As more and more organizations migrate to the cloud, security remains a top-of-mind concern. Just as in traditional IT infrastructures, data breaches can have a range of implications in the cloud, from financial losses to damage to the brand’s reputation and a loss of market share. As one of the most widely implemented cloud platforms available, Amazon Web Services offers a level of security that is widely recognized as being stringent and solid. In this post, we’ll take a close look at what security means in the cloud. Then, we’ll dig into some of the specifics of the AWS security model, based on our AWS Security Fundamentals eBook.
Security in the cloud
Security in the cloud is obviously different from that in a traditional IT environment. This can be a significant impediment to cloud adoption. In the 2017 State of the Cloud report by InformationWeek and Interop ITX, 60% of respondents listed security as one of their top concerns about the cloud. This is no surprise. When it comes to the cloud, organizations don’t know exactly where their data or their customer data resides. They may know the region or availability zone but they won’t be able to pinpoint exactly where it exists.
On the other end of the spectrum, those already in the cloud might get a bit too complacent about the security support they are getting (or assume they are getting) from their provider. People think, “okay, I’m using their services, I’ve been told they are resilient.” What they don’t realize is that they still need to architect some of their own security on top of what their cloud platform provides.
Why is security important in the cloud?
Let’s look at why security is important in the first place. One of the most important reasons for security is to prevent unauthorized people from accessing your data. Compliance (legal or regulatory) is another important reason. You might have data that must remain in a specific country or location. You may need to comply with certain government regulations, such as ISO 27001, that require you to be PCI compliant, and this might be established in your service level agreements or within your customer contractual agreements. Your customers may have certain requirements for how their data is stored. They might want it to be encrypted, whether at rest or in transit. They may have other specific encryption protocols that they want you to abide by.
You will want to take all of these factors into consideration when you’re thinking about security within the cloud.
Cloud security vs. on-premise security
Now, let’s look at how security in the cloud is different from on-premise security.
With your on-premise solution, you have more responsibility as an organization because you have full control over the estate of your infrastructure, which allows more nuanced control of the various aspects of security. The main difference is that everything is accessible to you. You can control who has access to your facilities, buildings, and data center, and you determine who is authorized and trusted to perform installations and maintenance for your infrastructure. You can resolve all of the issues yourself; it’s all self-contained.
However, in the cloud, this aspect of security is taken away from you: you aren’t allowed access to the provider’s data centers or availability zones.
With your on-premise solutions, you can specify exactly where your data is stored. You’ll know which customer data is in which data center and which rack, even down to a particular SAN. You have full visibility of the storage and where customer data is located. In the cloud, you don’t have as much control. You know roughly where it is but not precisely. When it comes to business continuity and disaster recovery and items such as off-site backup management, that entire process is down to you to architect within the facilities that you have. Within AWS for example, much of this is handled by design from their global infrastructure and their resilient services.
The AWS security model
Security is AWS’s number-one priority in every sense. It’s an area into which AWS pours huge capital and energy and near-constant attention. Serving over a million customers, AWS’s most stringent security standards are already being used for audit purposes by the most security-sensitive customers in the world. Facing so many requirements, AWS is certified and compliant across a huge range of security standards, including PCI DSS, ISO, and SOC.
AWS Services are deployed and distributed in exactly the same way throughout their entire global infrastructure. This means that a single user accessing a simple S3 bucket for document backups is covered by the same intense security standards as the largest and most demanding corporations and governmental agencies.
In the cloud, responsibilities are shared between the customer (you) and your cloud provider. AWS defines the security responsibilities for each party in its Shared Responsibility Model, which lies at the very foundation of AWS Security. You must decide how you want your resources to sit ‘in’ the cloud, while AWS guarantees the global security ‘of’ the Cloud (i.e., the hardware they provide to host and connect your resources). If you are looking for an overview of the AWS Shared Responsibility Model and the importance of security, take a look at this recent webinar on AWS Security.
A solid understanding of the AWS Shared Responsibility Model makes it easier to build and maintain a highly secure and reliable environment. Without knowing where you need to step in and take control of data security, you cannot properly define just how secure your environment is.
Who is responsible?
Let’s take a closer look at who is responsible for what in the AWS Shared Responsibility Model.
AWS responsibility: AWS is responsible for what is known as Security ‘of’ the Cloud. This covers their global infrastructure elements – Regions, Availability Zones, and Edge Locations, as well as the foundations of their services covering Compute, Storage, Database, and Network.
AWS owns and controls access to their data centers where your customer data resides. This covers physical access to all hardware and networking components, and any additional data center facilities including generators, uninterruptible power supply (UPS) systems, power distribution units (PDUs), computer room air conditioning (CRAC) units and fire suppression systems. Some of the security compliance controls mentioned previously are based upon this physical access entry and control. Essentially, AWS is responsible for the components that make up the Cloud; any data put ‘into’ the cloud then becomes, you guessed it, your responsibility.
Customer responsibility: With the basic cloud infrastructure secured and maintained by AWS, the responsibility for what goes into the cloud falls on you. From the bottom of the stack, this covers both client and server side encryption and network traffic protection, and then moves up to the security of the operating system, network, and firewall configuration, followed by application security and identity and access management.
How much of this additional security you wish to implement is entirely your decision. What you choose may depend on the nature of your business or on existing controls you may already have in place. We recommend tightening security just enough to minimize exposure to external threats that could compromise your environment. The important point to remember is that, while AWS provides many powerful security controls, how and when to apply them is not AWS’s responsibility.
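To make the customer-side layers described above concrete, here is an added Python example (not code from the post or the eBook) that audits a constructed inventory against three of them: firewall configuration, encryption at rest, and identity and access management. The inventory dict, its shape and every resource name are assumptions made for illustration.

```python
import ipaddress

# Constructed inventory (hand-written for this example; dict shapes loosely
# mirror boto3 output for security groups, bucket encryption and IAM policies).
INVENTORY = {
    "security_groups": [
        {"GroupId": "sg-aaaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
            "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-bbbb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
            "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    ],
    "buckets": [
        {"Name": "backups", "Encryption": None},
        {"Name": "logs", "Encryption": {"SSEAlgorithm": "aws:kms"}},
    ],
    "policies": [
        {"PolicyName": "AdminEverything",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"PolicyName": "ReadLogs", "Statement": [{"Effect": "Allow",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs/*"}]},
    ],
}

ADMIN_PORTS = {22, 3389}  # SSH and RDP: should never be open to 0.0.0.0/0

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(inventory):
    findings = []  # (layer, resource, issue) tuples, one per customer-side gap
    # Network/firewall layer: admin ports reachable from any address (/0 CIDR)
    for sg in inventory["security_groups"]:
        for perm in sg["IpPermissions"]:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for rng in perm.get("IpRanges", []):
                if (ipaddress.ip_network(rng["CidrIp"]).prefixlen == 0
                        and any(lo <= p <= hi for p in ADMIN_PORTS)):
                    findings.append(("network", sg["GroupId"],
                                     f"ports {lo}-{hi} open to {rng['CidrIp']}"))
    # Data-at-rest layer: bucket without default server-side encryption
    for bucket in inventory["buckets"]:
        if not bucket.get("Encryption"):
            findings.append(("encryption", bucket["Name"], "no default SSE"))
    # IAM layer: Allow statement granting every action on every resource
    for pol in inventory["policies"]:
        for st in pol["Statement"]:
            if (st["Effect"] == "Allow" and "*" in as_list(st["Action"])
                    and "*" in as_list(st["Resource"])):
                findings.append(("iam", pol["PolicyName"], "Allow * on *"))
    return findings
```

Each finding maps to a control AWS provides but does not apply for you; the second security group, the encrypted bucket and the scoped read-only policy produce no findings.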
AWS Security Fundamentals eBook: Ready to learn more?
Now that you understand how security is different in the cloud, you’re probably ready to learn more about the specific security features that you need to know to get started. Our AWS Security Fundamentals eBook covers some of the most common and effective methods of implementing security in your VPC and across IAM and S3 services.
You will learn about:
- Instance Level Security
  - AWS security groups: what they are and why they’re important
  - OS patch protocols, key pairs, and your various tenancy options
- Network Level Security
  - Segmenting your VPC: public and private subnets
  - AWS Network ACLs and their limitations
  - How to create bastion hosts and NAT instances
  - Introduction to AWS Virtual Private Cloud peering
- Identity & Access Management
  - Groups, roles, policies
  - Federated access
- AWS Trusted Advisor
- AWS Billing Controls and AWS Linked Accounts
- Simple Storage Service (S3) Security
- A complete list of resources to get you started implementing your security requirements