Pillar #2 Of The AWS Well-Architected Framework: Security
Human error, security at every level of your stack, and automation security are some of the key practices in this pillar.
Today’s post continues our sequence on the 5 Pillars of AWS Well-Architected Frameworks. Catch up on the first post here on Operational Excellence. In today’s cloud computing landscape, security is paramount. The increasing number and intensity of cyber attacks, the challenges faced by systems and users, and the business objectives that need to be achieved all require the highest standard of cloud security. Setting up a secure environment is only the beginning. Ways to deal with security events and additional measures to protect data transmissions are also parts of the equation.
With Amazon Web Services (AWS) becoming the go-to ecosystem for cloud implementation for many businesses that want to scale, security is a necessity rather than an option. This is also why one of the AWS Well-Architected Framework’s five pillars—the second pillar, to be exact—is security. For the environment and the systems it hosts to be completely secure, there are several design principles to follow to improve your chances of achieving a truly well-architected system.
The Challenges Of Cloud Security
Before we get to the design principles that govern how to best secure an AWS cloud environment, it is necessary to review the risks faced by modern cloud ecosystems and how the right foundation can mitigate those risks. Unauthorized access, information theft, and data loss are the most common challenges faced by any system today, but they are far from the only ones.
There are also risks of data breaches, mostly caused by insecure data points and human error. With mission-critical systems, the risk of denial of service due to DDoS attacks is even more harmful. Add modern cyber attacks coming in different forms and attacking through multiple system weak points, and it is easy to see why security is something that needs to be covered from the start.
The key to mitigating most of these cloud security risks lies in the ability to configure the cloud environment properly. By identifying the potential attacks as well as the additional risks the cloud environment bears, we can review how each design principle of this pillar works.
Basic Design Principles
For the risks mentioned earlier to be mitigated with the utmost care, an AWS environment must be set up with security in mind. As mentioned before, cloud security is a necessity rather than an option, and the design principles of this pillar are meant to guide you through creating a secure environment. Those design principles are:
- Implement a strong identity foundation: In simple terms, you need to establish strict and meticulous user and user role management as part of the environment. It is not enough to create system-level user management routines. Everything from access to different AWS resources to roles assigned to individual identities needs to be defined clearly and managed properly.
- Enable traceability: Accountability is a big part of modern information security approaches, so it is not surprising to find adding a layer of logging for the purpose of traceability is a part of the basic design principles of good security. Logs and metrics allow system administrators to trace everything back to a point of execution.
- Apply security at all layers: As mentioned before, applying security on a system-level isn’t enough. The approach to sufficient cloud security needs to be holistic and from the ground up. There is no such thing as being too careful when it comes to protecting your AWS environment, and that includes protecting the operating system, the load balancers used as part of the environment, and everything else in between.
- Automate security best practices: Automation is a big part of AWS cloud security. You now have tools like CloudWatch, Amazon GuardDuty, and Amazon Athena. The latter allows you to analyze logs with advanced parameters; for example, you can analyze logs and find activities that match certain attributes, patterns, and sources.
- Protect data in transit and at rest: Data protection measures must be in force across the environment and beyond. Transmissions from and to the cloud environment must already be encrypted, while additional measures such as tokenization and stricter access control can help prevent data from being seized in transit.
- Keep people away from data: Human error is a risk that cannot be eliminated, but it is a risk that can be reduced. That is what this design principle is all about: reducing the risk of human errors causing loss of data and other security issues by limiting direct interaction between people and data. This includes limiting manual data processing.
- Prepare for security events: The last piece is a set of plans and contingencies to help make dealing with security events, especially security emergencies, easy. By putting in place a set of procedures, everyone responsible for the environment only needs to follow strict guidelines to maintain the highest security standards under different circumstances.
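The traceability and automation principles above come down to running repeatable checks over API activity logs. The following is an added example, not code from the original article: it scans constructed CloudTrail-style records for one attribute (a sensitive API call), one pattern (repeated access denials by the same principal), and one source condition (a caller IP outside the expected network). The watchlist, allowed network, and threshold are assumptions chosen for illustration.

```python
import ipaddress
import json
from collections import Counter

# Assumptions for this example: watchlist, expected network, and threshold.
SENSITIVE_EVENTS = {"StopLogging", "DeleteTrail", "PutBucketPolicy"}
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DENY_CODES = {"AccessDenied", "UnauthorizedOperation"}
DENY_THRESHOLD = 3

# Constructed sample records using CloudTrail field names (not real logs).
SAMPLE_EVENTS = [json.loads(line) for line in """\
{"eventName":"GetObject","sourceIPAddress":"10.0.4.12","userIdentity":{"arn":"arn:aws:iam::111122223333:user/app"}}
{"eventName":"StopLogging","sourceIPAddress":"10.0.4.12","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops"}}
{"eventName":"ListBuckets","sourceIPAddress":"198.51.100.7","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci"}}
{"eventName":"GetObject","sourceIPAddress":"198.51.100.7","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci"}}
{"eventName":"DescribeInstances","sourceIPAddress":"198.51.100.7","errorCode":"UnauthorizedOperation","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci"}}
{"eventName":"Decrypt","sourceIPAddress":"cloudtrail.amazonaws.com","userIdentity":{"type":"AWSService"}}
""".splitlines()]


def analyze(events):
    """Return sorted, de-duplicated (rule, principal, detail) findings."""
    findings = set()
    denied = Counter()
    for ev in events:
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        name = ev.get("eventName", "")
        src = ev.get("sourceIPAddress", "")
        # Attribute: calls that weaken logging or change bucket access.
        if name in SENSITIVE_EVENTS:
            findings.add(("sensitive-api", who, name))
        # Source: caller IP outside the expected network.
        try:
            ip = ipaddress.ip_address(src)
            if not any(ip in net for net in ALLOWED_NETS):
                findings.add(("unexpected-source", who, src))
        except ValueError:
            # Calls made by AWS services carry a DNS name here, not an IP.
            pass
        # Pattern: count authorization failures per principal.
        if ev.get("errorCode") in DENY_CODES:
            denied[who] += 1
    for who, count in denied.items():
        if count >= DENY_THRESHOLD:
            findings.add(("repeated-denials", who, str(count)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```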
Remember that security requires a holistic approach. These design principles will not protect your system on their own, but they create a safer AWS environment when implemented as a whole. A strong security pillar means your environment is ready for action. Security is also one of the best foundations on which to build a strong business. With the Well-Architected Framework on your side, you can help your organization compare your system design against best practices, and discover how to establish reliable and efficient processes.
It is the goal of AWS to be the environment that offers sufficient protection for the environment itself, the systems running in it, and any assets related to business operations.
To sign up for a Well-Architected Review with Ibexlabs, contact us here. As APN Partners, the team at Ibexlabs can assist in making business recommendations surrounding the implications of AWS work-based designs and infrastructure. Following the review, Ibexlabs will advise an organizational roadmap to scale your business in accordance with your short to long-term goals based on the AWS Well-Architected Pillars.
AWS will also provide up to $5,000 worth of AWS credits for remediation for all customers who sign up with an AWS APN Partner for the AWS Well-Architected Program.
This post was originally published here.
Published at DZone with permission of Kiran Sangeetam. See the original article here.