5 building blocks of security and governance on AWS Cloud
by Hussain Saify
Successful cloud migration involves understanding the responsibilities shared between an organization and its cloud service provider. With the alarming rise in data breaches and cybersecurity threats, the need to adopt and implement security and governance is one of the key considerations for enterprises journeying to the cloud.
Due to its high scalability, reliability, and robust infrastructure, the Amazon Web Services (AWS) Cloud is a popular choice for enterprises. As the top cloud provider, AWS witnessed a market share of 33% and a growth rate of 37% in FY 2019. AWS offers customers a wide choice of storage, access, and security options, together with controls for authorized access and data protection, and training support.
This blog takes a close look at the five essential building blocks of security and governance on AWS:
- Identity and access management
- Continuous monitoring and logging
- Data security and encryption
- Network and edge security
- Auditing and compliance
Identity and access management
The first security requirement for any enterprise moving to the cloud is to govern which resources can be accessed, by whom, and how. AWS provides a range of services for managing users and the permissions they hold. Here’s a glimpse:
| Service | Purpose |
| --- | --- |
| AWS Identity and Access Management (IAM) | Manage identities and fine-grained permissions to resources and services |
| AWS Organizations | Multi-account management |
| AWS Single Sign-On (SSO) | Centrally manage SSO access to multiple accounts |
| Amazon Cognito | Manage identities and user pools for web and mobile apps |
| AWS Directory Service | Enable directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud |
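To make the IAM decision order concrete, here is an added example (written for this post, not code from AWS or from Impetus) that evaluates a request against a small identity policy the way IAM does: any matching explicit Deny wins, otherwise a matching Allow grants access, otherwise the request is implicitly denied. The policy, bucket name, and request ARNs are constructed for illustration; conditions, permission boundaries, service control policies, and resource-based policies are out of scope here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Statement carries the three parts of an IAM policy statement used here.
// Condition, Principal, NotAction and NotResource are left out of this
// illustration, as are SCPs, permission boundaries and resource policies.
type Statement struct {
	Effect   string   // "Allow" or "Deny"
	Action   []string // e.g. "s3:GetObject", "s3:*"
	Resource []string // ARNs; '*' and '?' wildcards permitted
}

// wildcardMatch implements IAM-style matching: '*' matches any run of
// characters and '?' exactly one. Unlike shell globbing, '[' has no
// special meaning, so the pattern is compiled into an anchored regexp.
func wildcardMatch(pattern, value string, foldCase bool) bool {
	var sb strings.Builder
	if foldCase {
		sb.WriteString("(?i)")
	}
	sb.WriteString("^")
	for _, r := range pattern {
		switch r {
		case '*':
			sb.WriteString(".*")
		case '?':
			sb.WriteString(".")
		default:
			sb.WriteString(regexp.QuoteMeta(string(r)))
		}
	}
	sb.WriteString("$")
	return regexp.MustCompile(sb.String()).MatchString(value)
}

// statementMatches reports whether a statement applies to the request:
// at least one Action pattern and one Resource pattern must match.
func statementMatches(s Statement, action, resource string) bool {
	actionHit := false
	for _, a := range s.Action {
		if wildcardMatch(a, action, true) { // action names are case-insensitive
			actionHit = true
			break
		}
	}
	if !actionHit {
		return false
	}
	for _, r := range s.Resource {
		if wildcardMatch(r, resource, false) { // ARNs are case-sensitive
			return true
		}
	}
	return false
}

// Evaluate applies the identity-policy decision order: an explicit Deny in
// any matching statement wins; otherwise any matching Allow grants access;
// otherwise the request is implicitly denied.
func Evaluate(policy []Statement, action, resource string) (allowed bool, reason string) {
	anyAllow := false
	for _, s := range policy {
		if !statementMatches(s, action, resource) {
			continue
		}
		if strings.EqualFold(s.Effect, "Deny") {
			return false, "explicit deny"
		}
		if strings.EqualFold(s.Effect, "Allow") {
			anyAllow = true
		}
	}
	if anyAllow {
		return true, "allow"
	}
	return false, "implicit deny"
}

// samplePolicy is constructed for this example: read access to a log
// bucket, minus a prefix that holds sensitive material.
var samplePolicy = []Statement{
	{Effect: "Allow", Action: []string{"s3:GetObject", "s3:ListBucket"},
		Resource: []string{"arn:aws:s3:::corp-logs", "arn:aws:s3:::corp-logs/*"}},
	{Effect: "Deny", Action: []string{"s3:*"},
		Resource: []string{"arn:aws:s3:::corp-logs/secret/*"}},
}

func main() {
	requests := []struct{ action, resource string }{
		{"s3:GetObject", "arn:aws:s3:::corp-logs/2019/app.log"},
		{"s3:getobject", "arn:aws:s3:::corp-logs/secret/keys.txt"},
		{"s3:PutObject", "arn:aws:s3:::corp-logs/2019/app.log"},
	}
	for _, q := range requests {
		ok, why := Evaluate(samplePolicy, q.action, q.resource)
		fmt.Printf("%-13s %-45s allowed=%-5v (%s)\n", q.action, q.resource, ok, why)
	}
}
```

Run it and the third request, s3:PutObject, is refused without any statement naming it. That implicit deny is the reason least privilege on AWS starts from an empty policy and adds only what a workload needs, while an explicit Deny is the tool for carving exceptions out of a broad Allow.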
Continuous monitoring and logging
Logging and monitoring collect the telemetry (logs, metrics, and configuration state) needed to measure the health of infrastructure and applications and to detect misconfiguration and attacks. Building and operating such a pipeline from scratch takes considerable effort. AWS provides a set of managed services that together cover everything deployed on the cloud, from infrastructure to applications.
| Service | Purpose |
| --- | --- |
| Amazon CloudWatch | Centralized collection of logs from disparate sources; tracking of metrics; alarms that notify when a metric crosses a threshold or deviates from its baseline |
| Amazon Elasticsearch Service | Centralized log storage, search, and analysis |
| AWS Config | Resource configuration snapshots, change history, and compliance evaluation against rules |
| Amazon Inspector | Automated vulnerability and best-practice assessment of workloads |
| Amazon GuardDuty | Threat detection based on CloudTrail events, VPC Flow Logs, and DNS query logs |
Data security and encryption
Encryption transforms readable data into ciphertext using an algorithm and a key. The algorithm is public, so the secrecy of the data rests entirely on the secrecy and integrity of the key. Enterprises therefore need a key management system that keeps keys secret, durable, and highly available, and that records every use of them; building and operating such a system in-house is cumbersome and easy to get wrong. To manage keys and encryption without that burden, AWS offers the Key Management Service (KMS), which is deeply integrated with its other services.
| Service | Purpose |
| --- | --- |
| AWS Key Management Service (KMS) | Create and control encryption keys; key material never leaves the service unencrypted, and every use is logged to CloudTrail |
| AWS CloudHSM | Dedicated, single-tenant hardware security modules under the customer's exclusive control |
| AWS Certificate Manager (ACM) | Provision, deploy, and renew TLS certificates |
| AWS Secrets Manager | Store, retrieve, and rotate secrets such as database credentials and API keys |
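The following added example (not AWS or Impetus code) shows the envelope-encryption pattern that KMS and its service integrations are built around, in Go with AES-256-GCM from the standard library: a fresh data key per object, the object sealed under that key, and the data key wrapped under a master key. The in-memory master key stands in for a KMS key, which in practice never leaves the service. The encryption context, an analogue of the KMS EncryptionContext, is bound into both ciphertexts as authenticated data, so decrypting with a different context fails. Tenant names and the payload are made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is what is stored beside the object. Each AES-GCM blob is nonce || ciphertext || tag.
// The encryption context is deliberately not stored: as with KMS, the caller must present it again.
type Envelope struct {
	WrappedKey []byte // data key sealed under the master key
	Ciphertext []byte // payload sealed under the data key
}

// randomBytes draws n bytes from the OS CSPRNG; a failure here is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// contextAAD serialises the context deterministically (encoding/json sorts map keys)
// so it can be bound into the GCM tag as additional authenticated data, like a KMS EncryptionContext.
func contextAAD(ctx map[string]string) []byte {
	b, _ := json.Marshal(ctx)
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Encrypt performs envelope encryption: a fresh 256-bit data key per object, the payload sealed
// under it, and the data key sealed under the master key. With KMS only the wrap/unwrap step reaches the service.
func Encrypt(masterKey, plaintext []byte, ctx map[string]string) (*Envelope, error) {
	dataKey := randomBytes(32)
	ct, err := gcmSeal(dataKey, plaintext, contextAAD(ctx))
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(masterKey, dataKey, contextAAD(ctx))
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // drop the plaintext data key once it is wrapped
		dataKey[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key, then opens the payload; a wrong key, wrong context or any tampering fails the tag check.
func Decrypt(masterKey []byte, env *Envelope, ctx map[string]string) ([]byte, error) {
	dataKey, err := gcmOpen(masterKey, env.WrappedKey, contextAAD(ctx))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dataKey, env.Ciphertext, contextAAD(ctx))
}

func main() {
	masterKey := randomBytes(32) // stands in for the KMS key, which never leaves the service
	ctx := map[string]string{"tenant": "acme", "purpose": "payroll"}
	env, err := Encrypt(masterKey, []byte("Q3 salary table"), ctx)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(masterKey, env, ctx)
	fmt.Printf("recovered %q, err=%v\n", pt, err)
}
```

The design point is the split of roles: the master key is used only to wrap small data keys, so it can live in an HSM-backed service and be rotated or revoked independently, while bulk data is encrypted locally. Binding a context into the authenticated data means a ciphertext stolen from one tenant's storage cannot be presented for decryption under another tenant's context, even by a caller who is otherwise authorised to use the key.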
Network and edge security
Network and edge security involve controlling how a request flows through different components, and who can send requests to resources. This is vital to a healthy infrastructure, as it helps prevent unauthorized access and network-borne attacks such as denial-of-service and the exploitation of web application flaws. AWS provides various services to help users build a secure networking infrastructure.
| Service | Purpose |
| --- | --- |
| Amazon VPC | Provision and manage an isolated private network, with subnets, route tables, security groups, and network ACLs controlling traffic |
| AWS Direct Connect | Dedicated private connection from on-premises data centers to AWS, for hybrid cloud deployments |
| AWS WAF | Web application firewall: rules that block common attack patterns such as SQL injection or cross-site scripting, plus rules that filter out traffic patterns defined by the user |
| AWS Shield | Protection against distributed denial-of-service attacks |
Auditing, governance and compliance
A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines; its report evaluates the strength and thoroughness of compliance preparations, security policies, user access controls, and risk management procedures. This matters because customers migrating to the cloud have many apprehensions about demonstrating adherence to those guidelines. AWS provides a range of services for auditing, assessing the compliance of resources, and producing reports.
| Service | Purpose |
| --- | --- |
| AWS CloudTrail | Record API calls made to AWS services, whether through the console, command line, or SDKs, as searchable event logs |
| AWS IAM | Credential reports and access advisor data showing who holds which credentials and which services they actually use |
| AWS Systems Manager (SSM) | Automate management tasks such as collecting system inventory, applying operating system patches, automating the creation of Amazon Machine Images (AMIs), and configuring operating systems and applications at scale |
| AWS Config | Take snapshots of resource configuration and evaluate resources against compliance rules |
| AWS Trusted Advisor | Recommendations to optimize the AWS environment for cost, performance, security, fault tolerance, and service limits |
| Amazon Inspector | Automatically assess applications for exposure, vulnerabilities, and deviation from best practices |
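The alarms mentioned under continuous monitoring and the API records CloudTrail produces come together in detection logic. This added example (not AWS or Impetus code) parses a small constructed CloudTrail file and applies four checks that mirror widely deployed CloudWatch alarms: root credential use, console sign-in without MFA, repeated failed sign-ins from one address, and calls that stop or alter the trail. The records, account ID, user names, and addresses are made up for the example; the field names follow the CloudTrail event layout.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Record holds only the CloudTrail fields these rules consult; the decoder ignores the rest.
type Record struct {
	EventTime    string `json:"eventTime"`
	EventName    string `json:"eventName"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		Type      string `json:"type"`
		ARN       string `json:"arn"`
		InvokedBy string `json:"invokedBy"`
	} `json:"userIdentity"`
	ResponseElements    map[string]interface{} `json:"responseElements"`
	AdditionalEventData map[string]interface{} `json:"additionalEventData"`
}

type Finding struct{ Rule, Detail string }

// ParseRecords decodes a CloudTrail log file, which wraps events as {"Records": [...]}.
func ParseRecords(data []byte) ([]Record, error) {
	var file struct {
		Records []Record `json:"Records"`
	}
	if err := json.Unmarshal(data, &file); err != nil {
		return nil, err
	}
	return file.Records, nil
}

func field(m map[string]interface{}, key string) string {
	s, _ := m[key].(string)
	return s
}

// Analyze runs four detections modelled on common CloudTrail alarms. Root use is flagged only
// when no service acted on root's behalf (invokedBy empty), as in the CIS Benchmark metric filter.
func Analyze(records []Record, failThreshold int) []Finding {
	var out []Finding
	failures := map[string]int{}
	for _, r := range records {
		if r.UserIdentity.Type == "Root" && r.UserIdentity.InvokedBy == "" {
			out = append(out, Finding{"root-activity", fmt.Sprintf("%s %s from %s", r.EventTime, r.EventName, r.SourceIP)})
		}
		if r.EventName == "ConsoleLogin" {
			switch field(r.ResponseElements, "ConsoleLogin") {
			case "Success":
				if field(r.AdditionalEventData, "MFAUsed") == "No" {
					out = append(out, Finding{"console-login-no-mfa", r.UserIdentity.ARN})
				}
			case "Failure":
				failures[r.SourceIP]++
			}
		}
		switch r.EventName {
		case "StopLogging", "DeleteTrail", "UpdateTrail":
			out = append(out, Finding{"cloudtrail-tamper", fmt.Sprintf("%s by %s", r.EventName, r.UserIdentity.ARN)})
		}
	}
	ips := make([]string, 0, len(failures))
	for ip := range failures {
		ips = append(ips, ip)
	}
	sort.Strings(ips) // deterministic output order
	for _, ip := range ips {
		if failures[ip] >= failThreshold {
			out = append(out, Finding{"console-login-failures", fmt.Sprintf("%d failures from %s", failures[ip], ip)})
		}
	}
	return out
}

// sampleLog is constructed for this example in CloudTrail's record layout; it is not a real trail.
const sampleLog = `{"Records":[
{"eventTime":"2019-11-04T08:01:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.4","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"}},
{"eventTime":"2019-11-04T08:02:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.5","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}},
{"eventTime":"2019-11-04T08:03:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.6","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}},
{"eventTime":"2019-11-04T08:04:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/carol"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"},
{"eventTime":"2019-11-04T08:04:10Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/carol"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"},
{"eventTime":"2019-11-04T08:04:20Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/carol"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"},
{"eventTime":"2019-11-04T08:05:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/Admin/dave"}}
]}`

func main() {
	records, err := ParseRecords([]byte(sampleLog))
	if err != nil {
		panic(err)
	}
	for _, f := range Analyze(records, 3) {
		fmt.Printf("%-24s %s\n", f.Rule, f.Detail)
	}
}
```

In production the same rules would run as CloudWatch Logs metric filters over the CloudTrail log group with alarms attached, or surface as GuardDuty findings for the root and failed-login cases. Expressing them in code has one advantage worth keeping even then: the rules can be run against sample records, as here, before they are trusted to page anyone.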
A deep understanding of the major building blocks of security and governance enables organizations to tap the benefits of the cloud successfully. In addition, adopting an automated approach to various components of security and governance can help avoid risks like security lapses, high maintenance costs, and idle resources. While planning to build a cloud infrastructure, it is equally essential to understand the architectural best practices, as these help to create a highly available, robust, secure, and cost efficient ecosystem.
Over the last two decades, Impetus has helped several Fortune 100 enterprises successfully move their data-driven businesses to AWS and other cloud platforms. Leveraging deep domain expertise and a robust cloud governance framework, Impetus can help you address the nuances of IT governance on the cloud, in line with your organization’s goals.