Cloud computing is no longer the “niche” or novel area it was once considered. Even if your organization isn’t embracing cloud computing internally, you are probably using a cloud-based platform for a CRM or relying on websites powered on Amazon Web Services (AWS), which claims 42% of the cloud market by revenue.
But despite cloud’s ubiquity, DevOps and engineering teams are often unsure whether their cloud environment is secure. In an Intel Security survey, only one-third of respondents expressed confidence that their senior management had a grip on cloud security.
Cloud computing – especially AWS – is here to stay, so how can your organization ensure its security? Ask your IT team the following three questions if you want to ease your – and your employees’ – minds.
The most important thing to realize about AWS security is that it’s a question of configuration. Picture it like IKEA furniture – all the components are there for you to have a chair, but if you assemble it incorrectly, you could end up with something more like a lopsided table. The same applies to your cloud infrastructure.
Question #1: How are we monitoring security events in our cloud environment?
Ideally, your team will already be doing this with the built-in tools offered by the service provider. However, from experience, this is not always the case. Your team should be automating anomaly detection from logs and should be alerted whenever anything out of the ordinary happens.
There are plenty of tools that exist for this purpose. AWS itself offers the more advanced CloudTrail (as well as CloudWatch, which can be used to monitor events such as user account activity); your team should be using both.
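To make “automating anomaly detection from logs” concrete, here is an added example (not code from the original article or from AWS) that runs a handful of detection rules over CloudTrail records. The records are constructed for the example: the field layout follows CloudTrail’s JSON record format, but the account id, user names, addresses and timestamps are placeholders. The rule names, the alert dictionary shape and the access-denied threshold are this example’s own choices; in a real deployment the same logic would run over files delivered to the CloudTrail S3 bucket or over events forwarded to CloudWatch.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records (placeholder values, not real log data).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2017-07-20T10:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-07-20T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2017-07-20T10:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
] + [
    # three permission failures in a row from the same user
    {"eventTime": f"2017-07-20T10:0{4 + i}:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation"}
    for i in range(3)
] + [
    # ordinary, successful read-only call: should produce no alert
    {"eventTime": "2017-07-20T10:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]})

# IAM calls that change who can do what, and CloudTrail calls that blind the audit log.
IAM_SENSITIVE = {"CreateAccessKey", "CreateUser", "CreateLoginProfile", "AttachUserPolicy",
                 "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy"}
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}


def actor(rec):
    """Best available name for who made the call."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect_anomalies(raw_json, denied_threshold=3):
    """Return a list of alerts {severity, rule, detail} for a CloudTrail log file body."""
    records = json.loads(raw_json)["Records"]
    alerts = []
    denied = Counter()  # access-denied errors seen per actor

    def alert(severity, rule, detail):
        alerts.append({"severity": severity, "rule": rule, "detail": detail})

    for rec in records:
        name = rec.get("eventName", "?")
        who = actor(rec)
        where = f"from {rec.get('sourceIPAddress', '?')} at {rec.get('eventTime', '?')}"

        if rec.get("userIdentity", {}).get("type") == "Root":
            alert("HIGH", "root-activity", f"root account performed {name} {where}")
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            alert("HIGH", "console-login-no-mfa", f"{who} signed in to the console without MFA {where}")
        if rec.get("eventSource") == "iam.amazonaws.com" and name in IAM_SENSITIVE:
            alert("MEDIUM", "iam-sensitive-change", f"{who} called {name} {where}")
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
            alert("HIGH", "cloudtrail-tampering", f"{who} called {name} {where}")
        if rec.get("errorCode") in DENIED_CODES:
            denied[who] += 1
            if denied[who] == denied_threshold:  # alert once when the burst reaches the threshold
                alert("MEDIUM", "access-denied-burst",
                      f"{who} hit {denied_threshold} permission errors, latest {name} {where}")
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_CLOUDTRAIL):
        print(f"[{a['severity']}] {a['rule']}: {a['detail']}")
```

The first four rules are stateless and fire per record; the last one keeps a counter per actor so that a run of permission errors, which is what a leaked or over-used key often looks like, is reported once rather than drowned in per-event noise.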
Question #2: How are we securing our keys?
Disturbingly, not everyone can answer this question – the truth is keys are often poorly managed. The keys in question are what permit access to your cloud infrastructure. Logically, the production keys should be well-guarded – and not left exposed in source code, shared with the entire development team, or given freely to contractors (all common situations).
Amazon provides Key Management Services (KMS) – the tools are at your team’s fingertips. However, if they aren’t used correctly, they can’t be effective. (You can also use a third-party service like Vault, which offers similar functionality, suitable for everything from employee credential storage to data encryption).
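One cheap control against the first of those situations, keys left exposed in source code, is a scan that runs before code is committed. The script below is an added example, not code from the article, AWS or Vault. It flags AWS access key ids and secret access keys by their format; the sample source file is constructed for the example and uses the placeholder credentials that AWS’s own documentation uses (`AKIAIOSFODNN7EXAMPLE` and `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`), which are not live keys. The regular expressions, the redaction format and the finding dictionary shape are this example’s own.

```python
import re
import sys

# Constructed sample source file; the credentials are AWS's documented example values.
SAMPLE_SOURCE = """\
import os
# good: read a short-lived credential from the environment or instance role
session_token = os.environ.get("AWS_SESSION_TOKEN")
# bad: long-lived production credentials committed to the repository
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
bucket = "prod-customer-data"
"""

# Access key ids are 20 characters starting with AKIA (long-lived) or ASIA (temporary).
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 base64-style characters; to limit false positives we only flag
# them when assigned to a "secret"-named variable or key.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_a-z]*\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def redact(value):
    """Keep the first and last four characters so a finding can be traced without re-leaking it."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text, path="<stdin>"):
    """Return a list of findings {path, line, kind, value} for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws-access-key-id", "value": redact(m.group(0))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws-secret-access-key", "value": redact(m.group(1))})
    return findings


def scan_paths(paths):
    """Scan each file on disk; unreadable bytes are replaced rather than aborting the scan."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


if __name__ == "__main__":
    # With file arguments behaves like a pre-commit hook; without, scans the built-in sample.
    found = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE, "sample.py")
    for f in found:
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['value']}")
    sys.exit(1 if found else 0)  # non-zero exit status blocks the commit
```

Wired into a pre-commit hook (for example `git diff --cached --name-only | xargs python scan_keys.py`), the non-zero exit status stops the commit before the key reaches a shared repository, which is far cheaper than rotating a key after it has been pushed.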
Question #3: How are you securely storing sensitive data?
Data storage can easily turn into a case of “who’s on first.” Often, the permissions are awry. There’s no reason there should be copies of production data in development systems. Your production environment should be on lock whereas your development environment should be a “playground” for the engineering teams.
Who has access and what they have access to should be closely controlled when it comes to production data; following the principle of least privilege and performing regular reviews is best practice here.
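Reviews of who can reach production data are easier when the broad grants are found mechanically. The linter below is an added example (not code from the article or from AWS) that reads an IAM or S3 bucket policy document and reports the patterns that break least privilege: `Action` or `Resource` wildcards, `Allow` with `NotAction`, and a `Principal` of `*` that opens a resource to everyone. The three policies are constructed for the example; the bucket names and the wording of the findings are this example’s own, while the policy grammar (`Version`, `Statement`, `Effect`, `Action`, `Resource`, `Principal`) is AWS’s.

```python
import json

# Constructed policies. The first is the "playground" grant that often ends up on
# production data; the second limits a developer to a sandbox bucket and explicitly
# denies the production bucket; the third is a bucket policy that makes production
# data readable by anyone.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::prod-customer-data/*"},
]})

LEAST_PRIVILEGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadDevSandbox", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::dev-sandbox", "arn:aws:s3:::dev-sandbox/*"]},
    {"Sid": "NeverTouchProd", "Effect": "Deny", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::prod-customer-data", "arn:aws:s3:::prod-customer-data/*"]},
]})

PUBLIC_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::prod-customer-data/*"},
]})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # Both the bare "*" form and {"AWS": "*"} mean any AWS account, including anonymous access.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def lint_policy(policy_json):
    """Return a list of human-readable findings; an empty list means no broad grant was found."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; only Allow grants it
        label = stmt.get("Sid") or f"statement[{idx}]"
        if "NotAction" in stmt:
            findings.append(f"{label}: Allow with NotAction grants every action not listed; enumerate actions instead")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{label}: Action '*' grants every API call in AWS")
            elif action.endswith(":*"):
                findings.append(f"{label}: Action '{action}' grants every call in that service, destructive ones included")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{label}: Resource '*' applies the actions to every resource in the account")
        if _principal_is_everyone(stmt.get("Principal")):
            findings.append(f"{label}: Principal '*' exposes the resource to any AWS account and to anonymous users")
    return findings


if __name__ == "__main__":
    for name, doc in [("broad", BROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY),
                      ("public-bucket", PUBLIC_BUCKET_POLICY)]:
        print(f"{name}: {lint_policy(doc) or ['no findings']}")
```

Running this over every customer-managed policy and bucket policy as part of the regular access review turns “performing regular reviews” from a reading exercise into a diff: a policy that produced no findings last quarter and produces one now is exactly the change the review needs to look at.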
Security by Design – Not by Accident
This is a concept that security professionals often beat people over the head with, but for a reason. Insecure AWS configurations suffer from this problem (as recently seen in the Verizon breach that left 14 million customer records exposed). These configurations end up in poor shape because security was not a focus from the start, and because there was probably some confusion about the technology itself. Each cloud-based platform is different, and it’s important for your engineering team to thoroughly understand what can go wrong.
When your team is configuring the AWS environment, it should follow the OWASP Secure by Design principles – specifically the previously mentioned principle of least privilege and separation of duties. AWS has its own Security by Design documentation available as well. Most security missteps are easy to avoid with some careful forethought.
Maintenance is key, too. It’s best to perform security design reviews before you deploy your environment, and to keep assessing your infrastructure’s security regularly once it is running.
AWS comes with pitfalls (and enough jargon to fill its own dictionary), but if designed and implemented properly, security will be more achievable. And instead of a lopsided table, you’ll have a chair.
Christie Terrill , CONTRIBUTOR