Importance of Security to AWS and Its Customers
It should be obvious that security takes on heightened importance when operating in a public cloud. Amazon Web Services (AWS) has made it clear that security is one of its top priorities. AWS recognizes that if a customer were running insecure systems and was breached, public opinion could wrongly conclude that the AWS infrastructure services themselves are insecure. It therefore behooves AWS to help customers set up their cloud infrastructure securely from the start, and to provide ways for customers to review their settings and get advice on improving their security posture.
Recent AWS Security Incidents
Many enterprises are still wary of operating in public cloud infrastructure, and for these organizations security is the major obstacle on their path to the cloud. There have been notable security incidents related to the use of AWS cloud infrastructure, among them the well-known Code Spaces attack, the Datadog password breach, and Mexican voter records appearing on AWS. Other AWS security issues include the research performed by Worcester Polytechnic Institute (WPI) on recovering RSA keys across co-located AWS instances and the AWS vulnerability research performed by Rhino Security Labs.
It is important to distinguish incidents caused by customers operating their cloud systems insecurely from incidents where AWS had not fully protected against a vulnerability in its own platform; this is the shared responsibility model in practice. Most of the incidents fall into the former category, and the latter issues have historically been addressed quickly by AWS.
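The customer-side category is dominated by credential and configuration hygiene, and the most common failures are mechanical enough to check for. The following is an added example, not code from the original article or from AWS: a small offline audit in the spirit of the CIS AWS Foundations Benchmark (the subject of session SEC301 below) that flags a root account without MFA or with active access keys, console users without MFA, access keys older than 90 days, and security groups exposing SSH or RDP to the world. It runs over constructed data shaped like the IAM credential report CSV (a subset of its columns) and the JSON returned by EC2 DescribeSecurityGroups; the account ID, user names, group IDs and the as-of date are made up, and in real use the two inputs would come from `aws iam get-credential-report` and `aws ec2 describe-security-groups`.

```python
"""Offline audit of common customer-side AWS hygiene failures.

Added example, not code from the original article. The thresholds follow
the CIS AWS Foundations Benchmark; the data below is constructed for
illustration and nothing is fetched from AWS.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE = timedelta(days=90)        # CIS: rotate access keys within 90 days
ADMIN_PORTS = {22, 3389}                # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}           # "anywhere" CIDRs
AS_OF = datetime(2016, 12, 1, tzinfo=timezone.utc)   # constructed audit date

# Constructed sample using a subset of the iam get-credential-report columns.
CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-01-10T00:00:00+00:00,not_supported,2016-11-20T09:12:00+00:00,not_supported,not_supported,false,true,2015-01-10T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2016-03-01T00:00:00+00:00,true,2016-11-28T08:00:00+00:00,2016-03-01T00:00:00+00:00,N/A,true,true,2016-10-15T00:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2016-01-05T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-01-05T00:00:00+00:00,false,N/A
"""

# Constructed sample in the shape of ec2 describe-security-groups output.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e9f8a7b", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0c4d5e6f", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1",   # all traffic: no FromPort/ToPort keys
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]


def _parse_ts(value):
    """Credential-report timestamps, or None for N/A / not_supported."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def check_credential_report(report_csv, now):
    """Return (user, problem) tuples for MFA and key-age failures."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has an active access key"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console user without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
                if rotated is None or now - rotated > KEY_MAX_AGE:
                    findings.append((user, f"access key {n} older than {KEY_MAX_AGE.days} days"))
    return findings


def check_security_groups(groups):
    """Return (group id, problem) tuples for admin ports open to the world."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not WORLD.intersection(cidrs):
                continue
            if perm.get("IpProtocol") == "-1":      # all protocols, all ports
                exposed = sorted(ADMIN_PORTS)
            else:
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                exposed = sorted(p for p in ADMIN_PORTS
                                 if lo is not None and lo <= p <= hi)
            for port in exposed:
                findings.append((sg["GroupId"], f"port {port} open to the world"))
    return findings


def audit(report_csv=CREDENTIAL_REPORT, groups=SECURITY_GROUPS, now=AS_OF):
    return check_credential_report(report_csv, now) + check_security_groups(groups)


if __name__ == "__main__":
    for subject, problem in audit():
        print(f"{subject}: {problem}")
```

Run as a script it prints one line per finding; the check functions take the raw inputs, so the same code can be pointed at real report and describe-security-groups output. Note the all-traffic case: an `IpProtocol` of "-1" carries no port range, so the code treats it as exposing every port rather than silently skipping it.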
Advice on Cloud Security
There are many resources that provide guidance on securing cloud infrastructure. The Cloud Security Alliance (CSA) publishes guidance on security measures for cloud services and has launched its Security, Trust & Assurance Registry (STAR) and the Certificate of Cloud Security Knowledge (CCSK) certification. The CSA also partnered with (ISC)2 on the Certified Cloud Security Professional (CCSP) certification. Together these provide a good set of recommendations and best practices on which to build a comprehensive cloud security framework.
AWS Security Credentials
AWS holds the major security certifications and attestations and has worked hard to keep its compliance current. For example, AWS operates GovCloud (US) for U.S. federal workloads in an isolated U.S. region that meets FedRAMP, FIPS 140-2, ITAR, FISMA, and NIST requirements. AWS uses its own software automation and scalability techniques to ensure that security controls are maintained consistently across its global infrastructure and services.
AWS re:Invent Security Sessions
At this year's AWS re:Invent annual conference (2016), security was again a dominant theme across the technical breakout sessions. Following is a list of the breakout sessions that focused on security.
- BDM203 – FINRA: Building a Secure Data Science Platform on AWS
- CMP305 – Serverless to 32 XLarge: A Unified Security Approach To AWS Compute
- CTD204 – Offload Security Heavy-lifting to the AWS Edge
- DEV302 – Automated Governance of Your AWS Resources
- ENT318 – Enterprise Fundamentals: Use AWS to Secure Your DevOps Pipeline Like a Bank Would
- ENT401 – Unlocking the Four Seasons of Migrations and Operations: Enterprise Grade, Cloud Assured with Infosys and AWS
- FIN301 – Fraud Detection with Amazon Machine Learning on AWS
- FIN303 – Use AWS to Secure Your DevOps Pipeline Like a Bank
- GPSCT308 – Chalk Talk: Applying Security-by-Design to Drive Compliance and Audit Assertion
- GPSST302 – Lessons From the Front Lines: Best Practices Learned from APN Security and Storage Ecosystem Partners
- GPST403 – Advanced Techniques for Managing Sensitive Data in the Cloud
- HLC303 – Embracing DevSecOps while Improving Compliance and Security Agility and Posture
- IOT302 – IoT Security: The New Frontiers
- LD102 – Live Demo: AWS WAF Preconfigured Protections and Security Automation
- LD118 – Live Demo: AWS WAF Preconfigured Protections and Security Automation
- MBL310 – Add User Sign-In, User Management, and Security to your Mobile and Web Applications with Amazon Cognito
- NET205 – Future-Proofing the WAN and Simplifying Security On Your Journey To The Cloud
- NET405 – Amazon s2n: Cryptography and Open Source at AWS
- PTS206 – The Secure and Flexible AWS Cloud
- PTS208 – Who Stole My SPAN Port?! Obtaining Traffic Visibility in AWS for Deep Packet Inspection
- PTS215 – How to address the security and performance monitoring challenges of the public cloud
- PTS218 – Securing AWS at the speed of DevOps: Case Studies from the Front Lines
- PTS303 – Advanced Threat Prevention Security for Hybrid Clouds
- PTS304 – 5 Easy Steps to Preventing Data Breaches
- SAC201 – Lessons from a Chief Security Officer: Achieving Continuous Compliance in Elastic Environments
- SAC304 – Predictive Security: Using Big Data to Fortify Your Defenses
- SAC305 – How AWS Automates Internal Compliance at Massive Scale using AWS Services
- SAC306 – Encryption: It Was the Best of Controls, It Was the Worst of Controls
- SAC307 – The Psychology of Security Automation
- SAC308 – Hackproof Your Cloud: Responding to 2016 Threats
- SAC309 – You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Validation
- SAC310 – Securing Serverless Architectures, and API Filtering at Layer 7
- SAC312 – Architecting for End-to-End Security in the Enterprise
- SAC313 – Enterprise Patterns for Payment Card Industry Data Security Standard (PCI DSS)
- SAC315 – Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?
- SAC316 – Security Automation: Spend Less Time Securing Your Applications
- SAC317 – IAM Best Practices to Live By
- SAC319 – Architecting Security and Governance Across a Multi-Account Strategy
- SAC320 – Deep Dive: Implementing Security and Governance Across a Multi-Account Strategy
- SAC321 – Cyber Resiliency – surviving the breach
- SAC326 – How Harvard University Improves Scalable Cloud Network Security, Visibility, and Automation
- SAC327 – No More Ransomware: How Europol, the Dutch Police, and AWS Are Helping Millions Deal with Cybercrime
- SAC401 – 5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules
- SAC402 – The AWS Hero’s Journey to Achieving Autonomous, Self-Healing Security
- SEC301 – Audit Your AWS Account Against Industry Best Practices: The CIS AWS Benchmarks
- SEC302 – Workshop: Adhere to the Principle of Least Privilege by Using AWS Identity and Access Management (IAM) and Amazon Virtual Private Cloud (VPC)
- SEC303 – Get the Most from AWS KMS: Architecting Applications for High Security
- SEC304 – Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service
- SEC305 – Scaling Security Resources for Your First 10 Million
- SEC306 – Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery
- SEC307 – Microservices, Macro Security Needs: How Nike Uses a Multi-Layer, End-to-End Security Approach to Protect Microservice-Based Solutions at Scale
- SEC308 – Securing Enterprise Big Data Workloads on AWS
- SEC309 – Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing
- SEC312 – re:Source Mini Con for Security Services State of the Union
- SEC313 – Automating Security Event Response, from Idea to Code to Execution
- SEC314 – Common Considerations for Data Integrity Controls in Healthcare
- SEC401 – Automated Formal Reasoning About AWS Systems
- WIN305 – Best Practices for Integrating Active Directory with AWS Workloads
- WWPS301 – AWS GovCloud (US) for Highly Regulated Workloads
- WWPS303 – Modernizing Government in the Cloud in Highly Regulated Environments
- WWPS304 – Using AWS to Meet Requirements for Education, Healthcare and Public Safety (HIPAA, FERPA, and CJIS)
That is a tremendously high number of sessions specifically on security and compliance; you could easily spend the better part of a week absorbing this information. If you were not able to attend AWS re:Invent in person, or attended but could not get to all of your favorite sessions, the recordings are posted on the Internet after the event: historically AWS has posted the audio/video of these sessions to YouTube, and the slide decks have been posted to SlideShare.net. You can also watch previous years' AWS re:Invent security presentations.
AWS Security Ecosystem
AWS has also assembled a comprehensive ecosystem of third-party security vendors whose products integrate with AWS services. These partners augment the security already provided by native AWS services and features. AWS runs a competency program for partner companies to recognize their expertise with AWS infrastructure; it has a security-specific competency and lists those vendors on its site. Many of the partner products can be consumed through the AWS Marketplace. Following is a partial list of the AWS security competency partners who were showing their solutions in the re:Invent expo hall.
Traditional enterprise perimeter firewall vendors such as Check Point, Fortinet and Palo Alto Networks offer virtual instances of their firewalls that integrate with a customer's AWS VPC network. Web application firewalls (WAFs) from Imperva and Barracuda also integrate with AWS.
Identity management companies like Okta, OneLogin and Ping Identity integrate well with AWS.
Traditional host-based security and anti-virus software from Trend Micro and Sophos (along with Sophos's UTM functionality) is also part of the AWS security ecosystem.
Several companies provide added security management, compliance, and visibility for AWS cloud infrastructure, including CloudCheckr, CloudPassage, Datadog, Dome9, Evident.io, Fugue, and Threat Stack.
In the same monitoring vein, Splunk has integrated with AWS for many years and has just released version 5.0 of the Splunk App for AWS.
Vulnerability scanning can be performed in AWS infrastructure using security partner solutions from Qualys and Tenable.
There are also distinctive companies like Bracket Computing (BRKT) that add layers of encryption and policy enforcement on top of AWS infrastructure to provide security isolation and confidentiality.
Summary
Security has more to do with people and processes than with technology. Good security comes down to discipline, and as with most things it is easier to build security in from the beginning than to bolt it on after systems are in production. If your organization has good information security hygiene in its on-premises IT infrastructure, it will likely exhibit good cloud security operations as well. Cloud services can be less secure, equally secure, or more secure than a traditional on-premises data center; good design, implementation according to best practices, proper maintenance, and vigilance are what make a cloud system secure.
GTRI is an experienced cloud infrastructure solution provider that helps customers securely consume cloud services. GTRI offers a "Cloud Security Assessment" service that can be performed proactively during the design and deployment phases or reactively during the operational phase. GTRI can also help you manage cloud services spending by analyzing your cloud services and current consumption and assisting with billing, visibility, and cost optimization, and can help you proactively manage your physical and virtualized IT assets, reduce risk, and realize more of the business benefits of cloud infrastructure.
Scott Hogg is the Chief Technology Officer (CTO) for GTRI.