5 building blocks of security and governance on AWS Cloud
Successful cloud migration involves understanding the responsibilities shared between an organization and its cloud service provider. With the alarming rise in data breaches and cybersecurity threats, the need to adopt and implement security and governance is one of the key considerations for enterprises journeying to the cloud.
Due to high scalability, reliability, and robust infrastructure, the Amazon Web Services (AWS) Cloud is a popular choice for enterprises. As the top cloud provider, AWS witnessed a market share of 33% and growth rate of 37% in FY 2019. AWS offers customers a wide choice of storage, access, and security options, along with authorized access, data protection, and training support.
This blog takes a close look at the five essential building blocks of security and governance on AWS:
Identity and access management
Continuous monitoring and logging
Network and edge security
Data security and encryption
Auditing and compliance
01. Identity and access management
DevOps engineers manage the development, testing, and operationalization of data platforms by monitoring network stability, availability, and other key metrics. Some of the common challenges faced by DevOps teams include managing multiple libraries and versions of code, factoring in adequate deployment parameters to avoid application failure, and customizing scripts in a short timespan to ensure optimal performance.
The essential security requirement for any enterprise moving to the cloud is to govern which resources can be accessed, who can access them, and how. AWS provides a wide range of services to manage users as well as their access permissions. Here is a glimpse:
Service: Use case
AWS Identity and Access Management (IAM): Manage identities and access to resources and services
AWS Organizations: Multi-account management and consolidated billing
AWS Single Sign-On (SSO): Centrally manage SSO access to multiple accounts
AWS Cognito: Manage identities and user pools for web and mobile apps
AWS Directory Service: Enable directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud
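As an added illustration of how IAM decides who can access which resource and how (example code written for this article, not code from the post or from AWS): a minimal evaluator for IAM-style policy statements that follows IAM's documented core rules, namely that requests are denied by default, an explicit Deny always wins, and an Allow is otherwise required. The policy, bucket name and account ARNs below are constructed sample values.

```python
import fnmatch

# Constructed sample policy in IAM's JSON document shape (sample values, not from the page).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"},
        # A broad explicit Deny: even the s3:* Allow above cannot grant deletes.
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    """'*' is a wildcard in Action and Resource; action names compare case-insensitively,
    resource ARNs do not. fnmatch also treats '?' and '[' specially, which is fine for this demo."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one (action, resource) request against one policy.

    Implicit deny is the starting point; a matching Deny statement short-circuits
    the decision; a matching Allow statement flips it to Allow unless a later Deny matches.
    """
    decision = "Deny"  # implicit deny when nothing matches
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any Allow, wherever it appears
        decision = "Allow"
    return decision
```

Condition keys (MFA, source IP, tags) and resource-based or permission-boundary policies are intentionally left out; real IAM evaluates all of them before reaching a decision.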
02. Continuous monitoring and logging
Logging and monitoring involve collecting data for measurement and governance. They play an important role in modern enterprises, as they measure the health of hardware devices and software applications. Building an effective monitoring solution requires a lot of effort and management. To simplify this, AWS provides an end-to-end monitoring solution which helps to monitor everything deployed on the cloud – from infrastructure to applications.
03. Data security and encryption
Encryption is the process of making data unreadable using two components: an encryption key and an encryption algorithm. To keep encrypted data secure, enterprises need a key management system that keeps the keys secure, durable, and highly available. Building one in-house can be a cumbersome and complicated process. To manage keys and encryption seamlessly, AWS offers a Key Management Service that is deeply integrated with its other services.
Service: Use case
AWS Key Management Service (KMS): Manage encryption keys
AWS CloudHSM: Cryptographic service for creating and managing hardware security modules
AWS Certificate Manager (ACM): Provision and manage certificates
AWS Secrets Manager: Manage secrets and passwords
04. Network and edge security
Network and edge security involve controlling how a request flows through different components, and who can send requests to resources. This is vital to maintain a healthy infrastructure as it can help prevent unauthorized access and network attacks like denial-of-service, malware, and spam. AWS provides various services to help users build a secure networking infrastructure.
Service: Use case
AWS VPC: Ability to provision and manage a private network
AWS Direct Connect: Ability to connect on-premises data centers to the cloud to realize a hybrid cloud solution
AWS Web Application Firewall: Acts as a web application firewall, enabling the creation of security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns defined by the user
AWS Shield: Helps protect services against distributed denial-of-service attacks
05. Auditing, governance, and compliance
A compliance audit is a comprehensive review of an organization’s adherence to regulatory guidelines. Audit reports evaluate the strength and thoroughness of compliance preparations, security policies, user access controls, and risk management procedures over the course of a compliance audit. This is an important requirement, as customers migrating to the cloud have many apprehensions concerning adherence to regulatory guidelines. AWS provides a wide range of services for auditing, compliance of resources, and building reports.
Service: Use case
AWS CloudTrail: Record API events for all AWS resources and services, whether invoked through the AWS console, command line, or SDKs
AWS IAM: User access and usage reports
AWS SSM: Automate management tasks such as collecting system inventory, applying operating system patches, automating the creation of Amazon Machine Images (AMIs), and configuring operating systems and applications at scale
AWS Config: Ability to take snapshots of resources and govern resource compliance
AWS Trusted Advisor: Provide recommendations to optimize the AWS environment for cost, performance, security, fault tolerance, and service limits
AWS Inspector: Automatically assess applications for exposure, vulnerabilities, and deviation from best practices
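The CloudTrail records mentioned above are what the continuous monitoring of section 02 and the auditing of section 05 actually consume. As an added example (written for this article, not code from the post or from AWS), the function below parses a CloudTrail log file in its delivered {"Records": [...]} shape and flags two things an auditor wants to see immediately: a root-account console sign-in (worse still without MFA) and API calls that switch off or weaken the trail itself. The account ID, user name, trail name and IP address are constructed sample values.

```python
import json

# Constructed CloudTrail log file body (sample data made up for this example).
# Field names (eventName, userIdentity.type, additionalEventData.MFAUsed, ...) are CloudTrail's own.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2020-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2020-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})

# CloudTrail API calls that stop, delete or narrow the audit trail.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(text):
    """Parse one CloudTrail log file body into its list of event records."""
    return json.loads(text).get("Records", [])


def detect(records):
    """Return (rule, eventName, principalArn) findings in record order.

    Rules: root console sign-in (tagged -no-mfa when MFAUsed is not "Yes"),
    and any trail-tampering call issued to the CloudTrail service.
    """
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        arn = ident.get("arn", "unknown")
        name = rec.get("eventName", "")
        if name == "ConsoleLogin" and ident.get("type") == "Root":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed", "No")
            rule = "root-console-login" if mfa == "Yes" else "root-console-login-no-mfa"
            findings.append((rule, name, arn))
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("cloudtrail-tampering", name, arn))
    return findings
```

In production the same logic would run on each file CloudTrail delivers to S3 (or on CloudWatch Logs events) and raise an alert rather than return a list.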
A deep understanding of the major building blocks of security and governance enables organizations to tap the benefits of the cloud successfully. In addition, adopting an automated approach to various components of security and governance can help avoid risks like security lapses, high maintenance costs, and idle resources. While planning to build a cloud infrastructure, it is equally essential to understand the architectural best practices, as these help to create a highly available, robust, secure, and cost efficient ecosystem.
Over the last two decades, Impetus has helped several Fortune 100 enterprises successfully move their data-driven businesses to AWS and other cloud platforms. Leveraging deep domain expertise and a robust cloud governance framework, Impetus can help you address the nuances of IT governance on the cloud, in line with your organization’s goals.