EXECUTIVE SUMMARY:

As organizations have transitioned from basic cloud environments to distributed, and considerably more complex cloud-native environments, the cloud security strategies of 5 years ago have become outdated. To enact a better cloud security strategy that allows you to stay a step ahead of cyber criminals, here’s what you need to know…

Are you in the clouds? AWS security can be tough. Infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) offerings mean that organizations running AWS often have a lot of applications and cloud services that require expert configuration and security. Making matters more complicated, these resources can be running in multi-cloud or hybrid environments with other on-prem and cloud platforms that need to integrate and transfer data in a secure way.

But managing security in AWS isn’t difficult if you adhere to the right policies, standards and best practices. These must be consistently upheld and enforced. In this article, discover the most important elements of an AWS strategy that can help ensure that your code, data and cloud workloads stay secure.

The AWS shared responsibility model

Organizations commonly assume that because a cloud provider hosts an environment, the provider also provides comprehensive cyber security. This is simply untrue. All security teams should maintain basic familiarity with the AWS shared responsibility model. This business set-up means that AWS is responsible for the security of the infrastructure, but that the customer must secure everything that exists within the infrastructure.

In practical terms, your organization is responsible for configuring S3 buckets, managing access, protecting network traffic and ensuring the security of code across its lifecycle. Despite the fact that AWS secures the infrastructure, failure to take action around data security within the infrastructure can result in devastating large-scale data breach incidents – of the kind that will lead your management to think that you’re head is in the clouds.

Build your AWS cloud security strategy

Your organization probably already has overarching cyber security strategy (or if it doesn’t, implement one now). If you’re part of a newer organization and your entire infrastructure was built on AWS, your security strategy is likely inclusive of all AWS nuances. However, if your organization migrated to AWS more recently, you may need to incorporate new AWS security best practices into your routine.

AWS security is a unique challenge. The advantage of the cloud is that it’s elastic and scalable, which translates to the ability to spin resources up and down as needed. At the same time, this complicates security, rendering it significantly more difficult to manage than that designed for more static on-premises systems.

Legacy cyber security strategies won’t work for AWS resources. Thus, take the time and expend the effort to develop a strategy that can address all of the ways in which an AWS cloud can be compromised. An AWS strategy should include components like:

  • Visibility across your cloud environments
  • Zero trust policies and procedures
  • Cloud native security tools and platforms
  • DevSeOps strategies that align with security development workflows
  • Automation and cloud automation
  • A layered approach to cyber security

and more.

After outlining a strategy, implement it in conjunction with AWS security best practices. Although the list below is not comprehensive, the following AWS best practices are very valuable to enterprises hosting data in the cloud.

  1. Cloud security controls
  2. Incident response planning
  3. Detection, monitoring and alerting
  4. Encryption
  5. Data backups
  6. Up-to-date AWS
  7. Compliance planning
  8. Scaling security in workflows

1. Implementation of and enforcement of cloud security controls. In an AWS environment, access controls are key. Provide least privilege cloud access to employees and restrict or remove access as needed. Be discerning when it comes to provisioning access to those who are outside of your organization (third-parties…etc).

Require multi-factor authentication, enable single sign-on (SSO), create identity access management users as opposed to sharing AWS account root user credentials, and rotate access keys on a regular basis. In addition, insist on strong passwords. As of this writing, the strongest passwords include 14 characters that consist of letters, numbers and symbols.

Further, take the time to review access privileges regularly to confirm that no one has a superfluous level of access.

2. Planning for threats and incident response. In recent years, “assume breach” has been the de-facto mentality of cyber security professionals. According to this thinking, any system, account or person can represent an attack vector – at any time. Given the expansive attack surface, assume that attackers will breach at least one endpoint. And it’s possible that they’ve already done so.

The assume breach mentality means that organizations must retain a thorough incident and response plan. A strong incident and response plan can limit the level of collateral damage that an organization experiences in the wake of a cyber attack. A comprehensive incident response plan should spell out what’s needed to assess a breach, investigate the breach, the actions required to contain the breach and how your enterprise will pursue recovery.

3. Detection, monitoring, alerting. Developing solid detection, monitoring and alerting processes (and implementing solutions) is a fundamental component of AWS application security. AWS recommends several tools to help build out a strategy. These include:

  • Amazon GuardDuty: Managed threat detection services that monitor workloads for suspicious activity.
  • Amazon Macie: AI-powered discovery, categorization and protection for sensitive data discovered in environments. It also provides alerts in the event of suspicious, potentially unauthorized access.
  • AWS Config Rules: This tool examines the configuration of a resource against your organization’s pre-determined configuration rules. This allows you to zero in on any possible compliance issues.
  • Amazon CloudWatch: This is a monitoring service for AWS resources and any applications that run on AWS.
  • Amazon Security Hub: This tool offers a comprehensive view of your environment. It helps organize all security alerts from AWS services, including GuardDuty, Amazon Inspector, Amazon Macie and other third-party resources.

4. Protect data with encryption. Regulatory entities commonly require encryption. But it’s not just a nice-to-have. Encryption genuinely provides an extra layer of protection over data at rest. In the event that your access controls fail, encryption protects data from any person who may have gained unauthorized access to it.

AWS offers encryption across almost all services. They also offer flexible key management. This enables you to determine whether or not AWS will manage your keys, or whether you will retain complete control. Regardless of which method is best for your organization, design or adopt an encryption and key management system. Make sure that encrypted data and decryption keys are stored separately. See to it that they are secured under stringent protocols.

5. Create data backups. Natural disasters and cyber criminals can both disturb, destroy or disseminate your data, leaving your enterprise in the lurch. Back up your data to ensure that you can always restore critical information at nearly a moment’s notice.

To keep your data safe, consider AWS backup. You can get it on the Amazon EC2 free tier. It supports a number of additional services, including S3 buckets, EBS volumes, DynamoDB tables and more. From the console, you can automate your backups, create backup policies and requirements and apply the policies to other AWS resources using the tagging system.

6. Keeping AWS up-to-date. Patching your AWS environment and configuring updates is critical for the maintenance of strong security in the cloud. However, some IT leaders still deprioritize patching and updates in order to focus on seemingly more important problems or projects. But this is dangerous, as failure to patch or update can let a cyber criminal in through the front door.

Keep your AWS servers patched, even if they are not public. If finding the time is a constraint within your organization, leverage the AWS patch manager, which can automate patching across operating systems and applications. Alternatively, consider adoption of a managed security services provider.

7. Plan for regulatory compliance. In highly regulated industries, such as finance and healthcare, it’s critical to remain in compliance with privacy and security laws. AWS supports cyber security compliance standards. However, within the shared responsibility model, organizations must secure data, workloads and infrastructure configurations in ways that are compliant with requests of regulatory bodies.

8. Scaling security across a development workflow. If your AWS strategy only addresses cloud infrastructure, your strategy might need expansion. Build a strategy that includes all development stages – coding, infrastructure, application coding, runtime.

Further insights

Replicating the usual perimeter security principles in a cloud-native setting likely isn’t your best option. Address modern cloud security challenges with a cloud security strategy, cloud native security solutions and by following best practices. Ensure that you can prevent threats at cloud speed and scale.

For more AWS cloud security tips, please see CyberTalk.org’s past coverage.

If your organization needs to strengthen its security strategy, be sure to attend Check Point’s upcoming CPX 360 event. Register here.

Lastly, to receive cutting-edge cyber security news, best practices and resources in your inbox each week, please sign up for the CyberTalk.org newsletter.