As more companies of every size migrate their enterprises to the cloud, it is imperative that, whether you are a security professional or not, you and your team execute a well-thought-out security plan in order to safely and successfully protect and defend your data. This article provides a quick start guide to security strategy to follow as you migrate your enterprise to the cloud, or to use as a guide to help ensure existing cloud deployments are secure. Information and cloud security are not always fun; however, the risk-reward ratio achieved through an empirical approach in today’s hostile cyber environment can provide a fantastic payoff for you, your team, and your company!
In 2016, Amazon became the fastest company ever to reach $100 billion in annual sales. Amazon Web Services (AWS) is reaching $10 billion in annual sales, doing so at a pace even faster than the milestone Amazon.com achieved. Amazon Web Services is the most widely adopted cloud infrastructure-as-a-service provider. The rapid pace of enterprises leveraging the Amazon Cloud mandates now more than ever that security best practices for securing your cloud deployments are understood and followed.
According to a recent Gartner report, “AWS is the most widely deployed public cloud infrastructure as a service (IaaS) solution in the world and is a leader in Gartner’s Magic Quadrant for Infrastructure as a Service (IaaS). AWS offers a large number of built-in security capabilities and questions on the proper practices for securing workloads in AWS are increasing.”
Gartner analysts go on to point out that “AWS is not a ‘consumer grade’ IaaS cloud. It is a market leader, with a portfolio of security capabilities and security ecosystem partners unmatched by other IaaS providers. However, simply moving existing workloads to AWS without rethinking security tools, processes, and system management will result in workloads that are less secure than they were when located within enterprise datacenters. Conversely, a properly managed and secured workload in AWS will be at least as–and, in most cases, more secure than in an enterprise data center.”
Because AWS is acknowledged as the largest provider of public cloud IaaS, I will focus on best practices for AWS. However, the security measures discussed in this series are approached holistically and apply to the majority of Enterprise Cloud deployments. It is important to note that the order of topics in this series is not entirely random. Many of these steps are sequential and are critical to follow in an orderly manner.
In part one of this series on securing your cloud deployments, we will cover:
- Liftoff: Why strategy and planning are critical to a secure cloud
- Duality: Importance of a shared security responsibility model
- KNOW: Your provider’s global security infrastructure
- Initial fail-chain avoidance: Discovery
Liftoff: Why strategy and planning are critical to a secure cloud
According to a recent article in Threatpost, one of the biggest problems when gearing up for a cloud deployment, and unsurprisingly one of the biggest challenges, is taking the time to holistically plan a strategy for security.
In an ideal situation, companies would have the time to develop ironclad enterprise cloud security. In reality, security and devops teams often only have enough time in the day to focus on managing and responding to threats, not developing and implementing robust prevention or mitigation strategies.
This is why companies often unintentionally opt for repeating tactical solutions: throw a product or feature at the security problem and move on. Zero-day attack uncovered? Cover it with the latest patch. Worried about a rogue ex-employee? Implement the latest user access controls. Need to report on network activity? Build audit trails. But with an ad-hoc approach like this, there is little to no focus on the big picture, and certainly no comprehensive strategy.
Oftentimes, this piecemeal tactical approach is driven by the need to meet compliance regulations and/or requirements. Addressing security or compliance problems as they come up results in companies spending money on point solutions to solve the immediate challenge or threat. They often end up with a complex set of disparate solutions that not only add unnecessary cost but may also cause conflicts in the overall cloud deployment, or even worse, create holes in security that didn’t exist in the past. This raises questions that need to be considered and addressed (particularly if you are in a deployment that you can’t back out of), including:
- Will the next point solution you want to buy work with the rest of your solutions?
- Do the deployed security solutions combined with the new solution contribute to increasing your security harmonically?
- Are the deployed solutions and the new solution(s) under consideration able to be managed in a unified manner?
Unfortunately, the answers to my questions above are not typically the ones you want to hear. This reinforces the case for taking the time, despite the anticipated 360-degree pushback, to plan security from a strategic perspective rather than standing up a cloud deployment and dealing with security as it comes along. Commencing at a strategic level allows your company to invest in security platforms that support your entire infrastructure rather than knocking down tactical problems as they arise.
“The supreme art of war is to subdue the enemy without fighting.” ~Sun Tzu
Duality: Importance of a shared security responsibility model
When migrating to the cloud or setting up a new instance, one of the key points to remind all members of your team, and in particular your management (even if the manager is the CEO), is that security in the cloud is a shared responsibility. Some cloud novices remain under the misconception that if they deploy in the cloud, security is the responsibility of the cloud provider. That is absolutely not true.
The AWS Shared Security Responsibility model is the foundation of the Amazon Security Platform. The Shared Security Responsibility model is also the foundation of the vast majority of all cloud deployments. It is critical when preparing for an AWS cloud deployment to understand that when using AWS services, customers maintain complete control over their content and are responsible for managing critical content security requirements.
A summary of the primary customer responsibility includes:
- What content you choose to store on AWS
- Which AWS services are used with your content
- The country in which that content is stored, by AWS datacenter
- The format and structure of your content and whether it is masked, anonymized, or encrypted
- Who you grant access to your content and how those access rights are granted, managed and revoked
At the same time, AWS understands their responsibilities in the Cloud Security model. Under the shared responsibility model, AWS:
- Operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate
- Provides tools and information to assist customers in their efforts to account for and validate that controls are operating effectively in their extended IT environments
- Provides security group firewalls
- Makes available the ability to leverage:
  - Host-based firewalls
  - Host-based intrusion detection/prevention
Sharing the responsibility for security in the cloud follows from the fact that you have a provider when you host your company resources in a cloud service provider’s infrastructure. Who is responsible for which components of security depends on the cloud service model you use, but ultimately it will be a shared paradigm.
The AWS shared responsibility model is particularly effective in that together AWS and its customers can achieve levels of security that would likely be unattainable if approached in a singular manner. In order to be truly successful with this approach, clear awareness of responsibilities for all parties involved is key, along with an in-depth understanding of your company’s distinctive security and risk posture. It is imperative to consider each service independently with regard to how best to secure the service, data, and networks, and to take the time to understand how to partner for a successful security solution.
“We have to do the best we can. This is our sacred human responsibility.” ~Albert Einstein
KNOW: Your provider’s global security infrastructure
One of the key items that you must consider when planning a migration to the cloud is the global footprint of the provider. Critical considerations like performance, security, compliance, workload segmentation, migration, and integration of the cloud into your existing enterprise all must be contemplated. A key consideration that may be overlooked is the shape of your global cloud footprint and whether the cloud services, support, and security you need are available globally.
Privacy, compliance, and data laws and regulations are serious considerations both legally and in terms of the potential need to isolate some segments of your cloud enterprise. The potential penalties for violations in these areas can be debilitating.
It is important for you to choose where your applications are delivered and where both your company and client data are stored. You also may need to consider latency/performance issues and data sharing. As you move more of your enterprise into the cloud, it is imperative to partner with a provider who gives you the flexibility to decide where your IT workloads are housed.
Finally, as your company increasingly relies on innovation to both drive market demand and keep pace with technology, you need to be ready to support these activities wherever they occur. The cloud removes the need for large upfront investments in hardware and provides your company with the ability to spin up test environments wherever and whenever the need arises.
AWS operates their global cloud infrastructure with 35 “availability zones” that you use to provision a variety of basic computing resources such as processing and storage. The AWS global infrastructure includes the facilities, network, hardware, and operational software (e.g., host OS, virtualization software, etc.) that support the provisioning and use of these resources. The AWS global infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards. As an AWS customer, you can rest assured that you’re building web architectures on top of some of the most secure computing infrastructure in the world.
There are clearly other cloud providers with a global footprint but I believe AWS provides the best illustration of the considerations that should be undertaken in terms of a truly global public cloud infrastructure.
“There’s no locality on the web – every market is a global market.” ~Ethan Zuckerman
Initial fail-chain avoidance: Discovery
Discovering cloud-ready workloads and applications is an integral part of the migration strategy. The new competency for migration technology for discovery and planning recognizes cloud provider partners that can perform the initial groundwork to shortlist the applications that can be moved to the cloud. They participate in discovering the IT assets within the customer application portfolio to identify dependencies and requirements. They help enterprises in building a comprehensive migration plan.
The new AWS Application Discovery Service (first announced in April 2016) is designed to help you, as an AWS cloud user, gain a holistic view of your existing environments, identify what’s going on, and get the information and visibility that you need in order to successfully migrate existing applications to the cloud.
Discovery is an important part of the AWS (or any) Cloud Adoption Framework. The framework helps our customers to plan for their journey. Among other things, it outlines a series of migration steps:
- Evaluate current IT Enterprise
- Discover and plan
The Application Discovery Service focuses on assisting IT migration by automating a process that is slow, tedious, complex, and very likely incomplete when done manually. Planning datacenter migrations can involve thousands of workloads that are often deeply interdependent. Application discovery and dependency mapping are important first steps in the migration process, but are difficult to perform at scale due to the lack of automated tools.
The AWS Application Discovery Service automatically collects configuration and usage data from servers, storage, and networking equipment to develop a list of applications, how they perform, and how they are interdependent. This information is retained in encrypted format in an AWS Application Discovery Service database which you can export as a CSV or XML file into your preferred visualization tool or cloud migration solution to help reduce the complexity and time in planning your cloud migration.
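The dependency mapping described above can be illustrated with a short added example (not code from AWS or from this article). It groups hosts that communicate, directly or transitively, into sets that should migrate together and lists the flows each set needs, which is a starting point for least-privilege security group rules. The CSV columns and host names are constructed for illustration and are not the Application Discovery Service’s actual export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of observed connections. The column names are assumptions,
# not the Application Discovery Service's real export schema.
SAMPLE_CSV = """source_host,dest_host,dest_port
web-01,app-01,8080
web-02,app-01,8080
app-01,db-01,5432
batch-01,db-02,3306
report-01,db-02,3306
legacy-ftp,legacy-ftp,21
"""

def load_edges(csv_text):
    """Parse connection records into (source, destination, port) tuples."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["source_host"], r["dest_host"], int(r["dest_port"])) for r in rows]

def migration_groups(edges):
    """Union-find over hosts: connected hosts end up in the same group."""
    parent = {}

    def find(host):
        parent.setdefault(host, host)
        while parent[host] != host:
            parent[host] = parent[parent[host]]  # path compression
            host = parent[host]
        return host

    for src, dst, _port in edges:
        root_src, root_dst = find(src), find(dst)
        if root_src != root_dst:
            parent[root_dst] = root_src
    groups = defaultdict(set)
    for host in list(parent):
        groups[find(host)].add(host)
    return sorted(sorted(g) for g in groups.values())

def required_flows(edges, group):
    """Distinct host-to-host flows inside a group: candidate allow rules."""
    members = set(group)
    return sorted({(s, d, p) for s, d, p in edges
                   if s in members and d in members and s != d})

if __name__ == "__main__":
    edges = load_edges(SAMPLE_CSV)
    for group in migration_groups(edges):
        print(group, required_flows(edges, group))
```

A host that appears alone in a group, such as the constructed `legacy-ftp` entry, has no observed dependencies and can be scheduled independently.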
I trust that the first installment in this series on the security perspective of cloud migration/deployments helps you and your organization understand the first steps in achieving risk management and compliance goals, and in understanding the importance of enabling rigorous methods to describe the structure of security and compliance processes, systems, and personnel. These are the first steps you can take with components and activities to assist with assessment, control selection, and compliance validation with DevSecOps principles while leveraging automation tools to make your migration or assessment as easy as possible.
I trust this is helpful and encourage your comments and questions!
Photo credit: All Amazon photos are from Amazon Web Services