Data theft: no one’s immune
Because, in conformance with their Shared Responsibility Model, AWS does such a good job protecting their physical infrastructure, many of the kinds of data theft that plague locally-hosted operations aren’t likely to threaten your cloud-based servers.
Consider, as an example, the unauthorized individual who just sat down in front of that workstation over there… the one right behind the room divider. See how easily he’s able to bypass network checkpoints by posting his freshly encoded data to social networking accounts or fax-to-email services? I’ll bet you’ll never see anything like that happening inside an Amazon server farm.
But not so fast with the smug grin: this definitely doesn’t mean you’re off the hook. Not even close. After all, the kind of disaster that recently hit Morgan Stanley – and 350,000 of its customers – could just as easily have happened on an AWS-hosted system. Data theft (sometimes called “data exfiltration”) is a serious threat to all networked systems, and you’ve got responsibilities to your customers, investors, and society at large to do your part to prevent it.
Data theft: preventative solutions
Here’s a checklist of steps you can – and should – take to both harden your deployment and, in general, tighten the way you interact with your cloud resources:
- IAM. The less access to your resources you provide to team members and applications, the lower the chances that your data will go missing. Through their Identity and Access Management (IAM) service, AWS allows you to expose your individual compute and data resources to specific purpose-built users and roles, rather than to all and sundry who might be associated with your account. Use it.
- Penetration-testing. When asked in advance, AWS will provide permission for you to launch simulated attacks against your cloud infrastructure. Using specialized operating system distributions like Kali Linux, you’ll get a first-hand look at how well your ACLs, security groups, and VPCs are configured, and how easy it will be for the bad guys to blow past them.
- Anti-phishing training. All the stealth technology in the world won’t do much good if someone on your team clicks on the “fix the problem” link in the fake “your account needs resetting” email he just received.
- Secure your own local infrastructure. You can’t very well blame Amazon if the gentleman at Data Theft Incorporated got your account authentication data through a keystroke tracker installed on the compromised PC you’re using, can you?
- Log monitoring. System access and event logs exist for a reason. Hint: it might have something to do with keeping track of system access and events.
- CloudWatch. Haven’t got the time or patience to properly monitor your logs? Once you set them to trigger alarm notifications upon detection of unusual activity, the friendly electrons at Amazon’s CloudWatch will be only too happy to do it for you.
Data Leak Prevention technology
Besides those more integrated approaches, there’s also Data Leak Prevention (DLP) technology, an entire class of software solutions aimed at data theft protection. DLP systems use machine learning heuristics, user activity monitoring, and sometimes honeypots to monitor a network.
They’ll particularly focus on analyzing data when it’s in motion (network), at rest (archived), and in use (endpoints). Should you feel the need is pressing enough, there’s no reason you can’t install such a package on part of your cloud infrastructure to keep watch over your account resources.
Of course, DLP systems are available from many of the usual suspects like Symantic and McAfee. But it’s the Linux-based open source packages, MyDLP and, perhaps, OpenDLP that should interest us the most because they’re likely to be flexible (and Linux-friendly) enough to fit comfortably into the AWS environment.
The bottom line? The tools we’ll need to defend our cloud deployments against data theft are available. We’ve just got to decide to use them.
Google Cloud Platform Certification: Preparation and Prerequisites
Google Cloud Platform (GCP) has evolved from being a niche player to a serious competitor to Amazon Web Services and Microsoft Azure. In 2019, research firm Gartner placed Google in the Leaders quadrant in its Magic Quadrant for Cloud Infrastructure as a Service for the second consecuti...
New Lab Challenges: Push Your Skills to the Next Level
Build hands-on experience using real accounts on AWS, Azure, Google Cloud Platform, and more Meaningful cloud skills require more than book knowledge. Hands-on experience is required to translate knowledge into real-world results. We see this time and time again in studies about how pe...
New on Cloud Academy: AWS Solution Architect Lab Challenge, Azure Hands-on Labs, Foundation Certificate in Cyber Security, and Much More
Now that Thanksgiving is over and the craziness of Black Friday has died down, it's now time for the busiest season of the year. Whether you're a last-minute shopper or you already have your shopping done, the holidays bring so much more excitement than any other time of year. Since our...
Understanding Enterprise Cloud Migration
What is enterprise cloud migration? Cloud migration is about moving your data, applications, and even infrastructure from your on-premises computers or infrastructure to a virtual pool of on-demand, shared resources that offer compute, storage, and network services at scale. Why d...
6 Reasons Why You Should Get an AWS Certification This Year
In the past decade, the rise of cloud computing has been undeniable. Businesses of all sizes are moving their infrastructure and applications to the cloud. This is partly because the cloud allows businesses and their employees to access important information from just about anywhere. ...
AWS Regions and Availability Zones: The Simplest Explanation You Will Ever Find Around
The basics of AWS Regions and Availability Zones We’re going to treat this article as a sort of AWS 101 — it’ll be a quick primer on AWS Regions and Availability Zones that will be useful for understanding the basics of how AWS infrastructure is organized. We’ll define each section,...
Application Load Balancer vs. Classic Load Balancer
What is an Elastic Load Balancer? This post covers basics of what an Elastic Load Balancer is, and two of its examples: Application Load Balancers and Classic Load Balancers. For additional information — including a comparison that explains Network Load Balancers — check out our post o...
Advantages and Disadvantages of Microservices Architecture
What are microservices? Let's start our discussion by setting a foundation of what microservices are. Microservices are a way of breaking large software projects into loosely coupled modules, which communicate with each other through simple Application Programming Interfaces (APIs). ...
Kubernetes Services: AWS vs. Azure vs. Google Cloud
Kubernetes is a popular open-source container orchestration platform that allows us to deploy and manage multi-container applications at scale. Businesses are rapidly adopting this revolutionary technology to modernize their applications. Cloud service providers — such as Amazon Web Ser...
AWS Internet of Things (IoT): The 3 Services You Need to Know
The Internet of Things (IoT) embeds technology into any physical thing to enable never-before-seen levels of connectivity. IoT is revolutionizing industries and creating many new market opportunities. Cloud services play an important role in enabling deployment of IoT solutions that min...
Which Certifications Should I Get?
As we mentioned in an earlier post, the old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and compan...
How to Go Serverless Like a Pro
So, no servers? Yeah, I checked and there are definitely no servers. Well...the cloud service providers do need servers to host and run the code, but we don’t have to worry about it. Which operating system to use, how and when to run the instances, the scalability, and all the arch...