Do Datacenter Compliance Rules Belong In The Cloud?

Transcript

Hilary Doyle: So, what would you say on-prem based compliance can do better than cloud alternatives?

Steven Woodward: They can actually do better or as well as in the cloud.

Rahul Subramaniam: That’s where a lot of my heartburn comes from.

Steven Woodward: Some of the agile guys are a little bit too agile.

Rahul Subramaniam: I think AWS has been very clear about the shared responsibility model.

Hilary Doyle: It feels like a cop out, I’m not going to lie.

This is AWS Insiders, an original podcast by CloudFix about the services, patterns and future of cloud computing at AWS. CloudFix is a tool that finds and implements 100% safe AWS-recommended cost savings. That’s fixes not just analytics.

I’m Hilary Doyle, joined as always by Rahul Subramaniam. Rahul, how are you my guy?

Rahul Subramaniam: Hilary, I’m good. Ready to do this. Let’s go.

Hilary Doyle: Ooh, okay. You are all business today. I will step it up.

In this episode, compliance and security. Do old school rules from the data center have any business in the new school cloud? Rahul, let’s start with an overview of compliance and how it relates to security.

Rahul Subramaniam: Okay. So, every organization has a set of rules and or regulations that they have to abide by, right?

Hilary Doyle: Ah, no fun.

Rahul Subramaniam: Some of these are, of course, adopted or self-adopted, while others are regulator-mandated or enforced. Now, compliance is a loaded word in this context because it not only implies adherence to these rules and regulations, but at the same time, it also refers to the group of people that are responsible for enforcing this adherence across the organization.

Hilary Doyle: And that’s compliance. We have risk management expert and my fellow Canadian, Steven Woodward, with us to discuss compliance and so much more. Rahul has his hot takes. We’ve got the usual tips and tricks, a solid investment of a use case. And first, your tried and true AWS headlines, because we want to keep you in the know.

Rahul, AWS Compute Optimizer now supports Amazon ECS services running on AWS Fargate. On a scale of zero to 100, how much should we care about this?

Rahul Subramaniam: That’s got to be a hundred, of course, Hilary.

Hilary Doyle: Whoa.

Rahul Subramaniam: There’s more dollars to save. The Compute Optimizer, which has existed for Lambda so far, is being extended to cover Fargate now. AWS is doing all the heavy-lifting to analyze your usage patterns and make recommendations on how to right size your Fargate containers. With regards to CPU and memory allocations, this is a big deal.

Hilary Doyle: Next, Amazon Neptune has announced Graph Explorer, an open source visual exploration tool for low-code users. Customers can now browse labeled property graphs, or resource description framework data, in a graph database and discover connections between data without having to write graph queries. Rahul, what have I just said?

Rahul Subramaniam: Okay. So Neptune is AWS’s graph database, right?

Hilary Doyle: Right.

Rahul Subramaniam: To explore the data, we’ve really struggled with not having a tool to look at all of this data and be able to explore it dynamically. So, AWS is finally providing a more visual way to look at all of this data.

Hilary Doyle: Got it. Thank you for making sense of that. It was not easy.

More news from the Cloud Provider Competition file. Microsoft has snapped up a $5 billion, 10-year cloud partnership with the London Stock Exchange. AWS, that’s gotta sting. The deal pairs Microsoft 365 with the Exchange’s desktop, financial markets, insights, analytics platform. Plus, the two companies are planning to build a new financial data platform on Azure.

Is this setting a precedent that AWS should be worried about?

Rahul Subramaniam: I’d say this would be bad news for AWS if the cloud space was really a zero-sum game. Luckily for all the players, it isn’t. I mean, each of the players could grow by a few multiples and still have demand headroom.

So, congratulations to Microsoft for bagging the deal. But I’m just really excited that more of these old school organizations are accelerating their move to the public cloud. This is good for everyone.

Hilary Doyle: Too friendly, Rahul. This is a debate show. Pull it together, get mean. We’re moving on. Those are your AWS headlines.

Rahul, let’s get back to compliance and security and really set the scene. Before the cloud, what did on-prem compliance actually look like?

Rahul Subramaniam: It all depends on how far back you want to go in history.

Hilary Doyle: Oh my God, to the beginning. Yes.

Rahul Subramaniam: Okay. So, there was a time when regulation primarily depended on physical security measures. I mean, the mindset is exactly what you see in movies, like Die Hard and Mission Impossible. Tom Cruise going down the exhaust shaft, hanging by a string, diving into the mainframe server room.

Hilary Doyle: Yeah.

Rahul Subramaniam: Yeah.

Hilary Doyle: I really like the direction that this is going. Yep. Yep.

Rahul Subramaniam: I mean, you asked for the scene, right? So that’s what I’m painting here.

Hilary Doyle: Thank you. No, I appreciate it. I want your trailer voice. But anyway, in your own time.

Rahul Subramaniam: So, barring basic authentication and authorization, which in a number of cases was based on passwords and key cards, there was very little attention paid to non-physical security.

In the last 10 years, non-physical security has come into the spotlight and teams have been scrambling under the load of trying to do everything themselves.

Hilary Doyle: Non-physical security. So, how to protect yourself from hackers?

Rahul Subramaniam: Absolutely. The cloud providers have spent billions of dollars making sure that the lower layers of the stack that they manage are as secure as they possibly can be. They provide customers with this secure foundation on which you can build whatever application you want. This is what we call the Shared Security Model.

The cloud service providers are responsible for the security of the foundation layers, whereas the customers of these cloud services are responsible for the security of whatever you build on top of it.

Hilary Doyle: Great. So, back to on-prem versus cloud compliance frameworks. How would you describe the friction between the two approaches at this very moment in time?

Rahul Subramaniam: The friction comes from the fact that the considerations of a cloud environment are fundamentally different from the consideration of an on-prem setup. What you need to worry about in the cloud most is API security, the access patterns, the data encryption at rest and at transit, those kinds of things. I mean, you don’t worry about whether there are three guards manning the doors of a data center or if your service will go down as someone yanks a cable off the rack. Those would be considerations of an on-prem setup.

What compliance folks struggle with the most is, when they bring their on-prem security and compliance mindset to the cloud deployment, it just doesn’t work for them.

Hilary Doyle: We’re going to chat about this further with Steve Woodward. But first, let’s get to our use case. It’s one that’s near and dear to my heart and to my business.

Rahul, earlier we mentioned the London Stock Exchange. Are you an investor in any of the global exchanges?

Rahul Subramaniam: Who isn’t, Hilary?

Hilary Doyle: Oh. Well, actually a lot of people aren’t. But not to worry because my startup Wealthie Works Daily, launching soon, is going to change all of that. But back to the discussion at hand.

Next to healthcare, financial services have the most stringent compliance requirements in the world. I can gleefully attest to this. So for today’s use case, we’re looking at longtime AWS customer, NASDAQ. That’s the New York-based stock exchange. Most active trading exchange in the US, with about 4,000 companies listed internationally.

NASDAQ moved to an AWS data warehouse back in 2014, powered by Redshift. But in 2018, they were ingesting data ranging from 30 billion to 55 billion records, and surpassing four terabytes of data every night. That is a lot.

Rahul Subramaniam: Hilary, NASDAQ’s data needs just kept growing against daily deadlines and on-demand data availability, right? I mean, the market volatility in 2018 made things even more unstable. So it was imperative that NASDAQ came up with a new architecture, and fast. And we’ll find out about what they did just a little bit later in this show.

Hilary Doyle: We’ll take a look at their security setup too, right?

Rahul Subramaniam: Absolutely.

Hilary Doyle: Absolutely.

Rahul Subramaniam: And we’ll also see why using the cloud was the only way they could scale securely so quickly.

Hilary Doyle: What a time to be alive. So, standby for a secure and compliant resolution to this use case. And in the meantime, the moment we’ve all been waiting for. Our special guest, and did I mention my fellow Canadian, Steven Woodward. He’s the CEO of Cloud Perspectives, which among other things is a risk management company for clients looking to manage cloud computing strategies.

Welcome to the show, Steven. We’re delighted to have you.

Steven Woodward: Thanks very much. Very pleased to be here.

Hilary Doyle: We’re going to get right into it. You are speaking with a man who believes that all good things happen in the cloud. So, what would you say on-prem based compliance can do better than cloud alternatives?

Steven Woodward: If they actually have existing robust processes in place already and are highly mature, then they can actually do better or as well as in the cloud. So that’s the short answer.

Rahul Subramaniam: I’m going to jump right on that one, Steven.

Steven Woodward: There you go.

Hilary Doyle: Yes, absolutely.

Steven Woodward: There you go, Rahul.

Hilary Doyle: There we go.

Rahul Subramaniam: There’s a big if, that we started off with. And that’s where a lot of my heartburn comes from. I have rarely come across organizations that have this robust security and compliance mechanism in place. More often than not, it ends up becoming this checkbox exercise that organizations go through.

What’s your experience really been with seeing these organizations execute their compliance mechanisms?

Steven Woodward: So, 40 years ago when I was first getting into IT, I was a federal government employee with the Government of Canada. And at that time, we were pretty secure and there were not a lot of breaches. Other organizations today and the regulatory industries such as financial, those organizations actually have their act together pretty good in my experience. And they actually do satisfy a lot of those standardized check boxes from FedRAMP and ISO, et cetera, because they’ve been doing it for a while.

Hilary Doyle: But let’s talk about the optimal approach here. Because 40 years ago, I mean, the salad days of 40 years ago, we weren’t digital. So it was important to have on-premise compliance systems that worked and checked all the boxes.

Can a future-facing company reasonably expect to scale and succeed with legacy compliance systems now?

Steven Woodward: That’s where it is – it is tough. So my background was actually helping out at NIST, first coming up with a lot of those cloud definitions and FedRAMP compliance checklists, et cetera. So honestly, in supporting Rahul here, the reality is that organizations overall have become tremendously more mature on the security side. Largely because of the fact that, in order to get the government contracts, you actually had to get your ducks in a row and actually at least review these different compliance checklists.

So in that respect, it’s educated a wide audience around what are good practices. Because honestly, from my own experience and observations, some of the Agile guys, and I know we’ll get some pushback here, some of the Agile guys are a little bit too agile. So, it’s fine to have the motto of “Fail fast” but it should not be a motto of “Fail fast in a spectacular way.” It’s not necessarily something that is a good thing to strive towards.

So, I do believe that having a lot of these compliance checks, and looking at authorizations to operate, and making sure people are signing off and they understand the risks, are all good things that have actually come from largely because of cloud-first type strategies and needing those authorizations to operate.

Rahul Subramaniam: Do you really believe that organizations are geared towards handling all the complexities of the constantly changing environment in the cloud? Because that seems to be progressing way faster than the adoption is happening on these technologies.

And when you look at that scenario, it feels like everything that you’ve started off with is best suited for a stagnant or a static system, where things aren’t changing very much. But the cloud isn’t one of those systems. So, how relevant are those structures and schemes, and organizational policies that are set up?

Steven Woodward: So, you really do actually need to try to figure out how to automate. Because at the same time, though, it’s very naive to think that there’s not going to be any risk within that particular sprint or release. Because, unfortunately, all it takes is one small little oops where, “Oh, cool.” We’re just calling this really cool API, meanwhile that API is not hosted in North America or in any Five Eyes country. And it’s just thank you very much, I’m in your system now and here we go.

So, that’s where you really need to have those continuous analysis and integration tools to actually make sure that you are still secure.

Hilary Doyle: A question to both of you. Talk to us about the authority to operate on AWS. Can I or should I rely on ATO on AWS to address all of my compliance issues?

Rahul Subramaniam: Yeah. I think AWS has been very clear about the shared responsibility model.

Hilary Doyle: Right. I know that. Feels a bit-

Rahul Subramaniam: There’s a large part of the…

Hilary Doyle: It feels like a cop out, I’m not going to lie.

Rahul Subramaniam: No.

Hilary Doyle: Yeah, shared responsibility, so AWS can’t be held accountable if things go wrong? What am I misunderstanding there?

Rahul Subramaniam: No, I think there are layers. There are certain layers of the infrastructure where AWS absolutely can be held accountable for, and they provide all the certifications and all the compliance mechanisms that they have put in place. They make that available for you.

Now, that said, you should think of those as tools. But, I mean, you have people who are irresponsible with the tools and there are people who are responsible with the tools. And that’s why we call it a shared responsibility model.

I think where traditional compliance fails is that they try to encompass everything, without really realizing that they actually don’t encompass everything. Some of the most stringent regulations, they actually don’t talk about things at the processor level. They don’t talk about things at the silicon level yet. Steven?

Steven Woodward: It is interesting because to Hilary’s point, cop out, don’t know if really it’s sort of the right word or not, but-

Hilary Doyle: It was an inelegant term, Steven. I agree.

Steven Woodward: But let’s face the reality. The one major example from 2019, of course, was Capital One, where the shared responsibility model was a major discussion point of litigation. But of course, Capital One ultimately had to actually penny up and pay, I think it was $180 million in different fines, et cetera?

So yes, the cloud service providers are not necessarily on the hook. Usually for the cloud service providers, they will give back service credits. That’s about all.

Hilary Doyle: If you are looking to future-proof your business, that we’re speaking about the future all the time on this show, is there one compliance protocol that either of you would look to follow above all others?

Steven Woodward: Yeah, it’s interesting because there isn’t a magic answer, because it depends on the business also.

Hilary Doyle: Right. Of course.

Steven Woodward: So, using the frameworks that the US has already actually put significant investment in and actually has significant collaboration in, it’s great. So in that respect, I’m looking at FedRAMP and NIST 800-53, Rev 4 and Rev 5.

Hilary Doyle: Right.

Steven Woodward: Because again, those have been around the block. If I was over on the more financial side, then there’s obviously different financial controls that probably need to be added honestly to it.

Hilary Doyle: Rahul, how would you answer?

Rahul Subramaniam: Yeah. I think we just need to take a very pragmatic approach around security and compliance. And so, just like any other aspect of life, you basically weigh the risks and the rewards. And you choose the right balance between them.

By saying, “Hey, if anything is government-related, here are the 10 compliances you must have,” I mean, that just feels like overkill. Because there are a lot of very simple automations, or very simple tools, that you can actually put in place and get tons of productivity. But today, you can’t do that, because somebody decided that this was the diktat.

Steven Woodward: And in that case, from the standpoint of this is where the actual customer has to be really clear around what it is that they’re buying. So are you buying infrastructure services? Then I would say, yes, they actually have jumped through enough hoops. All the major cloud service providers and all the cloud wannabes, et cetera, are all pretty good in terms of meeting ISO 27000 and then meeting cloud security alliance checklists and FedRAMP, et cetera.

As you start moving up the stack, though, once you start talking about platform as a service products, then the gap kind of widens between those that actually understand compliance, for writing these reusable APIs where they’re actually written based on other reusable APIs. And you have this cascading supply chain that might not be evident and may actually inherently contain some risks. Then you have to evaluate those.

And then you go up to software as a service. Some of them are just – let’s just be upfront – crappy software as a service applications that happen to be running on top of AWS, or Azure, or Google or whoever, right? But the reality is, they’re not secure.

Rahul Subramaniam: I think I would completely disagree with that. I mean, you have to assess the security of a system in the context of the use cases that it is meant to serve. And of course, the knowledge of the underlying system that constitutes it.

The claim that underlying systems are not secure is like saying that no lock in the world is secure because there exists a key that can open it. But, to change the subject for a moment, recently at Reinvent, I think it became amply clear that with all this recession that’s looming on our heads, the real innovation is going to come out of all the data that is sitting in these large enterprises.

The tools to actually unleash all this innovation only exist in the cloud today. It is probably one of the most secure and compliant places, if you do it right. I still see organizations struggle and believe that they are far better served doing all of this stuff on-premise all by themselves.

Do you see that happening as well? And how do you react to that?

Steven Woodward: So, the more major significant factor goes back to what we were earlier talking about, from the standpoint of, do you guys understand – if you are actually going to be doing some sort of serious analytics in the cloud, this means you need to get your act together, because you need to think about contingency plans.

What if there is a major communication outage, like what we had in Canada in July, where all of a sudden you can’t connect to anything? And so, what are the contingency plans? What are actually your quality assurance processes for your business analytics folks and your data scientists? Because they are part of this thing.

You can’t just say, “Well, it’s okay. We’re using these analytics packages from the cloud service providers. So, we’re fine.” No. You actually need to get your act together and your processes together. And that’s why it’s so important for the authorizations to operate. That you don’t just say, “Oh, well, AWS has their authorization to operate, so we’re good.”

No. You now actually have to think about your authorization to operate for that particular analytics platform. Or even more granular, those applications that have now been deemed that they’re going to be rolled out on that analytics platform.

And that goes back to, again, you actually need the education and the continuous learning and maturity of the organization, and somewhat smack some of the Agilists upside the head every now and then. And just say, “Okay, I understand you guys want to do things in two-week sprints, but let’s be clear, we are going to be actually assessing these things. We are going to be doing vulnerability scans to make sure that we’re not putting, especially when you’re dealing with government systems, our citizens’ data at risk.”

So, you just need to have that awareness and move forward accordingly.

Hilary Doyle: Steven, thank you so much for bringing color to our conversation about compliance. I know that is difficult to do. We’ve really appreciated this conversation.

Steven Woodward: You’re very welcome.

Rahul Subramaniam: An absolute pleasure, Steven. Thank you so much for this conversation.

Hilary Doyle: Rahul, before we cover your tips and tricks, I’d like to cover a recent Black Swan event that’s starting to feel more and more like an Everyday Swan event. Steven mentioned Capital One in 2019. It’s hard, though, not to be reminded of a more recent example.

LastPass is a consumer security program for managing digital passwords. It’s basically a central vault for all of your passwords. And in the ultimate twist of irony, LastPass security was compromised when hackers broke into its cloud database and grabbed tens of millions of customer sensitive information.

This does not sound like an excellent promo for cloud-based security.

Rahul Subramaniam: Well, in this case, the hackers stole credentials and keys from a LastPass employee. So that’s on them. I mean, no amount of security can compensate for reckless human behavior. You can build the most secure safe on the planet, but if you hand over the codes to that safe, you’ve got an impossible situation. Stapp’s Law lives on.

But the bottom line is that the tools available in the cloud around security are some of the best tools ever created or invented. They can help you be the most prepared that you possibly can be.

Hilary Doyle: Stop everything. What is Stapp’s Law? I don’t think it’s going to be a good one.

Rahul Subramaniam: So, there was this Air Force officer and surgeon called John Stapp, who famously said that, “The universal aptitude for ineptitude makes any human accomplishment an incredible miracle.”

Hilary Doyle: Yeah, I don’t like that one at all.

Okay. You’ve explained that cloud environments obviously need different compliance criteria from on-prem environments, laid out in a well-architected framework. What tips do you have for companies who are looking to achieve this?

Rahul Subramaniam: Okay. First, you have to learn and master the cloud paradigm.

Hilary Doyle: Yes.

Rahul Subramaniam: It is different from your on-prem setup. If you need to fill out a form and wait for approvals to launch an instance, you really don’t understand the cloud.

So second, okay, at the end of the day, you are responsible for the security and compliance of your setup and applications. Understanding and leveraging the shared responsibility model is your best bet to cover the largest possible surface area.

Hilary Doyle: Are there common gaps to look out for in the shared responsibility model?

Rahul Subramaniam: Absolutely. I mean, old school enterprises look for someone to blame when something goes wrong. And that’s not how the shared security model works.

You have to know what the cloud provider owns, and you need to own what you built.

Hilary Doyle: Excellent. Number three.

Rahul Subramaniam: Okay, so number three is that the well-architectured framework from AWS is really a great place to start, because it makes you ask the right questions about what security and compliance would mean for your application and organization.

Hilary Doyle: Once again, AWS for the win, according to Rahul’s lips, straight to your on-prem compliance team’s ears.

Rahul, let’s get back to our use case. When we left off, NASDAQ was struggling to ingest a massive and continuous store of data, up to 55 billion records a night. And this was back in 2018. So what happened? How did they tackle their need for a new architecture?

Rahul Subramaniam: Okay. So, NASDAQ built a new data lake on S3, separating their compute and storage, so that data loading and querying processes could scale independently. And they adopted Redshift Spectrum to query the data in both the S3 data lake and the still functioning data warehouse that they had.

And this came in handy when markets went crazy at the beginning of 2020, during the onset of the pandemic. I mean, NASDAQ was able to handle 70 billion to a peak of 113 billion records every single day.

Hilary Doyle: Wow.

Rahul Subramaniam: I mean, quite a simple solution actually, if you think about it.

Hilary Doyle: So, they solve for the scalability. They solve for the storage and compute issue. But where does security and compliance fit in one of the most significant financial platforms in the world? I imagine that billions of sensitive financial records probably need some fairly hefty compliance.

Rahul Subramaniam: Absolutely. And I can’t think of a better solution than S3 to build your data lake. You already had encryption in transit, with reads and writes to and from S3, and then they recently announced that every object that you store there will automatically be encrypted at rest by default.

Think about this. S3 stores over 280 trillion objects.

Hilary Doyle: Oh my God.

Rahul Subramaniam: And AWS guarantees that every one of them will automatically be encrypted when stored. And the best part, you don’t have to change a thing.

Bottom line, S3 just got way more secure for free. I can’t imagine building a solution that offers those kinds of basic guarantees and automatic upgrades in any on-prem setup.

Hilary Doyle: That’s impressive. But you mentioned Die Hard and Mission Impossible earlier, and I just want to point out the obvious. Which is to say, I don’t see anyone making a blockbuster about cloud-based security.

Rahul Subramaniam: Maybe next year?

Hilary Doyle: Maybe next year. That’s it for us, for now. We will be back. You’ve been listening to AWS Insiders from CloudFix. I’m Hilary Doyle.

Rahul Subramaniam: And I’m Rahul Subramaniam.

Hilary Doyle: CloudFix is an AWS cost optimization tool. You can learn more about them at cloudfix.com. Check out the show notes.

Rahul Subramaniam: Leave us a review, and please follow us.

Hilary Doyle: Oh. And reach out to us directly at podcast@cloudfix.com. You can send us your feedback and let us know what you’re keen to hear about on the show. We like hearing from you.

Okay, catch you later.

Rahul Subramaniam: See ya.