Moving applications and infrastructure to the Amazon cloud takes much of the software and data security responsibility out of enterprise architects' hands. The danger lies in thinking that in-house security measures are not necessary anymore, according to Mark Nunnikhoven, Trend Micro Inc.'s vice president of cloud and emerging technologies. Even with applications in the cloud, there's no big wall around a company's data.
Helping business architects secure cloud applications going on Amazon Web Services is a key mission for Nunnikhoven. He works with AWS users to improve and modify traditional security processes and techniques in order to secure AWS components. In a recent SearchAWS.com interview, he gave advice for architects on responsibilities and tactics for securing business data and applications in the AWS cloud. He also described Trend Micro's new security support services.
When thinking of application security, what important facts should software pros who are new to AWS development know?
Mark Nunnikhoven: They should understand that they do have responsibilities for security, so they need to understand how AWS security works in the cloud. Fortunately, most DevOps teams realize they will have to focus only on about half of the security points in traditional environments.
In a traditional environment, developers and architects are responsible for everything related to security: facilities, physical security, physical infrastructure, network infrastructure, virtualization infrastructure, operating system, application and application account management. In the AWS cloud, they're only responsible for specific areas, largely the operating system, applications and data. They can spend more time building a much more robust security posture, because AWS takes care of the other pieces. Enterprise architects can make sure that tools match the way they want to operate in the cloud and can optimize processes to make sure they are involving people only when needed. Reducing security responsibility simplifies making intelligent choices in design and tools for securing applications, operating systems and data.
Nunnikhoven: The developer and architect are responsible for securing operating systems, applications and data that run on top of the infrastructure components. Proper account management is very important here. They must make sure to lock down operating systems with additional controls like intrusion prevention, anti-malware and integrity monitoring. They secure data using encryption techniques and make sure that their application is designed in a secure manner.
What kind of mistakes do you see enterprise architects make when first deploying resources to the cloud?
Nunnikhoven: The most common and understandable mistake is trying to replicate the same type of environment in the AWS cloud as they had in the data center. That will work from a technology standpoint, but it's not nearly the best deployment option possible. Replicating a data center environment in the cloud is like buying a Ferrari to go to the corner store for milk. It's an obvious waste of money. The AWS cloud provides so much power and flexibility and doesn't require the customer to buy servers, etc.
Another mistake is not automating often enough. The cloud is built for automation, and security measures have to be automated, too. Otherwise, cementing security is going to slow down development and deployment. Also, make sure the security tools are flexible and easy to use, especially for nonsecurity users. Usually, it's a development or DevOps team in charge of cloud applications and not a full-time, in-house security department.
What are the security risks that happen during deployment of legacy apps to AWS?
Nunnikhoven: Traditionally, in an on-premise environment, security is often seen as a blocker. There tends to be a gateway check along the deployment phases that requires security's approval, which usually leads to many adjustments and a lot of manual intervention.
Today, even noncloud applications should be made to deploy in the same manner that the cloud does. We at Trend Micro have APIs behind all products, and we've made them highly scriptable as well as easily automated. So, yes, traditionally deployment was a road blocker, but if you're using tools that have been optimized for AWS, it's not.
Trend Micro released Deep Security as a Service, a set of services and tools specifically for AWS, in late March of this year. What benefits does Deep Security offer application developers?
Nunnikhoven: This security platform combines all the pieces enterprise architects need to fulfill their responsibilities in the AWS shared responsibility model, providing firewall, intrusion prevention, file integrity monitoring, log inspection, anti-malware and other tools. All this runs on a centrally managed security console.
A cool tool is Deep Security's Pre-Authorized Scanner, which lets enterprise architects do a vulnerability scan without getting permission from Amazon. We've gotten permission, which takes away the permission steps.
We've made it so that the developer and the architect can deploy security with just a single binary agent that's easily automated. We've tailored the product to work how the development team works, while still supporting a security team's tasks.
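File integrity monitoring comes up twice above, as one of the operating-system controls the customer still owns under the shared responsibility model and as one of the agent's functions. The following is an added example, written for this page and not code from Nunnikhoven, Trend Micro or Deep Security, showing the core of what such a control does: record a baseline of hashes, sizes and permission bits for a tree of files, re-scan, and report what was added, removed or changed. The directory layout and file contents are constructed for the demo, and the "tampering" (a dropped web shell, a weakened sshd_config, a deleted deploy script) is simulated inside a temporary directory. Real agents run the re-scan on a schedule or from inotify events and ship the diff to a console; this block only returns it.

```python
import hashlib
import os
import tempfile

# Constructed sample tree (hypothetical paths and contents, not from the interview).
SAMPLE_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "usr/local/bin/deploy.sh": b"#!/bin/sh\nexec /opt/app/start\n",
    "var/www/index.html": b"<h1>hello</h1>\n",
}


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and record mode bits, size and hash per regular file, keyed by relative path.

    Symlinks and special files are skipped: hashing through a symlink would let an
    attacker point a monitored path at an unmonitored file.
    """
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            baseline[rel] = {
                "mode": st.st_mode & 0o7777,  # a chmod alone (e.g. setuid) counts as drift
                "size": st.st_size,
                "sha256": sha256_of(full),
            }
    return baseline


def compare(baseline, current):
    """Diff two baselines; a path is 'modified' if any recorded attribute differs."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def write_sample_tree(root, files=SAMPLE_FILES):
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Baseline a constructed tree, simulate tampering, and return the detected drift."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        baseline = build_baseline(root)

        # Simulated tampering (constructed for the demo):
        with open(os.path.join(root, "var", "www", "shell.php"), "wb") as f:
            f.write(b"<?php system($_GET['c']); ?>")          # web shell dropped
        with open(os.path.join(root, "etc", "ssh", "sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin yes\nPasswordAuthentication yes\n")  # config weakened
        os.remove(os.path.join(root, "usr", "local", "bin", "deploy.sh"))   # script deleted

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:>8}: {p}")
```

The baseline dictionary is what must be protected in practice: store it off the host (or sign it) so that whoever can alter a monitored file cannot also rewrite the record of what it should look like.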