Data security and governance best practices for education and state and local government
Many organizations within state and local government (SLG) and education must build digital environments and services that meet a variety of dynamic security and compliance considerations, such as StateRAMP and Federal Information Security Management Act (FISMA). How can these organizations design secure and scalable architectures to help meet various compliance programs in the cloud?
A recent webinar from Amazon Web Services (AWS) discusses how organizations can use the secure, scalable, low-cost IT components provided by AWS to architect applications in alignment with these compliance requirements. Read on to learn the key top-level best practices from the webinar for how to use AWS Security Services to meet the unique needs of education and SLG organizations. Then, watch Securing your AWS environment(s): Leveraging native services to dive deeper.
1. Launch a multi-account framework with AWS Control Tower
For organizations that need to establish multiple AWS accounts, customers can deploy a multi-account framework on AWS with AWS Control Tower, which can help provide resource and security isolation for customers’ AWS accounts. AWS Control Tower deploys a landing zone, which is a well-architected, multi-account AWS environment that is designed to be scalable and secure. This landing zone acts as the starting point from which an organization can quickly launch and deploy workloads and applications with confidence in its security and infrastructure environment. The landing zone deployed by AWS Control Tower consists of a management account and a set of member accounts inside of that organization. These can be encompassed by a log archive account, an audit account, and security account, as well as provisioned accounts for applications or shared services or other capabilities. It’s important to note that the organizational unit (OU) structure deployed by AWS Control Tower is represented by things like policies or boundaries. Customers can logically group accounts together in OU.
2. Set up a scalable organization foundation with Landing Zone Accelerator
Customers can deploy AWS security best practices by default using the Landing Zone Accelerator (LZA), an open-source project developed by AWS and available on GitHub. LZA extends the functionality of AWS Control Tower by adding additional orchestration of networking and security services within AWS. Customers can also deploy LZA independently of AWS Control Tower to support regions and partitions that are currently not yet supported by AWS Control Tower.
3. Design and maintain guardrails with service control policies
Service control policies (SCPs) help customers place preventative guardrails inside their AWS Organizations to enforce policies that may be dictated by compliance or other factors. In a popular example for SLG customers, an agency may be required to operate only within the United States. In this case, customers can apply an SCP to deny access to or from regions for an account, so the agency can make sure to use only authorized regions. Even the root principal user inside of that account cannot override actions deployed at the organizational level with an SCP. In general, customers should use SCPs for situations that are security binaries—instances of strict either/or categories. For example, customers can create and deploy an SCP that prevents users or roles in any affected account from changing the configuration of Amazon Elastic Compute Cloud (Amazon EC2) virtual private clouds (VPCs) to grant them direct access to the internet.
4. Manage access privileges with identity federation—not local IAM users
An AWS Identity and Access Management (IAM) user is a user with a name and password credentials. As a security best practice, AWS recommends that customers avoid creating local IAM users. The reason for this is IAM users are considered long-term static credentials which can pose a security risk. If an unauthorized user compromises IAM user credentials, they can use those for as long as they remain valid, until the unauthorized use is detected and access is revoked.
Instead, customers can establish identity federation, in which an identify provider can automatically grant or revoke access to resources based on a user’s group membership. Many SLG and education customers already use some form of centralized identity provider, like Okta. This can allow customers to provide SAML-based access to their AWS environments. AWS IAM Identity Center (successor to AWS Single Sign-On) also lets customers link a federated identity source like Azure AD into a service that provides just-in-time, IAM-role-based, timebound access to important AWS resources.
AWS IAM Access Analyzer can help reduce the risk of accidental public exposure by making sure that resources and principals can’t do more than they’re supposed to do. In SLG, this is often discussed in the context of Zero Trust. IAM Access Analyzer helps identify resources in organizations and accounts that are shared externally, validates IAM policies against best practices, and can generate more appropriate IAM policies based on access activity in AWS CloudTrail logs.
5. Develop a strategy to identify and solve for sensitive data storage requirements
As an operational best practice, SLG and education entities may create a strategy to identify what, where, and how sensitive data is stored, such as personally identifiable information (PII). Customers can use Amazon Macie, a data security service that uses machine learning (ML) and pattern matching to discover and help protect sensitive data. For example, Macie can help identify sensitive data stored in an Amazon S3 location that isn’t authorized to store PII. In this way, Macie can provide visibility into data security risks, enable automatic protection against those risks, and help customers in maintaining their data storage compliance programs.
6. Monitor and audit for compliant configurations
AWS offers multiple services that support customers in monitoring and enforcing compliance in their AWS environments. AWS Config continuously monitors and records an AWS environment’s resource configurations and relationships, and evaluates these against the desired configurations. Customers can incorporate event-driven functions with AWS Lambda or AWS Systems Manager to facilitate immediate alerts to relevant teams, or even automatically attempt to remediate resources that deviate from the desired configuration. Plus, AWS Config rules can now support proactive compliance.
AWS Security Hub provides a comprehensive view of the security state of an AWS environment. It can also verify the environment against security industry standards and best practices from, for example, the Center for Internet Security (CIS) and the Payment Card Industry (PCI) Security Standards Council. Security Hub can help identify the highest priority events that may need remediation, can aggregate alerts across all AWS accounts within multiple regions, and can automatically attempt remediation on those findings.
Customers using infrastructure as code (IaC) can use open source tools like Cfn-lint, which help detect common errors within AWS CloudFormation templates. Similarly, Cloudformation-Guard is an open source policy-as-code tool that can enforce compliance policies for IaC deployments. For example, a customer can set up Cloudformation-Guard to detect in their CloudFormation templates that Amazon Simple Storage Service (Amazon S3) server-side encryption isn’t enabled by default, before deploying the code into production.
For customers that must meet different compliance standards, AWS Audit Manager helps continuously audit AWS usage to make sure it maps to established or customizable compliance requirements. AWS Audit Manager can generate reports that provide evidence of compliance to internal and external auditors.
7. Create a detection and alert strategy for effective remediation
Once a robust monitoring framework is in place, it’s important to create an effective alerting system to elevate issues through the appropriate remediation channel. Managed services like Amazon GuardDuty and Amazon Inspector can help improve an environment’s security posture with threat detection and automated vulnerability management capabilities, respectively—but they can also facilitate sending immediate alerts for identified events through a ticketing system, messaging channel, email address monitored by an organization’s security team, and more. Different alerts can send to multiple locations based on use case.
Note that to optimize security monitoring operations for your AWS environment, it may be important to reduce the noise. The reality of security tooling is that they can generate false positives, so tune services like GuardDuty to suppress findings that aren’t relevant to you.
Learn more about data security and governance for education and SLG
These best practices for data security and governance can help SLG and education customers leverage native AWS Security Services to organize security operations, create scalable design while providing autonomy, gain security visibility with minimal overhead, and support operating in a compliant environment.
To watch the recorded version of the steps that we talked about in this blog post, see the on-demand webinar Securing your AWS Environment. To learn more about AWS Security Services that we discussed in this blog, visit AWS Security, Identity, & Compliance services.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact the AWS Public Sector team..
Read related posts on the AWS Public Sector Blog:
- Security, stability, and speed: Strategy essentials for your mission
- How governments can transform services securely in the cloud
- How to create a cybersecurity analytics platform with AWS analytics and machine learning
- Cloud security design considerations for state and local government
Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.
Please take a few minutes to share insights regarding your experience with the AWS Public Sector Blog in this survey, and we’ll use feedback from the survey to create more content aligned with the preferences of our readers.