"Learn how Time Inc. met security requirements as they transitioned from their data centers to the AWS cloud. Colin Bodell, CTO from Time Inc. will start off this session by presenting Time’s objective to move away from on-premise and co-location data centers to AWS and the cost savings that has been realized with this transition. Chris Nicodemo from Time Inc. and Derek Uzzle from Alert Logic will then share lessons learned in the journey to secure dozens of high volume media websites during the migration, and how it has enhanced overall security flexibility and scalability. They will also provide a deep dive on the solutions Time has leveraged for their enterprise security best practices, and show you how they were able to execute their security strategy.
Who should attend: InfoSec and IT management.
Session sponsored by Alert Logic."
2. Six Benefits of Moving to the Cloud
Trade capital expense for variable expense
Benefit from massive economies of scale
Stop guessing capacity
Increase speed and agility
Stop spending money on running and maintaining data centers
Go global in minutes
7. 1 2 3 4
Identify
Security
Disciplines
& Outcomes
Evaluate use
of AWS
Design
Security
Program for
AWS
Implement
Security
Program
Framework for Securely Migrating to the Cloud
8. 1 2 3 4
Identify
Security
Disciplines
& Outcomes
Evaluate Use
of AWS
Design
Security
Program for
AWS
Implement
Security
Program
Framework for Securely Migrating to the Cloud
9. Identify Security Disciplines
• Access management
• Application security
• Data security
• InfoSec governance and oversight
• Network security
• System security
1 Identify Security Disciplines & Outcomes
11. 1 2 3 4
Identify
Security
Disciplines
& Outcomes
Evaluate Use
of AWS
Design
Security
Program for
AWS
Implement
Security
Program
Framework for Securely Migrating to the Cloud
12. State of Time Inc. (July 2014)
• Non-cloud deployments
• Co-location, on-premises, and hosted data centers
• Three disparate divisions deployed in AWS
• E-commerce
• Web digital properties
• API-based Social Tracking Tool
• In planning stages
• Magazine subscription
• Internal corporate applications/back-office systems
• Big data compute
2 Evaluate use of AWS
13. Characteristics of New AWS Adopters
• Infrastructure is already in production
• Dynamic and growing environment
• Autonomy: no central gatekeeper
• Working with traditional security tools that typically do
not transfer well
2 Evaluate use of AWS
14. 1 2 3 4
Identify
Security
Disciplines
& Outcomes
Evaluate Use
of AWS
Design
Security
Program for
AWS
Implement
Security
Program
Framework for Securely Migrating to the Cloud
15. Security in the Cloud Is a Shared Responsibility
3 Design Security Program for AWS
21. Time Inc.’s Keys to Success
• Conduct risk assessment
• Understand new AWS concepts
• Seek managed security solutions
• Internal partnerships
• Define requirements
3 Design Security Program for AWS
22. Conduct Risk Assessment
• Assured AWS environment was secured
• Performed security assessment on the design and identified
security gaps
3 Design Security Program for AWS
23. Understand New AWS Security Concepts
• New security considerations in AWS
• VPC = New concept of perimeter
• Security groups = Stateful firewall
• AWS CloudTrail = Log AWS activity
• AWS IAM = Fine-grained access
control
• AWS KMS = Encryption key
management
3 Design Security Program for AWS
25. Time Inc.’s Requirements
Hard Requirements
• Intrusion Detection System (IDS)
• Vulnerability Scanning
• Logging Collection, Correlation and
Monitoring
• Web Application Firewall
• 24x7 SOC from Managed Security
Service Provider
• AWS account services auditing and
compliance
Soft Requirements
• Velocity
• Disparate Groups
• Align with DevOps
Model
• Long-Term Strategic
Partnership
3 Design Security Program for AWS
26. Security Outcomes/Solutions
3 Design Security Program for AWS
OUTCOMES SOLUTIONS
Standards and Processes Time Inc. Security Policy
Intrusion Detection Alert Logic
Log Collection and Correlation Alert Logic
Vulnerability Assessment Qualys
Firewall (Security Group) Rule Management Algosec/Dome9
Web Application Protection (WAF) Alert Logic
24/7 SOC Alert Logic
Asset Discovery and Configuration Auditing Alert Logic
File Integrity Monitoring Tripwire
Antivirus TrendMicro
27. Seek Managed Security Solutions
Log Monitoring Web Application
Firewall
Intrusion Detection
System
3 Design Security Program for AWS
28. Products Automation
and Analysis
People and
Processes
Applications
Systems
Networks
Components of a Comprehensive Security & Compliance Solution
IDS
Vulnerability Scanning
Web Application Firewall
Log Management
Threat
Intelligence
Skilled staff capable of:
• Provisioning
• Monitoring
• Configuration and tuning
• Researching incidents and
emerging threats
• Defining remediation steps
Big Data
Analytics
Security
Research
3 Design Security Program for AWS
29. Seek to Partner Internally
3 Design Security Program for AWS
30. 1 2 3 4
Identify
Security
Disciplines
& Outcomes
Evaluate Use
of AWS
Design
Security
Program for
AWS
Implement
Security
Program
Framework for Securely Migrating to the Cloud
31. Implement Security Program
• Partnership approach
• Business and security team
• Review security framework
• Policies
• Reference architectures
• Outcomes mapped to solutions
• Communicate
• Webinars
• Wiki/intranet
• Key stakeholders
• Trust but verify
• Monitor
32. State of Time Inc. (Today)
Non-cloud deployments
AWS deployments
• Six disparate divisions deployed in AWS
• Web digital properties - 50%
• API-based Social Tracking Tool - 100%
• Internal applications - 35%
• Big data applications - 50%
• Time Inc. UK - 100%
• New acquisitions - 90-95%
• Three in current deployment
• Magazine subscriptions
• E-commerce
• Customer service systems
2 Evaluate use of AWS
33. Contact us:
Derek Uzzle
Sr. Sales Engineer
Alert Logic – Booth #209
duzzle@alertlogic.com
Chris Nicodemo
Global Application Security and
Architecture
Time Inc.
Chris.Nicodemo@timeinc.com
Visit http://alrt.co/1PkJR01 for additional content