AWS, Security Based on a Shared Responsibility Model (Part 1)

If you would like to read the next part in this article series please go to AWS, Security Based on a Shared Responsibility Model (Part 2).

Having a clear understanding of where responsibilities are demarcated is essential to achieving the best possible security and service outcome when using a public cloud service, and AWS is no different.

Part one looks at AWS's share of the responsibility.

Introduction

AWS prides itself on its infrastructure and the manner in which it supports the running of its very efficient and ever-growing base of cloud services. Another feature is the ability afforded to customers to retain maximum control of their data when using AWS infrastructure and services. However, with this level of control over data, customers must also retain responsibility for many of the critical security requirements of that data when using these services. These responsibilities vary from one AWS service to the next across the broad range of services offered, which can be confusing for the customer to get their head around.

Amazon conforms to a rigorous set of security standards, policies and practices to ensure that the cloud environment offers the best possible security at all times and that its share of the responsibility is covered properly. It also offers guidance for the customer to follow so that they too have the best opportunity of handling their part of the shared security responsibility, so that both parties can jointly tackle any security concerns and improve security without compromising the flexibility and scalability of the services.

Responsibilities Defined: Amazon Web Services (AWS)

Amazon Web Services is responsible for securing the underlying global infrastructure and foundation services that support the AWS cloud.

Global infrastructure and foundation services

AWS's infrastructure is vast and spans the globe. It has data centres across North and South America, Asia, Europe and Australia, with new ones springing up everywhere. It is the sole responsibility of AWS to ensure that this global infrastructure and its foundation services are properly secured.

The AWS areas of responsibility comprise:

Securing the Global infrastructure

  • Availability zones
  • Regions
  • Edge locations

Securing the Foundation services

  • Network Services
  • Compute Services
  • Database Services
  • Storage services

AWS Deployment and Business Continuity Management

AWS Identity and Access Management

The following outlines some of the steps AWS undertakes to ensure that their share of responsibility is met.

  1. Compliance

Amazon Web Services assures the customer that its duties are undertaken appropriately by conforming to a number of rigorous security standards, regulations and best practices; compliance is vouched for by a number of independent auditors.

Certifications of compliance include:

  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
  • SOC 2
  • SOC 3
  • FISMA, DIACAP, and FedRAMP
  • DOD CSM Levels 1-5
  • PCI DSS Level 1
  • ISO 27001
  • ITAR
  • FIPS 140-2
  • MTCS Level 3

The platform is flexible in that it allows customers to further implement solutions or standards that may be specific to a particular industry, or that are required by the customer to support a standard or certification.

  2. Physical and environmental security of the global infrastructure

The infrastructure is designed and built to a superior standard, made achievable by many years of experience and the unsurpassed expertise and resources on hand. The resulting infrastructure and platforms cannot be matched by a customer building their own.

Facilities and data centres are strictly controlled at all access points using a variety of authentication, electronic control and detection means. They are concealed, confidential and safeguarded round the clock.

Access to facilities is limited using a least-privilege approach; all access is logged and individuals are routinely audited. Access to facilities is not granted lightly.

Facilities are appropriately protected against potential physical damage from fire, with detection systems throughout to cover all potential scenarios.

Power supply to the data centres is reliable, with backup power supplies available if required.

Climate and temperature within the data centres are effectively monitored and kept at the required levels for the proper and safe functioning of hardware and servers.

Electrical, mechanical and critical systems and equipment are routinely maintained (as a preventative measure), monitored and effectively managed.

Storage devices that are no longer needed or no longer in use are disposed of according to specified, accepted practices so as to protect customer data from unauthorised disclosure.

Instances are isolated from other virtual machines running on the same server.

  3. Business continuity management (availability and incident response)

The infrastructure lends itself to high availability and resiliency. The customer can make use of multiple independent availability zones (each powered independently from different grids and utilities) within multiple geographic locations. This also serves as both a great failover and load-balancing feature.

Strategically spreading data across multiple availability zones offers the capability to maintain resilience when confronted with various failure scenarios (natural disasters or system failures).

AWS provides up-to-date, workable systems and procedures (at all hours, throughout the week and year) for responding to an incident and assisting in its efficient resolution if required. These systems and procedures are routinely reviewed and maintained.

  4. Network security (securing the architecture and access points, monitoring and complete defence)

AWS has a superior network whose internal and external boundaries are meticulously monitored and managed. The architecture enables comprehensive monitoring of communications and traffic, and the network and transmissions are protected (SSL protocol). It is designed with fault tolerance in mind, with minimal customer impact should a failure occur.

AWS uses automated monitoring measures to detect a multitude of unauthorised activities, Denial of Service attacks and unusual occurrences on its networks. All issues are documented for resolution purposes and personnel are available for quick resolution.

AWS also protects against traditional network security issues (Distributed Denial of Service attacks, Man in the Middle attacks, IP spoofing, port scanning and packet sniffing by other customers).

The customer can implement further network security features or solutions and use encryption technology to further secure sensitive data. (This is advisable.)

AWS also stays updated on possible vulnerabilities through routine scanning of the AWS environment, and proactively monitors channels for new patches as they become available.

  5. Control of access to infrastructure

AWS separates the corporate network from the production network, each with different and unique access and authentication requirements.

Stringent access and credential policies are enforced by AWS to control access to the infrastructure and foundation services and to maintain its security posture.

  6. Managed services

All security elements of products managed by AWS (managed services) also remain AWS's responsibility. These services are delivered to the customer under the agreement that AWS will manage them as well. The customer has little responsibility when opting for this type of service, mainly the configuration of resource access controls and the securing of credentials.

For services that fall within this category, AWS is also responsible for the following:

  • Instance maintenance
  • Securing the guest OS
  • Patching of the database
  • Configuration of the firewall
  • Disaster recovery

Conclusion

The AWS infrastructure and environment is first class: a secure environment and a solid foundation for the customer to build on.

Sharing responsibilities and working together, customer and trusted AWS partner, to secure an otherwise complex environment does ease the strain, and if approached correctly should reap great results. However, it is important to remember that the final responsibility lies with you, the AWS customer.

Look out for part two of this series where we will discuss the customer’s part in the AWS Shared responsibility model.
