How to Strengthen Cloud Security
The rush to exploit Cloud advantages of speed and high velocity must be carefully balanced with thoughtful security. Given that attacks are increasingly more sophisticated and vicious, this has become even more pertinent. Often despite the best precautions someone, somewhere makes a mistake and hackers make the most of it. Automation—one of the hallmarks of Cloud deployments—raises the bar for security providing inherent capabilities to protect and mitigate risks. Cloud enhances the security posture with tools and capabilities that embed security into the DNA of deployments by automating permissions, tracking usage and continuously monitoring deployments. Umbrella has implemented more than 200 deployments in AWS Cloud using secure design architectures and best practices. Based on our experience here are the top three recommendations to strengthen security.
Identity and Access Management
IAM enables to manage secure access to resources by controlling authentication (sign-in) and authorization (permissions) to resources. AWS IAM allows to prevent or remove root use and manage users by allowing or denying permissions based on roles or federated users. You can use AWS managed policies to assign permissions; create groups related to job functions and define or change permissions for each group for
easy manageability; grant least privilege to users and enable multi-factor authentication (MFA) for privileged IAM users.
Protecting data at rest and in transit with encryption helps minimize risks even if there is a breach. AWS data storage services including S3, EBS volumes and database such as RDS, DynamoDB, ElasticCache for Redis inherently support encryption. Data in EC2 can be encrypted using disk encryption or file system level encryption. You can encrypt and decrypt CLI and take advantage of advanced data protection built into AWS Encryption SDK,
including envelope encryption and strong algorithm suites. Default encryption capabilities in S3 encrypts objects using server-side encryption with either S3-managed keys (SSE-S3) or KMS-managed keys (SSE-KMS). When you use server- side encryption, S3 encrypts object before saving and decrypts when you download. AWS networking and delivery services such as load balancer and CloudFront inherently support SSL certificates for secure transmission of data in transit.
Continuous Monitoring and Logging
Continuous monitoring and logging help achieve continuous compliance by codifying infrastructure, monitoring logs and setting alerts in case of breach. AWS Config continuously monitors and records AWS resource configurations and allows automatic evaluation for compliance auditing and troubleshooting. AWS CloudTrail increases visibility into user and resource activity by recording AWS Management Console actions and all API calls. Close and continuous monitoring can be further strengthened by configuring AWS Lambda to send notifications in case of non-compliance and initiate auto- remediation including denying access and auto-correction of specific conditions.
Umbrella has helped organizations achieve PCI DSS compliance using secure frameworks and above methodologies. If you want to know more about securing organization data in the Cloud, reach out to us.