Cloud security faces the public sector test - a Q/A with Doug VanDyke of AWS
Summary: One highlight of the Infor Federal Forum was a view from AWS on the dynamics of public sector security. I missed him that day, but I tracked down AWS presenter Doug VanDyke to get his take on cloud security, and share the reactions to his keynote.
Few things bug me as much as an interview opportunity missed. I covered the Infor Federal Forum event from several angles, but I wasn't able to sit down with an important piece of the puzzle: a guest keynote from Amazon Web Services on public sector cloud security.
But all was not lost - Infor helped me to score a follow-up email interview with speaker Doug VanDyke, Director of US Federal & Nonprofits, Amazon Web Services Worldwide Public Sector.
VanDyke answered my questions on public cloud security in the face of a fresh wave of security concerns. He addressed AWS' close work with Infor, and also dished out advice for companies that are still in the early phases of data-center-to-cloud migrations.
Why cloud is the new normal, for private and public sector
Jon Reed: What were the big takeaways from your talk at the Infor Federal Forum for those who didn't make it?
Doug VanDyke: One of the main takeaways from the Infor Federal Forum is the fact that the cloud has become the new normal. The number of organizations going “all in” with the cloud without hesitation proves it is no longer the next big thing, but the new standard. This is true for private companies as well as government agencies and nonprofits that are now acting more like startups, adopting and moving at the speed of ideas.
Another key message from the forum is the strong security of the AWS Cloud. Security has always been priority zero for the company and many organizations are recognizing that and are migrating to the cloud to become more secure.
Reed: What kinds of questions and feedback did you get from attendees?
VanDyke: The Infor Federal Forum attendees wanted to know how AWS secures data centers and which federal agencies use AWS to run mission critical applications. Customers were also interested in learning about best practices for moving to the cloud. Additionally, AWS partners were curious if they could leverage AWS FedRAMP compliance to help their customers.
Reed: In your talk, you emphasized that you don't see cloud as the "next evolution," but the "new normal." Tell us about that.
VanDyke: Technology has been evolving at a startling pace and organizations – including government agencies – recognize they have to move fast to keep up with the digital transformation and remain competitive. Cloud has become the new normal with companies of all sizes now deploying new applications to the cloud by default and an increasing number of organizations moving mission critical applications to the cloud – running as much of their IT operations on the cloud as possible. Organizations no longer question if they should move to the cloud but want to know how fast they can do it.
Cloud security - back in the media and boardroom spotlight
Reed: It seemed to me that confidence in cloud security was turning a corner before a slew of high profile incidents in the last year that have once again elevated cloud security to a board-level concern. Now a careful review of pros and cons is inflamed by fears. Yet most companies don't have nearly the kind of data security rigor that a cloud provider like Amazon does. What is your advice to CIOs who want to move to the cloud but want to send the right message to their board about why cloud is a secure option?
VanDyke: Security has always been our top priority and we are vigilant about our customers’ privacy. AWS was designed to be one of the most flexible and secure cloud environments and that removes many of the security pain points that come with traditional security architecture. We employ the same security isolations as in a traditional data center, and sophisticated technical and physical measures to prevent unauthorized access. Our systems are continuously monitored by security experts, but we also empower CIOs with visibility into their networks’ activity with tools such as AWS Config and resource tagging. Our scale allows us to invest significantly more into security than most large companies can afford themselves.
As a result, we have achieved a number of internationally recognized accreditations that satisfy the security requirements of our most security-conscious customers. AWS has a range of third-party security certifications and evaluations such as ISO 27017 for cloud security, ISO 27018 for cloud privacy as well as public sector certifications like FedRAMP at the Moderate and High levels, SRG Impact Level 2 and 4 for DoD systems, and ISO 9001 for highly-sensitive industries such as healthcare, aerospace, life sciences, medical devices and automotive. We enable customers to meet their specific compliance needs like HIPAA for healthcare, FERPA for education, CJIS for criminal justice, as well as SEC Rule 17a-4(f) and IRS 1075 for financial services and tax information encryption.
All of these factors add up to our cloud infrastructure being one of the most secure environments available today, trusted by high-profile, security-sensitive customers including large-scale financial institutions, healthcare customers, and even the U.S. Department of Defense and Intelligence Community.
Reed: In your opinion, what is the biggest mistake or overlooked aspect of data security in most enterprises?
VanDyke: A crucial aspect of data security that is often overlooked is the “human element” of data security. AWS provides the highest levels of technological security available, but that only goes so far. It is essential that enterprises provide data security training and resources to staff so that end-users of the cloud are able to properly manage security risks and don’t unwillingly become vulnerable entry points into their company's network.
AWS believes in a shared responsibility model with our partners and customers. We ensure the security of our system and physical facilities while our customers are responsible for application and network security, data encryption, access control and configuration management with the help of vast security resources, tools and features that we provide.
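The customer half of that shared responsibility model, configuration management, access control and encryption, is what tools like AWS Config and resource tagging (mentioned above) are used to verify. The following is an added example, not code from AWS or Infor, showing what a customer-side compliance check looks like in practice: it runs three rules (required tags, encryption at rest, no administrative ports open to the whole internet) over a constructed resource inventory in a simplified schema of my own; the real AWS Config configuration-item schema is richer, but the COMPLIANT / NON_COMPLIANT outcomes are the same ones an AWS Config custom rule reports.

```python
"""Customer-side configuration checks under the shared responsibility model.

Added example (not AWS's or Infor's code). The resource records are a
constructed inventory in a simplified schema; the check logic is the point.
"""
from dataclasses import dataclass, field
import ipaddress

# Assumed tagging policy: every resource must carry these tags so that an
# owner and a data classification can be traced for it.
REQUIRED_TAGS = ("Owner", "DataClassification")
ADMIN_PORTS = (22, 3389)  # SSH and RDP


@dataclass
class Resource:
    resource_type: str
    resource_id: str
    tags: dict = field(default_factory=dict)
    config: dict = field(default_factory=dict)


@dataclass
class Finding:
    resource_id: str
    rule: str
    detail: str


def check_required_tags(res):
    """Configuration management: untagged resources cannot be governed."""
    missing = [t for t in REQUIRED_TAGS if t not in res.tags]
    if missing:
        return [Finding(res.resource_id, "required-tags",
                        "missing tags: " + ", ".join(missing))]
    return []


def check_encryption_at_rest(res):
    """Data encryption: storage resources must be encrypted at rest."""
    if res.resource_type in ("s3-bucket", "ebs-volume", "rds-instance"):
        if not res.config.get("encrypted", False):
            return [Finding(res.resource_id, "encryption-at-rest",
                            "encryption at rest is disabled")]
    return []


def check_unrestricted_admin_ingress(res):
    """Network security: SSH/RDP must not be reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    if res.resource_type != "security-group":
        return findings
    for rule in res.config.get("ingress", []):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.prefixlen == 0 and rule["port"] in ADMIN_PORTS:
            findings.append(Finding(res.resource_id, "admin-port-open-to-world",
                                    f"port {rule['port']} open to {rule['cidr']}"))
    return findings


CHECKS = (check_required_tags, check_encryption_at_rest,
          check_unrestricted_admin_ingress)


def evaluate(resources):
    """Run every check over every resource and return all findings."""
    findings = []
    for res in resources:
        for check in CHECKS:
            findings.extend(check(res))
    return findings


def compliance_summary(resources):
    """Map each resource to the compliance state an AWS Config rule would report."""
    findings = evaluate(resources)
    non_compliant = {f.resource_id for f in findings}
    return {
        "NON_COMPLIANT": sorted(non_compliant),
        "COMPLIANT": sorted(r.resource_id for r in resources
                            if r.resource_id not in non_compliant),
    }


# Constructed sample inventory (not real resources).
SAMPLE_INVENTORY = [
    Resource("s3-bucket", "payroll-archive",
             {"Owner": "hr", "DataClassification": "confidential"},
             {"encrypted": True}),
    Resource("s3-bucket", "scratch-exports", {"Owner": "analytics"},
             {"encrypted": False}),
    Resource("security-group", "sg-bastion",
             {"Owner": "ops", "DataClassification": "internal"},
             {"ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]}),
    Resource("security-group", "sg-legacy",
             {"Owner": "ops", "DataClassification": "internal"},
             {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                          {"port": 443, "cidr": "0.0.0.0/0"}]}),
    Resource("ebs-volume", "vol-db", {}, {"encrypted": True}),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{f.resource_id}: [{f.rule}] {f.detail}")
    print(compliance_summary(SAMPLE_INVENTORY))
```

Each check maps to one of the customer responsibilities named in the answer above; in a real deployment the same functions would sit behind an AWS Config custom rule or a scheduled job reading the account's actual inventory, and the NON_COMPLIANT list is what feeds the CIO-level visibility VanDyke refers to.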
Does public sector cloud security require a different approach?
Reed: Public sector organizations have unique dynamics, often including very rigorous compliance and data regulations. How does AWS approach the public sector - do you see more similarities or differences with private sector cloud customers? What are the differences?
VanDyke: Our approach is consistent throughout our entire customer base. Everything we do is driven by what our customers say is important to them as we strive to deliver an architecture that meets all needs and requirements. Both commercial and government clients look for scalability, agility, and speed when it comes to high-performance computing, storage, and on-demand resources needed to run their mission-critical applications.
Security is key for everyone. Our system, policies and processes are designed to create a secure environment for all customers including private companies in highly-regulated and sensitive industries, such as the healthcare and financial sectors. We then went a step further to satisfy the unique requirements of our government customers with our AWS GovCloud (US) region, an isolated secure region specifically designed for government workloads.
Reed: Though Infor does support other cloud choices, it has standardized on AWS for its CloudSuite products. Tell us about your partnership with Infor and give us your view on what the advantages are for such a close partnership with one cloud provider?
VanDyke: The Infor-AWS relationship allows Infor to provide its customers with the best enterprise applications powered by the most advanced infrastructure as a service. Infor is able to devote its time to its core competency of building industry specific solutions. Infor’s Federal Government customers also benefit from the AWS GovCloud (US) FedRAMP authorized cloud environment.
Reed: For those companies who are early on in considering moving crucial apps and workloads out of their data centers, what is your advice for getting started? What is the best way to dip your toes in and evaluate?
VanDyke: When embarking on the journey to the cloud, it is best to experiment with discrete projects that are not mission-critical or customer-facing. This allows you to develop and test workloads to explore the benefits of the cloud while ironing out any challenges, as well as provide vital information and processes that will be helpful for future, more critical migrations. The key is to find ways to test your migration practices and policies and see how cloud can integrate with your enterprise with as little risk as possible. This will help you establish a clear baseline for your future cloud migrations.
End note: I have not edited any of these responses as they were approved on Amazon's side to run verbatim. Readers know that most of my content has an informal approach. But given Amazon's lead in cloud services and the prevalent issue of security, I think it's good to let AWS make their case directly and share their advice this time. I did not ask AWS about IoT security, but if you're interested in that angle, check my piece Internet of Things security - six issues for enterprises to reckon with.