One of the most asked question about Cloud is “How Secure is Cloud?” and usually a short answer is “Businesses can focus on their core business ideas while security and infrastructure is handled by Cloud Service Provider.”
This blog highlights the 6 key aspects about Security on AWS Cloud which one needs to understand and in the process bust this myth that Security is a concern on Cloud.
1. Cloud Security is Universal: Cloud doesn’t differentiate between customers i.e. no matter what your cloud spend is or you are just using the free tiers offered by AWS, you get the same level of security. One doesn’t pay extra for security! The cost of which otherwise would be substantial if one were to build that on his/her on-premise infrastructure. To expect the least, one gets the following security with all the services they consume on AWS,6 Things you should know about Security on AWS Cloud
- Security Accreditations: AWS Cloud is certified with worlds strictest security accreditation like SOC1/2 (Control Objectives), SAS70, ISO 27001, PCI (The Payment Card Industry) DSS (Data Security Standard Level 1 Compliance, FISMA (Federal Information Security Management Act) and HIPAA compliant among others. Cloud makes it super simple and cost effective for you to get these security accreditations and become compliant to world class security standards.
- Physical Security: The need to create a physically secure environment with appropriate manning, CCTV security, discarding of end-of-life hardware, multi-level physical security etc. With soaring infrastructure prices, inflation, the cost of physical security would at the least be same as maintaining an ATM machine if not more, which is a gross underestimation for larger requirements.
- Network Security: DDoS (Distributed Denial of Service), MITM (Man in the Middle), IP Spoofing, Unauthorized Port Scanning, Packet Sniffing, Configuration Management. In a world were everyday we see new virus and hacking attacks, it’s needless to say that it’s of utmost important to keep your systems and process up-to-date.
- Geo-Diversity and Fault Tolerance: AWS Global infrastructure is spread across the globe (in multiple seismic zones) with eight Regions, which helps in designing application to have Geo-Diversity i.e. if there is a natural calamity affecting any geography, the application can still be up and running from other geographies. Moreover each Region has multiple availability zones, which helps in designing the application to become fault tolerant due to some hardware failure within a region.
2. Visibility: CIOs often struggle with questions like, what infrastructure do you have, how do you know, what’s in your environment? Obviously, taking inventory and annuals audits are one way to get these answers. However with AWS one can take the inventory, know the firewall rules, and know the exact no. of servers, storage space, the OS being used and about any other software / hardware object in use.
The enhanced level of visibility offers a better way to mitigate risk related to infrastructure. As Stephen Schmidt, Chief Information Security Officer, says “You can’t protect what you don’t know you have”.
AWS Management Console provides a web-interface to manage all the objects being used on AWS, additionally, it also supports multi-factor authentication enabling a secured access to this interface.
3. Auditable: The cloud environment is auditable i.e. to help you know how AWS manages its security and it also helps you store logs in a cost effective way.
- The security mechanism which AWS claims to have in place is auditable and is audited by 3rd party auditors before granting accreditation The proof of these audits is available on AWS website under Artefacts like Plans, Policies and Procedures followed by AWS.
- AWS users can store application logs on Storage (S3) or Archival (Glacier) and store them in a cost effective way for as long as one wants to. Needless to say that there are innumerous benefits of storing logs in fact in some cases it’s required for compliance.
4. Transparent: AWS Cloud lets one choose the audit / certification as per the business needs. Businesses can use AWS artefacts for compliance i.e. A portion of compliance requirement is taken care by the Cloud helping you comply with different security accreditation.
5. Shared: Security on cloud is a shared responsibility; it’s like driving a car with awesome security features but One Still Needs to Drive it Safely to avoid mishap!Security on Cloud is Shared Responsibility
AWS Responsibility: This is about how AWS manages security and compliance, and how it protects the large base of customer data? As Stephen Schmidt, Chief Information Security Officer says “We are responsible from Concrete up to the Hypervisor within the Virtual Machine Environment” which includes the following,
- Physical Security
- Physical Infrastructure
- Network Infrastructure
- Virtualization Infrastructure
User Responsibility: This is about how the user, manages his cloud deployments and how s/he protects data. Users need to ensure the security related to,
- Choice of Operating System
- Security groups
- Identify and access management
- Network ACLs
- Network Configuration
- Account Management
6. Familiar: The Control Objectives followed in the AWS Cloud environment are fundamentally similar to the Control Objectives on On-Premise environment.
Audited SOC1/2 Control Objectives followed by AWS are,
- Security Organization: Ex- AWS employees are trained on the highest security standards
- Amazon employee life cycle: Ex- Appropriate background check for employee and revaluating background on a regular basis
- Logical security: Ex- Access levels are confined to the required systems only and revaluating the need of access on a regular basis.
- Secure data handling: Ex- Secure disposing of an end of life storage media
- Physical security
- Environment safeguards
- Change management
- Data integrity, availability and redundancy
- Incident handling
Hope this help in shunning security myths about Cloud. Please feel free to write to us or leave your comment here.
Know more about the Best Security Practices on AWS Cloud.
- AWS Security by CJ Moses
- AWS Security Center
- Security and Compliance in the AWS Cloud by Chad Woolf
- Security OF the AWS Cloud by Stephen Schmidt