Friday, July 28, 2017

AI and the Future of Cybersecurity: Analyzing & Identifying Cybercrime (Webinar)

On August 17th I'll be co-presenting a webinar with Darktrace on "AI and the Future of Cybersecurity: Analyzing & Identifying Cybercrime".

In today’s world, it is critical to be proactive. Ransomware, malware, insider threat, and IoT are evolving rapidly, which means that prevention tactics must keep up and evolve at an equally rapid pace. Zero day attacks can be detected and prevented when businesses incorporate AI and Machine Learning into their cyber defense strategy.

If you want to learn more, please register for the webinar (seats are limited): http://www.ccsinet.com/ai-future-cybersecurity/

Monday, July 3, 2017

Targeted iPhone Phishing Scams (Trident Zero Day)

Here's the video of an interview I did for News12 regarding iPhone users being targeted for phishing scams related to the Trident zero day. Time to update!

http://longisland.news12.com/story/35241250/cybersecurity-expert-warns-of-scam-targeting-iphone-users

The Rise of Artificial Intelligence in Cyber Security

The rise of behavioral analytics, machine learning, artificial intelligence, or whatever the latest nomenclature currently being promoted by vendors is, has taken the security community by storm and is showing no signs of stopping. It's almost impossible not to see these phrases mentioned on new preventative solutions going to market, and rightfully so. With an industry accustomed to relying on static signatures, known bad hashes and singular alerting, this technology is a welcome relief for defenders, and we've seen the market capitalize on our desire for it. Here's an article I wrote for SC Magazine on how AI became the darling of an industry: https://www.scmagazine.com/how-artificial-intelligence-became-the-darling-of-an-industry/article/666778/

Monday, May 15, 2017

WannaCry - It's Time To Get Back To Basics

I've been asked to comment on the WannaCry ransomware by a few groups. Here are my thoughts on what happened and what the logical next steps are. You can read the blog post here: http://www.ccsinet.com/blog/wannacry-keep-calm-and-remember-the-basics/

Honestly, this is a wake-up call for the security community to "Get Back to Basics". Plain and simple.

Friday, May 5, 2017

Defeating Ransomware With A Little Help From Your Friends

We all know this, so it doesn't have to be said, but I'm going to say it anyway: ransomware sucks. For anyone who's suffered at the hands of attackers making money by holding your personal or business data hostage, you know just how much it sucks. The issue doesn't seem to be going away either; it's getting exponentially more difficult to deal with as attackers hone their techniques and companies continue to operate with limited security resources.

Last month I worked with CCSI to write a whitepaper on behavioral analytics and machine learning and how they can be applied to detect and prevent attackers in your network. On May 11th, CCSI is hosting a webinar to review this whitepaper and the role MSSPs can play in using this technology to help you become more secure.

The key questions to ask when attempting to defeat ransomware are:

1. Will your current technology detect ransomware in your network?
2. If it does detect it, will it prevent it?
3. How do you respond to these notifications, especially during off-hours or with a limited staff?

This webinar reviews the role of MSSPs in this space and how they help your organization become more resilient by using this technology to detect, prevent and respond to ransomware in your network 24x7x365.

There is limited space for this webinar so sign up soon: http://www.ccsinet.com/ccsi-webinar-defeat-ransomware/

Tuesday, April 25, 2017

Using Machine Learning and Behavior Analysis to Assist with Threat Detection

Here's a whitepaper I wrote with CCSI describing what machine learning is and how you can use behavior analysis to assist your organization with threat detection. Few things over the past few years have changed the way we defend our networks like these two.

Attackers are consistently breaching enterprise networks in attempts to compromise confidential data, and the hard truth is they're not slowing down. Data breaches have almost become commonplace in today's news, and we've seen businesses hit with attacks that cost them millions of dollars in lost revenue, fines and consumer trust. The majority of these organizations already had the traditional security commodities in place (e.g. logging, firewall, SIEM) and yet were still breached by dedicated attackers. In today's attack landscape, advanced attackers are able to bypass many of these defenses with persistent and dedicated attacks directed at the organization's user base and at vulnerabilities within its security architecture. The unfortunate truth when using only traditional security defenses is that the odds are heavily weighted in the attackers' favor. Adding behavioral analysis and machine learning to a business's cyber defense brings visibility into threats, which is sorely needed in today's networks.

Tuesday, March 28, 2017

MegaplanIT Supports PCI SSC North America Community Meeting with Platinum Sponsorship

I've worked with the group over at MegaplanIT for quite some time and have nothing but great things to say about them and their company. Their professionalism, technical ability and business acumen have always impressed me, which is why, when I heard they were sponsoring the PCI SSC North America Community Meeting as a Platinum sponsor, I wanted to give them the recognition they deserve. Over the years MegaplanIT has grown to become a trusted partner in the security and compliance space, and it's great seeing good people succeed. I would highly recommend reaching out to them for any PCI-related services. Below is their new press release. Kudos, guys!

MegaplanIT Supports PCI SSC North America Community Meeting with Platinum Sponsorship

MegaplanIT, LLC, is the Platinum sponsor for the PCI SSC North America Community Meeting being held in Orlando, Florida, in September, 2017.

Scottsdale, Arizona – March 2017

MegaplanIT, LLC, a PCI QSC and premier provider of security and compliance solutions, has announced that it would be participating in the PCI SSC North America Community event this September, as a Platinum sponsor. The event, which takes place September 12-14, in Orlando, Florida, is a principal conference bringing together stakeholders from the payment card industry to participate in discussions on the latest standards, technologies, and strategic initiatives shared by the PCI Council.

“We are excited for the opportunity to partner with the PCI Council as a Platinum sponsor in this year’s PCI SSC North America Community Meeting.  By sponsoring the event, we hope to display MegaplanIT’s continued commitment to, and appreciation of, the PCI Council’s hard work and guidance”, says Managing Partner of MegaplanIT, Michael Vitolo. He goes on to share, “with this support of the Council, we’re continually looking to develop strong relationships and work with other organizations to become a trusted partner within the payment card industry, while offering the best services available to our customers.”

By promoting the Platinum sponsorship, MegaplanIT believes that showcasing their brand during this PCI community event demonstrates their level of commitment and dedication to their clients in need of PCI and security related services. 

For further details please contact:

Jerry Abowd
Principal Account Manager
MegaPlanIT, LLC
800-891-1634 ext 105

Thursday, March 23, 2017

10 Must Read Infosec Books

I was recently asked to participate in selecting one information security book to add to a round-up of recommended reading for infosec pros. The round-up includes ten selections from different people and was published by Tripwire here.

There are many great books out there I wanted to recommend, but since I only had one spot on the list I wanted to make it count. My selection, even though it's an older book, was Extrusion Detection: Security Monitoring for Internal Intrusions by Richard Bejtlich.

The technology in this book might have changed, but the concepts are still the same. In order to defend the confidential data within your network, there needs to be proper extrusion detection in place to detect intruders who have compromised your internal systems and are attempting to siphon sensitive data out of your network. There's been a huge emphasis on preventing threats in the past, but we have to adopt the mindset that we're already breached and work out how to deal with it. This book gives you some serious food for thought on how that can be applied, and it was eye-opening for me when I read it almost a decade ago.

Tuesday, February 21, 2017

New York State’s New Cybersecurity Regulation and What it Means to you

New York is launching a new cybersecurity regulation which will come into effect March 1. This new regulation targets the banking and insurance sectors with the aim of better protecting institutions and consumers against the bad actors that target these firms.

This new cybersecurity regulation, believed to be the first of its kind adopted by a U.S. state, highlights the need for, as well as the inability to quell, the attacks on businesses and government agencies, regardless of the countless sums invested in information security and thrown at the bad guys.

Take a look at the rest of the article here to determine what this means for you: http://www.ccsinet.com/ny-states-cybersecurity-regulation/

Friday, February 10, 2017

Establishing a Data Protection Committee for the Boardroom

In other countries, especially in Europe, there's a requirement to have data protection committees to enforce the privacy and protection of a country's or organization's data. In America we don't have those particular laws enforced, but it's something we should still strive towards even if it's not mandated by government...yet. Establishing a committee for data protection within an organization requires upper management approval, an understanding of risk and law, and the proper tools to complete the job. With this in mind, the two largest concerns for data itself are security and privacy. These two topics overlap in certain areas, but each can also stand alone. When building a committee to protect these two aspects of data, we'll need to understand what the role of the committee is and how it will function going forward.

By far the most important part of the committee is its membership: who's been asked to attend. There need to be chairs, preferably co-chairs, that have been either voted in or assigned to the committee by upper management or leadership. The committee itself should include all walks of life when it comes to its members and not only those in the security field. By only including members from security you miss out on valuable insight from other areas of the business.

Membership should include representation from legal, compliance, particular business units, M&A teams, security & privacy, operations, etc. The membership can grow, but it should be kept to individuals who have the authority and acumen to make decisions regarding the topics at hand. They don't always have to be experts on data security, but they should bring knowledge of their business unit or field and how it relates to the protection of the organization's data. These members should be a cross-functional group of individuals working together, potentially with a few advisors to help guide the conversation. This group should be in attendance for the majority of the committee meetings and not continually send someone in their place; if that happens, the meeting will be derailed and won't bring about change. The tone of the committee should be one of top-down management that's making strategic decisions about data security, and it should be less operational in nature.

This committee should stimulate conversation with each business group while guiding, proposing and advising the company on how to handle data protection as an organization. Its members will have to understand the current threat landscape and where the company stands in protecting its data and privacy. From that understanding they'll also have to identify where the gaps lie within their strategic vision. Once this occurs, they can start putting plans in motion for standards and deliverables for subsequent meetings. By creating a vision of the future and reacting to the gaps that exist in the company today, the data protection committee can start making real progress within the organization.

With this progress, there will also need to be resources, budget and metrics. Proposing a plan for the future might require budget, but many times there are things that can be done without spending a dime. Creating an agenda for each meeting, with the appropriate deliverables to be accomplished, is a helpful way to measure the progress of the committee. Bringing metrics on these deliverables and holding people accountable for the data protection tasks will improve involvement and participation. Long story short, this data protection committee needs to be made up of people from throughout the business who are looking to the future to protect the security and privacy of the data your organization holds. Using this committee to shine a light on your data protection efforts can improve the safety of your data going forward.

The Difference Between Sandboxes and Containers

Isolating malware before it spreads and infects your endpoints is important. To that end, multiple technologies have emerged to defend against the threat of malware by isolating and detonating it before it's able to exploit your systems. In this article, I discuss the differences between sandboxes and containers and give recommendations on when each should be used.

It's really up to your architecture as to what makes the most sense for your environment, but understanding the difference between containers and sandboxes will definitely give you a good starting point.

You can read my opinion on the matter here: http://searchsecurity.techtarget.com/answer/Whats-the-difference-between-software-containers-and-sandboxing

Tuesday, January 31, 2017

Cloud Adoption is Driving Security Innovation

Cloud adoption is bringing about a revolution in security innovation. Only a few short years ago security professionals were terrified to even utter the word "cloud", but today, as organizations see the benefit of moving towards the cloud, its adoption has forced innovations that weren't around just a few short years ago. If the cloud was ever to be taken seriously, cloud service providers knew security had to be built in from the start. By taking this approach, leading cloud providers have driven security into their infrastructure and have arguably created environments that are not only as secure as where a business's data previously lived, but potentially even more so. In many cases it's up to the organization to create and manage the configuration in a secure manner. With this being said, CSPs and security vendors have taken advantage of security in the cloud and are pushing it to their advantage, securing their clients in the meantime.

Cloud Service Providers Benefit from Security
It's not a secret that AWS and Azure have been making giant strides in security. This has been done either by partnering with third-party vendors to integrate their solutions into the CSP's infrastructure, or with home-grown features giving clients the architecture needed to implement a secure network. The security risks of the cloud were made known right away, and without the CSPs foreseeing this blocker as early as they did, cloud adoption wouldn't be as prevalent as it is today. Not only did they secure their infrastructure to a point where it would pass regulatory audits, but they added features within their cloud ecosystems that brought security to the masses (e.g. logging, WAF, firewalls, security assessments, etc.), built into their offerings. In the past, other companies might have shied away from these options with on-premises equipment, but having these services available has helped spread the awareness and implementation of security to the masses. The major CSPs have to be given credit for the way they've banked on security and turned their offerings not only more secure, but more successful.

Security Vendors' Adoption and SecSaaS
With the cloud providers shoring up their infrastructure, it was only a matter of time before the security vendors started to dabble in the cloud. Today there are numerous cloud options available to secure your enterprise, and the security industry has made a large push to make sure that its products are all functional in a cloud-based architecture. The security industry has been given a green light to proceed with developing its products to be cloud friendly. If vendors didn't, they'd be left behind by competitors that are taking advantage of all the benefits the cloud has to offer. Just as the CSPs pushed security into their offerings early on, the security vendors are now pushing cloud into theirs.
Security vendors are now using the cloud to produce innovative products that are changing the way businesses work. The flexibility of the cloud and the capability to communicate remotely are allowing vendors to perform additional analysis, monitor more efficiently and remove management systems that once lived on premises at a client's site. This also allows endpoint protection to be consistently up to date no matter where that endpoint happens to be. These vendors are also able to set up SOC-like monitoring, since all data lives on their side, and assist clients with 24x7 monitoring. No longer does an endpoint leaving the boundaries of your enterprise leave security behind with it. These vendors are able to have their hybrid solutions produce the same level of security and monitoring without being tied to a geographic location.

This has also produced a huge increase in SecSaaS, or security as a service. These services give customers the flexibility of security services in the cloud while outsourcing the infrastructure to a third party. This industry has been growing and will continue to be a large part of security in the cloud. A few examples of these services would be MFA, IdP, SIEM, spam/phishing, DLP, MDM, and the list goes on. These providers are taking particular security services that would normally be run on premises and outsourcing them to the cloud. The innovation here allows quick turnaround on implementation, unification after mergers and acquisitions, adoption of technology an organization might not have the in-house resources to manage, etc.

Many security companies today will start in the cloud, and the ability to launch something in startup mode allows innovators to test their ideas without being strapped for capital. This lifts the burden of finances and lets new technology be developed without the fear of financial loss. The cloud is enabling new ideas to be tested quickly and efficiently, and with that the industry will continue to grow; ideas that might have been stifled in the past will flourish and be usable by the masses.

Monday, January 30, 2017

Reviewing the Stampado Ransomware Variant

It seems like every day there's a new variant of ransomware popping up in the wild. Attackers are constantly tweaking code and making feature enhancements to their product to keep one step ahead of defenders. In this article, we discuss the Stampado variant, how it worms its way through your network and why it became so popular.

http://searchsecurity.techtarget.com/answer/How-does-Stampado-ransomware-spread-to-external-drives

Forget Mobile Apps, the Battle's on Your Infrastructure

Mobile apps might be a newer threat landscape within information security, but they're not where the war is being waged. Don't get me wrong, there are some very dodgy things happening in the mobile arena and it's something we need to be diligent about when it comes to security, but the biggest threats are occurring elsewhere: they're happening in your infrastructure. Many mobile apps (and I'm saying many when I refer to Apple) receive timely software updates, solid data permissions and configurable privacy settings. This doesn't mean they're impenetrable, as we've seen with the recent Stagefright and Trident attacks against Android and iPhone respectively. With this being said, the infrastructure is still the target. It's where the malicious actors are looking to conquer, and mobile apps are just one way into this battle.

A few years ago everyone was concerned with locking down the perimeter and making it impenetrable. I honestly think we've done a decent job of this, and attackers have shied away from walking right through the front door. I'm sure this still happens today with misconfigurations and weak firewall rules, but an enormous amount of time and money has been spent to protect the perimeter from attack. It worked so well that attackers started looking into other areas of attack and brought the focus back to the internal infrastructure, in particular the endpoint. The endpoints within your infrastructure are comparable to the battlefield today. Included within this battle are not only mobile devices, but every endpoint that a user is touching. These are the entry points into the network, and they give attackers the ability to gain a foothold in your environment.

With the war being focused back on the endpoint, we're seeing an entirely new market based on analytics appear to protect endpoints from attack. This is more than needed, since the old method of using signatures has become a reactive approach to catching malicious actors moving through your systems. Having additional visibility into your network from an east-west perspective improves your chances of detecting an attacker before they've compromised additional endpoints. The fight being brought down to the endpoint has spawned new technologies that didn't exist just a few years ago. Just as the rise in technology produced during World War II to protect people from harm ushered civilization into a new age of advancement after the war, the crisis of malware and attackers infecting endpoints has forced many vendors to generate technology that helps remediate some of the larger issues at hand within their infrastructure.

These technologies are a direct response to the onslaught of attacks occurring within these networks against their infrastructure and endpoints. Many of these technologies produce agents that allow segmentation for isolation, are signatureless, give an understanding of your compliance as a whole, etc. Included within these detections are also systems that use deception to catch attackers within the infrastructure, use baselining analytics to catch endpoint behavior out of the norm, and even allow third-party "hunt teams" to search your network for malicious actors and events.

The endpoints within your infrastructure are where the battle is being waged, and the technology is catching up once again to give people the ability to defend themselves. This of course is not a panacea by any means, but it's an exciting advancement to the call of duty that security practitioners require to assist them on the front lines. Let's hope that with the advancement of new technology, attackers will be pushed back, giving defenders just enough time to prepare for the attackers' next avenue of attack. The cat and mouse game will continue; it's just a matter of when and where.

Tuesday, January 24, 2017

Using Security as a Business Enabler

Security is no longer a dirty word in most organizations. It's become something to be embraced rather than a roadblock. With all the public hacks we've seen sprawl across the headlines, management has taken notice. Many organizations are now looking to take the opposite approach when it comes to security and embrace it as a business enabler. They've noticed that not only is it wise to secure their data and business, but it can essentially be used as a business benefit. The security mindset is seeping into the boardroom, and it's assisting with the growth of security as a business enabler. Here are a few areas that can help cultivate this thinking throughout your enterprise.

One of the first steps in transforming a company to use security as an enabler is to permit the in-house security resources to be evangelists. This starts with security management and works its way down through the entire department. This has been talked about numerous times in multiple other articles, but what they don't talk about is putting the security team on display and letting it network with other teams. At the end of the day they're the ones who will be performing the work, and they are the disciples who will be pushing the security culture throughout the company. If they're able to circulate into other groups spreading the word of security, it will disseminate through the company much faster. In doing this, the security team needs to be careful not to use FUD to get their way. Let's be honest: by using Fear, Uncertainty and Doubt a security team will force some issues in the business, but it's a short-term win. Creating a culture of partnership with groups first will gain you clout in your decisions when it comes to matters of real importance. Bullying teams into security only makes them want to circumvent the process the next time you're involved. This doesn't lead to security enabling anything within a business. Let's put a check on the egos here.

If you can't speak the language of risk, a company will never see security as an enabler. Learn to be bilingual when dealing with those who might not understand security, and bring the concept of risk into the conversation. Not all vulnerabilities, misconfigurations, etc. are equal, and if you're running around like Chicken Little each time something is wrong, your influence can be tarnished. I'm not saying not to be security conscious, that's the last thing I'm saying, but applying risk to security is how it ends up becoming an enabler. This can be used for new threats coming into the enterprise, during mergers and acquisitions, and essentially in any business decision-making process. It allows security to be seen as confident and astute when it comes to complex enterprise decisions, and not as a panic-stricken department looking to catch up to the threats of the day.

This allows security to become a partner and changes the perception of what your mission is within the business. You're not here to stop projects or become a roadblock to progress, but to become a stakeholder in moving the organization to the next level. Reaching this level brings the ability to work together with the business to protect not only the brand, but the bottom line. Making security a trusted advisor in your business allows an organization to retain customer loyalty or even gain additional respect, sell more products, complete compliance and reach higher standards, while first and foremost protecting your data and brand. Building relationships, networking, and speaking security in a language that others will understand not only helps your internal security function more efficiently, but it will spread throughout the organization, making security part of the process and a driver in your business going forward.

Saturday, January 14, 2017

Snowden Petition Reaches One Million Signatures

The petition to President Obama to declare clemency for Edward Snowden has reached one million signatures. With a few days left in office, President Obama is purportedly preparing a short list of pardons and many are hoping Snowden is on this list.

If you haven't already done so, you can sign the petition here: https://pardonsnowden.org/

Alexa, are you spying on me?

It wasn't law enforcement, or an oppressive regime, that installed surveillance in our homes, but a population bowing to convenience. With the increase of virtual assistants, like Amazon's Alexa, we're causing self-inflicted privacy wounds at the hands of big brother business and government. These systems are dutifully listening to our every word while recording and storing this information to be used at a later time.

This is an emerging topic we're rushing headlong into without thinking about the future of privacy or security in our homes. Not to sound sarcastic, but right now it seems like we're more concerned about walking into a room and "speaking" the lights on or asking Alexa random questions without having to get off the couch. It's a topic that definitely needs more conversation.

I wrote this article for Tripwire to discuss the current and long-term privacy concerns of implementing virtual assistants. Hopefully, this article helps stimulate some thoughts on the issue.

https://www.tripwire.com/state-of-security/security-awareness/alexa-are-you-keeping-my-information-private/

Wednesday, January 11, 2017

Maintaining Digital Privacy in an Evolving World

I wrote this article in attempts to take the best tools in the digital privacy space and have them listed under one blog. There are many other good tools available, but these in my opinion are the most important and easily accessible tools to help bolster your online privacy right away.

This article touches on browser, email, messaging, mobile and cloud storage alternatives which can be utilized to protect your privacy today. Please give it a read and let me know if there are other applications you recommend that aren't in it. If so, I'll add them to a blog in a future post to get the word out.

Here's the article: http://searchsecurity.techtarget.com/tip/How-to-maintain-digital-privacy-in-an-evolving-world

Monday, January 9, 2017

The Guardian: Privacy in Donald Trump's America

Here's a quick interview with Ewen MacAskill, from The Guardian, talking about the state of privacy and mass surveillance in Donald Trump's America. Ewen was one of three reporters that met and worked with Edward Snowden in Hong Kong while he was revealing the NSA's bulk data programs.

During the podcast, Ewen offers his opinion on how he thinks President Obama and President-Elect Trump will compare and contrast each other on digital privacy and the current state of mass surveillance globally. 

Saturday, January 7, 2017

Chronicling Ransomware

Check out this excellent resource from "PrivacyPC" on ransomware updates and variants starting from May of 2016. The timeline goes through release dates, updates, ransomware decryption and other related events. This is definitely something worth keeping in your toolbox as "PrivacyPC" continues to maintain the list.

http://privacy-pc.com/articles/ransomware-chronicle.html

Tuesday, January 3, 2017

What to Expect When Moving to Amazon's AWS

So your organization has decided to make the move to AWS, and they're thinking about ways to manage the migration with the least amount of resistance. Good for you! When moving to AWS there are multiple tasks that need to be completed for a successful migration or new implementation within their cloud offering. There are in-depth checklists (Amazon actually has one of its own), and in this article we're going to review six areas we think should be considered before your move to Amazon occurs.

Applications and Data

When migrating to the cloud, an organization needs to consider the applications they're currently using and whether they'll function properly in AWS. It's very possible an organization is using legacy apps that might not function properly up in the cloud. Yes, believe it or not, people still use legacy apps. Understand the needs of these applications and whether they can even be installed within AWS. Also, get a firm understanding of the data being stored in the cloud. If this data is sensitive (think PHI or PCI), determine if you have the proper controls implemented to cover both security and compliance. If you don't have this capability after moving to the cloud, you'll have to start utilizing security solutions to protect this data, either with the AWS native security resources or with other solutions you have configured as an EC2 instance or within a hybrid install. Examples of these solutions would be a web application firewall, data encryption (at rest and in transit), logging and security assessments. Amazon offers all these services, but it's possible the organization already has virtual or hybrid solutions which will fulfill your needs. Lastly, it's important to determine if you'll be using a public or private cloud model with your data/applications. This could come into play if there's a busy tenant causing resource issues which inadvertently cause your stack/application to suffer performance degradation.

Billing and Cost

As with anything, cost and billing are important. This will almost always be an operational expense, and the budget for moving to the cloud should be discussed with finance before a move is considered. That said, there are a few items to keep your eyes on with AWS. The first thing to determine is whether other AWS accounts are already active within the organization. With it being as easy as spinning up instances with a credit card, it's possible a business unit is already in the cloud and you don't even realize it. If that's the case, or there's a need to have multiple accounts, create a master (payer) account with consolidated billing so every account links back to the organization. Secondly, create billing alerts that notify you when configured spend thresholds have been exceeded. The last thing you want is a misconfiguration or security issue (a leaked access key being used to launch instances, for example) running up additional dollars without you knowing about it. There are many other areas to review with billing, but these two are a good place to start.
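
The billing alerts above can be expressed as CloudWatch alarms on the EstimatedCharges metric. The block below is an added example, not code from the original post: it builds the PutMetricAlarm parameters for a tier of budget thresholds and adds a simple pace check, since a static alarm at 100% of budget only fires once the money is already spent. The SNS topic ARN is a placeholder and the 25% tolerance is an assumption.

```python
"""Define CloudWatch billing alarms on the AWS/Billing EstimatedCharges metric
and add a pace check that flags a runaway bill before a static threshold trips.

Added example, not from the original post. The SNS topic ARN is a placeholder
and the 25% tolerance is an assumption. Billing metrics exist only in
us-east-1 and only after "Receive Billing Alerts" is enabled in the account's
billing preferences; AWS updates the metric roughly every six hours, hence
the 21600-second period.
"""
import calendar


def billing_alarm(name, threshold_usd, topic_arn):
    """Parameter dict for CloudWatch PutMetricAlarm (boto3: client.put_metric_alarm(**params))."""
    return {
        "AlarmName": name,
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": 21600,
        "EvaluationPeriods": 1,
        "Threshold": round(float(threshold_usd), 2),
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [topic_arn],
    }


def tiered_alarms(monthly_budget_usd, topic_arn, fractions=(0.5, 0.8, 1.0)):
    """One alarm per budget fraction so the first warning arrives well before the budget is gone."""
    return [billing_alarm(f"billing-{int(f * 100)}pct", monthly_budget_usd * f, topic_arn)
            for f in fractions]


def over_pace(estimated_charges_usd, monthly_budget_usd, year, month, day, tolerance=0.25):
    """True when month-to-date spend is more than `tolerance` above a linear
    pace toward the monthly budget. A 100% alarm says nothing on day 5; this does."""
    days_in_month = calendar.monthrange(year, month)[1]
    expected = monthly_budget_usd * day / days_in_month
    return estimated_charges_usd > expected * (1 + tolerance)


if __name__ == "__main__":
    topic = "arn:aws:sns:us-east-1:123456789012:billing-alerts"  # placeholder
    for alarm in tiered_alarms(1000, topic):
        print(alarm["AlarmName"], "->", alarm["Threshold"])
    # Constructed reading: $450 spent by January 10th against a $1000 budget.
    print("over pace:", over_pace(450, 1000, 2017, 1, 10))
```

The alarm dicts are passed straight to `put_metric_alarm` in a us-east-1 CloudWatch client; `over_pace` is meant to run on a schedule (a Lambda reading the same metric via GetMetricStatistics) so that a runaway is caught in days rather than at month end.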

Change Management and Automation

This is a big deal in the world of cloud. When deploying systems in the cloud everyone thinks it will be automation nirvana, but because of that flexibility, change and configuration management need even more attention. In a purely AWS environment you need to determine who can build and launch instances within your account. An Amazon Machine Image (AMI) is the template an instance is launched from, and your AMIs need to be tracked so that the wrong images aren't deployed and updates don't fall behind. Also, decide how the organization will handle system hardening, patching and firewall changes; security groups need to be understood before someone opens an inappropriate hole, such as an administrative port allowed from 0.0.0.0/0. With ongoing changes and configuration drift on instances it's very easy to end up with instance sprawl, so a decommissioning process should be written for cost, operational and security reasons.
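
One concrete control for the security group concern above is a periodic audit of ingress rules. The block below is an added example, not code from the original post: it walks the JSON shape returned by `aws ec2 describe-security-groups` and reports any sensitive port reachable from 0.0.0.0/0 or ::/0. The sample groups are constructed and the sensitive-port list is an assumption to be tuned per environment.

```python
"""Audit security group ingress rules for sensitive ports open to the world.

Added example, not from the original post. The input shape follows the
`aws ec2 describe-security-groups` JSON output (SecurityGroups ->
IpPermissions -> IpRanges / Ipv6Ranges); the groups below are constructed.
"""
import ipaddress

# Ports that should never be reachable from 0.0.0.0/0 or ::/0. This list is an
# assumption; extend it for the services your environment runs.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql", 5432: "postgres",
    6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}

# Constructed sample: a sane web tier, an exposed bastion, a DB group
# restricted to private space, and an "allow everything" group added in a hurry.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-allopen", "GroupName": "temp-testing", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_ports(perm):
    """Sensitive ports covered by one IpPermissions entry; protocol -1 means all traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return sorted(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):  # icmp and friends carry no port range we care about
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def audit_security_groups(groups):
    """Return one finding per (group, sensitive port) reachable from the whole internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if is_world_open(c)]
            if not world:
                continue
            for port in exposed_ports(perm):
                findings.append({
                    "GroupId": sg["GroupId"], "GroupName": sg.get("GroupName", ""),
                    "Port": port, "Service": SENSITIVE_PORTS[port], "Sources": world,
                })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Service']}/{f['Port']} open to {', '.join(f['Sources'])}")
```

Feed it the `SecurityGroups` list from a real describe call and run it from a scheduled job; the same check belongs in the pipeline that approves security group changes, so the hole is caught before the rule goes live rather than after.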

Incident Response and Security

This is a topic that could have multiple articles written on it alone, but we're going to cram as much as we can in here. If you're using AWS for your entire ecosystem then bringing in their security services is a must. Amazon provides native services for IAM, logging (CloudTrail and CloudWatch Logs), a cloud WAF (AWS WAF), MFA, encryption backed by HSMs (KMS and CloudHSM) and security assessments (Amazon Inspector). Using these tools is a must if you're going to go all in with Amazon, since they integrate natively with the rest of the Amazon ecosystem. Last, but not least, incident response in the cloud needs to be reviewed. Performing IR in the cloud is a different animal and you'll need to determine whether your normal procedures, tools and runbooks still fit. There will be areas you can't touch, like hypervisor and physical host logs in a multitenant environment, and working with Amazon during that time is essential. Learn what you need to do up front, before it's too late.
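
CloudTrail is the log source most cloud IR starts from, so it is worth having detections over it before the incident. The block below is an added example, not code from the original post: it runs three rules over CloudTrail records (console login without MFA, any root user activity, and a burst of failed console logins from one address). The records are constructed and trimmed to the fields the rules read; the account ID is the AWS documentation placeholder and the burst threshold is an assumption.

```python
"""Run three simple detections over CloudTrail records: console logins without
MFA, any activity by the root user, and bursts of failed console logins from
one source address.

Added example, not from the original post. The records are constructed and
trimmed to the CloudTrail fields the rules use; the account ID is the AWS
documentation placeholder. FAILED_LOGIN_BURST is an assumed threshold.
"""
import json
from collections import defaultdict

FAILED_LOGIN_BURST = 3  # assumption: tune to your user population

SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2017-01-03T14:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2017-01-03T14:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-01-03T15:10:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-01-03T15:12:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
] + [
    {"eventTime": f"2017-01-03T16:00:{i:02d}Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "admin",
                      "arn": "arn:aws:iam::123456789012:user/admin"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"}
    for i in range(4)
]})


def load_records(raw):
    """Parse one CloudTrail log file: a JSON object whose Records list holds the events."""
    return json.loads(raw)["Records"]


def principal(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def detect(records):
    """Return findings as dicts with rule, eventTime, principal, sourceIP and detail."""
    findings = []
    failures = defaultdict(list)  # source IP -> failed ConsoleLogin events
    for ev in records:
        base = {"eventTime": ev.get("eventTime"), "principal": principal(ev),
                "sourceIP": ev.get("sourceIPAddress")}
        # Root should not be used day to day at all, whatever the API call was.
        if ev.get("userIdentity", {}).get("type") == "Root":
            findings.append(dict(base, rule="root-activity", detail=ev.get("eventName")))
        if ev.get("eventName") == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            if outcome == "Success" and mfa != "Yes":
                findings.append(dict(base, rule="console-login-without-mfa", detail=None))
            elif outcome == "Failure":
                failures[ev.get("sourceIPAddress")].append(ev)
    for ip, evs in failures.items():
        if len(evs) >= FAILED_LOGIN_BURST:
            findings.append({"rule": "failed-console-login-burst",
                             "eventTime": evs[-1].get("eventTime"),
                             "principal": ", ".join(sorted({principal(e) for e in evs})),
                             "sourceIP": ip, "detail": f"{len(evs)} failures"})
    return findings


if __name__ == "__main__":
    for f in detect(load_records(SAMPLE_CLOUDTRAIL)):
        print(f"{f['eventTime']} {f['rule']:28} {f['principal']} from {f['sourceIP']} {f['detail'] or ''}")
```

Point `load_records` at the gzipped JSON files CloudTrail delivers to S3 (one object per delivery, same `Records` shape) and the rules carry over unchanged; the failed-login rule is the one that needs a time window added before it is used in anger, since here it counts across the whole file.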

Remote Management

Obviously, since the systems aren't on-premises there needs to be a way to access your instances remotely and securely. There are a few options that need to be thought out before creating a single instance in AWS. Access to the console needs to be secured and logged right away. It should also have MFA enforced and, if possible, be locked down to a particular source IP range with an IAM policy condition. This is the access to your world in the cloud and it needs to be secured. Also, there will be applications holding API access keys, which could have effectively complete control over the instances in AWS. These keys need to be protected, scoped to least privilege and rotated so that a compromise of one of them is contained. It's a big subject and one that needs to be reviewed in greater detail. Lastly, whether you'll be using federation to tie back to an on-prem LDAP or other identity provider must be decided during the design phase of the cloud implementation.
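
The MFA and source-range restrictions above are both IAM policy conditions, and it pays to check how they behave for the contexts you care about (an MFA console session, a long-term access key, a request from outside the range). The block below is an added example, not code from the original post: it generates the two explicit Deny statements and then evaluates sample request contexts against their Condition blocks. The egress range is a constructed RFC 5737 block, and the evaluator is a simplified model that checks conditions only (not Action matching) and implements just the operators the policy uses.

```python
"""Generate an IAM policy that denies console and API use unless the request
carries MFA and originates from a known address range, then evaluate sample
request contexts against its Condition blocks.

Added example, not from the original post. CORP_EGRESS is a constructed
RFC 5737 range; the evaluator is a simplified model of IAM evaluation that
checks Condition blocks only and supports four operators.
"""
import ipaddress
import json

CORP_EGRESS = ["203.0.113.0/24"]  # constructed: replace with your office/VPN NAT range

# Actions a user still needs in order to enrol an MFA device in the first place.
MFA_BOOTSTRAP = ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                 "iam:ListMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken"]


def build_policy(allowed_cidrs):
    """An explicit Deny beats any Allow attached elsewhere, so these two
    statements gate everything the principal is otherwise permitted to do."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyOutsideCorp", "Effect": "Deny",
             "Action": "*", "Resource": "*",
             "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}}},
            {"Sid": "DenyWithoutMFA", "Effect": "Deny",
             "NotAction": MFA_BOOTSTRAP, "Resource": "*",
             # BoolIfExists: a long-term access key has no MFA key in its request
             # context at all, and that case must still be denied.
             "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


def condition_true(op, key, values, ctx):
    """Evaluate one operator/key pair against a request-context dict."""
    vals = values if isinstance(values, list) else [values]
    if key not in ctx:
        # IAM: a missing key makes ...IfExists evaluate true and other operators false.
        return op.endswith("IfExists")
    if op in ("Bool", "BoolIfExists"):
        return str(ctx[key]).lower() in {str(v).lower() for v in vals}
    if op in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(ctx[key])
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in vals)
        return hit if op == "IpAddress" else not hit
    raise ValueError(f"operator {op} not modelled")


def matching_denies(policy, ctx):
    """Sids of Deny statements whose every condition holds for ctx (empty list = not denied here)."""
    sids = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        conds = st.get("Condition", {})
        if all(condition_true(op, k, v, ctx)
               for op, pairs in conds.items() for k, v in pairs.items()):
            sids.append(st["Sid"])
    return sids


POLICY = build_policy(CORP_EGRESS)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for ctx in ({"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthPresent": "true"},
                {"aws:SourceIp": "203.0.113.10"},  # long-term access key, no MFA context
                {"aws:SourceIp": "198.51.100.5", "aws:MultiFactorAuthPresent": "true"}):
        print(ctx, "->", matching_denies(POLICY, ctx) or "not denied")
```

Two caveats before attaching this to a group: the source-IP deny also blocks calls AWS services make on your behalf (CloudFormation, for instance), because those requests do not carry your address, and the MFA deny means automation that uses long-term access keys needs to sit in a separate role or account rather than under this policy.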

Disaster Recovery and Resiliency

Reviewing how your new cloud environment is built for disaster and resiliency is another major factor to consider when investing in AWS. Get a feel for the regions and availability zones you'll be hosting your environment in and where you'd like to fail over to in case of emergency. Availability zones sit within a region, so failing over to a different country means failing over to another region; if that's the case you should review the data laws of the country your data will now reside in afterward. For your applications and systems there should be no single point of failure, and every critical app should have a process that makes it resilient. Amazon has multiple load balancing, snapshot and replication services that allow a customer to keep their data available at all times.

AWS's offering is deep, and before investing money in moving to their architecture a customer should have a firm understanding of their current architecture, where they'd like to be in the future and what AWS has to offer. The options are vast and planning up front is needed for a successful implementation.