
Ensure You’re Secure
docs.media.bitpipe.com/io_13x/io_130458/item_1306492/hb_Ensure…

Contents: Editor’s Note · The Role Users Play in Securing AWS · Tools Can Fill AWS Security Gaps · New Features Boost AWS Security

In Amazon Web Services, security requires the participation of users. Here’s what you need to know about the shared-responsibility approach.


EDITOR’S NOTE

Users Need to Do Their Part

It would be nice to think of Amazon Web Services as a place where you can run workloads, store data, and conduct business without ever giving more than a passing thought to security. Unfortunately, that’s not how things work.

As IT consultant Dan Sullivan writes in this guide, AWS security is built around a shared-responsibility approach. This means users need to do their part to protect their public cloud assets.

Amazon secures the cloud infrastructure, Sullivan notes, but it’s incumbent on IT teams to participate in the security effort. Tasks such as user authentication and OS protection are the responsibility of users, and can’t be overlooked. He breaks down the shared-responsibility model, and points out where—and how—AWS users should be engaged in security matters.

This three-part guide includes guidance from cloud expert Ofir Nachmani, who writes about specific tools and security features that can help safeguard AWS resources. Tools such as AWS Config and capabilities for identity access, he writes, can be important allies.

Also included here is an update on features Amazon itself is developing in the continuing effort to strengthen security. TechTarget’s Beth Pariseau gets into specifics about key management and Lambda support for virtual private clouds, and she talks with AWS users about how the availability of such technologies changes their views on cloud security.

In security terms, the success—or failure—of a cloud initiative will depend on how well an organization has played its part in complementing the protections offered by AWS.

Phil Sweeney, Senior Managing Editor

Data Center and Virtualization Group, TechTarget


USER’S ROLE

The Role Users Play in Securing AWS

Moving an application from an on-premises infrastructure into the public cloud generates a number of benefits—especially in information security. Cloud providers such as Amazon assume responsibility for securing the cloud infrastructure, but that doesn’t mean there’s nothing left to do.

Cloud users themselves bear the burden for securing applications and data. This distribution of effort is known as the shared-security model.

One of the benefits of cloud computing is that Amazon manages the security of the infrastructure, such as network devices, servers, storage systems and physical infrastructure. AWS provides all aspects of physical security, such as controlling physical access to data centers and monitoring network infrastructure. As a general rule, if a service or device is at or below the level of a hypervisor, then AWS will manage all aspects of its security.

AWS customers using services such as Elastic Compute Cloud (EC2) servers and Amazon Simple Storage Service (S3) are responsible for securing applications, operating systems and identities, as well as authentication and authorizations. The exception to this rule is that AWS provides additional security for platform as a service (PaaS). These would include DynamoDB and Relational Database Service. In the case of PaaS, AWS provides for the security of the underlying database, while users still maintain access controls on database structures.

AWS manages a significant portion of overall security. Still, there is much for Amazon customers to consider, starting with operating systems.

AWS customers have the same type of responsibility for OS security in the cloud as on premises. System administrators should enforce good practices, such as limiting the types of applications and libraries available on servers. Production instances should not have compilers installed and network traffic should be blocked on unneeded ports, for example. The Center for Internet Security offers free guidelines on hardening operating systems.

For operating systems, think about how to configure available applications and services, and close down ports. Consider using a hardened operating system, such as CIS Ubuntu.

It’s also important to encrypt data at rest and in motion. S3 may be encrypted automatically using server-side encryption. Client applications can write unencrypted data to an S3 bucket, where that data will be encrypted automatically. When the data is retrieved, it will be decrypted and returned to the calling application.

Data also can be encrypted in DynamoDB, but users will need to use client-side encryption. In this model, the data is encrypted before it is saved to the data store and decrypted by the client when the data is retrieved.

AWS manages encryption keys when server-side encryption is used; the client application needs to manage encryption keys when client-side encryption is used.

USING SECURITY GROUPS

Another good practice is segmenting traffic on the network. Virtual private clouds (VPCs) are used to define a logical network for a set of related server, load balancing and related resources. VPCs can be thought of as virtual data centers. A corporate customer can, for example, restrict network traffic that originates from IP addresses in its on-premises network. Within a VPC, traffic can be further segmented using security groups and network access control lists.

Security groups are stateful firewalls that control access to EC2 instances. Security groups consist of sets of rules that specify the protocols allowed to communicate with an instance (HTTP, HTTPS, SSH and so on) and any restrictions on the sources of that traffic. A single security group can be applied to multiple instances, so it is a useful way to apply common sets of firewall rules for multiple servers.

Network access control lists (NACLs) are stateless firewalls that provide for fine-grained control over protocols. NACLs are used in conjunction with security groups to implement network security policies.
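To make the stateful/stateless distinction concrete, here is an added example (not code from the guide or from AWS) that models a security group and a NACL in plain Python and runs one HTTPS round trip through each; the rule and packet shapes, the corporate address range and the connection-tracking model are simplified assumptions. The same model also covers the later mention of network access lists in the tools section.

```python
"""Stateful security group vs. stateless NACL, modelled in plain Python. Added
example, not from the guide or AWS; shapes and connection tracking are simplified."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = toward the instance, "out" = toward the peer
    peer: str       # remote IP address
    proto: str
    sport: int      # source port
    dport: int      # destination port (what rules match on)

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    ports: tuple           # inclusive (from_port, to_port)
    cidr: str              # peer address range
    action: str = "allow"  # NACLs may "deny"; security groups are allow-only
    number: int = 0        # NACL evaluation order; unused by security groups

def matches(rule, pkt):
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and rule.ports[0] <= pkt.dport <= rule.ports[1]
            and ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(rule.cidr))

def flow_key(pkt):
    """Identify a connection the same way whichever direction the packet goes."""
    ports = (pkt.sport, pkt.dport) if pkt.direction == "in" else (pkt.dport, pkt.sport)
    return (pkt.peer, pkt.proto) + ports

class SecurityGroup:
    """Stateful: once a flow is allowed, its return traffic is allowed too.
    Only inbound rules are modelled; outbound rules are left out (assumption)."""
    def __init__(self, rules):
        self.rules, self.flows = rules, set()
    def allows(self, pkt):
        key = flow_key(pkt)
        if key in self.flows:
            return True
        if any(matches(r, pkt) for r in self.rules):
            self.flows.add(key)
            return True
        return False

class NetworkAcl:
    """Stateless: every packet, replies included, walks the numbered rules;
    the first match wins and anything unmatched is denied."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
    def allows(self, pkt):
        for r in self.rules:
            if matches(r, pkt):
                return r.action == "allow"
        return False

ONPREM = "198.51.100.0/24"  # constructed corporate address range

def https_roundtrip(firewall, client_ip="198.51.100.7"):
    """(request allowed, reply allowed) for one HTTPS connection from client_ip."""
    request = Packet("in", client_ip, "tcp", sport=51234, dport=443)
    reply = Packet("out", client_ip, "tcp", sport=443, dport=51234)
    ok = firewall.allows(request)
    return ok, ok and firewall.allows(reply)  # no request, no reply to judge

SG = SecurityGroup([Rule("in", "tcp", (443, 443), ONPREM)])
# NACL missing the outbound rule for the client's ephemeral port: the request
# gets in, but the reply is dropped because nothing tracks the connection.
NACL_HALF = NetworkAcl([Rule("in", "tcp", (443, 443), ONPREM, number=100)])
NACL_FULL = NetworkAcl([  # explicit deny for one host, then the allows
    Rule("in", "tcp", (0, 65535), "198.51.100.66/32", action="deny", number=50),
    Rule("in", "tcp", (443, 443), ONPREM, number=100),
    Rule("out", "tcp", (1024, 65535), ONPREM, number=100),
])
```

The NACL needs an explicit outbound rule for the client's ephemeral port range and can carry an explicit deny; the security group needs neither, because it tracks the connection and is allow-only.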

With CloudWatch and CloudTrail, AWS offers two cloud-monitoring services to assist with performance management and security.

CloudWatch monitors performance and measures key metrics on instances, storage systems and platform services. Although it is not primarily a security tool, it can help identify anomalous events on infrastructure, such as an unusually large download from a database server.

CloudTrail is a logging service that captures details of calls made to Amazon APIs. This allows cloud administrators to monitor significant events, such as starting or shutting down instances, as well as other changes, such as adding users to the identity and access management (IAM) repository.
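As an added example (not from the guide or from AWS), the following Python runs the kind of CloudTrail checks this paragraph describes over a handful of constructed records: instance lifecycle calls from outside the corporate network, IAM user changes, and console logins without MFA or with root credentials. The corporate IP range, the event names treated as sensitive and the sample records are all assumptions.

```python
"""Triage constructed CloudTrail records for the events the article calls out:
instance start/stop and IAM user changes, plus console logins without MFA.
Added example, not the guide's or AWS's code; the corporate IP range, the
event names treated as sensitive and the sample records are assumptions."""
import ipaddress

CORP_NET = ipaddress.ip_network("198.51.100.0/24")  # constructed egress range
IAM_MUTATIONS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                 "PutUserPolicy", "AddUserToGroup", "CreateLoginProfile"}
INSTANCE_LIFECYCLE = {"RunInstances", "StartInstances", "StopInstances",
                      "TerminateInstances"}

# Constructed records in CloudTrail's shape (only the fields triage() reads).
SAMPLE_RECORDS = [
    {"eventTime": "2016-03-01T08:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2016-03-01T08:05:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2016-03-01T09:30:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances", "sourceIPAddress": "198.51.100.31",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"}},
    {"eventTime": "2016-03-01T23:14:55Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2016-03-02T01:47:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
]

def outside_corp(source):
    """True for a public IP outside CORP_NET. AWS service principals such as
    'ec2.amazonaws.com' also appear in sourceIPAddress and are not flagged."""
    try:
        return ipaddress.ip_address(source) not in CORP_NET
    except ValueError:
        return False

def triage(record):
    """Return [(severity, reason)] findings for one CloudTrail record."""
    name = record["eventName"]
    ident = record.get("userIdentity", {})
    actor = ident.get("userName") or ident.get("arn", "unknown")
    src = record.get("sourceIPAddress", "")
    findings = []
    if ident.get("type") == "Root":
        findings.append(("high", f"root credentials used for {name} from {src}"))
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        findings.append(("high", f"console login by {actor} without MFA from {src}"))
    if name in IAM_MUTATIONS:
        target = record.get("requestParameters", {}).get("userName", "?")
        findings.append(("high", f"{actor} ran {name} on IAM user {target}"))
    if name in INSTANCE_LIFECYCLE and outside_corp(src):
        findings.append(("medium", f"{name} by {actor} from non-corporate IP {src}"))
    return findings

def scan(records):
    """Flatten findings over a batch, oldest first, as (time, severity, reason)."""
    rows = [(r["eventTime"], sev, why) for r in records for sev, why in triage(r)]
    return sorted(rows)
```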

MINIMIZE YOUR RISKS

Organizations that need additional security applications could look to the AWS Marketplace for Amazon partners that offer enhanced security tools. Alert Logic, for example, provides Web application firewall and vulnerability scanning tools, while Sophos offers a unified threat-management application.

As part of the shared-security model, AWS customers should plan for disaster recovery. AWS services are designed to be durable and available, but outages occur. If you need high availability at all times, consider application architectures that span multiple regions.

Another way to minimize the risk of configuration errors is to employ DevOps procedures to automate infrastructure deployment. Cloud administrators should review automation scripts to minimize the risk of undetected configuration errors. Consider putting the AWS Config service to work to catch misconfigured infrastructure.

The shared-security model relieves businesses and other users of cloud services from many security concerns associated with running a data center, but there are still many facets of information security that remain in the hands of AWS customers. —Dan Sullivan


TOOLS TO HELP

Tools Can Fill AWS Security Gaps

To do business securely in Amazon’s public cloud, IT teams need to stay current on best practices. These include making use of the native AWS building blocks and available services, as well as essential third-party products.

By 2018, half of all businesses with more than 1,000 users will use security broker products to monitor and manage their use of software as a service and other forms of public cloud, suggests a Gartner 2016 predictions report.

Businesses will also build secure infrastructures via the AWS Management Console or APIs. Focusing on building blocks, such as network security, access control and visibility, can help IT teams automate and enforce security policies at scale, and stay a step ahead of potential threats to an AWS operation.

NETWORKS, ACCESS AND VISIBILITY

Security groups are the most common building block for supporting network security. They can help organize pools of AWS resources and apply network security policies on those resources.

When setting up an AWS deployment, IT teams should place a security group within an AWS Virtual Private Cloud (VPC). This helps developers take advantage of the private virtual network capabilities of the AWS network. Developers should also use network access lists to control and define the inbound and outbound traffic of a subnet.

Each AWS user has a secret access key and access key ID that are used to secure an AWS account. Temporary access to an account can be given with an AWS Security Token Service. In addition, Amazon’s identity and access management (IAM) tool provides role-based access. Users and applications are given defined roles, which tightly control access to specific resources and applications. AWS also provides a multifactor authentication option.

In every IT environment, visibility is critical to security success. AWS has multiple security services, including Trusted Advisor, Amazon Inspector and AWS Config. Trusted Advisor helps users identify vulnerabilities, such as:

■ Misconfigured security groups, including open ports;

■ IAM password policies that are not enabled; and

■ An Elastic Load Balancer that does not have a Secure Sockets Layer certificate.

AWS Trusted Advisor can also scan backup configurations. It will alert users to outdated volume snapshots or notify them if their load is not balanced across enough availability zones to avoid single points of failure.

AWS announced in 2015 the debuts of Amazon Inspector and AWS Config Rules. Amazon Inspector is like an expansion of AWS Trusted Advisor, because it is an assessment tool. The agent-based Amazon Inspector, meanwhile, is an up-the-stack tool that analyzes application behavior and correlates it to the behavior of the underlying AWS resources.

AWS Config automates compliance checks. It captures the current state of AWS resources, tracks changes and then alerts users of a change that doesn’t comply with AWS best practices.

AWS Config Rules expanded AWS Config capabilities by allowing administrators to set custom rules that target specific types of resources. AWS Config helps maintain consistent resource tagging and provides alerts on misconfigured security groups. AWS Config also gives users a more granular look into the history of each resource configuration change, which adds another way to gain visibility over the AWS stack.
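An added example (not the guide’s or AWS’s own code) of the custom rule this paragraph describes, applied to the open-port problem Trusted Advisor lists above: a Lambda handler for an AWS Config custom rule that marks a security group non-compliant when SSH or RDP is reachable from the whole internet. The configuration-item field names follow the AWS::EC2::SecurityGroup item shape as the author understands it, the port list is a local choice, and the sample item is constructed.

```python
"""Custom AWS Config rule that marks a security group NON_COMPLIANT when SSH
or RDP is reachable from the whole internet. Added example, not the guide's
or AWS's code; config-item field names follow the AWS::EC2::SecurityGroup
item shape as understood by the author, and the port list is a local choice."""
import json

RISKY_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def open_risky_ports(ip_permissions):
    """Return [(label, port)] for inbound rules reaching a risky port from anywhere."""
    hits = []
    for perm in ip_permissions or []:
        sources = {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
        sources |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
        sources |= set(perm.get("ipRanges", []))  # older items carry plain strings
        if not sources & ANYWHERE:
            continue
        proto = perm.get("ipProtocol")
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if proto == "-1":            # "all traffic": every port on every protocol
            lo, hi = 0, 65535
        elif proto != "tcp" or lo is None or hi is None:
            continue
        hits.extend((label, port) for port, label in RISKY_PORTS.items() if lo <= port <= hi)
    return hits

def evaluate(item):
    """Map one configuration item to (ComplianceType, Annotation)."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "resource no longer exists"
    hits = open_risky_ports(item.get("configuration", {}).get("ipPermissions"))
    if hits:
        return "NON_COMPLIANT", "; ".join(f"{l}/{p} open to the internet" for l, p in hits)
    return "COMPLIANT", "no risky port exposed to 0.0.0.0/0 or ::/0"

def lambda_handler(event, context):
    """Entry point AWS Config invokes; reports the verdict back with put_evaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],    # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    import boto3  # imported here so evaluate() stays usable without the SDK
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                          ResultToken=event["resultToken"])
    return evaluation

# Constructed configuration item (not from any real account).
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2016-03-01T12:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    ]},
}
```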


VPC flow logs and AWS CloudTrail are also important audit and log services that maintain proper visibility and control over an AWS deployment.

WHAT ELSE TO INCORPORATE

For high availability, developers must automate backups and implement disaster recovery (DR) processes around the basic instance using volume snapshots and Amazon Machine Images. In addition, it is prudent to choose AWS offerings with built-in high-availability measures.

Amazon Simple Storage Service (S3) and Relational Database Service (RDS) are two examples of robust AWS storage options. S3 is a highly available storage utility and has inherent redundancy. According to Amazon, S3 is designed to provide 99.999999999% durability and 99.99% availability of objects over a given year.

Amazon RDS is automatically backed up and enables point-in-time recovery for a database instance. One pitfall, however, is that if a user deletes the RDS, all the automatic snapshots will be removed as well.

Amazon cloud engineers had the foresight to create an API-first strategy, which allows security vendors to complement the base infrastructure as a service offering. Vendors can provide comprehensive network security management to help deploy and secure security groups.

Log management is also important when implementing AWS security best practices. Popular tools, such as Splunk, automatically aggregate log data and run intelligent analysis. Evident.io and CloudCheckr also enhance visibility into a deployment; both options offer third-party alternatives to Amazon Inspector and Trusted Advisor tools. Additional third-party DR and backup tools can be found in the AWS Marketplace.

Other AWS security best practices include using cross-region backup for workloads and deploying a bastion server on the network perimeter in order to help detect threats.

—Ofir Nachmani


NEW FEATURES

New Features Boost AWS Security

Amazon has made incremental improvements to AWS security features in Lambda and the Relational Database Service, ones that will significantly affect how AWS environments can be locked down.

AWS users say these additions, and other ongoing updates, will make AWS a more secure place to operate. Features include the ability to encrypt Elastic Block Store boot volumes as well as changes and improvements to the AWS Key Management System (KMS), which give customers greater control over encryption keys.

“They’re starting to really catch up and give people the controls they need,” said Erik Peterson, director of technology strategy in the office of the CTO at Veracode, makers of a cloud-based Web application risk assessment service that runs on AWS.

“Before this, if you wanted to use AWS, and you were concerned about data privacy, it was really complex,” Peterson said. “You would have to manage all the keys yourself, come up with some kind of customized solution that you developed, or try to purchase something, which may or may not work with your use case.”

The latest changes include new support for encrypting shared snapshots in the Relational Database Service (RDS), the ability to encrypt existing databases within RDS, support for Lambda to access resources behind a Virtual Private Cloud (VPC), and the addition of custom authentication to API Gateway through Lambda functions.

LAMBDA VPC SUPPORT EMERGES

Peterson was particularly interested in the ability for AWS Lambda to access resources that live in VPCs. “No doubt [not having] that was slowing down adoption,” he said.

Lambda VPC support became available in early 2016.


“Lack of VPC support has prevented us from fully committing to Lambda’s use,” said Kevin Felichko, CTO of PropertyRoom.com, an online auction company based in Frederick, Md. The most important resources for Lambda to access in PropertyRoom’s environment are non-RDS database servers; this new addition will let the company move more scheduled tasks to Lambda.

“It also helps us implement new microservices via a Lambda and API Gateway combination without having to swap our data store or implement some other workaround,” Felichko said.

This addition also puts the puzzle pieces in place to take advantage of the fact that API Gateway recently added custom functions for authentication via Lambda.

“The two of those together means that you can do things like using Memcached or RDS resources for authentication,” said Chris Moyer, vice president of technology with ACI Information Group, a Web content aggregator based in New York, and a TechTarget contributor. “It’s pretty slick what they’re doing lately.”

The custom authorizer has a maximum cache of one hour, but allowing access to Memcached lets users easily increase this and store other session-based information in Memcached, which Moyer said is still the de facto standard for session-based authentication.

“This brings the ability to do traditional Memcached-style authentication that people are used to,” Moyer said. “Also, if you’re storing user information in RDS, as many people still do, it makes sense to be able to query that to check a user’s credentials.”

Technically it’s better to do session-based authentication in something like DynamoDB, but this allows a sort of bridge to interact with legacy systems, Moyer said.

Amazon also enhanced AWS security with new encryption options for RDS, including the ability to encrypt shared snapshots—an item prominent on users’ wish lists when RDS shared snapshots first became available late in 2015. Additionally, users for the first time have the ability to add encryption to an existing RDS database.

“Adding encrypted snapshots is a great security feature enhancement,” said Adam Book, principal engineer and senior cloud architect for Relus Technologies, a cloud consulting firm.

Customers must be aware, however, that KMS keys work in only one region, Book added. “There are many use cases where snapshots are being used to rehydrate databases in a secondary region.” In that scenario, he said, “If the snapshot is encrypted with KMS, then it will have issues being unencrypted.”

AWS users should take advantage of other security features when sharing snapshots to ensure the correct person receives them, advised Edward Haletky, CEO of the Virtualization Practice in Austin, Texas.

“This is where two-factor authentication is an absolute necessity, if you’re doing RDS snapshot sharing, because you don’t want the wrong person to have it,” he said.

AWS security features such as AWS CloudTrail can also be used to report on whether the right workflows have been followed in accessing the shared snapshot. Users interested in RDS snapshot sharing can also follow instructions in the AWS documentation to revoke access to a shared snapshot if a business partnership or the employment of the recipient ends. This is done by removing the person from the access policy on the snapshot or the key.

Still, Haletky would like to see this taken a step further, so that a change in an HR or accounting management application that accesses the data or shared snapshots automatically revokes access when the change is made.

“Providing the technology is one thing,” he said. “Providing the workflow processes around it is another.”

This can be done, theoretically, through configuration management and scripting tools such as Puppet or Chef, but Haletky wonders: “Is it tied in to enough places that people will use it?” —Beth Pariseau

ABOUT THE AUTHORS

OFIR NACHMANI is a business technology advisor, blogger and lecturer with extensive experience in business technology. His IamOnDemand.com blog is the go-to guide for modern technology startups and cloud developers.

BETH PARISEAU is senior news writer for SearchAWS. Write to her at [email protected] or follow her on Twitter: @PariseauTT.

DAN SULLIVAN is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence across a broad range of industries.

Ensure You’re Secure is a SearchAWS.com e-publication.

Margie Semilof | Editorial Director

Phil Sweeney | Senior Managing Editor

Dan Cagen | Associate Features Editor

Linda Koury | Director of Online Design

Rebecca Kitchens | Publisher [email protected]

TechTarget 275 Grove Street, Newton, MA 02466

www.techtarget.com

© 2016 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.
