Securing AWS workloads with Simon Scholey
Nasstar's Cloud Architect, Simon Scholey, is a true cloud security expert. He recently achieved AWS Certified Security – Specialty status, an impressive accomplishment shared by only a select few.
What makes Simon's expertise so important? That’s simple: ensuring the security of AWS workloads is absolutely essential for enterprise organisations.
In our chat with Simon, we dive into why this is such a vital topic and explore the many ways Nasstar is leading the charge in this critical area.
Can you tell me about your background and what drew you to cloud computing?
I started as an apprentice in 2003, and I've been exploring different IT roles since then. I found AWS particularly interesting while working in the Energy sector and quickly realised that was the direction I wanted to take my career. I’ve been with Nasstar for over 3 years now - I was promoted to cloud architect last year and absolutely love it.
How do you and your team protect customers from data breaches and security incidents?
We design our solutions so they're secure by design and compliant with the latest AWS security baselines. We always keep them in mind when designing and building. We also adhere to the least privilege model - only granting users the access they need for the job at hand. That's to protect both us and our customers from any unwanted changes, intentional or accidental.
We've had safety procedures in place for a while, and making sure they're up to date with current regulations is an ongoing job. The landscape is constantly changing, but always being on your toes is essential to maintaining security.
What role does AWS play in securing cloud services?
AWS is fantastic when it comes to security – it’s always been job number one for them. They just keep bringing out new services and enhancing existing ones. They’re also compliant with loads of different certifications, which means AWS customers are automatically compliant. Ultimately, that means more protection for end users.
However, there is the shared responsibility model, and as a Managed Service Provider, we still have to do our bit. It's very important that we configure services correctly to ensure they're secure and continuously patch servers against vulnerabilities.
What is "Secure by Design" at Nasstar?
SbD (Secure by Design) is our security standard. Anything we do in terms of solution design must meet those standards. That means our designs are secure out-of-the-box, and any future changes must adhere to these standards.
Who comes up with the changes?
Our internal cloud team is responsible for coming up with any changes, many of which are driven by AWS Security Hub, a constantly evolving set of best practice standards which workloads should meet. They have a number of recommendations which are continuously updated.
When changes are required, we work with our customers to plan and implement them to secure their cloud environments.
If there was a customer or company that wasn’t compliant with security best practices, what should they do first?
That's a really important question, and it's something that shouldn't be ignored; you have to be proactive with security.
When we bring on a new customer, we conduct a full security review of their cloud estate. We follow various best practice models. For example, we have a limited access account with all their security tooling in it. All their other accounts report any findings to a central place, giving us an overview of the entire estate.
We do the same for logs, creating a separate account for logging that's even more restricted. This ensures that no one can tamper with anything to cover their tracks. It's also important to ensure that people have only the privileges they need to do their job, adhering to the least privilege model.
When it comes to removing users who have left the company, we have to ensure that the process is carried out as quickly as possible. One way to do that is by linking AWS with Azure AD. Once someone is removed from their company system, they're automatically removed from AWS, without any additional logging or ticketing.
What about automation? Do we encourage our customers to adopt it? Is it becoming more common in security architectures?
Absolutely! Automation should be the first port of call for anything, whether it's patching, creating new environments, or logging events.
There are lots of automation services already available and more coming to Amazon’s Security Hub this year. AWS Shield, for example, is available and is used for DDoS protection. It can automate changes to other AWS components in the event of a DDoS attack.
Automation can also help to optimise your break-glass function and privileged access model, where people are working on the lowest possible level of permission unless they have a genuine business reason to elevate those permissions. All those changes can be automatically logged and audited with notifications sent to a support team, so they can keep an eye on what's going on.
Do you have a favourite AWS security product?
AWS Inspector. It's the one that I've spent a lot of time with recently. It's very easy to get set up and quickly provides a view of vulnerabilities across your organisation so you can focus on patching.
Is cloud security creating a drag on productivity for development teams?
Security is absolutely critical to any organisation, and it’s an investment that pays off as all organisations must protect their business systems and customer data from day one.
At Nasstar, we believe that education is key. By giving people the right training and tools, we can empower developers to do their jobs securely and efficiently. It's also important to encourage open communication and to involve the right people at the right time, particularly architects at the start of a project. By doing so, we can ensure that our solutions are built with security in mind from the very beginning.
Which of Nasstar's cloud security services should everyone know about?
At Nasstar, we are dedicated to providing our customers with the highest level of security possible. We offer a range of services tailored to each customer's needs, so it's difficult to pinpoint just one.
I would however like to highlight our work with the Rail Delivery Group. Through this partnership, we’ve been able to demonstrate the effectiveness of our services and our commitment to knowledge sharing. It's important to us that our customers feel confident in their security posture, and we work tirelessly to ensure that they do.