There is a prevailing notion that because established cloud providers such as Amazon deliver enterprise-class infrastructure, security is “taken care of.” When you set up your workloads in AWS, you hopefully configure the available settings like access control and firewall port restrictions. That’s all good, and necessary! But outside of the cloud, would that ever be enough?
Hopefully your answer is no. And Amazon agrees. As a customer or prospective user of AWS, you should familiarize yourself with what is known as the “Shared Responsibility Model,” which essentially states where Amazon’s security ends and your responsibility begins. Here’s their graphical representation:
If you’re familiar with data center security, server security, or security for virtualized infrastructure, you’re probably not surprised by this breakdown. Encrypting data, running host-based anti-malware, and configuring access control are staples of your practice.
Let’s not forget – the cloud has a network too. And it’s susceptible to the same threats as your own data center network, plus threats specific to the cloud. Advanced malware can reach your AWS workloads through network traffic, along with cross-site scripting, botnet, and SQL injection attacks. Cloud infrastructure also has its own vulnerabilities – if one virtual server in AWS is compromised, the malware can potentially spread to other vulnerable servers in the same environment. This lateral path is known as “east-west” network traffic, and it is much more prominent in virtualized environments. Additionally, there are unique management challenges in the cloud, like orchestrating security controls across a dynamically changing environment and automating the process. Not to mention, simply gaining visibility into what workloads are being spun up by your organization!
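One concrete way the east-west path opens up is a security group that lets every port through from the whole VPC, or from its own members. The following audit script is an added example (not from the original post or from AWS) that flags such all-port rules; it runs over a constructed sample shaped like EC2 DescribeSecurityGroups output, with placeholder group ids and an assumed 10.0.0.0/16 VPC, so no AWS calls are made.

```python
"""Flag security-group inbound rules that allow every port from a broad source."""
from typing import Dict, List

# Constructed sample in the shape of EC2 DescribeSecurityGroups output (ids are placeholders).
SAMPLE_GROUPS: List[Dict] = [
    {
        "GroupId": "sg-app", "GroupName": "app-tier",
        "IpPermissions": [
            # Every protocol and port from the whole VPC: a wide-open east-west path.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-db", "GroupName": "db-tier",
        "IpPermissions": [
            # Only the app tier's group, only on the database port: scoped as intended.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
            # Self-referencing all-traffic rule: any member can reach any other on any port.
            {"IpProtocol": "-1", "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-db"}]},
        ],
    },
]

BROAD_PREFIX_MAX = 24  # prefixes shorter than /24 count as "broad" (assumption; tune per VPC)


def rule_findings(group: Dict, perm: Dict) -> List[str]:
    """Return findings for one inbound rule; only all-port rules are flagged."""
    findings = []
    all_ports = perm.get("IpProtocol") == "-1" or (
        perm.get("FromPort") == 0 and perm.get("ToPort") == 65535)
    if not all_ports:
        return findings
    for rng in perm.get("IpRanges", []):
        prefix = int(rng["CidrIp"].split("/")[1])
        if prefix < BROAD_PREFIX_MAX:
            findings.append(f"{group['GroupId']}: all ports open from {rng['CidrIp']}")
    for pair in perm.get("UserIdGroupPairs", []):
        if pair["GroupId"] == group["GroupId"]:
            findings.append(f"{group['GroupId']}: all ports open between its own members")
    return findings


def audit(groups: List[Dict]) -> List[str]:
    """Run rule_findings over every inbound rule of every group."""
    return [f for g in groups for p in g.get("IpPermissions", []) for f in rule_findings(g, p)]


if __name__ == "__main__":
    for line in audit(SAMPLE_GROUPS):
        print(line)
```

IPv6 ranges and port-specific rules from 0.0.0.0/0 are not covered here; extend the check before relying on it.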
Moving workloads to the cloud confidently means solving these security challenges as you plan your deployment, not after. If you’re responsible for data center and cloud infrastructure, bring your security team in early. Security professionals – don’t assume security in the cloud will hold back the agility your organization needs.
Stay tuned for part 2 of this short series on protecting cloud networks in AWS for our technology recommendations, and a new way to kick the tires with no investment required.