As more and more organizations migrate to the cloud, security remains a top-of-mind concern. Just as in traditional IT infrastructures, data breaches in the cloud can have a range of consequences, from financial losses to damage to the brand’s reputation and a loss of market share. As one of the most widely adopted cloud platforms, Amazon Web Services offers a level of security that is widely recognized as stringent and solid. In this post, we’ll take a close look at what security means in the cloud. Then, we’ll dig into some of the specifics of the AWS security model, based on our AWS Security Fundamentals eBook.
Security in the cloud
Security in the cloud is obviously different from that in a traditional IT environment. This can be a significant impediment to cloud adoption. In the 2017 State of the Cloud report by InformationWeek and Interop ITX, 60% of respondents listed security as one of their top concerns about the cloud. This is no surprise. When it comes to the cloud, organizations don’t know exactly where their data or their customer data resides. They may know the region or availability zone but they won’t be able to pinpoint exactly where it exists.
On the other end of the spectrum, those already in the cloud might get a bit too complacent with the security support that they are getting (or assume they are getting) from their provider. People think, “Okay, I’m using their services, and I’ve been told that they are resilient.” What they don’t realize is that they still need to architect some of their own security on top of what they’re getting from their cloud platform.
Why is security important in the cloud?
Let’s look at why security is important in the first place. One of the most important reasons for security is to prevent unauthorized people from accessing your data. Compliance (legal or regulatory) is another important reason. You might have data that must remain in a specific country or location. You may need to comply with certain government regulations such as ISO 27001 that require you to be PCI compliant, and this might be established in your service level agreements or within your customer contractual agreements. Your customers may have certain requirements for how their data is stored. They might want it to be encrypted, whether at rest or in transit. They may have other specific encryption protocols that they want you to abide by.
You will want to take all of these factors into consideration when you’re thinking about security within the cloud.
Cloud security vs. on-premise security
Now, let’s look at how security in the cloud is different from on-premise security.
With your on-premise solution, you have more responsibility as an organization because you have full control over the estate of your infrastructure, which allows more nuanced control of the various aspects of security. The main difference is that everything is accessible to you. You can control who has access to your facilities, buildings, and data center, and you determine who is authorized and trusted to perform installations and maintenance for your infrastructure. You can resolve all of the issues yourself; it’s all self-contained.
However, in the cloud, this aspect of security is taken away from you. You aren’t allowed access to the provider’s data centers or availability zones.
With your on-premise solutions, you can specify exactly where your data is stored. You’ll know which customer data is in which data center and which rack, even down to a particular SAN. You have full visibility of the storage and where customer data is located. In the cloud, you don’t have as much control. You know roughly where it is but not precisely. When it comes to business continuity and disaster recovery and items such as off-site backup management, that entire process is down to you to architect within the facilities that you have. Within AWS for example, much of this is handled by design from their global infrastructure and their resilient services.
The AWS security model
Security is AWS’s number-one priority in every sense. It’s an area into which AWS pours huge capital and energy and near-constant attention. Serving over a million customers, AWS’s most stringent security standards are already being used for audit purposes by the most security-sensitive customers in the world. Facing so many requirements, AWS is certified and compliant across a huge range of security standards, including PCI DSS, ISO, and SOC.
AWS Services are deployed and distributed in exactly the same way throughout their entire global infrastructure. This means that a single user accessing a simple S3 bucket for document backups is covered by the same intense security standards as the largest and most demanding corporations and governmental agencies.
In the cloud, responsibilities are shared between the customer (you) and your cloud provider. AWS defines the security responsibilities for each party in its Shared Responsibility Model, which lies at the very foundation of AWS security. You must decide how you want your resources to sit ‘in’ the cloud, while AWS guarantees the global security ‘of’ the cloud (i.e., the hardware they provide to host and connect your resources). If you are looking for an overview of the AWS Shared Responsibility Model and the importance of security, take a look at this recent webinar on AWS Security.
A solid understanding of the AWS Shared Responsibility Model makes it easier to build and maintain a highly secure and reliable environment. Without knowing where you need to step in and take control of data security, you cannot properly define just how secure your environment is.
Who is responsible?
Let’s take a closer look at who is responsible for what in the AWS Shared Responsibility Model.
AWS responsibility: AWS is responsible for what is known as Security ‘of’ the Cloud. This covers their global infrastructure elements – Regions, Availability Zones, and Edge Locations, as well as the foundations of their services covering Compute, Storage, Database, and Network.
AWS owns and controls access to the data centers where your customer data resides. This covers physical access to all hardware and networking components, and any additional data center facilities including generators, uninterruptible power supply (UPS) systems, power distribution units (PDUs), computer room air conditioning (CRAC) units, and fire suppression systems. Some of the security compliance controls mentioned previously are based upon this physical access entry and control. Essentially, AWS is responsible for the components that make up the cloud; any data put ‘into’ the cloud then becomes, you guessed it, your responsibility.
Customer responsibility: With the basic cloud infrastructure secured and maintained by AWS, the responsibility for what goes into the cloud falls on you. From the bottom of the stack, this covers both client and server side encryption and network traffic protection, and then moves up to the security of the operating system, network, and firewall configuration, followed by application security and identity and access management.
How much of this additional security you wish to implement is entirely your decision. What you choose may depend on the nature of your business or on existing controls you may already have in place. We recommend tightening security just enough to minimize exposure to external threats that could compromise your environment. The important point to remember is that, while AWS provides many powerful security controls, how and when to apply them is not AWS’s responsibility.
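As an added example (not from the post or the eBook), here is a small offline check of two of the customer-side controls just listed for an S3 bucket: a bucket policy that rejects plaintext (non-TLS) requests using the `aws:SecureTransport` condition key, and default server-side encryption at rest. The inputs are constructed samples in the shape of an S3 bucket policy document and a `GetBucketEncryption` response; in practice you would fetch both with the AWS API and feed them to `audit_bucket`.

```python
import json
# Constructed sample bucket policy: denies every S3 action when the request
# is not made over TLS (aws:SecureTransport is false).
STRICT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

# Constructed sample that only grants access and never rejects plaintext.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed sample in the shape of a GetBucketEncryption response.
KMS_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                           "KMSMasterKeyID": "alias/example-key"}}]}}

def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def denies_plaintext_transport(policy_json):
    """True if a Deny statement covers all principals and all S3 actions
    whenever aws:SecureTransport is false (HTTP rather than HTTPS)."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", []))):
            return True
    return False

def default_encryption_algorithm(encryption_config):
    """Return the default SSE algorithm ('AES256' or 'aws:kms'), or None when
    no default encryption rule is configured."""
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algorithm = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algorithm:
            return algorithm
    return None

def audit_bucket(policy_json, encryption_config):
    """Summarise both customer-side controls for one bucket as a dict."""
    return {"in_transit": denies_plaintext_transport(policy_json),
            "at_rest": default_encryption_algorithm(encryption_config)}
```

A bucket where `in_transit` is False or `at_rest` is None is one where AWS has secured the infrastructure but the customer has not yet taken up their half of the model.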
AWS Security Fundamentals eBook: Ready to learn more?
Now that you understand how security is different in the cloud, you’re probably ready to learn more about the specific security features that you need to know to get started. Our AWS Security Fundamentals eBook covers some of the most common and effective methods of implementing security in your VPC and across IAM and S3 services.
You will learn about:
- Instance Level Security
  - AWS security groups: what they are and why they’re important
  - OS patch protocols, key pairs, and your various tenancy options
- Network Level Security
  - Segmenting your VPC: public and private subnets
  - AWS Network ACLs and their limitations
  - How to create bastion hosts and NAT instances
  - Introduction to AWS Virtual Private Cloud peering
- Identity & Access Management
  - Groups, roles, policies
  - Federated Access
  - AWS Trusted Advisor
  - AWS Billing Controls and AWS Linked Accounts
- Simple Storage Service (S3) Security
- A complete list of resources to get you started implementing your security requirements