Many IT people know the benefits of using the cloud: cost, scalability, reliability and ease of use. However, the number one concern raised by professionals considering a move to the cloud is security, and specifically no longer having critical data on-premises. These concerns are valid, so we’ll explore some of the security features offered by Amazon Web Services (AWS) that are utilized for uAchieve in the cloud. We’ll look at three elements: logical security, physical security, and compliance.
When you create an AWS account you get your own VPC (Virtual Private Cloud), a default one in each region, and you can create more. Think of a VPC as your own data center in the cloud, logically separated from every other customer’s. You log into the AWS console to administer users, grant permissions and set up IAM roles, and only the identities you define in the account can reach the VPC and the resources within it.
Within your VPC you can set up separate logical “areas” called subnets, each of which can be secured differently. A private subnet has no route to an internet gateway, so nothing in it can be reached from the outside. Resources in a private subnet communicate only with other resources you set up within your VPC, over AWS’s private network rather than the public internet; if they need outbound access, for example to fetch patches, that goes through a NAT gateway rather than by exposing them directly. A public subnet is where you place resources that communicate with the internet, based on rules you set up.
At the subnet boundary you can set up Network Access Control Lists (NACLs) that allow or deny specific traffic types to and from the subnet. NACLs can allow or block specific IP ranges: for example, you can allow your institution’s IP range, and only that range, to connect to the subnet. Typically you would use NACLs to allow specific addresses from a specific location for specific purposes such as SSH or RDP. Two properties matter when writing them: rules are evaluated in ascending rule-number order and the first match wins (anything unmatched hits the implicit deny), and NACLs are stateless, so the return traffic of a connection you allow inbound must also be allowed outbound, usually on the ephemeral port range.
Within a subnet you can also set up Security Groups. Think of a Security Group as an individual firewall attached to each resource you have in AWS, such as a Virtual Machine (VM). Security Groups hold allow rules only, and they are stateful: a reply to a connection the group accepted is let through without a matching rule in the other direction. With Security Groups you define an additional security layer, closest to the resource, beyond the NACLs set up at the subnet level.
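The three controls above (subnets, NACLs, Security Groups) differ in a way that bites people the first time they write rules: NACLs are stateless and ordered, Security Groups are stateful. The following Python model is an added illustration, not AWS code or anything from uAchieve; it assumes a constructed scenario (an institution range of 203.0.113.0/24, an instance at 10.0.1.5, made-up rule numbers and ports) and reproduces the evaluation rules so you can see why an inbound SSH allow alone is not enough on a NACL but is on a Security Group.

```python
"""Model of how an AWS network ACL (stateless, rules evaluated in number
order) and a security group (stateful, allow rules only) decide whether a
packet passes. Added illustration, not AWS code; the addresses, rule
numbers and ports are constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    cidr: str              # remote address range the rule applies to
    ports: tuple           # inclusive (low, high) destination port range
    proto: str = "tcp"     # "tcp", "udp" or "all"
    action: str = "allow"  # "deny" only exists on NACLs
    number: int = 0        # NACL rule number; ignored for security groups


def _matches(rule, packet, direction):
    """Inbound rules match the packet's source address, outbound rules its
    destination; the port check is always on the destination port."""
    remote = packet.src if direction == "in" else packet.dst
    if rule.proto not in ("all", packet.proto):
        return False
    if ipaddress.ip_address(remote) not in ipaddress.ip_network(rule.cidr):
        return False
    low, high = rule.ports
    return low <= packet.dport <= high


def nacl_allows(rules, packet, direction):
    """NACL semantics: lowest rule number first, first match decides, and the
    implicit '*' rule denies anything unmatched. No state is kept, so each
    direction of a connection is judged on its own."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, packet, direction):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Security group semantics: any matching allow rule passes the packet,
    and a reply to an already accepted flow passes regardless of the rules
    in the reply direction (connection tracking)."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # accepted (src, sport, dst, dport, proto) tuples

    def allows(self, packet, direction):
        reverse = (packet.dst, packet.dport, packet.src, packet.sport, packet.proto)
        if reverse in self.flows:
            return True  # reply to a tracked connection
        rules = self.inbound if direction == "in" else self.outbound
        if any(_matches(r, packet, direction) for r in rules):
            self.flows.add((packet.src, packet.sport, packet.dst, packet.dport, packet.proto))
            return True
        return False


# Constructed scenario: an admin at the institution (203.0.113.0/24, a
# documentation range) opens SSH to an instance at 10.0.1.5 in a subnet.
INSTITUTION = "203.0.113.0/24"
SYN = Packet("203.0.113.10", 50123, "10.0.1.5", 22)      # client -> instance
SYN_ACK = Packet("10.0.1.5", 22, "203.0.113.10", 50123)  # instance -> client

NACL_IN = [Rule(INSTITUTION, (22, 22), number=100)]
NACL_OUT_INCOMPLETE = []                                        # return traffic forgotten
NACL_OUT_FIXED = [Rule(INSTITUTION, (1024, 65535), number=100)]  # ephemeral ports


def nacl_ssh_works(nacl_out):
    """The session only works if the SYN passes inbound AND the SYN-ACK
    passes outbound: a stateless ACL needs both rules."""
    return nacl_allows(NACL_IN, SYN, "in") and nacl_allows(nacl_out, SYN_ACK, "out")


def nacl_blocks_host(deny_number, allow_number):
    """Rule order decides: a /32 deny numbered below the /24 allow wins;
    numbered above it, the deny is never reached."""
    rules = [
        Rule("203.0.113.7/32", (0, 65535), proto="all", action="deny", number=deny_number),
        Rule(INSTITUTION, (22, 22), number=allow_number),
    ]
    bad_host = Packet("203.0.113.7", 40000, "10.0.1.5", 22)
    return not nacl_allows(rules, bad_host, "in")


def sg_ssh_works():
    """Same session through a security group with no outbound rules at all:
    the SYN-ACK still passes because the inbound flow was accepted."""
    sg = SecurityGroup(inbound=[Rule(INSTITUTION, (22, 22))], outbound=[])
    return sg.allows(SYN, "in") and sg.allows(SYN_ACK, "out")


if __name__ == "__main__":
    print("NACL, no outbound ephemeral rule:", nacl_ssh_works(NACL_OUT_INCOMPLETE))
    print("NACL, ephemeral rule added:      ", nacl_ssh_works(NACL_OUT_FIXED))
    print("NACL deny at 100, allow at 200:  ", nacl_blocks_host(100, 200))
    print("NACL deny at 200, allow at 100:  ", nacl_blocks_host(200, 100))
    print("Security group, stateful:        ", sg_ssh_works())
```

Run it as a script to see the five outcomes; the two NACL ordering cases show that a /32 deny only takes effect when its rule number is lower than the broader allow. A real Security Group allows all outbound traffic by default; the example sets outbound to empty only to isolate the connection-tracking behaviour.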
AWS offers many of its compute resources as managed services, including storage, databases, load balancers, and many more. With managed services, AWS takes care of the underlying hardware, software, operating system, patches, and upgrades. Nobody, including you, can SSH or RDP into the hosts behind a managed service, which removes an interactive attack path and is part of the added security.
AWS supports SSL/TLS for encrypting data in transit across all its services. For storage in AWS, whether files, block volumes or databases, you can enable encryption at rest; AWS handles the encryption and decryption transparently for your application, with no changes to your code. If the underlying hardware or retired media ends up in someone else’s hands, the data on it is unreadable without the key. Note the flip side of transparent decryption: anyone with valid AWS permissions to read the data gets it decrypted, so encryption at rest protects against loss of physical media, not against misconfigured access control.
Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. It monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.
AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. The best defense is to turn attacks away at the front door! AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules. Treat the WAF as a compensating control, though: it reduces exposure to known attack patterns, but it does not replace fixing injection and scripting flaws in the application itself.
The community of AWS users also helps to identify and share routines for dealing with new forms of attack. This is a tremendous resource for comparing the strategies of other security managers and perhaps adopting a ready-made solution, saving critical response time.
AWS monitors data centers using their global Security Operations Centers, which are responsible for monitoring, triaging, and executing security programs. They provide 24/7 global support by managing and monitoring data center access activities, equipping local teams and other support teams to respond to security incidents by triaging, consulting, analyzing, and dispatching responses.
Physical access points to server rooms are recorded by Closed Circuit Television Camera (CCTV). Images are retained according to legal and compliance requirements.
Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.
Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Ingress and egress points to server rooms are secured with devices that require each individual to provide multi-factor authentication before granting entry or exit. These devices sound alarms if the door is forced open without authentication or held open. Door alarming devices are also configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication. Alarms are immediately dispatched to 24/7 AWS Security Operations Centers for immediate logging, analysis, and response.
Media storage devices used to store data are classified by AWS as Critical and treated accordingly, as high impact, throughout their life cycles. AWS has exacting standards on how to install, service, and eventually destroy the devices when they are no longer useful. When a storage device has reached the end of its useful life, AWS decommissions media using techniques detailed in NIST SP 800-88. Media that stored customer data is not removed from AWS control until it has been securely decommissioned.
AWS compliance certifications and attestations are assessed by an independent third-party auditor and result in a certification, audit report, or attestation of compliance. AWS is certified under ISO 9001, 27001, 27017 and 27018, is a PCI DSS Level 1 service provider, and issues SOC 1, 2 and 3 reports. AWS offers functionality (such as security features), enablers, and legal agreements (such as the AWS Data Processing Agreement and Business Associate Addendum) to support customer compliance with regimes such as FERPA, HIPAA and IRS 1075. These certifications cover AWS’s side of the shared responsibility model; how you configure your accounts, networks and data remains your responsibility and your auditor’s scope.
When thinking about moving your data to the cloud, security should be at the forefront. However, the idea that public clouds are inherently less secure than an on-premises data center is not borne out. With AWS, security is built into all layers of the cloud, from physical to logical. Following AWS Security Best Practices makes your cloud environment as secure as, if not more secure than, a typical on-premises data center.
With AWS, Microsoft Azure or Google Cloud, your institution benefits from the large footprint of these companies. These multi-billion-dollar companies can negotiate lower hardware and software prices, build bigger and more reliable data centers, and dedicate many more resources to security and compliance than your institution can.
For more information about uAchieve in the cloud or to send me a comment, please email me at [email protected].