AWS Cloud Enterprise Strategy Blog

Use the Cloud to Protect the Cloud: A Holistic Approach to Securing AWS at Enterprise Scale

Note: The following is a guest post from Matt Trentler, an AWS professional services manager from our security, risk, and compliance practice.

Introduction by Clarke Rodgers, AWS Enterprise Strategist

I often meet with CxOs who understand in principle that a well-architected cloud implementation can be more secure than their current datacenter. However, “How do I build that minimum security baseline and operational capability?” is the question I typically get from these CxOs who are looking for a place to start. The following guest post from Matt Trentler, an AWS professional services manager from our security, risk, and compliance practice, addresses the “How” of building out that security capability.

-Clarke


There are powerful ways to secure the cloud, and this article demystifies the complexity and offers a structured approach to securing the cloud at enterprise scale. Customers may ask themselves: Where do I start? What is most effective? What am I going to do? The good news is securing the cloud doesn’t have to be challenging. In fact, the cloud offers more granular security options than on-premise infrastructures.

Reaching security in the cloud is achievable by following a structured framework consisting of five core pillars, which we refer to as the Core 5:

  • Identity & Access Management
  • Detective Controls
  • Infrastructure Security
  • Data Protection
  • Incident Response

These pillars are organized in a strategic order as part of the AWS’ Cloud Adoption Framework, Security Perspective. They provide a structured approach to building security capabilities at enterprise scale. These core security pillars follow a very prescriptive order, where each pillar builds upon its predecessor. Delivery follows an Agile methodology, allowing one to continually evaluate infrastructure changes to determine new security controls. It is important to understand the shared responsibility model between AWS and the customer. This blog post will focus on the customer’s responsibility in that model.

Identity & Access Management

Customers start with Identity & Access Management. In a traditional datacenter, infrastructure is provisioned before granting user access. In the cloud this has flipped. Identity and access controls must precedeprovisioning infrastructure. The cloud offers extremely granular access control, including conditional logic. It is important to understand that users in AWS have zero access by default. Access must be granted in order to perform actions, such as deploy EC2 instances, configure Virtual Private Networks (VPC), or access data in S3 buckets. This is when customers begin integrating with their identity directories (i.e., Active Directory) and/or SSO solutions. Step 1 also includes designing an enterprise AWS account hierarchy. AWS Organizations makes it easy to group multiple AWS accounts into Organizational Units (OU’s) where top-down Service Control Policies (SCP) can be applied.

Detective Controls

Now that access is provisioned, the next step is to set up and configure logging. AWS provides a full range of detective controls to ensure granular visibility in the environment. There are countless logging options: CloudTrail, Guard Duty, CloudWatch, AWS Config, and others are cornerstone logging components in AWS. Actions performed in an AWS account are API calls. CloudTrail logs API calls made from the web console, CLI, or the SDK. To ensure a comprehensive detection program, consider consuming AWS logs into an existing SIEM logging solution. Customers should evaluate their environments and enable logging everywhere possible. Proper logging sets the foundation for future automated incident detection, response, and remediation.

Infrastructure Security

After access has been provisioned and logging is set, it’s time to begin building! Infrastructure Security in the cloud involves strategic design and implementation of secure infrastructure, such as network segmentation, routing, IDS/IPS controls, firewall configurations, edge security, DDoS protection, web app firewalls, and more. The key is to design for scale, elasticity, and future-state. Consider connectivity across multiple AWS accounts, third parties, or hybrid connectivity back to on-premise datacenters. AWS offers pre-built reference architectures called Quickstarts. Quickstarts are CloudFormation templates that make it easy to deploy a hardened, preconfigured environment in minutes. NIST, CIS, HIPAA, and others have built pre-configured AWS Quickstart templates for easy deployment.

Data Protection

Just prior to loading data, best practice is to develop a cloud-based data encryption strategy to ensure data is protected. Cloud based data protection techniques include both strategic and tactical elements, such as key management, network encryption, certificate and secrets management, encrypting block, and object and file level storage such as EBS volumes, databases, S3, etc. It’s not one-size-fits-all; best practices are to evaluate each workload and follow a risk-based approach.

Encryption options are extensive and their performance impact is negligible. AWS offers a range of encryption options to meet different workload needs. Customers can manage their own keys using AWS Key Management System (KMS), bring their own key material, or use an AWS CloudHSM, which is a dedicated FIPS 140-3 compliant hardware security module.

Incident Response

Once the basics are in place, it’s time to build another important capability: incident response. At this point a solid foundation has been established. Incident response in the cloud can range from manual to fully automated response. The level of automation a company can build and support depends on factors such as current technology posture and staff sophistication. Limitations to automating incident response capabilities in the cloud are left to one’s imagination. An example scenario includes Amazon Guard Duty sending logs to CloudWatch Events during a security event. CloudWatch Events can trigger a Lambda function which executes automated remediation actions, such as quarantine or snapshot a compromised EC2 instance without human intervention.

Whether you are just starting out or securing a massive enterprise, AWS offers many options to meet customers’ workload needs. The five core security pillars described here provide a foundational approach to achieving security in the cloud. But don’t stop here. Use this, build from it, and iterate—rinse and repeat. Security professionals must “use the cloud to protect the cloud’, it’s the only way we can keep up!

 

 

Clarke Rodgers

Clarke Rodgers

Clarke is an Enterprise Security Strategist with Amazon Web Services. In this role, Clarke works with enterprise security, risk, and compliance focused executives on how AWS can strengthen their security posture and to help understand the security capabilities/possibilities of the cloud. Prior to AWS, Clarke was a CISO for the North American operations of a multinational insurance/reinsurance company where he took a strategic division all-in to AWS for security reasons, to include achieving SOC2/Type2 attestation. Clarke's 20+ year career in IT operations and security focused roles helps him align with the needs of today's enterprise customers during their cloud transformation journeys. Clarke attended the University of North Carolina and served as a United States Marine.