My introduction article about cloud security best practices will focus on AWS cloud security. The core information in this article can be extended to other cloud technologies like GCP and Azure.
Amazon Web Services (AWS) is the most-used cloud infrastructure provider today. With multiple cloudbased services, large organizations rely on it every day to provide services to their employees and contractors, and applications to customers. Companies like Netflix and LinkedIn base their core service infrastructure on AWS.
Recently, numerous cloud-related attacks occurred in multiple large companies. The need to protect AWS cloud services is paramount. Company investment in AWS has to include a detailed security approach, so, it is essential to verify that all parts of AWS are proactively protected.
Security CIA Triad
A common way to explain cybersecurity needs and requirements is via the CIA triad. Different organizations can emphasize some parts of the triad as more important for their business needs. However, every company has to maintain key factors of the triad as described below.
It is crucial in today’s world for companies to protect the sensitive and personal information of their employees from unauthorized access.
Information confidentiality is dependent on being able to set proper access levels to your data. Doing this requires segregating the information into data sets that are organized based on need-to-know access and sensitivity level that information actually has. You need to also examine the amount of damage if confidentiality is breached. Some of the ways to manage confidentiality include access control lists, volume, file encryption, and data classification.
This component of the CIA triad is designed to protect data from alteration or destruction by unapproved parties, and it ensures that when an authorized person makes an unwanted change, the change can be reversed and damage prevented.
The last component of the CIA triad is related to the availability of the data. Authentication mechanisms and systems have to function accurately for the information they protect and ensure it is available when it is needed. Modern computing resources have architectures that are specifically designed to improve availability.
DDoS protection measures and systems specifically address availability-related challenges related to volumetric distributed attacks. My explanation of cloud security best practices will follow a reference to the CIA thread as a methodological framework for holistic cloud security.
Building AWS Cloud Security
Your AWS environment security requires risk prioritization and risk management based on your organization’s use of the AWS services available and the detailed risk footprint these services create as a result. In order to create a security baseline, follow the list below:
Know your responsibilities
AWS uses a shared responsibility model where AWS is responsible for the availability of computing, storage, and more. You are responsible for your data, company applications, users identity, and – most importantly – overall environment security.
Know your risk
In the case of AWS, the risk is about exposure. Since most use cases of AWS are internet-facing, you need to understand your potential risk. Performing a risk scoring may be necessary to comprehend where you may be exposed and what security service may be necessary to protect your AWS investment. Remember, risk assessment is a pivotal first step in any security program.
Limit access via IAM
Start with a properly configured IAM strategy that utilizes defined roles to ensure that users only have access to the bare minimum resources they should. Use 2FA as much as possible, separate accounts, and never allow employees to use service accounts for manual admin tasks. Following these requirements will improve the integrity and confidentiality of your environment.
Think “defense in depth” security
Threats are evolving, requiring that your security strategy uses several tools and methods. Products that assist you with the protection, prevention, detection, and remediation of AWS security necessitate implementation across infrastructure, identity, storage, and endpoints.
Use external vendor solutions from AWS marketplace if needed. This can provide you with more granular security and better visibility. Solutions by multiple security vendors are available in the AWS marketplace. Fortinet, Pal Alto Networks and Checkpoint, and Splunk are just a fraction of hundreds of vendors available.
Focus Areas of AWS Security
Identity and access control
AWS environment access requires a combined approach. A central user identity store is used with the ability to manage user identities, along with single sign-on (SSO), multi-factor authentication, and detailed access to AWS resources.
If your environment is exposed to the internet, you need network firewalls, web application firewalls, and encryption in transit. Use base-security services like EDR to protect your AWS environment as a whole.
Threat detection and remediation
A large array of threat intelligence exists today. Threat intelligence can be used as the basis to detect threats. Networklevel intrusion detection and host-level detection are necessary parts of the strategy with AWS implementations.
The need to understand where your sensitive data is stored is the first step for its defense. Mapping critical data is pivotal for a successful defense strategy. Data located in S3, EC2 instances, EBS, RDS, and more, all contain critical, protected, sensitive, or otherwise valuable data. Data classification requires automatic discovery and classification data based on its content. This requirement relates to the confidentiality part of the triad.
It is your direct responsibility to perform assessments of and fixing vulnerabilities found on virtual resources within AWS that your company deployed. This requirement relates to the integrity part of the security triad.
AWS tests its infrastructure in a rapid way. There are multiple core services (AWS EC2 and AWS RDS) against which customers can perform their own penetration tests without approval from AWS. Selected types of tests are prohibited by AWS or require a separate written approval process to pass with AWS. This requirement relates to the integrity part of the security triad.
AWS Native Security Services
AWS Firewall Manager and Amazon WAF are centralized configuration and management of rules used to block traffic and traffic patterns synonymous with malicious activity. AWS supports the encryption of data that is available across most AWS storage and database services. Consider utilizing AWS KMS – Key Management Services to supervise encryption keys and their use. This requirement relates to the integrity part of the security triad.
Use Amazon Macie to identify sensitive data such as personally identifiable information, providing visibility into how this data is accessed. Maice is limited in scope to data residing in S3. This requirement relates to the confidentiality part of the security triad.
Monitoring and auditing
Two key services provide this requirement: Amazon CloudWatch collects data via logs, metrics, and events across multiple AWS services. AWS CloudTrail detects AWS account activity and API access.
AWS Inspector service can provide vulnerability management functionality by looking for vulnerabilities and providing automated security assessments on EC2 instances.
The technologies mentioned relate to the confidentiality part of the security triad.
Identity and access management
AWS offers multiple solutions designed to meet the needs of organizations that are in different levels of security maturity. Important services for IAM are AWS Identity and Access Management (IAM), AWS Multi-Factor Authentication, and AWS Directory Service. IAM AWS services provide highly secure and centralized access to AWS resources. IAM services can integrate with onpremises identity systems, such as Active Directory and OKTA style cloud-based identity management solutions to offer SSO access to multiple applications and infrastructure services outside of AWS.
Amazon GuardDuty can monitor AWS accounts and analyze network and account activity for anomalous behavior. GuardDuty uses rule sets and machine learning to alert on abnormal activity. GuardDuty identifies threats within AWS and can either address them with Amazon Lambda or route findings into third-party event management SIEM application. This requirement relates to both integrity and confidentiality parts of the security triad.
Amazon Shield detects and responds to DDoS attacks to reduce the time to mitigate and reduce the scale of attacks. AWS customers can enjoy AWS Shield’s Standard level service for free. For more sophisticated requirements, external CDN and DDOS services by Akamai, Imperva, or Cloudflare can be used. This requirement relates to the availability part of the security triad.
As a final word, remember that cybersecurity might be complex and costly, but in the long run, it pays off as it allows safer business operations. In addition, investment in security creates a competitive advantage for your organization.