Amazon Web Services is an IaaS model, and when utilising services from any IaaS provider it is necessary to ensure best practices are followed so that the workloads deployed in the environment are secure. AWS should be no different.
Amazon supplies a wealth of information on securing your data within AWS. It includes the steps you, as the user of AWS, should take to ensure that your user responsibilities are met, and it outlines Amazon’s responsibilities as the provider of the services. If the best practices are followed correctly, the potential vulnerability of your workloads in the cloud is greatly reduced.
It’s often time consuming and daunting to filter through the masses of information provided, so in this article we aim to highlight a few areas that we consider when securing your AWS workloads.
AWS differs from other IaaS providers by being the most widely adopted IaaS at present. However, many of the practices recommended to secure your AWS workloads could apply to other IaaS providers too.
When choosing AWS as your IaaS provider you are already ahead of the game when it comes to security. There is definitely truth in saying that not every cloud is built the same, but AWS has built security features into the cloud and takes the security of its infrastructure, environment, users and user data very seriously. The security you are afforded through AWS and the services provided is second to none. This is a great start.
There is always more that can be done to further secure your data and this should not be overlooked, even when the built-in/default security is already present and superior.
IaaS cloud delivers concepts beyond virtualisation so that you don’t need to learn how to manage them yourself. A lot of the time, when utilising the IaaS cloud, you are not even aware of the details of the virtualisation platform being used - it is not your responsibility (the model lends itself to this) and thus there is no need for you, as the user, to fret over it. That is, provided the vendor of choice has a good track record and proven experience and knowledge in the space; with AWS you can rest assured that this is the case.
In the majority of scenarios an AWS deployment will involve integrating both on-premises infrastructure and cloud AWS services and infrastructure. Thus, to secure this mixed environment effectively, and the data at its varying points, it is best to focus on an identity-based strategy as well as securing the infrastructure, remembering that AWS operates a Shared Responsibility Model when it comes to security.
How do we define the workload? From the viewpoint of cloud computing, the workload is the use to which cloud consumers put their virtual machines in the cloud.
Various workloads differ in characteristics and have differing requirements for cloud compute. Workload requirements will differ with regards to compute capacity, variability of load, network requirements, backup requirements and services needs, availability and accessibility needs, bandwidth requirements, storage needs, and security requirements.
Due to the varied workload types and the variation in their characteristics and needs, the requirements to effectively secure the workloads can be complex. However, there are a few focus practices that should be followed to support the security of all workloads; any security gaps left exposed can then be addressed appropriately.
Workloads can be classified as:
- Client centric (development and testing, productivity applications, graphic intensive applications, internet applications)
- Server centric (websites, online services, E-commerce, storage and backup)
- Mobile centric (mobile services, support mobile applications)
These varied workloads need to be properly secured on AWS in a way that is comprehensive to sufficiently cover all the varying characteristics each workload imparts.
Securing your workloads
Step one: Get the basics right
It’s often suggested that the following be considered to help best secure the IaaS environment. These areas must be considered and looked for when evaluating any IaaS service provider, to help ensure the basics for securing your workloads with the provider are addressed. AWS has these basics sufficiently covered and offers much more.
Choosing the right provider
Choose the IaaS provider with care; a provider who is transparent, conforms to security compliance requirements and standards, and offers a proven secure infrastructure, environment and service is essential (AWS has this covered).
Application Vulnerability Scanning and Application Integration
Applications are hosted in the IaaS cloud and are often the cause of a breach. Applications should be properly scanned for vulnerabilities and software updated periodically or as required.
Identity and Access Control Management
Credential theft and misuse of privileges are also major causes of a breach. Identity and access management in the cloud is very important and must be strictly controlled to ensure resources are not accessed without authorisation. Consider multifactor authentication and role-based access controls.
Log Monitoring and Management
An effective log monitoring strategy is essential. It must be integrated, comprehensive and managed correctly.
Encryption
Encryption is the best method to ensure your sensitive data is secure. It can be applied at various levels (database, network, backup, in transit and at rest).
The AWS Approach
The basic points are reiterated within the AWS approach. You have chosen an exceptional vendor in AWS, and AWS has succeeded in covering the necessary crucial points.
Amazon approaches securing your workloads in the best possible ways. The practices they follow, and recommend that users follow, are well thought out and established. They are kept current thanks to Amazon’s market presence and the abundance of knowledge and resources available to them, ensuring the service provided to the user is always up to date.
AWS works to strategically secure data at all stages of compute and has a well-established IAM practice in place.
Beyond the basic requirements for any IaaS, to better secure your workloads in AWS the focus should be on ensuring the points below are addressed:
- AWS utilises a Shared-Responsibility Model, understand what this means and what your responsibilities are.
- Ensure that you have visibility of Cloud-Based Workloads.
- Activate and utilise CloudTrail.
- IAM practices are one of the most important areas to get right, ensure the IAM foundation is solid.
- AWS IAM offers the functionality needed to obtain a solid IAM foundation. Utilise these capabilities, such as group and role definitions, the Security Token Service (STS) and security policies. AWS also supports Active Directory.
- Build security into the AWS workload from the development stage.
- Encryption is key to ensuring your data is secure. Encrypt all network traffic.
- Encrypt all the data the VM stores locally by default.
- Ensure data in transit is secure, i.e. data moving in and out of the cloud (between on-premises data centres and the cloud). You could utilise VPNs or identity-based solutions.
- Handle AWS as an extension of your own data centre, ensuring that it is secured in the same manner.
- Utilise AWS security groups by default.
- Leverage a third-party firewall for superior capabilities.
- Adopt a workload-centric security strategy.
- Do not overlook the protection of the supporting infrastructure for the application and its associated network infrastructure services.
- Encourage your current security vendors to support AWS.
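As an added example (not from the original article, and not AWS’s own tooling), the following Python audits two of the checklist items above: security groups with ingress open to the whole internet, and IAM policy statements that grant every action on every resource. The input samples are constructed to match the JSON shapes of the EC2 DescribeSecurityGroups output and an IAM policy document; the ADMIN_PORTS set is an assumption.

```python
import ipaddress

# Constructed sample shaped like one entry of EC2 DescribeSecurityGroups output.
SAMPLE_SECURITY_GROUP = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]}

# Constructed sample IAM policy document with one over-broad statement.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}

# Assumption: management ports that should never be reachable from anywhere.
ADMIN_PORTS = {22, 3389, 3306, 5432}

def open_ingress(group):
    """Return (from_port, to_port, cidr) for IPv4 rules open to the whole internet."""
    findings = []
    for rule in group.get("IpPermissions", []):
        for r in rule.get("IpRanges", []):
            if ipaddress.ip_network(r["CidrIp"], strict=False).prefixlen == 0:  # 0.0.0.0/0
                # Protocol "-1" (all traffic) rules carry no ports: treat as every port.
                findings.append((rule.get("FromPort", 0), rule.get("ToPort", 65535), r["CidrIp"]))
    return findings

def exposed_admin_ports(group):
    """Admin ports covered by an open-to-world rule, e.g. SSH on 22."""
    exposed = set()
    for lo, hi, _cidr in open_ingress(group):
        exposed.update(p for p in ADMIN_PORTS if lo <= p <= hi)
    return exposed

def wildcard_statements(policy):
    """Indexes of Allow statements granting every action on every resource."""
    found = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        acts = st.get("Action", [])
        res = st.get("Resource", [])
        acts = [acts] if isinstance(acts, str) else acts  # Action may be a string or a list
        res = [res] if isinstance(res, str) else res
        if "*" in acts and "*" in res:
            found.append(i)
    return found
```

Run against real data by feeding the output of the EC2 and IAM APIs into the same functions; HTTPS on 443 is reported as open but only the SSH rule is flagged as an exposed admin port.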
This is a simplified overview of the considerations in securing your AWS workloads. If best practice is followed, AWS and the user together can better ensure the Confidentiality, Integrity and Availability of the workload and data in AWS; moreover, confidence in the privacy of data is achievable.
It’s important to remember that security should always be approached in the same manner, whether computing in a traditional physical or a virtualised environment. The same good practices should be upheld and the data still requires securing, no matter the environment, be it physical or virtual.
Considering these focus areas and applying the security strategies and solutions correctly to your service will assist in achieving a more secure workload in AWS.