Is AWS cloud security really out of your hands?
By Cameron McKenzie
As long as security remains a common concern for enterprise consumers, cloud providers must work hard to prove that they deserve their customers' trust. Amazon is certainly striving to impress in this arena with its wide array of security measures, pushing forward the ambitious goal of providing comprehensive cloud-based security that can fully replace, and even improve upon, the protection that its consumers would traditionally expect from on-premises solutions.
But how can Amazon and AWS compete with on-premises solutions in terms of security? At the physical level, secure and resilient data centers across multiple regions are the foundation, but that's only the start. Applications and data hosted in the AWS cloud are also protected using dozens of built-in security features, including secure access, firewalls, identity and access management, multi-factor authentication, private subnets, encrypted data storage, dedicated networks, and security logs. Trusted Advisor, available as part of the premium support package, monitors AWS resources and notifies the account manager about security configuration gaps.
Giving away the keys to enterprise
With an admirable track record for security and maintaining confidentiality, many enterprise consumers are entrusting the cloud with their deepest secrets. "A lot of our enterprise customers had extra-sensitive assets with very secret crypto keys where on-premise they were using Hardware Security Modules," said AWS Sr. Vice President Andy Jassy. "They wanted us to provide that capability so they could move them out of their own data centers. So we built a service called HSM that allows customers to use tamper-proof HSMs for their most sensitive secrets."
However, as resilient as these modern cloud-based systems may be, businesses are not completely absolved of the responsibility for maintaining a secure solution. Many of the most critical areas have to do with how applications and data are managed and monitored. Mark Nunnikhoven from Trend Micro addressed this unpleasant, yet unavoidable, security responsibility in his presentation on Updating Security Operations for the Cloud: "Auditing plays a very important role in the security process. Auditing, in a nutshell, is the verification and validation that the controls you think are in place are actually in place. So you've designed this framework and you think the security is good. Auditors are the ones who come in to check if those security features really are in place and doing what you think they are doing."
Auditing has always been a weak point from an operational standpoint, one of its biggest annoyances being that it tends to involve paperwork, or at least paper trails. Any system that requires one or more users to manually enter data to make changes is subject to errors and procrastination. Initially, the cloud might seem to make this problem go away by shifting a great deal of the infrastructure and resources out of the enterprise, but the ease with which new compute resources, servers, databases, or instances can be spun up in the cloud also means the process may be much more opaque. That means there's actually more to audit.
The auditing paradox
Why does cloud-based auditing so often get overlooked, and when it's done, why is it often done so poorly? In the cloud, there is a massive amount of information being collected on a vast number of diverse services such as databases and CDNs. To be successful and effective, an internal operational security team must understand not only how to collect this information, but also how to generate digestible reports for dissection. When there is no more paperwork or manual process to create resistance to best practices, auditors can actually start enjoying their job. Fortunately, there are a number of tools that are making this possibility a reality. The most significant is AWS CloudTrail, which records all API activity and documents any changes. Also, for automated security report generation, third-party tools and centralized console options abound. Deployed properly, such solutions can replace manual tasks, offering timely, accurate, and highly detailed views of the state of security in the cloud. A trusted partner can assist with tasks such as implementing automation, generating an initial vulnerability assessment report, and tracking the remediation process. Having a second set of eyes involved is a smart move.
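The paragraph above describes CloudTrail as the raw record of API activity and the need to turn that record into a digestible report. The following script is an added example, not code from the article or from AWS: it reads a constructed batch of records laid out in CloudTrail's record format (the `Records` array with `eventTime`, `eventSource`, `eventName`, `userIdentity`, `sourceIPAddress`, `requestParameters` and `errorCode` fields), separates read-only calls from control-changing ones, and produces the kind of summary an auditor would want. The `WATCHED_EVENTS` table, the sample records, the IP addresses and the `sg-EXAMPLE` identifier are all assumptions made up for illustration.

```python
import json
from collections import Counter

# Constructed sample in CloudTrail's record layout; every value here is made up
# for this example and does not come from a real account or trail.
SAMPLE_TRAIL = json.dumps({
    "Records": [
        {"eventTime": "2014-06-20T10:01:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "DescribeInstances",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "sourceIPAddress": "198.51.100.10"},
        {"eventTime": "2014-06-20T10:02:30Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "AuthorizeSecurityGroupIngress",
         "userIdentity": {"type": "IAMUser", "userName": "bob"},
         "sourceIPAddress": "203.0.113.5",
         "requestParameters": {"groupId": "sg-EXAMPLE", "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
        {"eventTime": "2014-06-20T10:05:00Z", "eventSource": "iam.amazonaws.com",
         "eventName": "PutUserPolicy",
         "userIdentity": {"type": "IAMUser", "userName": "bob"},
         "sourceIPAddress": "203.0.113.5",
         "requestParameters": {"userName": "bob", "policyName": "inline-admin"}},
        {"eventTime": "2014-06-20T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
         "eventName": "StopLogging",
         "userIdentity": {"type": "Root"},
         "sourceIPAddress": "203.0.113.5",
         "requestParameters": {"name": "audit-trail"}},
        {"eventTime": "2014-06-20T10:07:00Z", "eventSource": "s3.amazonaws.com",
         "eventName": "ListBuckets",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "sourceIPAddress": "198.51.100.10",
         "errorCode": "AccessDenied"},
    ]
})

# Assumed watch list of control-changing calls. Read-only Describe*/List*/Get*
# calls are noise for an audit of "did the controls change"; mutations are not.
WATCHED_EVENTS = {
    "iam.amazonaws.com": {"PutUserPolicy", "AttachUserPolicy", "CreateAccessKey",
                          "CreateUser", "DeleteUser", "DeactivateMFADevice"},
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress",
                          "RevokeSecurityGroupIngress", "CreateSecurityGroup"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
}


def actor(record):
    """Name the principal behind a record; root has no userName, only a type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def open_to_world(record):
    """True if an ingress rule in this record admits traffic from 0.0.0.0/0."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False


def audit_trail(raw_json):
    """Reduce a batch of records to the summary an auditor reviews."""
    records = json.loads(raw_json)["Records"]
    findings = []
    for rec in records:
        src, name = rec.get("eventSource"), rec.get("eventName")
        if name not in WATCHED_EVENTS.get(src, ()):
            continue
        if src == "cloudtrail.amazonaws.com":
            note = "audit logging itself was changed"
        elif name == "AuthorizeSecurityGroupIngress" and open_to_world(rec):
            note = "ingress rule open to 0.0.0.0/0"
        elif src == "iam.amazonaws.com":
            note = "identity/permission change"
        else:
            note = "control change"
        findings.append({"time": rec["eventTime"], "actor": actor(rec),
                         "source_ip": rec.get("sourceIPAddress"),
                         "event": f"{src}/{name}", "note": note})
    return {
        "total_events": len(records),
        "denied_calls": sum(1 for r in records if "errorCode" in r),
        "root_activity": sum(1 for r in records
                             if r.get("userIdentity", {}).get("type") == "Root"),
        "events_by_actor": dict(Counter(actor(r) for r in records)),
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(audit_trail(SAMPLE_TRAIL), indent=2))
```

Run against the constructed batch, the report reduces five raw events to three findings (a world-open SSH rule, an inline IAM policy change, and the trail being stopped by the root account) plus counts of denied calls and root usage, which is exactly the "digestible" view the paragraph calls for rather than the raw API log. The same shape of report is what a third-party console would build at scale over real trail files.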
At the end of the day, internal security will always need to evaluate the overall cloud security picture. Only those intimately familiar with how business needs intersect with the cloud can determine the risk level, compliance needs, and security concerns that are a top priority. But with so much riding on the security of an organization's infrastructure, taking the time to ensure all aspects of the enterprise solution are properly secured and effectively audited is simply the due diligence that every enterprise client today expects.
What security concerns do you have with your cloud-based resources? Let us know.
22 Jun 2014