The move to cloud by business is nothing new and seems to be an inevitability. A recent survey of I.T. professionals showed 94 percent use cloud, and public cloud (Amazon Web Services, Microsoft Azure) adoption is 91 percent. Two things the recent pandemic has accelerated are:
Maybe you are an IT professional charged with maintaining an AWS environment. Maybe you are a marketing professional in charge of maintaining your customer-facing website that is hosted on AWS. Some of the following content is technical, but it is meant to be an approachable road map for what to do to ensure you are properly securing your data in AWS. If you work in the IT sector this should all be familiar, and you will know what to do with these steps. If you are in Marketing or the business side, you can take this roadmap to your IT team and make sure these steps are being followed.
Start with a data flow and a data inventory. Talk to your stakeholders and map out all of the data elements you store and where you store them. Then rate each element based on:
Click here for an example data risk matrix
For example, take social security numbers (SSNs). If you only store a user SSN in a few select cases, the likelihood of a breach is low. However, if this data point were to be compromised, the impact on your company’s reputation may be unacceptable.
For some more help in identifying sensitive data and the impact of a disclosure, here is a nice guide.
By the end of this exercise you may find that risk avoidance, in some cases, may be the best course of action. For example, in our SSN example, you may decide you don’t need to store this data element after all, and so avoid the risk entirely.
Once you have your data inventory - which is a snapshot of all your data elements - you need to create a data flow. In other words, determine where your data is stored and how it is processed and used in your systems. If you use AWS, a data flow analysis could be realized through an assessment of:
[check back for an example data flow diagram]
CIS BENCHMARKS
We never want to reinvent the wheel, so start with existing security benchmarks or frameworks and tailor them to your needs. In this case, start with the CIS Benchmarks for AWS and focus first on the areas of your data flow that relate to the data elements you’ve bubbled up as high likelihood/high impact. Once you have a plan for securing those high-value data elements, then circle back to the lesser ones.
The CIS AWS benchmarks are separated into the following areas:
Start off by paying close attention to the first benchmark area, AWS IAM, which provides prescriptive guidance on password policies, Multi-Factor Authentication (MFA), and deleting your root account access keys. Spend time analyzing your AWS user base, ensuring roles and policies are appropriate and follow the principle of least privilege. In a recent post regarding securing AWS, we outline some steps to make sure your AWS IAM policy is up to par.
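As an added example (not code from this post), the following offline checker evaluates the two IAM artifacts the CIS benchmark cares most about: the account password policy (the `PasswordPolicy` dict that `iam.get_account_password_policy()` returns) and the credential report CSV (the `Content` of `iam.get_credential_report()`), flagging root access keys, missing MFA and weak password settings. The CIS thresholds are recalled from the v1.2 benchmark and should be confirmed against the revision you adopt; the sample policy and report are constructed.

```python
"""Offline check of an IAM password policy and credential report against the CIS
AWS Foundations Benchmark IAM controls (added example; thresholds recalled from
CIS v1.2, confirm them against the benchmark revision you adopt)."""
import csv
import io

# (policy key, requirement, expectation) -- assumed CIS v1.2 values
CIS_POLICY = [
    ("MinimumPasswordLength", lambda v: v >= 14, ">= 14"),
    ("RequireUppercaseCharacters", lambda v: v is True, "true"),
    ("RequireLowercaseCharacters", lambda v: v is True, "true"),
    ("RequireSymbols", lambda v: v is True, "true"),
    ("RequireNumbers", lambda v: v is True, "true"),
    ("PasswordReusePrevention", lambda v: v >= 24, ">= 24"),
    ("MaxPasswordAge", lambda v: 0 < v <= 90, "<= 90 days"),
]

def check_password_policy(policy):
    """One finding per deviation in a 'PasswordPolicy' dict; an absent key (never set) also counts."""
    findings = []
    for key, ok, expect in CIS_POLICY:
        value = policy.get(key)
        if value is None or not ok(value):
            findings.append(f"password policy: {key}={value!r}, CIS expects {expect}")
    return findings

def check_credential_report(report_csv):
    """Flag root access keys, root without MFA, and console users without MFA in the report CSV."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append("root: access key active, delete it")
            if row["mfa_active"] != "true":
                findings.append("root: MFA not enabled")
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password without MFA")
    return findings

# Constructed sample inputs (fictitious account); the report keeps only the columns used above.
SAMPLE_POLICY = {"MinimumPasswordLength": 8, "PasswordReusePrevention": 5, "RequireSymbols": True,
                 "RequireNumbers": True, "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True}
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,true,false
bob,arn:aws:iam::111122223333:user/bob,true,false,false,false
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,false,true,false
"""
```

Against the constructed inputs this reports the short password length, the weak reuse setting, the missing password expiry, the active root access key, root without MFA, and bob's console password without MFA; svc-deploy is an access-key-only user and is correctly left alone by the MFA check.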
WEB APPLICATIONS
Conduct an analysis and security assessment of your critical web applications. Submit them to vulnerability testing that can assess them against industry standards. For example, analysis against the OWASP Top-10 web application vulnerabilities is highly recommended. Check out our earlier blog post on securing your website.
ENCRYPTION
Make wise use of encryption: a robust use of encryption is table stakes for cloud deployments. Use this abbreviated checklist to make sure your data is safe from theft:
It’s easy, but AWS controls the keys. If you’re not okay with that, then a solution such as StrongKey or Vault could be a better choice.
AWS makes it easy to enable encryption for data at rest. Make sure it’s enabled. There’s no reason to leave data unencrypted in S3 buckets, RDS and Aurora databases, or EC2 EBS volumes.
If you’re using CloudFront, you’ll need certificates to set up HTTPS connections. Use the AWS Certificate Manager to create them and configure your databases to accept secure connections.
AWS has no shortage of logging options. Make sure you’ve configured the following logging services to greatest effect.
AWS has published a Centralized Logging Implementation Guide. Check it out to get the most out of your monitoring capabilities.
Once you have implemented your benchmarks and system and application security controls, you will need to remain constantly vigilant; after all, we are not carving granite. Security is an ongoing battle and just like anything else in IT it requires ongoing assessment, learning, and training to stay up to date with the latest tools, threats, and mitigations.
Cloud Security Alliance - training and education