Security in the cloud should be viewed as a shared responsibility. With many organizations moving some, or all, of their data to the cloud, it’s important they understand, evaluate, and adopt the security solutions available to minimize and address risk.
Many cloud providers take care of the physical and underlying security and availability of the infrastructure that provides the services, but the consumer is responsible for configuring, deploying, and managing their data and systems within the cloud environment. This is where the shared responsibility model is important to understand. Cloud providers such as Amazon offer a multitude of security solutions to assist with properly configuring and managing these systems; however, these solutions are not enabled by default, so consumers must activate them manually in order to benefit from them.
Security and Network Access
Managed and unmanaged access to AWS resources should be carefully configured. Policies should be defined such that all traffic is blocked by default and only required communication is explicitly permitted. This will help to ensure unnecessary services and ports aren’t exposed. Management of services should be restricted to known and approved sources and used in combination with multi-factor authentication. In addition to a virtual or host-based firewall, it is considered best practice to leverage Amazon’s built-in security groups to help define and restrict permitted access. Most host-based or virtual firewalls will provide capabilities such as deep packet inspection, intrusion prevention, and additional advanced threat protection.
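As an added illustration of the "blocked by default, explicitly permitted" rule above (example code written for this article, not code from the original post or from Amazon), the script below audits security group ingress rules for management ports that are reachable from outside an approved source range. The input mirrors the SecurityGroups list that `aws ec2 describe-security-groups --output json` returns; the four sample groups and the approved CIDR 203.0.113.0/24 are constructed for the example.

```python
"""Audit EC2 security group ingress rules for exposed management ports.

The group dicts follow the shape returned by `aws ec2 describe-security-groups`;
SAMPLE_GROUPS below is constructed data for this example.
"""
from ipaddress import ip_network

MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample: one open bastion, one properly restricted admin group,
# one "allow everything" group and one web group that only exposes HTTPS.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa111", "GroupName": "bastion-open",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb222", "GroupName": "admin-restricted",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
                       {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [{"CidrIp": "203.0.113.5/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc333", "GroupName": "allow-all",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ddd444", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def rule_covers_port(perm, port):
    """True if an IpPermission entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rule_sources(perm):
    """Yield every CIDR source (IPv4 and IPv6) listed on an IpPermission entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def find_exposed_management_ports(groups, approved_cidrs=()):
    """Return one finding per (group, port, source) where a management port is
    reachable from the whole internet or from a source outside approved_cidrs."""
    approved = [ip_network(c, strict=False) for c in approved_cidrs]
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            for port, service in MANAGEMENT_PORTS.items():
                if not rule_covers_port(perm, port):
                    continue
                for src in rule_sources(perm):
                    net = ip_network(src, strict=False)
                    allowed = src not in WORLD and any(
                        net.version == a.version and net.subnet_of(a) for a in approved)
                    if not allowed:
                        findings.append({"group": sg["GroupId"], "port": port,
                                         "service": service, "source": src})
    return findings


if __name__ == "__main__":
    for finding in find_exposed_management_ports(SAMPLE_GROUPS, ["203.0.113.0/24"]):
        print(finding)
```

The check flags both the explicit SSH rule on sg-0aaa111 and the protocol "-1" rule on sg-0ccc333 (which silently covers every port), while the restricted admin group passes because its sources sit inside the approved range. Pointing it at real output from the CLI is a matter of loading the JSON and passing the SecurityGroups list.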
Logging and Security Monitoring
Amazon has multiple ways to begin logging data within EC2, including both CloudWatch and CloudTrail. Often, organizations simply enable CloudWatch because it can be done with a single click. Unfortunately, those logs are generally focused on availability and performance monitoring rather than security events. To perform security monitoring and properly audit events in support of a forensic investigation, it is crucial to collect network, security, application, authentication, and system logs. The only way to capture all of these events is to configure and tune each source properly. It is recommended to forward this data to a central aggregation server such as a SIEM, which will retain the data for a year, provide threat detection capabilities, and allow for rapid incident response and analysis.
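To make the difference between availability logging and security monitoring concrete, here is an added example (written for this article, not code from the original post) of the kind of detection logic a SIEM would run over CloudTrail. It reads a log object in CloudTrail's JSON delivery format ({"Records": [...]}) and raises alerts for four security-relevant patterns: the trail itself being stopped or altered, root account activity, a console login that succeeded without MFA, and repeated failed logins from one source address. All events, users and IP addresses are constructed sample data.

```python
"""Security detections over CloudTrail records.

Field names follow the CloudTrail JSON log format; SAMPLE_LOG is constructed
sample data for this example, not a real trail.
"""
import json
from collections import Counter

# API calls that disable or weaken the audit trail itself.
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T08:01:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-15T08:02:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-15T08:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-15T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root"}},
] + [
    # Four consecutive failed console logins for "carol" from one address.
    {"eventTime": f"2024-01-15T10:00:{i:02d}Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}} for i in range(4)
]})


def detect(log_text, failed_login_threshold=3):
    """Return a list of alert dicts (rule, eventName, actor, eventTime, sourceIPAddress)
    for the records in a CloudTrail log object."""
    records = json.loads(log_text)["Records"]
    alerts = []
    failures = Counter()              # failed console logins per source address
    for ev in records:
        ident = ev.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type")
        name = ev.get("eventName")
        base = {"eventName": name, "actor": actor, "eventTime": ev.get("eventTime"),
                "sourceIPAddress": ev.get("sourceIPAddress")}
        # 1. Someone switched off or altered the audit trail.
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and name in AUDIT_TAMPERING:
            alerts.append({"rule": "audit_tampering", **base})
        # 2. Root credentials used for day-to-day work.
        if ident.get("type") == "Root":
            alerts.append({"rule": "root_activity", **base})
        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            # 3. Successful console login without a second factor.
            if outcome == "Success" and mfa != "Yes":
                alerts.append({"rule": "console_login_without_mfa", **base})
            # 4. Repeated failures from one source; alert once when the threshold is hit.
            if outcome == "Failure":
                src = ev.get("sourceIPAddress")
                failures[src] += 1
                if failures[src] == failed_login_threshold:
                    alerts.append({"rule": "repeated_failed_logins", **base})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["rule"], alert["actor"], alert["eventTime"])
```

The first rule is the one to prioritise: none of the others can fire if the trail has been stopped, which is why StopLogging and DeleteTrail should be alerted on and ideally prevented by IAM policy rather than merely logged.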
Identity and Access Management
In addition to restricting management access through access controls, it’s important to adopt best practices for managing user access to AWS resources and APIs. This access can be managed through Amazon’s built-in Identity and Access Management (IAM) service. Role-based access can be defined by referencing built-in security groups, which can be customized to align with roles within your organization. This helps reduce risk by decreasing the chance of access creep. IAM policies should also be enforced to match corporate standards. Settings such as multi-factor authentication, password complexity requirements, and lockouts and expirations should be aligned with the business’s requirements.
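As an added example of checking IAM settings against a corporate standard (code written for this article, not from the original post or from Amazon), the script below compares an account password policy with a required baseline and lists console users who have no MFA device. The policy dict follows the PasswordPolicy object returned by `aws iam get-account-password-policy`, and the CSV follows a subset of the columns in `aws iam get-credential-report`; the baseline values, the weak and compliant policies, and the credential report rows are all constructed for the example.

```python
"""Compare an IAM account password policy and credential report with a corporate standard.

The policy dict mirrors `aws iam get-account-password-policy` output and the CSV mirrors
a subset of `aws iam get-credential-report` columns. All values below are constructed.
"""
import csv
import io

# Hypothetical corporate baseline (an assumption for this example, not an AWS default).
CORPORATE_STANDARD = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,            # days; absent from AWS output means no expiry
    "PasswordReusePrevention": 24,   # absent means previous passwords may be reused
}

# Constructed: the kind of policy left behind by a quick initial setup.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

# Constructed: a policy that meets the baseline.
COMPLIANT_POLICY = dict(CORPORATE_STANDARD, MinimumPasswordLength=16, MaxPasswordAge=60,
                        AllowUsersToChangePassword=True, ExpirePasswords=True)

# Constructed credential report excerpt (real reports carry more columns).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true
svc-backup,arn:aws:iam::123456789012:user/svc-backup,false,false,true
"""


def check_password_policy(policy, standard=CORPORATE_STANDARD):
    """Return (setting, actual, required) tuples for every setting that falls short."""
    deviations = []
    for setting, required in standard.items():
        actual = policy.get(setting)
        if isinstance(required, bool):
            ok = actual is True
        elif setting == "MaxPasswordAge":
            ok = actual is not None and actual <= required   # shorter expiry is fine
        else:
            ok = actual is not None and actual >= required   # longer or stricter is fine
        if not ok:
            deviations.append((setting, actual, required))
    return deviations


def users_without_mfa(report_csv):
    """Return console-enabled users (password_enabled == true) with no MFA device.

    Service users without a console password are skipped; they need key rotation
    checks instead, which this function does not cover."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return sorted(r["user"] for r in rows
                  if r["password_enabled"] == "true" and r["mfa_active"] == "false")


if __name__ == "__main__":
    for setting, actual, required in check_password_policy(WEAK_POLICY):
        print(f"{setting}: have {actual!r}, need {required!r}")
    print("console users without MFA:", users_without_mfa(SAMPLE_REPORT))
```

Two details are worth noting when reading real output: AWS simply omits MaxPasswordAge and PasswordReusePrevention when they are not set, so a missing key has to be treated as a failure rather than ignored, and the credential report marks the root account's password as "not_supported", so the MFA filter deliberately keys on "true" rather than on "not false".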