Unlimited and instant scalability. Pay per use. Globally distributed infrastructure. These are just some of the reasons organizations have turned to the cloud. But securing the data that organizations are storing on AWS has become a tremendous challenge as would-be threats see the opportunity of what lies behind a successful breach
AWS Security Basics
Amazon Web Services is built off a shared responsibility model. If you are on AWS or considering moving to AWS, you are no doubt very familiar with the idea that Amazon will ensure the security of the cloud's infrastructure (the hardware, software, networking, and facilities) but ultimately leaves the responsibility with your organization for the data you put in their cloud (user PII, financial data, etc.) and how it is stored.
Being able to accurately determine what is your responsibility versus Amazon's is critical when it comes to offering a secure solution if and when a breach happens. Ultimately, it serves cloud-based organizations well to treat the edges of responsibility Amazon oversees as their own to ensure overlap where there could actually be a gap. More on that later.
Shared responsibility. Remember that, because as you peel back the layers of AWS security things can begin to get a bit complex.
6 Foundational Tips Securing Your AWS Environment
Achieving security assurance with the data you are storing in the cloud comes from the ability to look across your entire digital environment. Cloud security is more than just some anti-malware or stronger passwords.
When you begin to map out your AWS security responsibilities, there are a few pieces of groundwork you should lay out before onboarding a bunch of tools and services, even if you have the means to do so. If you adopt these mindsets, you will find that AWS security can be more streamlined that you thought when you initially set out.
1. Prioritize Simplicity
First and foremost, let's establish the precedent that vulnerabilities are going to occur and breaches will happen. I'm not trying to be a pessimist. But when you presume a leak may happen, you can plan your security stack with the right question in mind: how do I identify and remediate the vulnerability or breach as quickly and effectively as possible?
AWS security tools and solutions are bountiful. The goal should be to identify what sort of tools you need and then ensure you are avoiding adding noise.
2. Start with the End in Mind
Simplicity on it's own can still leave you in a less than ideal predicament when it comes to preparing your organization for a compelling event like a compliance certification (or recertification). If your organization plans to adopt SOC 2, HITRUST, NIST or some other cybersecurity framework, even if not imminently, keep that at the forefront of your minds as you outline your security stack.
There is nothing worse than late night and weekend scrambling to hit your certification. On the flip side, failing your compliance audit can be detrimental to your bottom line or bring your business to a halt.
3. Embrace DevSecOps
Whether you manage a security team, are the security team or security is just another responsibility in your growing list, you have undoubtedly experienced the frustration and headaches that result from security being towards the end of what is on a development team's mind.
With DevSecOps, you distribute security responsibilities across the organization, incorporating collaboration between security operations and engineering at the start and avoiding a lot of the backtracking and pitfalls associated with leaving security last. DevSecOps can also help your team remain agile as they grow, keeping deployment cycles short, while prioritizing security from the beginning. This drastically limits the impact of security vulnerabilities.
4. Navigating Liability
Take a proactive approach when it comes to managing liability. Presume something is your responsibility, even when it may not be (but especially if it is a gray area), and you will be left holding the bag far less often. Incorporate tools that make it easy to determine who has access to what, how applications and data are monitored, and how alerts will be handled.
Being able to easily notify the owner of a vulnerable code repo of an unsuspected change automatically ensures potential issues are floated to the top of the pile early.
5. Map Relationships in the Cloud
Understanding AWS security vulnerabilities is easy if you have a clear picture of what entities, users and resources have access to what and whether or not that has changed. As you build out your security stack, focus on being able to not just answer the "what happened", but also the "why". This context will help you avoid chasing down false positives.
6. Avoid Alert Fatigue [at all costs]
This is one of the most important considerations to make when it comes to AWS security. Alert fatigue is a real problem. Organizations are either unable to set accurate thresholds or the tools they are leveraging are just limited when it comes to determining if an issue is a problem or expected. This is a real problem. Why?
If you are comfortable receiving and ignoring alerts, you will eventually miss something real and detrimental to you organization. Case in point - we've seen several major data breaches over the last couple of years. Each of these organizations had security teams, tool and compliance frameworks, yet breaches went undetected. Likely alerts were coming in, but dismissed or ignored.
AWS Security Starts & Ends with Your Team (not Amazon)
Take these steps and prevent a false reliance on Amazon to secure the data you are storing in the cloud. Amazon does a tremendous job maintaining the infrastructure but there is a lot more that ultimately falls to your team than you may realize. So how do you keep up with the constant changes in your AWS environment to maintain an up to date picture of your digital resources and assets while also ensure you are aligned with a compliance framework? DevSecOps.
DevSecOps is a proactive approach to AWS security that will actually result in streamlined security operations, limited blast radii and, ultimately, security assurance. To learn more about how to create a DevSecOps culture within your organization, download our free ebook: 6 Steps for Creating a DevSecOps culture.
Already bought in to the DevSecOps approach for maintaining your AWS security? Then test drive JupiterOne, precision security built on a DevSecOps approach with the ability to drastically simplify, centralize and maintain your security operations from a single location.