | Alert Logic |
| Vulnerability Assessment | Qualys |
| Firewall (Security Group) Rule Management | Algosec/Dome9 |
| Web Application Protection (WAF) | Alert Logic |
| 24/7 SOC | Alert Logic |
| Asset Discovery and Configuration Auditing | Alert Logic |
| File Integrity Monitoring | Tripwire |
| Antivirus | TrendMicro |

Seek Managed Security Solutions

• Log Monitoring

• Web Application Firewall

• Intrusion Detection System

Components of a Comprehensive Security & Compliance Solution

Applications, Systems, Networks

Products

• IDS

• Vulnerability Scanning

• Web Application Firewall

• Log Management

Automation and Analysis

• Threat Intelligence

• Big Data Analytics

• Security Research

People and Processes

Skilled staff capable of:

• Provisioning

• Monitoring

• Configuration and tuning

• Researching incidents and emerging threats

• Defining remediation steps

Seek to Partner Internally

Implement Security Program

• Partnership approach

    • Business and security team

• Review security framework

    • Policies

    • Reference architectures

    • Outcomes mapped to solutions

• Communicate

    • Webinars

    • Wiki/intranet

    • Key stakeholders

• Trust but verify

    • Monitor

State of Time Inc. (Today)

Non-cloud deployments

AWS deployments

• Six disparate divisions deployed in AWS

    • Web digital properties - 50%

    • API-based Social Tracking Tool - 100%

    • Internal applications - 35%

    • Big data applications - 50%

    • Time Inc. UK - 100%

    • New acquisitions - 90-95%

• Three in current deployment

    • Magazine subscriptions

    • E-commerce

    • Customer service systems

Contact us:

Derek Uzzle

Sr. Sales Engineer

Alert Logic – Booth #209

Chris Nicodemo

Global Application Security and Architecture

Time Inc.

Visit http://alrt.co/1PkJR01 for additional content

Remember to complete your evaluations!

Thank you!