As more and more organizations migrate to the cloud, security remains a top-of-mind concern. Just as in traditional IT infrastructures, data breaches can have a range of consequences in the cloud, from financial losses to damage to the brand’s reputation and a loss of market share. As one of the most widely adopted cloud platforms available, Amazon Web Services offers a level of security that is widely recognized as stringent and solid. In this post, we’ll take a close look at what security means in the cloud. Then we’ll dig into some of the specifics of the AWS security model, based on our AWS Security Fundamentals eBook.
Security in the cloud
Security in the cloud is obviously different from that in a traditional IT environment, and this can be a significant impediment to cloud adoption. In the 2017 State of the Cloud report by InformationWeek and Interop ITX, 60% of respondents listed security as one of their top concerns about the cloud. This is no surprise. When it comes to the cloud, organizations don’t know exactly where their data or their customers’ data resides. They may know the region or availability zone, but they won’t be able to pinpoint exactly where it exists.
On the other end of the spectrum, those already in the cloud might get a bit too complacent about the security support that they are getting (or assume that they are getting) from their provider. People think, “Okay, I’m using their services, and I’ve been told that they are resilient.” What they don’t realize is that they still need to architect some of their own security on top of what they’re getting from their cloud platform.
Why is security important in the cloud?
Let’s look at why security is important in the first place. One of the most important reasons for security is to prevent unauthorized people from accessing your data. Compliance (legal or regulatory) is another important reason. You might have data that must remain in a specific country or location. You may need to comply with certain government regulations, such as ISO 27001, that require you to be PCI compliant, and this might be established in your service level agreements or within your customer contractual agreements. Your customers may have certain requirements for how their data is stored. They might want it to be encrypted, whether at rest or in transit. They may have other specific encryption protocols that they want you to abide by.
You will want to take all of these factors into consideration when you’re thinking about security within the cloud.
Cloud security vs. on-premise security
Now, let’s look at how security in the cloud is different from on-premise security.
With your on-premise solution, you have more responsibility as an organization because you have full control over your entire infrastructure estate, which allows more nuanced control of the various aspects of security. The main difference is that everything is accessible to you. You can control who has access to your facilities, buildings, and data center, and you determine who is authorized and trusted to perform installations and maintenance for your infrastructure. You can resolve all of the issues yourself; it’s all self-contained.
In the cloud, however, this aspect of security is taken away from you. You aren’t allowed to access the provider’s data centers or their availability zones.
With your on-premise solutions, you can specify exactly where your data is stored. You’ll know which customer data is in which data center and which rack, even down to a particular SAN. You have full visibility of the storage and where customer data is located. In the cloud, you don’t have as much control: you know roughly where it is, but not precisely. When it comes to business continuity, disaster recovery, and items such as off-site backup management, the entire process is yours to architect within the facilities that you have. Within AWS, for example, much of this is handled by design through its global infrastructure and resilient services.
The AWS security model
Security is AWS’s number-one priority in every sense. It’s an area into which AWS pours huge capital, energy, and near-constant attention. Serving over a million customers, AWS’s most stringent security standards are already being used for audit purposes by the most security-sensitive customers in the world. Facing so many requirements, AWS is certified and compliant across a huge range of security standards, including PCI DSS, ISO, and SOC.
AWS Services are deployed and distributed in exactly the same way throughout their entire global infrastructure. This means that a single user accessing a simple S3 bucket for document backups is covered by the same intense security standards as the largest and most demanding corporations and governmental agencies.
In the cloud, responsibilities are shared between the customer (you) and your cloud provider. AWS defines the security responsibilities for each party in its Shared Responsibility Model, which lies at the very foundation of AWS security. You decide how you want your resources to sit ‘in’ the cloud, while AWS guarantees the global security ‘of’ the cloud (i.e., the hardware it provides to host and connect your resources). If you are looking for an overview of the AWS Shared Responsibility Model and the importance of security, take a look at this recent webinar on AWS Security.
A solid understanding of the AWS Shared Responsibility Model makes it easier to build and maintain a highly secure and reliable environment. Without knowing where you need to step in and take control of data security, you cannot properly define just how secure your environment is.
Who is responsible?
Let’s take a closer look at who is responsible for what in the AWS Shared Responsibility Model.
AWS responsibility: AWS is responsible for what is known as Security ‘of’ the Cloud. This covers its global infrastructure elements (Regions, Availability Zones, and Edge Locations) as well as the foundations of its services covering Compute, Storage, Database, and Network.
AWS owns and controls access to the data centers where your customer data resides. This covers physical access to all hardware and networking components, and any additional data center facilities, including generators, uninterruptible power supply (UPS) systems, power distribution units (PDUs), computer room air conditioning (CRAC) units, and fire suppression systems. Some of the security compliance controls mentioned previously are based upon this physical access entry and control. Essentially, AWS is responsible for the components that make up the cloud; any data put ‘into’ the cloud then becomes, you guessed it, your responsibility.
Customer responsibility: With the basic cloud infrastructure secured and maintained by AWS, the responsibility for what goes into the cloud falls on you. From the bottom of the stack, this covers both client-side and server-side encryption and network traffic protection, then moves up to the security of the operating system, network, and firewall configuration, followed by application security and identity and access management.
How much of this additional security you wish to implement is entirely your decision. What you choose may depend on the nature of your business or on existing controls you may already have in place. We recommend tightening security just enough to minimize exposure to external threats that could compromise your environment. The important point to remember is that, while AWS provides many powerful security controls, deciding how and when to apply them is not AWS’s responsibility.
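To make the customer side of the model concrete, here is an added example (not code from this post or from the Cloud Academy eBook) that audits a hand-constructed snapshot of configuration the customer, not AWS, controls: where data is stored (the residency requirement from the compliance section above), encryption at rest and in transit, security-group ingress rules, and IAM policy statements. The snapshot, the bucket and policy names, and the assumed list of permitted regions are all made up for illustration; a real audit would populate the same structure from the AWS APIs.

```python
"""
Audit the customer's layers of the AWS Shared Responsibility Model against a
constructed configuration snapshot. Nothing here contacts AWS; the SNAPSHOT
dictionary stands in for data you would normally fetch with the AWS APIs.
"""
from ipaddress import ip_network

# Assumed data-residency requirement (hypothetical): data must stay in the EU.
ALLOWED_REGIONS = {"eu-west-1", "eu-west-2"}

# Ports we accept as world-reachable on a web-facing security group.
WEB_PORTS = {80, 443}

# Constructed snapshot of customer-controlled configuration (all values invented).
SNAPSHOT = {
    "s3_buckets": [
        {"name": "customer-records", "region": "eu-west-1",
         "sse_enabled": True, "tls_only_policy": True},
        {"name": "legacy-exports", "region": "us-east-1",
         "sse_enabled": False, "tls_only_policy": False},
    ],
    "security_groups": [
        {"id": "sg-app", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                     {"port": 22, "cidr": "10.0.0.0/8"}]},
        {"id": "sg-db", "ingress": [{"port": 3306, "cidr": "0.0.0.0/0"}]},
    ],
    "iam_policies": [
        {"name": "ops-read", "statements": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::customer-records/*"}]},
        {"name": "legacy-admin", "statements": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    ],
}


def is_world_open(cidr):
    """True when the CIDR matches every address (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit(snapshot, allowed_regions=ALLOWED_REGIONS):
    """Return (layer, resource, message) findings for each customer-side gap."""
    findings = []

    # Data residency and encryption: the bottom of the customer's stack.
    for bucket in snapshot["s3_buckets"]:
        name = bucket["name"]
        if bucket["region"] not in allowed_regions:
            findings.append(("data residency", name,
                             f"stored in {bucket['region']}, outside {sorted(allowed_regions)}"))
        if not bucket["sse_enabled"]:
            findings.append(("encryption at rest", name, "server-side encryption disabled"))
        if not bucket["tls_only_policy"]:
            findings.append(("encryption in transit", name, "bucket policy does not require TLS"))

    # Network and firewall configuration: only web ports may be open to the world.
    for sg in snapshot["security_groups"]:
        for rule in sg["ingress"]:
            if is_world_open(rule["cidr"]) and rule["port"] not in WEB_PORTS:
                findings.append(("firewall configuration", sg["id"],
                                 f"port {rule['port']} open to {rule['cidr']}"))

    # Identity and access management: flag Allow statements granting wildcard
    # actions on every resource.
    for policy in snapshot["iam_policies"]:
        for stmt in policy["statements"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            wildcard = any(a == "*" or a.endswith(":*") for a in actions)
            if stmt["Effect"] == "Allow" and stmt["Resource"] == "*" and wildcard:
                findings.append(("identity and access management", policy["name"],
                                 "allows wildcard actions on all resources"))
    return findings


def count_by_layer(findings):
    """Summarise findings per shared-responsibility layer."""
    counts = {}
    for layer, _, _ in findings:
        counts[layer] = counts.get(layer, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SNAPSHOT)
    for layer, resource, message in results:
        print(f"[{layer}] {resource}: {message}")
    print(count_by_layer(results))
```

Each finding is tagged with the layer of the customer stack it belongs to, which is the useful part: the same report shows at a glance that AWS has no say over any of these items, and which of the layers listed above still needs attention.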
AWS Security Fundamentals eBook: Ready to learn more?
Now that you understand how security is different in the cloud, you’re probably ready to learn more about the specific security features that you need to know to get started. Our AWS Security Fundamentals eBook covers some of the most common and effective methods of implementing security in your VPC and across IAM and S3 services.
You will learn about:
- Instance Level Security
  - AWS security groups: what they are and why they’re important
  - OS patch protocols, key pairs, and your various tenancy options
- Network Level Security
  - Segmenting your VPC: public and private subnets
  - AWS Network ACLs and their limitations
  - How to create bastion hosts and NAT instances
  - Introduction to AWS Virtual Private Cloud peering
- Identity & Access Management
  - Groups, roles, and policies
  - Federated access
  - AWS Trusted Advisor
  - AWS Billing Controls and AWS Linked Accounts
- Simple Storage Service (S3) Security
- A complete list of resources to get you started implementing your security requirements