(SEC203) Journey to Securing Time Inc's Move to the Cloud

"Learn how Time Inc. met security requirements as they transitioned from their data centers to the AWS cloud. Colin Bodell, CTO from Time Inc. will start off this session by presenting Time’s objective to move away from on-premise and co-location data centers to AWS and the cost savings that have been realized with this transition. Chris Nicodemo from Time Inc. and Derek Uzzle from Alert Logic will then share lessons learned in the journey to secure dozens of high-volume media websites during the migration, and how it has enhanced overall security flexibility and scalability. They will also provide a deep dive on the solutions Time has leveraged for their enterprise security best practices, and show you how they were able to execute their security strategy.

Who should attend: InfoSec and IT management.

Session sponsored by Alert Logic."

  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Colin Bodell - Time Inc.; Chris Nicodemo - Time Inc.; Derek Uzzle - Alert Logic. October 2015. SEC203: Journey to Securing Time Inc.’s Move to the Cloud
  2. Six Benefits of Moving to the Cloud • Trade capital expense for variable expense • Benefit from massive economies of scale • Stop guessing capacity • Increase speed and agility • Stop spending money on running and maintaining data centers • Go global in minutes
  3. Management Objective: MTC (Move to the Cloud)
  4. What You’ll Get Out of This Session • Audience • Security Framework • Time Inc. experience • Plan to Succeed
  5. Seek Partners with Experience in AWS
  6. Early Stages of Adopting a New Cloud Platform
  7. Framework for Securely Migrating to the Cloud: (1) Identify Security Disciplines & Outcomes; (2) Evaluate Use of AWS; (3) Design Security Program for AWS; (4) Implement Security Program
  8. Framework for Securely Migrating to the Cloud: (1) Identify Security Disciplines & Outcomes; (2) Evaluate Use of AWS; (3) Design Security Program for AWS; (4) Implement Security Program
  9. Identify Security Disciplines • Access management • Application security • Data security • InfoSec governance and oversight • Network security • System security [1: Identify Security Disciplines & Outcomes]
  10. Identify Desired Security Outcomes • Standards and processes • Intrusion detection • Log collection and correlation • Vulnerability assessment • Firewall (security group) rule management • Web application protection (WAF) • 24/7 SOC • Asset discovery and configuration auditing • File integrity monitoring • Antivirus [1: Identify Security Disciplines & Outcomes]
  11. Framework for Securely Migrating to the Cloud: (1) Identify Security Disciplines & Outcomes; (2) Evaluate Use of AWS; (3) Design Security Program for AWS; (4) Implement Security Program
  12. State of Time Inc. (July 2014) • Non-cloud deployments • Co-location, on-premises, and hosted data centers • Three disparate divisions deployed in AWS • E-commerce • Web digital properties • API-based Social Tracking Tool • In planning stages • Magazine subscription • Internal corporate applications/back-office systems • Big data compute [2: Evaluate Use of AWS]
  13. Characteristics of New AWS Adopters • Infrastructure is already in production • Dynamic and growing environment • Autonomy: no central gatekeeper • Working with traditional security tools that typically do not transfer well [2: Evaluate Use of AWS]
  14. Framework for Securely Migrating to the Cloud: (1) Identify Security Disciplines & Outcomes; (2) Evaluate Use of AWS; (3) Design Security Program for AWS; (4) Implement Security Program
  15. Security in the Cloud Is a Shared Responsibility [3: Design Security Program for AWS]
  16. Time Inc.’s Strategy
  17. Develop Reference Architectures (Example) [3: Design Security Program for AWS]
  18. Develop Reference Architectures (Example) [3: Design Security Program for AWS]
  19. Develop Reference Architectures (Example) [3: Design Security Program for AWS]
  20. Develop Reference Architectures (Example) [3: Design Security Program for AWS]
  21. Time Inc.’s Keys to Success • Conduct risk assessment • Understand new AWS concepts • Seek managed security solutions • Internal partnerships • Define requirements [3: Design Security Program for AWS]
  22. Conduct Risk Assessment • Assured AWS environment was secured • Performed security assessment on the design and identified security gaps [3: Design Security Program for AWS]
  23. Understand New AWS Security Concepts • New security considerations in AWS • VPC = New concept of perimeter • Security groups = Stateful firewall • AWS CloudTrail = Log AWS activity • AWS IAM = Fine-grained access control • AWS KMS = Encryption key management [3: Design Security Program for AWS]
  24. Define Requirements: What are we protecting? • Application • Systems • Network [3: Design Security Program for AWS]
  25. Time Inc.’s Requirements. Hard Requirements: • Intrusion Detection System (IDS) • Vulnerability Scanning • Logging Collection, Correlation and Monitoring • Web Application Firewall • 24x7 SOC from Managed Security Service Provider • AWS account services auditing and compliance. Soft Requirements: • Velocity • Disparate Groups • Align with DevOps Model • Long-Term Strategic Partnership [3: Design Security Program for AWS]
  26. Security Outcomes/Solutions (outcome: solution) • Standards and Processes: Time Inc. Security Policy • Intrusion Detection: Alert Logic • Log Collection and Correlation: Alert Logic • Vulnerability Assessment: Qualys • Firewall (Security Group) Rule Management: Algosec/Dome9 • Web Application Protection (WAF): Alert Logic • 24/7 SOC: Alert Logic • Asset Discovery and Configuration Auditing: Alert Logic • File Integrity Monitoring: Tripwire • Antivirus: TrendMicro [3: Design Security Program for AWS]
  27. Seek Managed Security Solutions • Log Monitoring • Web Application Firewall • Intrusion Detection System [3: Design Security Program for AWS]
  28. Components of a Comprehensive Security & Compliance Solution • Products • Automation and Analysis • People and Processes • Applications • Systems • Networks • IDS • Vulnerability Scanning • Web Application Firewall • Log Management • Threat Intelligence • Skilled staff capable of: provisioning; monitoring; configuration and tuning; researching incidents and emerging threats; defining remediation steps • Big Data Analytics • Security Research [3: Design Security Program for AWS]
  29. Seek to Partner Internally [3: Design Security Program for AWS]
  30. Framework for Securely Migrating to the Cloud: (1) Identify Security Disciplines & Outcomes; (2) Evaluate Use of AWS; (3) Design Security Program for AWS; (4) Implement Security Program
  31. Implement Security Program • Partnership approach • Business and security team • Review security framework • Policies • Reference architectures • Outcomes mapped to solutions • Communicate • Webinars • Wiki/intranet • Key stakeholders • Trust but verify • Monitor
  32. State of Time Inc. (Today) • Non-cloud deployments • AWS deployments • Six disparate divisions deployed in AWS • Web digital properties - 50% • API-based Social Tracking Tool - 100% • Internal applications - 35% • Big data applications - 50% • Time Inc. UK - 100% • New acquisitions - 90-95% • Three in current deployment • Magazine subscriptions • E-commerce • Customer service systems [2: Evaluate Use of AWS]
  33. Contact us: Derek Uzzle, Sr. Sales Engineer, Alert Logic – Booth #209, duzzle@alertlogic.com; Chris Nicodemo, Global Application Security and Architecture, Time Inc., Chris.Nicodemo@timeinc.com. Visit http://alrt.co/1PkJR01 for additional content
  34. Remember to complete your evaluations!
  35. Thank you!