Network Security in the Amazon Web Services Cloud – It’s Your Responsibility!

There is a presiding notion that because established cloud providers such as Amazon deliver enterprise-class infrastructure, security is “taken care of.” When you set up your workloads in AWS, you hopefully configure available settings like access control and firewall port restrictions. That’s all good, and necessary! But outside of the cloud, would that ever be enough?

Hopefully your answer is no. And Amazon agrees. As a customer or prospective user of AWS, you should familiarize yourself with what is known as the “Shared Responsibility Model”, essentially stating where Amazon’s security ends, and your responsibility begins. Here’s their graphical representation:

Fig. 1 The AWS Shared Responsibility Model. For more visit https://aws.amazon.com/compliance/shared-responsibility-model/

If you’re familiar with data center security, server security, or security for virtualized infrastructure, you’re probably not surprised with this breakdown. Encrypting data, running host-based anti-malware, and configuring access control are staples of your practice.

Let’s not forget – the cloud has a network too. And its susceptible to threats just like your own datacenter network, and more specific to the cloud. Advanced malware can reach your AWS workloads through network traffic, along with cross site scripting, botnet, and SQL injection attacks. Cloud infrastructure also has its own vulnerabilities – if one virtual server in AWS is compromised, the malware can potentially roam to other vulnerable servers in the same environment. This lateral path is known as “east-west” network traffic, and is much more prominent in virtualized environments. Additionally, there are unique management challenges in the cloud, like orchestrating security controls across a dynamically changing environment, and automating the process. Not to mention, simply gaining visibility into what workloads are being spun up by your organization!

Moving workloads to the cloud confidently means solving these security challenges as you plan your deployment, not after. If you’re responsible for data center and cloud infrastructure, bring your security team in early. Security professionals – don’t assume security in the cloud will hold back the agility your organization needs.

Stay tuned for part 2 of this short series on protecting cloud networks in AWS for our technology recommendations, and a new way to kick the tires with no investment required.

No computer system can be absolutely secure. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Amazon Web Services and AWS are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries. The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/ service marks of Chef, in the United States and other countries and are used with Chef Software Inc.’s permission. We are not affiliated with, endorsed or sponsored by Chef Software Inc. Puppet is a trademark or registered trademark of Puppet, Inc. and are used in compliance with their trademark policy. No endorsement by Puppet, Inc. is implied by the use of this mark. Copyright © 2017 McAfee, LLC.

Leave a Comment

1 + 7 =