If there is one good thing that came out of the recent cyber-attacks, it is the fact that more companies are becoming focused on cyber security. For some of them, such as Target, Sony, LinkedIn, and Verizon, security was an afterthought until they got burnt. Others decided that prevention is better than the cure and that issues caught by their users are more threatening than those caught internally.
We all know that cyber-security is a process that takes time, and as the speed of software delivery rises, so does the burden on security teams. Doing things faster can interfere with their primary task of maintaining and releasing secure applications as they are not left with enough time to thoroughly inspect applications before they are released to end users. The challenge here is to find the right combination of processes that would allow software developers to keep releasing at a rapid pace while leaving enough time for security teams to complete their security assessments.
Picking up Speed With DevOps and AWS
In the past, most organizations had a vertical structure with poorly defined integration between infrastructure, development, and security teams. The downside of this was that different groups reported to different organizational structures with different goals. This mismatch of goals often led to conflict and missed deadlines.
As innovation and customer requirements evolve, time to market becomes more important than ever and businesses need to become more agile than ever before. To go hand in hand with the demands of agile businesses, software developers have to release applications in a consistent and repeatable way. One way to achieve that is with the adoption of DevOps.
Since the first DevOps conference in 2009, adoption of DevOps is growing so fast that Gartner says by the end of the year, it will evolve from a niche strategy employed by large cloud providers to a mainstream strategy employed by 25% of Global 2000 organizations. Laurie Wurster, research director at Gartner said that “digital business is essentially software, meaning that organizations that expect to thrive in a digital environment must have an improved competence in software delivery.”
With its roots, deeply planted in the idea of Lean Manufacturing, DevOps focuses on communication, teamwork, and integration between software developers and other departments while removing unused features, processes, and low-quality software. DevOps´ focus is on building quality into the code, empowered by automated testing and continuous improvement. With DevOps, organizations are able to achieve 30x more frequent deployments, with a 200x increase in speed from code commit to deploy and a 60% decrease in production failures.
As more and more organizations move from monolithic and inflexible software development towards DevOps, cloud adoption becomes vitally important. Due to increased flexibility and considerable cost savings, more and more businesses are moving their workloads to the cloud. Cloud services such as software-as-a-service (SaaS) with infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) are used by most IT businesses for use cases such as collaboration services, email, backups, and disaster recovery. While there are a variety of business drivers for cloud adoption, KPMG research has identified that business executives are mostly motivated by the following motivators:
- Agility: cloud enables businesses to quickly respond to changing business environments and needs
- Cost savings: cloud reduces the need for substantial investments in technology infrastructure thus giving businesses an easier way to benefit from innovation.
- Increased performance: it is easier to modify complex infrastructure with the cloud than it is with traditional on-premise systems.
It is obvious – moving from on-premise to the cloud can give businesses a competitive edge they so hardly need. Given the popularity of cloud services, it´s needless to say that there are more cloud providers today than there are clouds above our heads. Amazon Web Services (AWS) is one of the largest cloud providers who powers a considerable amount of the Internet (Airbnb, Netflix, Slack…). AWS offers a whole collection of cloud-based services such as servers (EC2), storage (S3), and even devices that businesses can use to test their applications (Device Farm). Additionally, AWS provides services that are designed for DevOps and built for use with the AWS cloud.
Security – The Achilles Heel of AWS
Even with all the benefits of DevOps and cloud services such as AWS, security still remains a challenge. Most organizations use cloud services to process or store sensitive data such as intellectual property, customer financial information, business intelligence, and employee information. Unlike in traditional on-premise IT environments, AWS gives businesses computing resources that are available from anywhere in the world. Accessibility, one of the biggest advantages of AWS, has become its greatest weakness.
After Code Spaces, a code-hosting and software collaboration platform, got killed in the cloud due to an attacker who deleted their data and backups, it´s logical to ask ourselves: are public clouds secure or is this sense of security merely an illusion?
AWS has amplified its Identity and Access Management (IAM) on several occasions and has made it very flexible and extensible. However, that flexibility falls at the first hurdle. Managing tightly controlled user access and figuring what permissions are required for a certain operation has become too complex and slow for most businesses, especially those who just started with AWS. There are several reasons for this:
- User access is IP-centric: controlling who can access what with static IP addresses and port mapping doesn´t cut as users´ addresses change.
- Complexity leads to shortcuts: most companies use basic settings and just hand out their Amazon master credentials to their employees, instead of creating users and policies.
- Access rarely gets revoked: most businesses never revoke access to users who no longer need it which can cause problems for compliance and security.
Like most cloud providers, AWS deals with security of physical data centers and the servers needed for virtual machines to run, and businesses need to take care of protecting their infrastructure by themselves. It´s true – AWS has a plethora of security services and tools that can secure almost anything, but the businesses have to actually implement them to work. Due to the wide variety of services and options, AWS security has become so complicated that many businesses would rather take their chances with cyber attackers than to spend hours researching how to protect themselves and that data. This complexity goes so far that Stephen Schmidt, chief information security officer at AWS, started a blog which offers security best practices and how-to guides.
Securing the Insecure
The following are some best practices on how to go beyond the default security options and really secure your AWS account.
Remove User Accounts
Businesses should avoid user accounts whenever possible. Credentials of only one user are more than enough to take over the whole system. There are several APIs within AWS that can be used for provisioning and it is better to use them for working with instances instead of just creating new accounts. Applications should access the system via special accounts that have very low privileges.
Developers Should Not Be Running the Show
If there is one thing developers care about the most, it´s speed. Developers are under constant pressure to build new releases and that pressure can put security on the bottom of their to-do lists. The real problem occurs when developers take shortcuts which can leave open ports or user accounts with administrator rights. Since developers typically work in different environments, a good approach would be to set up separate AWS accounts for each environment.
Apply Software Development Methodologies to Your Security
Similar as software gets tested before going into production, cloud security should be tested with the same approach. When there is a vulnerability in cloud security, it should be treated with the same priority as a bug in the software.
Back up Your Data
Backups should be done regularly so the data can be recovered in case of a cyber attack or compromised access. In case of Code Spaces who were attacked by a DDoS attack in order to ask for ransom, they tried to stop the attack by logging into their AWS account. This resulted in the attacker deleting all their data from the servers. Without backups, the damage was so severe that the business ceased to operate. All AWS users can back up their data or move it from S3 to Amazon Glacier for archiving. Having an offline backup ensures businesses there is a copy of their data to which attackers don´t have immediate access.
Use AWS Built-in Security Tools
As we mentioned above, AWS has a wide variety of security tools such as encryption tools, HSM for private keys, firewalls, and more. Administrators can split instances by their type and assign them to different groups. Going further, admins can define access rules or restrict certain ports to prevent attackers in gaining a foothold on the server and accessing the database. Whitelisting IP addresses is another step that can be done to restrict access to certain systems but this requires regular list inspections to ensure the list is up-to-date and that no changes have been made.
The above best practices on how to secure AWS are just a high-level overview of different procedures that businesses should take to additionally secure their data in the cloud.
The broad range of Amazon services and their security tools add a great deal of complexity that can be too much for developers who are already under a great deal of pressure. While most of them do a great job once properly configured, they will do nothing when faced with an attacker who put his hands on valid user credentials or an insider looking to wreak havoc onto his company.
Cloud security should be simple. The more complicated it gets, the more opportunities it creates for attackers to find a loophole.