Cloud-native security is a vital part of the cloud adoption mix, so how do you embed best practice?
First off, ensure stakeholders understand the difference between security ‘of’ the cloud and ‘in’ the cloud. This is an important point, but it’s often overlooked or misunderstood. Here’s how AWS defines it in relation to the General Data Protection Regulation (GDPR):
Under the shared responsibility model, AWS is responsible for securing the underlying infrastructure that supports AWS services (security ‘of’ the cloud), and customers, acting either as data controllers or data processors, are responsible for any personal data they upload to AWS services (security ‘in’ the cloud).
So, cloud vendors’ security obligations cover the underlying infrastructure of the cloud itself; individual organisations are responsible for data stored there.
A few weeks ago, my colleague Ed Pearson wrote about measures that can be taken to make personal data more secure in the cloud. He covered the use of serverless for ‘principle of least privilege’, advanced logging and monitoring, and sophisticated approaches for encryption.
This might seem daunting if you’re new to cloud or if the volumes of data held there are growing fast. But the good news is that you don’t have to build and manage these capabilities singlehandedly. Far from it.
Leading cloud vendors have an array of robust and efficient tools to address even the most stringent data security requirements. They’re there to be implemented, and we advise doing so at the start of any cloud adoption or migration program. In this post, we look at some of the tools and services available from AWS.
Amazon Macie is a data security and privacy service that uses machine learning and pattern matching to discover and protect sensitive data in AWS. It’s fully automated, making it a good fit for large and complex cloud environments. Sensitive data types covered by the service include personally identifiable information (PII) such as names, addresses and credit card numbers. It can also be tailored to cover sensitive data types that are unique to your organisation.
Macie provides an inventory of all Amazon S3 buckets and continually evaluates them. It also offers constant visibility of the security and privacy of data stored in S3 environments.
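To make the “tailored to your organisation” point concrete, here is an added example (my own code, not Macie’s implementation) of the three things a custom sensitive-data identifier typically combines: a regular expression, keywords that must appear shortly before the match, and a validator that rejects look-alike values. The `CustomIdentifier` class, the 50-character keyword window and the sample object content are all assumptions constructed for this illustration; the Luhn check is the standard card-number checksum.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed S3 object content standing in for a file Macie would scan.
# Line 2 holds 16 digits with no card keyword nearby, line 3 a Luhn-valid
# test card number, line 4 a number that fails the Luhn check.
SAMPLE_OBJECT = (
    "invoice 2023-0042\n"
    "tracking id 1234567890123456\n"
    "card number: 4111 1111 1111 1111\n"
    "card number: 4111 1111 1111 1112\n"
    "employee_id: E-7788\n"
)


@dataclass
class CustomIdentifier:
    """Hypothetical stand-in for a custom data identifier: a regex, optional
    keywords that must appear within max_match_distance characters before the
    match, and an optional validator that cuts false positives."""
    name: str
    regex: str
    keywords: list = field(default_factory=list)
    max_match_distance: int = 50
    validator: Optional[Callable[[str], bool]] = None


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


IDENTIFIERS = [
    CustomIdentifier(
        name="credit_card",
        regex=r"\b\d(?:[ -]?\d){12,18}\b",  # 13-19 digits, optional separators
        keywords=["card", "credit", "visa", "mastercard"],
        validator=luhn_valid,
    ),
    # Organisation-specific identifier with no keyword or validator requirement.
    CustomIdentifier(name="employee_id", regex=r"\bE-\d{4}\b"),
]


def scan(content: str, identifiers) -> list:
    """Return one masked finding per regex match that also satisfies the
    identifier's keyword-proximity and validator requirements."""
    findings = []
    lower = content.lower()
    for ident in identifiers:
        for m in re.finditer(ident.regex, content):
            if ident.keywords:
                window = lower[max(0, m.start() - ident.max_match_distance):m.start()]
                if not any(k in window for k in ident.keywords):
                    continue
            if ident.validator and not ident.validator(m.group()):
                continue
            findings.append({
                "identifier": ident.name,
                "line": content.count("\n", 0, m.start()) + 1,
                "masked": mask(m.group()),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_OBJECT, IDENTIFIERS):
        print(finding)
```

Run on the sample, only the Luhn-valid number on line 3 and the employee id on line 5 are reported; the 16-digit tracking number has no keyword nearby and the number on line 4 fails the checksum. Findings carry a masked value rather than the matched text, so the scanner’s own output does not become another copy of the sensitive data.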
Threats to security can come from within the organisation as well as outside it. So, logging internal interactions with AWS, via the command line, web interface or through API, is vital. AWS CloudTrail offers a straightforward way to embed best practice by capturing and consolidating this information.
With CloudTrail, you have full control of log storage and analysis, enabling easier generation of audit reports. By continuously monitoring your organisation’s AWS API use history, this tool can also spot unusual activity and determine root cause. Additional benefits include log file integrity validation and log file encryption.
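As an added example of the “spot unusual activity” side of CloudTrail, the code below (mine, not an AWS tool) runs a few detection rules over the `Records` array of a CloudTrail log file. The records are constructed, with documentation IP ranges and the AWS example account id, but the field names (`eventName`, `eventSource`, `userIdentity.type`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`) are the ones CloudTrail writes. The rule set and the failed-login threshold are my choices.

```python
from collections import Counter

# Constructed CloudTrail records (the "Records" array of one log file),
# trimmed to the fields the rules below read.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-10T08:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-10T08:05:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-10T08:07:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2024-01-10T08:09:03Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/admin/session1"},
     "requestParameters": {"name": "org-trail"}},
] + [
    # Three failed console logins from one address; CloudTrail hides the
    # attempted user name on failures.
    {"eventTime": f"2024-01-10T08:1{i}:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"}
    for i in range(3)
]

# API calls that change what the trail records (my selection).
TRAIL_CHANGE_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def root_activity(r):
    """Any use of the root account is worth a look; it should be rare."""
    if r.get("userIdentity", {}).get("type") == "Root":
        return f"root credentials used for {r.get('eventName')}"


def console_login_without_mfa(r):
    """Successful IAM-user or root console sign-in with no MFA. Federated
    sessions are excluded because their MFA happens at the identity provider
    and CloudTrail reports MFAUsed as No for them."""
    if (r.get("eventName") == "ConsoleLogin"
            and r.get("userIdentity", {}).get("type") in ("IAMUser", "Root")
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "successful console login without MFA"


def trail_configuration_change(r):
    """Changes to the trail itself often precede attempts to hide activity."""
    if (r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in TRAIL_CHANGE_EVENTS):
        trail = r.get("requestParameters", {}).get("name", "?")
        return f"{r['eventName']} on trail {trail}"


PER_RECORD_RULES = [root_activity, console_login_without_mfa, trail_configuration_change]


def evaluate(records, failed_login_threshold=3):
    """Apply per-record rules, then an aggregate rule for failed-login bursts."""
    alerts = []
    for r in records:
        for rule in PER_RECORD_RULES:
            detail = rule(r)
            if detail:
                alerts.append({"rule": rule.__name__, "time": r.get("eventTime"),
                               "actor": r.get("userIdentity", {}).get("arn"),
                               "source_ip": r.get("sourceIPAddress"), "detail": detail})
    failures = Counter(r.get("sourceIPAddress") for r in records
                       if r.get("eventName") == "ConsoleLogin"
                       and r.get("responseElements", {}).get("ConsoleLogin") == "Failure")
    for ip, n in failures.items():
        if n >= failed_login_threshold:
            alerts.append({"rule": "failed_login_burst", "time": None, "actor": None,
                           "source_ip": ip, "detail": f"{n} failed console logins"})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS):
        print(alert)
```

The same rules translate directly into CloudWatch metric filters or an Athena query over the trail’s S3 bucket once the logic has been checked against real records; the value of writing them out like this is that each rule states exactly which fields it depends on, which is what an audit reviewer will ask for.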
If you need a threat detection service that monitors for malicious or anomalous activity, consider activating Amazon GuardDuty. It encompasses all AWS accounts and workloads as well as data stored in Amazon S3.
GuardDuty is a good alternative to building in-house solutions, maintaining complex custom rules, or developing internal intelligence on malicious IP addresses. With its quick and accurate threat detection, it removes much of the heavy lifting and complexity associated with monitoring and protection.
Capable of analysing tens of billions of events across multiple AWS data sources, GuardDuty uses machine learning, anomaly detection and integrated threat intelligence. This enables it to identify and prioritise potential threats efficiently and effectively.
Amazon Athena is a serverless, interactive query service that enables rapid analysis of data in S3. There’s no need to set up or manage servers or data warehouses: you point it at the data you want to analyse, define the schema, then run queries from the built-in query editor.
Amazon Athena is charged either per query or per GB of data processed. It operates directly on data in S3, so there are no additional storage charges. The service is fast and automatically executes queries in parallel, so results generally come back within seconds.
Scanning for software vulnerabilities and unintended network exposure can be fully automated with Amazon Inspector. Any vulnerability findings are quickly routed to the appropriate teams for remediation.
Amazon Inspector supports rigorous compliance requirements and best practice approaches. These include those set out in NIST’s Cybersecurity Framework as well as industry regulations like the Payment Card Industry Data Security Standard.
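Both GuardDuty (“identify and prioritise potential threats”) and Inspector (“findings are quickly routed to the appropriate teams”) leave the routing step to you. The following added example (my own code, not part of either service) normalises findings from the two services into one shape and routes them by severity and by the `owner` tag on the affected resource. The findings are constructed; the field names follow the shape of GuardDuty’s `GetFindings` and Inspector’s `ListFindings` responses as I know them, reduced to the handful used here, and the CVE ids and ARNs are labelled placeholders. The severity bands are GuardDuty’s documented Low/Medium/High ranges, with 9.0 and above labelled Critical as my own choice.

```python
# Constructed findings, trimmed to the fields used below. GuardDuty findings
# carry a numeric Severity and a structured Type string; Inspector findings
# carry a severity label plus an inspectorScore. All values are made up.
GUARDDUTY_FINDINGS = [
    {"Id": "gd-finding-1", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "Resource": {"ResourceType": "Instance",
                  "InstanceDetails": {"InstanceId": "i-0123456789abcdef0",
                                      "Tags": [{"Key": "owner", "Value": "payments"}]}},
     "Service": {"Count": 1}},
    {"Id": "gd-finding-2", "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "Severity": 5.0,
     "Resource": {"ResourceType": "AccessKey",
                  "AccessKeyDetails": {"UserName": "deploy-bot"}},
     "Service": {"Count": 4}},
    {"Id": "gd-finding-3", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Resource": {"ResourceType": "Instance",
                  "InstanceDetails": {"InstanceId": "i-0fedcba9876543210",
                                      "Tags": [{"Key": "owner", "Value": "web"}]}},
     "Service": {"Count": 12}},
]
INSPECTOR_FINDINGS = [
    {"findingArn": "arn:aws:inspector2:eu-west-1:123456789012:finding/PLACEHOLDER-1",
     "severity": "CRITICAL", "inspectorScore": 9.8,
     "title": "CVE-YYYY-NNNNN (placeholder) - openssl",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0",
                    "tags": {"owner": "payments"}}]},
    {"findingArn": "arn:aws:inspector2:eu-west-1:123456789012:finding/PLACEHOLDER-2",
     "severity": "LOW", "inspectorScore": 3.1,
     "title": "CVE-YYYY-NNNNN (placeholder) - libxml2",
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "sha256:placeholder",
                    "tags": {}}]},
]


def severity_band(score: float) -> str:
    """GuardDuty's documented bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
    Treating 9.0 and above as Critical is this example's own choice."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def parse_guardduty_type(t: str) -> dict:
    """Split ThreatPurpose:ResourceTypeAffected/ThreatFamilyName[.Mechanism][!Artifact]."""
    purpose, rest = t.split(":", 1)
    resource, family = rest.split("/", 1)
    return {"purpose": purpose, "resource": resource, "family": family}


def guardduty_owner(f: dict) -> str:
    """GuardDuty exposes EC2 tags as a list of Key/Value pairs."""
    details = f.get("Resource", {}).get("InstanceDetails", {})
    tags = {t["Key"]: t["Value"] for t in details.get("Tags", [])}
    return tags.get("owner", "unassigned")


def normalize_guardduty(f: dict) -> dict:
    parsed = parse_guardduty_type(f["Type"])
    score = float(f["Severity"])
    return {"source": "guardduty", "id": f["Id"], "score": score,
            "band": severity_band(score), "owner": guardduty_owner(f),
            "summary": (f"{parsed['purpose']} on {parsed['resource']}: "
                        f"{parsed['family']} (seen {f['Service']['Count']}x)")}


def normalize_inspector(f: dict) -> dict:
    """Inspector exposes tags as a plain map and the band as an upper-case label."""
    res = f["resources"][0]
    return {"source": "inspector", "id": f["findingArn"], "score": float(f["inspectorScore"]),
            "band": f["severity"].capitalize(),
            "owner": res.get("tags", {}).get("owner", "unassigned"),
            "summary": f"{f['title']} on {res['type']} {res['id']}"}


def route(finding: dict) -> str:
    """Hypothetical routing policy: page the owning team for High/Critical,
    open a ticket for Medium, leave Low on the dashboard."""
    if finding["band"] in ("Critical", "High"):
        return f"page:{finding['owner']}-oncall"
    if finding["band"] == "Medium":
        return f"ticket:{finding['owner']}"
    return "dashboard"


def triage(guardduty: list, inspector: list) -> list:
    """Normalise both sources, attach a route, and order by score descending."""
    findings = ([normalize_guardduty(f) for f in guardduty]
                + [normalize_inspector(f) for f in inspector])
    for f in findings:
        f["route"] = route(f)
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(GUARDDUTY_FINDINGS, INSPECTOR_FINDINGS):
        print(f["route"], f["band"], f["source"], f["summary"])
```

Note the two findings with no resolvable owner: the compromised access key (GuardDuty attaches no instance tags to it) and the untagged container image. In practice those “unassigned” routes are the ones to measure, because findings nobody owns are the ones that sit unremediated.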
Build an infrastructure that learns and adapts
AWS’ security services are inherently cloud-native. They’ve been built by cloud experts to address the specific security concerns and requirements of cloud-based applications and workloads. Many are designed to support due diligence, making it easier to conduct audits and provide evidence of compliance. This can bolster confidence and assurance for those organisations that operate in heavily regulated industries.
Cloud-vendor services can underpin more sophisticated bespoke security strategies too. They help you go beyond the avoidance of security issues to build an infrastructure that learns, adapts, and improves.
All of this supports cloud best practice for financial services organisations as well as other sectors dealing with sensitive data. Even the most thorough preventative strategy will never be 100% watertight. So, combining prevention with early identification of issues and proactive course-correction takes standards to a higher level. With such robust and effective security services on offer from cloud vendors, there’s no reason not to take this path. But start work early to build familiarity and allow time for fine-tuning before you go into production.