If you operate in the cloud today, chances are you are running on Amazon Web Services (AWS). And odds are you’re thinking about how to meet best practices and achieve security in the cloud. AWS is the number one IaaS provider and has been for several years, according to Gartner’s Magic Quadrant. However, many AWS customers today are still learning about how to approach cloud security.
The concerns and issues vary from company to company and industry to industry today, but any business running in the cloud would do well to be able to answer these three key questions:
Who has access to which applications and when?
How can we monitor for key file changes?
Will we be notified in a timely manner when something anomalous occurs?
We have spoken to a number of our customers and partners across the security industry to identify some of the most common challenges when it comes to AWS security. The seven that come up most often — along with what you need to know about each — are discussed below.
1. Strategy Before Tools
When it comes to cloud security, many companies wonder whether they should put tools and controls in place first, or take the time to establish a security strategy before getting started. In our view, the vast majority of the time, the strategy should come first.
Why? This way, when assessing a control or tool, you will be able to determine whether and how it supports your strategy. Putting strategy first also empowers you to integrate security into all business functions — including those reliant on AWS.
This can be a huge help with continuous deployment cycles, in particular. For example, if your organization is using (or considering using) configuration management tools like Chef, Puppet, Ansible, or SaltStack to automate software updates and patches, having a clear security strategy can help you implement monitoring across these tools from day one. The same goes for any business process or tool across your organization. In the majority of cases, strategy should come first.
2. Prioritize Visibility
Most companies employ multiple SaaS tools to achieve their business goals on a day-to-day basis. With logins and controls varying across each of them, it can be quite challenging to understand at all times who is accessing what, and from where, across the organization. This is important information because you want to be alerted immediately if any of the activity is anomalous or malicious. The lack of security visibility in the cloud can become an even bigger problem if there is no security strategy supporting the implementation and management of these applications (see #1: Strategy Before Tools).
To achieve better visibility on AWS, follow these three best practices:
Go Deep: When it comes to knowing what is happening on a host or workload, you need more information than an IDS log can provide. You need to know more than the fact that a certain packet went out over the wire. You should be able to see specific events over time on specific servers.
Look Beyond Logs: Logs are essential, but they often provide only a narrow view of what’s going on. It is one thing to see who is entering and leaving the building, and quite another to know what they are doing once they are inside. Network-based intrusion detection is limited; host-based intrusion detection gives you far more insight.
Do Not Forget Insider Threats: If an incident occurs, it is important to look at who caused it. Unfortunately, sometimes threat actors can be internal. This can stem from a mistake or from malicious intent. Regardless of the cause, some key indicators that a threat came from the inside are unusual network activity, unauthorized installs, abnormal login attempts or failures, or key file changes. Keep your guard up!
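The "key file changes" indicator above is the one a host-based monitor can check most directly: hash the files you care about, keep the digests as a baseline, and re-hash on a schedule to surface anything modified, added, or removed. The following Python is an added example written for this article, not code from the article or any vendor's product; it builds the baseline over a constructed, temporary tree of files (the file names and contents are invented for the demonstration) and reports the differences after a simulated change.

```python
"""File-integrity baseline check for "key file changes" (added example, constructed data)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a POSIX-style relative path) to its digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Compare two baselines and classify each change; every list is sorted for stable output."""
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo() -> dict:
    """Baseline a constructed /etc-like tree, then apply the kinds of change a monitor should flag."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc" / "cron.d").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        before = build_baseline(root)

        # Constructed changes: one config edited, one scheduled job added, one removed.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.d" / "updater").write_text("*/5 * * * * root /usr/local/bin/updater\n")
        (root / "etc" / "cron.d" / "backup").unlink()
        after = build_baseline(root)

        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline would be written somewhere the monitored host cannot alter it (otherwise an intruder who changes a file can also "fix" the baseline), and the comparison would run on a schedule or on inotify events; the diff output is what you would ship to the alerting pipeline the article's third question asks about.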
3. Understand Your Responsibility
AWS offers many useful security tools and configurations, but it is important to know where their responsibility ends and yours begins. In short:
AWS is responsible for the security of the cloud.
You are responsible for the security of your data and applications in the cloud.
We recommend that you think about the security of your data on AWS even before you decide to migrate. If you already have, it is not too late. Some questions to think about include:
How do we ensure compliance in the cloud?
How are we going to deal with incident response in the cloud?
How can we access log data in the cloud?
These are all very pertinent questions, ones that even the largest and most well-known companies using AWS are asking today. By keeping these considerations in mind, you will be able to migrate onto AWS with far more confidence.
4. Know Your Liability
Liability is a key topic in cloud security. When a security incident occurs, you need to know who is responsible so you can take appropriate action.
Today, providers like AWS take on a lot more collective security accountability for everything above the virtual machine layer. However, users still have to take responsibility for things like access control, monitoring, and audit logging. By taking a proactive approach to defining access levels and monitoring activity across the network, companies can be sure that if something does go wrong within their AWS environment, they can pinpoint liability with precision.
5. Protect Credentials
Many companies trust their sensitive data, like PHI, credit card data, and financial details, to cloud service providers like AWS. You can certainly do this, but you should keep in mind the ways in which this makes you a target for attackers. The key is to understand what attackers go after. Most security incidents actually occur because of credential theft — not sophisticated zero-day attacks against cloud providers themselves.
Credentials are a goldmine for attackers for one very important reason: they are the keys to the kingdom, granting access to a vast amount of data by exploiting a single data source.
You can preemptively protect your credentials and data in a number of ways. We recommend that you:
Turn on multifactor authentication (MFA) for all the applications that allow this functionality.
Monitor for anomalous logins.
Implement intrusion detection at the host level.
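On AWS the first two recommendations can be checked against CloudTrail, which records every console sign-in as a ConsoleLogin event carrying the user, the source IP address, whether MFA was used, and whether the attempt succeeded. The Python below is an added example written for this article, not the article's own or AWS's code; it runs three detections over a small set of constructed records whose field names follow the CloudTrail ConsoleLogin event shape (eventName, userIdentity.userName, sourceIPAddress, additionalEventData.MFAUsed, responseElements.ConsoleLogin). The user names, IP addresses and timestamps are invented; a real deployment would read the records from the CloudTrail log files delivered to S3 rather than from an in-memory list.

```python
"""Three login detections over constructed CloudTrail ConsoleLogin records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _login(user, when, ip, mfa="Yes", ok=True):
    """Build one constructed ConsoleLogin record in the CloudTrail field layout."""
    rec = {
        "eventVersion": "1.08",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventTime": when,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip,
        "additionalEventData": {"MFAUsed": mfa},
        "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"},
    }
    if not ok:
        rec["errorMessage"] = "Failed authentication"
    return rec


# Constructed sample: alice logs in normally, then from a never-before-seen address;
# bob signs in without MFA; carol has a burst of failures followed by a non-MFA success.
EVENTS = [
    _login("alice", "2024-05-01T09:00:00Z", "203.0.113.10"),
    _login("alice", "2024-05-01T09:05:00Z", "203.0.113.10"),
    _login("bob", "2024-05-01T10:00:00Z", "198.51.100.7", mfa="No"),
    _login("alice", "2024-05-02T03:12:00Z", "192.0.2.44"),
    _login("carol", "2024-05-03T22:01:00Z", "192.0.2.99", ok=False),
    _login("carol", "2024-05-03T22:01:30Z", "192.0.2.99", ok=False),
    _login("carol", "2024-05-03T22:02:00Z", "192.0.2.99", ok=False),
    _login("carol", "2024-05-03T22:02:40Z", "192.0.2.99", ok=False),
    _login("carol", "2024-05-03T22:03:10Z", "192.0.2.99", ok=False),
    _login("carol", "2024-05-03T22:10:00Z", "192.0.2.99", mfa="No"),
]


def _when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _user(ev):
    ident = ev["userIdentity"]
    return ident.get("userName") or ident.get("arn", "unknown")


def _is_login(ev):
    return ev.get("eventName") == "ConsoleLogin"


def _succeeded(ev):
    return ev.get("responseElements", {}).get("ConsoleLogin") == "Success"


def logins_without_mfa(events):
    """Successful console sign-ins where CloudTrail did not record MFA use."""
    return [
        (_user(e), e["eventTime"])
        for e in events
        if _is_login(e) and _succeeded(e)
        and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"
    ]


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed sign-ins inside any sliding `window`."""
    failures = defaultdict(list)
    for e in events:
        if _is_login(e) and not _succeeded(e):
            failures[_user(e)].append(_when(e))
    bursts = {}
    for user, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts


def new_source_ips(events):
    """Successful sign-ins from an address the user has not signed in from before.

    A user's first successful login seeds their baseline, so it is never flagged.
    """
    seen = defaultdict(set)
    findings = []
    for e in sorted(events, key=_when):
        if not (_is_login(e) and _succeeded(e)):
            continue
        user, ip = _user(e), e["sourceIPAddress"]
        if seen[user] and ip not in seen[user]:
            findings.append((user, ip, e["eventTime"]))
        seen[user].add(ip)
    return findings


if __name__ == "__main__":
    print("no MFA:", logins_without_mfa(EVENTS))
    print("bursts:", failed_login_bursts(EVENTS))
    print("new IPs:", new_source_ips(EVENTS))
```

The three functions correspond to the three recommendations: the MFA check finds accounts where the first bullet has not been enforced, and the burst and new-address checks are two concrete forms of "anomalous login". The window and threshold are deliberately parameters; tune them to your own sign-in patterns before wiring the output to an alert.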
6. Beware Multi-Tenancy
Here is the true risk of multi-tenancy: when untrained staff or immature processes are used to deploy and monitor virtualized systems, the company becomes vulnerable. Many companies fear that, with multi-tenancy, their data could inadvertently become exposed to competitors. While providers like AWS are well aware of these concerns and have implemented layers of protection to ensure that you — and only you — see your own data, you can and should take a number of extra precautions on your own. Phil Cox, VP, Security & Compliance at Coupa Software, provides some great suggestions via Quora.
7. Stay Compliant
If your organization is beholden to any compliance frameworks, you need to look at how that will work in AWS. While cloud providers like AWS do provide companies with a certain level of protection, they simply cannot cover every aspect of compliance.
AWS can (and does) offer protections such as encryption of PII, both at rest and in flight, but it does not continuously monitor data for anomalous behavior, provide host-level insights that can get to the root of the problem, and so on. It is not always straightforward to determine where AWS’s compliance features end and where another solution needs to come into play to fill in the gaps, but it is critical to do the research for your particular use case and make sure you don’t leave yourself exposed.
Parting Words: Trust, But Verify
Happily, most companies are no longer questioning whether they should move to the cloud. Instead, they’ve realized they can take advantage of the many benefits the cloud has to offer as long as they satisfy their security and compliance needs. AWS has proven to be a strong cloud partner to many of today’s biggest, fastest, and most innovative companies. You can trust AWS (we do!), but as with anything else, you should always verify. That is where your responsibility as a public cloud user lies.
By following the seven tips outlined above, you will be well on your way to defining your security and compliance needs and determining how to successfully meet them in the cloud.