This post is supported by Penta Security.
“Security is job zero at AWS,” said Jonathan Rault to a packed room of security professionals. The security, risk and compliance practice lead for Amazon Web Services (AWS) was invited to share his insights about cloud security at the AISP (Association of Information Security Professionals). This event was free for members, though non-members like myself paid a small fee to attend.
The secure AWS cloud
Rault started with an overview of the AWS cloud for those not already familiar with it. With more than 90 services today, he observed that AWS is actively used by large organizations including Singapore Post and DBS Bank – the latter had publicly shared its plans to eventually move 80% of its compute to the cloud.
He debunks the common notion that security is poorer in the cloud. “Security is job zero”, he says, pointing to how every facet of security is amplified and deployed on a larger scale in the cloud. With literally millions of users on its cloud platform, security is an overriding consideration that AWS puts substantial resources and thought into, he explains.
Rault also touched briefly on the tight security practiced in AWS data centers, pointing to the practice of physically shredding failed storage drives to protect data confidentiality. You can read more about the multi-layer security in an AWS data center in this report I wrote of a session by Jerry Hunter, vice president of infrastructure, at the 2015 AWS re:Invent conference in Las Vegas.
AWS for the enterprise
This fanatical attitude towards security is amply evidenced by how the AWS team manages its software subsystems. AWS adopts a shared responsibility model, says Rault, with administrators given the same privilege. Crucially, access to the control plane that undergirds the AWS cloud must be renewed manually by managers every 90 days – or it is automatically revoked.
IT professionals who have ever overlooked revoking the credentials of former colleagues will appreciate the utility of enforced account renewal. Rault also notes that the AWS cloud is accredited to comply with up to 50 different standards, including the likes of PCI DSS (Payment Card Industry Data Security Standard) and ISO 27001.
The Monetary Authority of Singapore (MAS) also has no objections to financial firms using the cloud, Rault noted, citing new guidelines it issued last year for cloud service providers (CSPs). Indeed, financial institutions don’t even need to pre-notify MAS when they use the cloud, he notes, though they must be prepared to demonstrate due diligence upon request.
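To make the enforced-renewal idea concrete, here is a small added example of my own (not code from the talk or from AWS) that applies a fixed 90-day window to a list of access-key records and says which keys a renewal policy would revoke, warn about, or leave alone. The records use the field names found in IAM access-key metadata (UserName, AccessKeyId, Status, CreateDate); the records themselves, the key ids and the 14-day warning lead time are constructed for the example.

```python
# Added example: classify access keys against a fixed renewal window, in the
# spirit of the enforced 90-day renewal described in the talk.  Sample records
# below are constructed; the key ids are placeholders, not real credentials.
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90   # renewal window from the talk
WARN_DAYS = 14      # assumption: warn this many days before the window closes


def key_age_days(key, now):
    """Whole days since the key was created (CreateDate is timezone-aware)."""
    return (now - key["CreateDate"]).days


def next_renewal_deadline(key, max_age_days=MAX_AGE_DAYS):
    """The instant at which an unrenewed key would be revoked."""
    return key["CreateDate"] + timedelta(days=max_age_days)


def classify_keys(keys, now, max_age_days=MAX_AGE_DAYS, warn_days=WARN_DAYS):
    """Group key ids by the action an enforced-renewal policy would take.

    Keys that are already inactive are reported separately so an operator can
    see stale-but-harmless keys without them cluttering the revoke list.
    """
    result = {"revoke": [], "warn": [], "ok": [], "inactive": []}
    for key in keys:
        if key["Status"] != "Active":
            result["inactive"].append(key["AccessKeyId"])
            continue
        age = key_age_days(key, now)
        if age >= max_age_days:
            result["revoke"].append(key["AccessKeyId"])      # window expired
        elif age >= max_age_days - warn_days:
            result["warn"].append(key["AccessKeyId"])        # expiring soon
        else:
            result["ok"].append(key["AccessKeyId"])
    return result


# Constructed sample data: a snapshot taken on 1 Sept 2017.
SAMPLE_NOW = datetime(2017, 9, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIA-PLACEHOLDER-ALICE", "Status": "Active",
     "CreateDate": datetime(2017, 8, 20, tzinfo=timezone.utc)},   # 12 days old
    {"UserName": "bob", "AccessKeyId": "AKIA-PLACEHOLDER-BOB", "Status": "Active",
     "CreateDate": datetime(2017, 5, 1, tzinfo=timezone.utc)},    # 123 days old
    {"UserName": "carol", "AccessKeyId": "AKIA-PLACEHOLDER-CAROL", "Status": "Active",
     "CreateDate": datetime(2017, 6, 10, tzinfo=timezone.utc)},   # 83 days old
    {"UserName": "dave", "AccessKeyId": "AKIA-PLACEHOLDER-DAVE", "Status": "Inactive",
     "CreateDate": datetime(2017, 1, 1, tzinfo=timezone.utc)},    # already disabled
]

if __name__ == "__main__":
    for action, ids in classify_keys(SAMPLE_KEYS, SAMPLE_NOW).items():
        print(f"{action:8s} {ids}")
    for key in SAMPLE_KEYS:
        print(key["UserName"], "deadline", next_renewal_deadline(key).date())
```

In practice the records would come from an inventory of your own accounts rather than a literal list, and the "revoke" bucket would feed a ticket or an automated disable step; the point of the example is that the 90-day rule is a simple date comparison, which is exactly why it can be enforced mechanically instead of relying on someone remembering to clean up.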
Cloud for better security
The ability to manage infrastructure from a web browser is superior to having to roll up one’s sleeves to physically set up racks of equipment at a data center, says Rault. Instead of having to unplug cables to see which servers are connected to which, the same information can be readily accessed through a graphical user interface (GUI), he said.
Similarly, non-compliant cloud resources can be quickly identified through the same interface, and new instances can be spun up using predefined rules to ensure compliance from the get-go. And because AWS will not move data across regions unless explicitly configured to do so, data stays in the same region – great for addressing data sovereignty concerns.
There is also a range of other mechanisms to ensure security. For instance, the software-defined network that powers the AWS cloud offers an iron-clad way to segment the network based on IP subnets. Spoofing won’t work, and there are no physical SPAN ports for surreptitious logging or monitoring of network traffic. Hint: Any IDS or IPS resources will need to be deployed inline, where they will be visible to all administrators.
Tips for a secure deployment in the cloud
So how can organizations ratchet up the security on their cloud deployments? Rault has a few ready recommendations to make. Good security boils down to how quickly one can react and respond to an incident or situation, observes Rault, who suggests using a cloud service to continuously monitor and automatically block web attacks.
His suggestions include: redesigning cloud infrastructure as objectives change, deploying just enough infrastructure for an application, and patching within hours of a new security update. Moreover, enterprises will do well to offer continuous assurance that compute environments are not vulnerable by monitoring for drift, and to explore features like DBMS engine encryption. Finally, Rault suggests using a key management system to protect and back up encryption keys.
There is a lot more to cloud security than the brief introduction by Rault can address. However, the presentation likely broke down many of the participants’ preconceived notions of the cloud, and showed how it can be leveraged for a more secure deployment.
If you are looking to learn more about IT security, be sure to check out the upcoming Singapore International Cyber Week that will be held from 18 to 21 September 2017. It is anchored by the GovernmentWare (GovWare) conference, which attracts practitioners to network, discuss and collaborate on all things cybersecurity. Penta Security Systems will be there as an exhibitor, so do check them out.