Security and AWS: Strategies and services to protect your environment

A look at the importance of implementing best-practice security for your AWS infrastructure by Bulletproof’s Gary Marshall

Realising the many benefits that cloud can bring - such as operational efficiencies, commercial savings, increased flexibility and speed to market - requires you to maximise your use of cloud services and not simply treat cloud as another source of raw compute and storage that would be available from a traditional Infrastructure as a Service (IaaS) offering.

Cloud security is more important than ever

It is entirely valid to approach this incrementally, gradually onboarding your traditional infrastructure to make use of more and more cloud services, as well as onboarding new projects and workloads directly onto more Platform or Software oriented cloud solutions.

As you are able to increasingly take advantage of such offerings, you can then realise an increasing array and scale of benefits.

However, this underlines the importance of the security surrounding your cloud services: that security must be baked into your cloud developments from day one, not provided as an afterthought. Securing your cloud environment is now more critical than ever, and that means securing the whole of your cloud environment.

That means not just securing the infrastructure and other cloud elements that you are directly making use of, but also securing your window into the cloud, such as the AWS Console itself.

Using best-in-breed security services

The good news is that in an AWS cloud environment, you are able to take advantage of best-in-breed security services across all facets of your cloud environment. In many cases these will be far superior to any security services that you may have previously been able to access, whether that’s because of cost or complexity.

The cloud security services you will be able to make use of include a combination of best-practice processes and designs, offerings from the AWS Marketplace and of course, native AWS products themselves.

The importance of verifying and tracking changes

As you consider each of these areas of security, it’s important to not only ensure that any initial configuration is accurate, but also that any changes are appropriately verified and tracked and that the ongoing security posture continues to be validated.

This ongoing regular validation will ideally be via automated mechanisms that provide both monitoring and reporting of some of the key security elements. AWS provide some best-practice security reporting via the AWS Console with ‘Trusted Advisor’.

This gives visibility to elements such as open ports, use of MFA (multi-factor authentication), the use of strong passwords (or not), globally readable/writable storage bucket use and a range of other security and audit capabilities. It’s great practice to ensure your security processes include the review of the reports from Trusted Advisor on a regular basis.
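The checks Trusted Advisor reports on (open ports, MFA, public buckets) are easy to reproduce in your own tooling so they can run on a schedule and feed a ticket or alert. The script below is an added example, not code from the original article or from AWS: it runs three Trusted-Advisor-style checks over a constructed inventory held in plain dictionaries (the shape a caller might assemble from the EC2, IAM and S3 APIs); no AWS calls are made and the sample data is invented.

```python
"""Trusted-Advisor-style posture checks over a constructed inventory.

Added example, not code from the original article or from AWS. The
inventory dictionaries below are constructed sample data; nothing here
talks to an AWS account.
"""
from dataclasses import dataclass

# Ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 1433: "MSSQL", 5432: "PostgreSQL"}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
# S3 canned grantees that make an object or bucket world-accessible.
PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}


@dataclass(frozen=True)
class Finding:
    check: str      # which check raised it
    resource: str   # the offending resource identifier
    detail: str     # human-readable explanation


def check_open_ports(security_groups):
    """Flag inbound rules that expose a sensitive port to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in security_groups:
        for rule in sg["inbound"]:
            if rule["cidr"] not in (ANY_IPV4, ANY_IPV6):
                continue
            for port, name in SENSITIVE_PORTS.items():
                if rule["from_port"] <= port <= rule["to_port"]:
                    findings.append(Finding("open_ports", sg["id"],
                                            f"{name} ({port}) open to {rule['cidr']}"))
    return findings


def check_mfa(users):
    """Flag any console-capable identity (root included) that has no MFA device."""
    findings = []
    for user in users:
        if user["has_console_login"] and not user["mfa_enabled"]:
            findings.append(Finding("mfa", user["name"], "console access without MFA"))
    return findings


def check_public_buckets(buckets):
    """Flag buckets whose ACL grants anything to AllUsers or AuthenticatedUsers."""
    findings = []
    for bucket in buckets:
        for grant in bucket["grants"]:
            if grant["grantee"] in PUBLIC_GRANTEES:
                findings.append(Finding("public_bucket", bucket["name"],
                                        f"{grant['permission']} granted to {grant['grantee']}"))
    return findings


def run_all(inventory):
    """Run every check and return the combined list of findings."""
    return (check_open_ports(inventory["security_groups"])
            + check_mfa(inventory["users"])
            + check_public_buckets(inventory["buckets"]))


# Constructed sample inventory (not real account data).
SAMPLE_INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "inbound": [
            {"from_port": 443, "to_port": 443, "cidr": ANY_IPV4},    # fine: public HTTPS
            {"from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},  # fine: internal only
        ]},
        {"id": "sg-bastion", "inbound": [
            {"from_port": 0, "to_port": 65535, "cidr": ANY_IPV4},    # bad: everything open
        ]},
    ],
    "users": [
        {"name": "root", "has_console_login": True, "mfa_enabled": True},
        {"name": "alice", "has_console_login": True, "mfa_enabled": False},
        {"name": "deploy-bot", "has_console_login": False, "mfa_enabled": False},
    ],
    "buckets": [
        {"name": "backups", "grants": [{"grantee": "Owner", "permission": "FULL_CONTROL"}]},
        {"name": "public-assets", "grants": [{"grantee": "AllUsers", "permission": "READ"}]},
    ],
}

if __name__ == "__main__":
    for f in run_all(SAMPLE_INVENTORY):
        print(f"[{f.check}] {f.resource}: {f.detail}")
```

On the sample inventory the script reports the wide-open bastion group once per sensitive port, the console user without MFA, and the world-readable bucket; the HTTPS rule and the service account with no console login are left alone.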

Consider using third-party security tools

On top of AWS services such as Trusted Advisor, there are also many third-party tools that integrate with the AWS Console, APIs and logging and report proactively on potential security events.

One of the benefits of third-party tooling is that it can also drill down on important events such as changes within your cloud environment, as well as user events and API calls.

This is achieved by using other AWS tools such as CloudTrail and AWS Config, both of which are important native AWS security services that underpin an enhanced security posture.
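CloudTrail records are where the "user events and API calls" above actually land, so this is where the detections that third-party tools offer can also be written by hand. The script below is an added example, not code from the original article or from AWS: it classifies CloudTrail records for three conditions the article cares about (use of the root credentials, a console login that succeeded without MFA, and calls that switch off CloudTrail or AWS Config). The records are constructed samples that follow the CloudTrail field layout (userIdentity, eventSource, eventName, additionalEventData); the account ID and addresses are placeholders.

```python
"""Detections over CloudTrail events: root credential use, console logins
without MFA, and calls that weaken audit logging.

Added example, not code from the original article or from AWS. The events
below are constructed samples in the CloudTrail record layout; no real
account identifiers are used.
"""
import json

# Calls that reduce visibility; worth alerting on regardless of who makes them.
AUDIT_TAMPERING = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder"},
}


def classify(event):
    """Return a list of alert names for one parsed CloudTrail record."""
    alerts = []
    identity = event.get("userIdentity", {})
    name = event.get("eventName")
    source = event.get("eventSource")

    # 1. Root credentials should not be used day to day; any use is notable.
    if identity.get("type") == "Root":
        alerts.append("root_credential_use")

    # 2. Console sign-in that succeeded without a second factor.
    if name == "ConsoleLogin":
        extra = event.get("additionalEventData", {})
        succeeded = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if succeeded and extra.get("MFAUsed") != "Yes":
            alerts.append("console_login_without_mfa")

    # 3. Anything that turns off or alters CloudTrail / AWS Config recording.
    if name in AUDIT_TAMPERING.get(source, set()):
        alerts.append("audit_logging_tampered")

    return alerts


def scan(records):
    """Parse JSON strings and return (eventID, alerts) pairs for records that raised an alert."""
    hits = []
    for raw in records:
        event = json.loads(raw)
        alerts = classify(event)
        if alerts:
            hits.append((event.get("eventID"), alerts))
    return hits


# Constructed sample records (account ID and IP address are placeholders).
SAMPLE_RECORDS = [
    json.dumps({
        "eventID": "evt-1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
        "sourceIPAddress": "198.51.100.7",
    }),
    json.dumps({
        "eventID": "evt-2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    }),
    json.dumps({
        "eventID": "evt-3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": {"name": "main-trail"},
    }),
    json.dumps({
        "eventID": "evt-4", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/ci"},
    }),
]

if __name__ == "__main__":
    for event_id, alerts in scan(SAMPLE_RECORDS):
        print(event_id, ", ".join(alerts))
```

In practice `scan` would be fed from the CloudTrail log files delivered to S3 (each file carries a `Records` array) rather than from an inline list; the classification logic is the same.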

Identity and Access Management (IAM) capabilities

AWS also provide comprehensive Identity and Access Management (IAM) capabilities to ensure you can better secure your AWS resources with individual role-based access to only defined resources.

This enables the appropriate access according to your unique security requirements and includes not only per resource restrictions, but also controls such as read-only permissions.

This ensures proactive limits are in place to restrict the ability to delete or otherwise modify resources, to place data in other geographic regions, and many other controls that are far too numerous to itemise here! Using AWS IAM ensures that you’re not using the “AWS root credentials” - the privileged administrative user for the AWS environment - for day-to-day administration of your services, and that you can rapidly revoke credentials for users or programmatic access as required.

As part of securing your user access, ensuring that AWS MFA is enabled on the AWS root account is an important step and as outlined earlier is a key check within Trusted Advisor. MFA access can also be enabled across individual IAM users to further secure the environment.
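The controls described in the last three paragraphs (per-resource restrictions, read-only permissions, a block on deleting resources, keeping activity inside a region, and requiring MFA) are all expressed as statements in an IAM policy document. The code below is an added example, not code from the original article or from AWS: it holds a least-privilege policy for a day-to-day operator in real IAM policy syntax (Effect/Action/Resource/Condition with the `aws:MultiFactorAuthPresent` and `aws:RequestedRegion` condition keys) and pairs it with `evaluate`, a deliberately simplified model of IAM's decision logic (implicit deny, explicit Deny overrides Allow, only the `Bool` and `StringEquals` operators) so the effect of each statement can be seen. The account ID and region are placeholders.

```python
"""Least-privilege IAM policy for a day-to-day operator, with a toy evaluator
that shows how its statements combine.

Added example, not code from the original article or from AWS. The policy
document uses real IAM syntax; `evaluate` is a simplified model of the IAM
decision logic, not the real engine (no NotAction, no policy variables, no
resource or SCP policies, only Bool and StringEquals conditions).
"""
import json
from fnmatch import fnmatchcase

OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Read-only visibility of EC2 and S3, nothing else.
            "Sid": "ReadOnly",
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"],
            "Resource": "*",
        },
        {   # Rebooting instances is allowed, but only with MFA and only in the home region.
            "Sid": "RebootWithMfaInHomeRegion",
            "Effect": "Allow",
            "Action": ["ec2:RebootInstances"],
            "Resource": "arn:aws:ec2:eu-west-1:123456789012:instance/*",  # placeholder account ID
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "StringEquals": {"aws:RequestedRegion": "eu-west-1"},
            },
        },
        {   # Destructive calls are explicitly denied; an explicit Deny beats any Allow.
            "Sid": "NoDelete",
            "Effect": "Deny",
            "Action": ["ec2:TerminateInstances", "s3:DeleteBucket", "s3:DeleteObject"],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _conditions_met(condition, context):
    """Toy condition check: every key must be present and match; missing keys fail."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False
            if operator == "StringEquals" and actual != expected:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' for one request under the simplified model."""
    decision = "Deny"  # implicit deny unless an Allow statement matches
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if not _conditions_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny is final, whatever else matched
        decision = "Allow"
    return decision


if __name__ == "__main__":
    print(json.dumps(OPERATOR_POLICY, indent=2))
    ctx = {"aws:MultiFactorAuthPresent": "true", "aws:RequestedRegion": "eu-west-1"}
    instance = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc"
    print("reboot with MFA:", evaluate(OPERATOR_POLICY, "ec2:RebootInstances", instance, ctx))
    print("terminate:", evaluate(OPERATOR_POLICY, "ec2:TerminateInstances", instance, ctx))
```

The policy document itself is what you would attach to an IAM group or role; the evaluator exists only to make the three rules visible (read-only by default, a narrow write that needs MFA in one region, and a Deny that cannot be overridden by a later Allow). Real requests are of course decided by IAM, and a policy this small should still be checked with the IAM policy simulator before it is trusted.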

How to actually secure your traditional workloads?

Let’s now turn our attention to some of the methods of securing the traditional workloads operating within your AWS environment. Consideration must be given to the cost of implementing a certain level of security services versus the “reward” that you will realise.

However, there are many security fundamentals that can be carried out without a significant investment that assist with ensuring the integrity of your cloud data.

For example, the Australian Signals Directorate (ASD) has a list of the top mitigation strategies to put a stop to malicious activity within your environment, with just the top 4 of these strategies stopping 85% of attacks. These start as simply as:

(1) Make use of application profiling and whitelisting to ensure that only approved applications are operating;

(2) Patch services running on the servers;

(3) Patch the operating system itself; and

(4) Restrict administrative privileges and use role-based access.

Testing application and system patches

These top 4 strategies sound relatively simple, but when you are dealing with a business-critical production environment running in the cloud, ensuring that implementing them will not adversely impact your business application is an important consideration.

Once again, you can turn to some relatively low cost third party security tools such as Trend Deep Security (that can be licensed on a utility basis directly through AWS or via a managed services partner such as Bulletproof) to help in this regard.

Such security tools can apply virtual patches that can be rapidly rolled back in the event of a fault, as well as other capabilities such as system-level firewalling and Intrusion Detection and Prevention Services (IDS/IPS). If the environment and application are significant enough, then testing such application or system patches in a clone of your production environment is often an ideal first step, as is ensuring that you are adequately planning, reviewing and approving changes to your services.

Many of these system-level security services have analogous network-level offerings. These include the use of network firewalling, application firewalling, intrusion detection and intrusion prevention services.

Consideration of using these services at the AWS Virtual Private Cloud (VPC) level is important, as is a cloud design that uses the appropriate best-practice implementation of public/private subnets within that VPC to better secure your data.

Assessing your level of risk

In many cases, you must assess the level of risk you face in the event your environment was to be compromised. Is it a reputational risk in the market that you will face, or perhaps it’s a direct commercial risk from the immediate loss of revenue?

Once you have evaluated that risk, this will assist you in identifying the level of security services you must consider to better protect your cloud environment. However, the heightened level of security that can be achieved for little or even no cost should not be underestimated, as hopefully emphasised by the list of mitigation strategies touched on in the ASD example above.

As part of assessing this risk, ensuring that if you are compromised, then you know about it via proactive monitoring and reporting of changes in your environment and security events is critical, as is having a documented security plan for recovering from a malicious attack.

This serves to minimise the impact on your brand and services, and potentially also the impact on your customers themselves, in the event that your security is breached.

Future security planning

There are a wide array of security services that you can implement that we have not touched on, but hopefully some of the ideas above help you in being able to better and quite rapidly secure your cloud services and precious data held in your cloud environment.

We have also touched on some elements that you can factor into future security planning, ensuring you can take advantage of the many commercial and operational benefits from safely utilising the cloud.

Some of the key security messages and controls we have touched on include:

  • Change control and ongoing validation of your security posture;
  • Reviewing security reports via AWS Trusted Advisor or other similar third-party tools;
  • Enabling AWS security services such as CloudTrail, AWS Config and MFA;
  • Implementing role-based access to both your cloud environment with AWS IAM controls as well as your cloud servers and services;
  • Applying basic mitigation strategies such as those outlined by the ASD to more traditional system workloads;
  • Consideration of system-level & network-level security services such as application firewalling and IDS/IPS as data enters and exits your AWS VPC; and
  • Documenting your response plan in the event of a security compromise.

We haven’t even started to skim the surface of what can be achieved in implementing adequate security for your cloud environment. There is a wealth of additional topics and resources available from trusted and experienced sources on achieving this, such as AWS White Papers as well as customer case studies.

Gary Marshall is director of customer operations at Bulletproof
