Security and Cloud
Cloud Security. The words seem like they were meant for each other. Through my 20+ year career in IT, I’ve never come across a platform or technology that was so scrutinized for its potential for wreaking security havoc on its users. This despite no major breaches to any of the top tier cloud infrastructure providers. Sure, workloads running on cloud infrastructure have been compromised, but for two main reasons:
- Misuse of the tools made available to the users
- Vulnerabilities that would exist regardless of the infrastructure platform
But there is just something unnerving about running on shared infrastructure for people who spent their entire career using hardware partitioning as a fail-safe for certain security gaps. I get it. I’ve been there. But I’ve also been on the other side. I’ve seen horror stories of poor processes that allow strangers to wander around data centers with a laptop and access to available ethernet ports patched down to unencrypted private networks. I’ve seen firewalls pumping logs to nowhere. Running a datacenter is hard. Running a datacenter securely is expensive. And doing it consistently takes complete focus. It’s the perfect type of non-differentiating business requirement that begs to be outsourced. And it’s one that benefits from massive scale. From my perspective, the cloud has always been more secure, not less.
But with new platforms comes the need for new policies, new tools, new processes, and new capabilities of the people building and running them.
Best Practice Architecture
Amazon probably figured out long ago that security would be heavily scrutinized, and I’m guessing that was confirmed as AWS started attracting production workloads. AWS released the Well-Architected Framework, with one of the pillars being security. This gave guidance to customers on how to best architect on cloud infrastructure with security in mind, along with other pillars like performance efficiency, cost, and reliability. The info is right there for any IT pro to take and learn. But architecting on the cloud is like tiling your bathroom. You can read the book first, and after a few bathrooms, your floor will look great. You just don’t want to have to live with the first bathroom; it will be ugly. The great thing about the cloud is that if you architect poorly, it’s relatively inexpensive to rip and replace. This encourages companies to experiment, fail, and improve, which is a great way to learn.
Well, it’s a great way to learn about performance, scalability, and cost optimization. It’s not so great to learn about security this way. Although fixing an insecure cloud architecture can be very easy, the damage caused by a breach can be irrecoverable for a business.
Why we Value the AWS Security Competency
Based on the reality that security isn’t a thing that you want to learn by trial and failure, AWS users see great value in bringing in experts to help their teams. But working with a new partner has its own risks. Are they tiling their first floor?
From my experience, the AWS Security Competency is one of the more difficult competencies to achieve, and rightfully so. It requires irrefutable evidence that the partner not only understands security, but understands how to leverage the unique properties of cloud infrastructure to strengthen the security posture of the workload without losing the benefits that the platform was designed to afford.
Here at Foghorn we’ve been delivering security-focused cloud solutions longer than most AWS partners have been partners, and longer than many of them have even existed. As early adopters of the cloud for production workloads, we deeply understand the importance of security, and have honed our skills to deliver highly secure solutions without losing the agility that you need out of your cloud infrastructure. Foghorn is one of only sixteen companies (at the time I write this) to achieve the certification. We are proud to achieve the AWS Security Competency, and look forward to continuing to help companies secure their mission-critical workloads.
Are you knee deep in security related architecture decisions? Comment below with your challenge, or just give us a shout, we’d love to help.