5 building blocks of security and governance on AWS Cloud

Successful cloud migration involves understanding the responsibilities shared between an organization and its cloud service provider. With the alarming rise in data breaches and cybersecurity threats, the need to adopt and implement security and governance is one of the key considerations for enterprises journeying to the cloud.

Due to its high scalability, reliability, and robust infrastructure, the Amazon Web Services (AWS) Cloud is a popular choice for enterprises. As the top cloud provider, AWS held a 33% market share and a 37% growth rate in FY 2019. AWS offers customers a wide choice of storage, access, and security options, along with authorized access, data protection, and training support.

This blog takes a close look at the five essential building blocks of security and governance on AWS:

  1. Identity and access management
  2. Continuous monitoring and logging
  3. Network and edge security
  4. Data security and encryption
  5. Auditing and compliance

Identity and access management

DevOps engineers manage the development, testing, and operationalization of data platforms by monitoring network stability, availability, and other key metrics. Some of the common challenges faced by DevOps teams include managing multiple libraries and versions of code, factoring in adequate deployment parameters to avoid application failure, and customizing scripts in a short timespan to ensure optimal performance.

The essential security requirement for any enterprise moving to the cloud is to govern which resources can be accessed, who can access them, and how. AWS provides a wide range of services for managing users and their access permissions. Here’s a glimpse:

| Service | Use case |
| --- | --- |
| AWS Identity and Access Management (IAM) | Manage identities and access to resources and services |
| AWS Organizations | Multi-account management and consolidated billing |
| AWS Single Sign-On (SSO) | Centrally manage SSO access to multiple accounts |
| AWS Cognito | Manage identities and user pools for web and mobile apps |
| AWS Directory Service | Enable directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud |
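Governing "which resources, who, and how" comes down to the IAM policy documents attached to users and roles. The following is an added example, not code from the original post or from AWS: it lints a policy for wildcard grants and performs a simplified allow/deny evaluation. The policies, bucket name and account ID are constructed sample values.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies (not from the original post). SCOPED limits a role to
# read access on one bucket and explicitly denies its private/ prefix; OVERBROAD
# shows the wildcard grants a reviewer should flag.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/private/*"}]})
OVERBROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]})

def _as_list(value):
    # IAM accepts either a single string or a list in Action/Resource.
    return [] if value is None else ([value] if isinstance(value, str) else list(value))

def find_overbroad_statements(policy_json):
    """Return (statement index, reason) for Allow statements built on wildcards."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((i, "Action '*' grants every API call"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wide Action wildcard"))
        if "*" in resources:
            findings.append((i, "Resource '*' applies to every resource"))
    return findings

def is_allowed(policy_json, action, resource):
    """Simplified IAM evaluation: an explicit Deny always wins, otherwise any
    matching Allow grants. Conditions, NotAction/NotResource and case folding
    are ignored, so treat this as a review aid, not the real policy engine."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action"))) and \
           any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource"))):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed
```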

Continuous monitoring and logging

Logging and monitoring involve collecting data for measurement and governance. They play an important role in modern enterprises because they measure the health of hardware devices and software applications. Building an effective monitoring solution requires significant effort and ongoing management. To simplify this, AWS provides an end-to-end monitoring solution that covers everything deployed on the cloud – from infrastructure to applications.

Data security and encryption

Encryption is the process of making data unreadable using two components – an encryption key and an encryption algorithm. To ensure that encrypted data stays secure, enterprises need a key management system that keeps the keys secure, durable, and highly available. However, building one can be a cumbersome and complicated process. To manage keys and encryption seamlessly, AWS offers a Key Management Service that is deeply integrated with its other services.

| Service | Use case |
| --- | --- |
| AWS Key Management Service (KMS) | Manage encryption keys |
| AWS CloudHSM | Cryptographic service for creating and managing hardware security modules |
| AWS Certificate Manager (ACM) | Provision and manage certificates |
| AWS Secrets Manager | Manage secrets and passwords |

Network and edge security

Network and edge security involve controlling how a request flows through different components and who can send requests to resources. This is vital to maintaining a healthy infrastructure, as it helps prevent unauthorized access and network attacks like denial-of-service, malware, and spam. AWS provides various services to help users build a secure networking infrastructure.

| Service | Use case |
| --- | --- |
| AWS VPC | Ability to provision and manage a private network |
| AWS Direct Connect | Ability to connect on-premises data centers to the cloud for realizing a hybrid cloud solution |
| AWS Web Application Firewall | Acts as a web application firewall enabling creation of security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns defined by the user |
| AWS Shield | Helps protect services against distributed denial-of-service attacks |
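Inside a VPC, "who can send requests to resources" is decided by security group ingress rules, which are allow-lists. The following is an added example, not code from the original post or from AWS: it flags rules that expose non-web ports to the whole internet and evaluates whether a given source would be admitted. The rule dictionaries and addresses are constructed sample data.

```python
import ipaddress

# Constructed security-group-style ingress rules (sample data, not from the post).
# A real rule set would be fetched via the EC2 API; here it is embedded inline.
SAMPLE_INGRESS = [
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "10.0.0.0/16"},
    {"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "::/0"},
]

# Ports that are acceptable to expose publicly on an internet-facing web tier.
PUBLIC_OK_PORTS = {80, 443}

def _is_world_open(cidr):
    # 0.0.0.0/0 and ::/0 both have a zero-length prefix.
    return ipaddress.ip_network(cidr).prefixlen == 0

def find_exposed_rules(rules):
    """Return rules that open anything other than web ports to the entire internet."""
    return [r for r in rules if _is_world_open(r["cidr"])
            and not set(range(r["from_port"], r["to_port"] + 1)) <= PUBLIC_OK_PORTS]

def is_admitted(rules, src_ip, port, proto="tcp"):
    """Security groups are allow-lists: traffic passes only if some rule matches.
    Assumes port ranges are explicit; "-1" stands for the all-protocols rule."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        net = ipaddress.ip_network(r["cidr"])
        if (r["proto"] in (proto, "-1") and ip.version == net.version
                and ip in net and r["from_port"] <= port <= r["to_port"]):
            return True
    return False
```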

Auditing, governance, and compliance

A compliance audit is a comprehensive review of an organization’s adherence to regulatory guidelines. Audit reports evaluate the strength and thoroughness of compliance preparations, security policies, user access controls, and risk management procedures. This is an important requirement, as customers migrating to the cloud have many apprehensions concerning adherence to regulatory guidelines. AWS provides a wide range of services for auditing, assessing resource compliance, and building reports.

| Service | Use case |
| --- | --- |
| AWS CloudTrail | Record API events for all AWS resources and services through the AWS console, command line, or SDKs |
| AWS IAM | User access and usage reports |
| AWS SSM | Automate management tasks such as collecting system inventory, applying operating system patches, automating the creation of Amazon Machine Images (AMIs), and configuring operating systems and applications at scale |
| AWS Config | Ability to take snapshots of resources and govern resource compliance |
| AWS Trusted Advisor | Provide recommendations to optimize the AWS environment for cost, performance, security, fault tolerance, and service limits |
| AWS Inspector | Automatically assess applications for exposure, vulnerabilities, and deviation from best practices |
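CloudTrail is the record that both the continuous monitoring section and the audit section above rely on; its value comes from running detections over the events it captures. The following is an added example, not code from the original post or from AWS: it applies three detector rules (root account activity, trail tampering, repeated console login failures) to constructed CloudTrail-style records. Usernames, IP addresses and the event subset are sample values.

```python
from collections import Counter

def _ev(name, source, identity, ip, response=None):
    # Minimal CloudTrail record shape: only the fields the rules below read.
    return {"eventName": name, "eventSource": source, "userIdentity": identity,
            "sourceIPAddress": ip, "responseElements": response or {}}

# Constructed identities and events (sample data, not from the original post).
ALICE = {"type": "IAMUser", "userName": "alice"}
BOB = {"type": "IAMUser", "userName": "bob"}
ROOT = {"type": "Root"}
SAMPLE_EVENTS = (
    [_ev("ConsoleLogin", "signin.amazonaws.com", ALICE, "198.51.100.7", {"ConsoleLogin": "Failure"})] * 3
    + [_ev("ConsoleLogin", "signin.amazonaws.com", BOB, "203.0.113.5", {"ConsoleLogin": "Success"}),
       _ev("StopLogging", "cloudtrail.amazonaws.com", BOB, "203.0.113.5"),
       _ev("DescribeInstances", "ec2.amazonaws.com", ROOT, "192.0.2.44"),
       _ev("ListBuckets", "s3.amazonaws.com", ALICE, "198.51.100.7")]
)

# API calls that weaken or disable the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def detect(events, failed_login_threshold=3):
    """Return (rule, detail) findings for a batch of CloudTrail records."""
    findings = []
    failed_logins = Counter()
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        if ident.get("type") == "Root":
            findings.append(("root-activity", f"{ev['eventName']} by root from {ev['sourceIPAddress']}"))
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and ev["eventName"] in TRAIL_TAMPERING:
            findings.append(("trail-tampering", f"{ev['eventName']} by {who}"))
        if ev["eventName"] == "ConsoleLogin" and ev["responseElements"].get("ConsoleLogin") == "Failure":
            failed_logins[(who, ev["sourceIPAddress"])] += 1
    # Threshold rule: repeated failures for one user from one source address.
    for (user, ip), n in failed_logins.items():
        if n >= failed_login_threshold:
            findings.append(("console-login-failures", f"{n} failures for {user} from {ip}"))
    return findings
```

In production these rules would be fed from a CloudTrail-to-CloudWatch Logs subscription or from the trail's S3 objects rather than an inline list.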

A deep understanding of the major building blocks of security and governance enables organizations to tap the benefits of the cloud successfully. In addition, automating the various components of security and governance helps avoid risks like security lapses, high maintenance costs, and idle resources. While planning a cloud infrastructure, it is equally essential to understand the architectural best practices, as these help create a highly available, robust, secure, and cost-efficient ecosystem.

Over the last two decades, Impetus has helped several Fortune 100 enterprises successfully move their data-driven businesses to AWS and other cloud platforms. Leveraging deep domain expertise and a robust cloud governance framework, Impetus can help you address the nuances of IT governance on the cloud, in line with your organization’s goals.

Author
Hussain Saify