AWS Public Sector Blog
Security best practices that accelerate nonprofit mission impact
Nonprofit organizations face unique security challenges because of their resource constraints and their prioritization of mission-focused initiatives. Strong security can appear to slow innovation, which makes it hard for organizations to justify investing in it. In this blog post, we discuss Amazon Web Services (AWS) security best practices that accelerate mission impact, and we show how upfront security investments both improve security and save time on repetitive processes in the long run.
Nonprofit security challenges
The cloud security landscape presents special challenges to nonprofits. Nonprofit technical teams are often lean and mission-focused, with little spare time to devote to security. Many of these teams see new security processes as a trade-off against the speed of innovation. Additionally, nonprofits often run unique workloads that "one-size-fits-all" security solutions may not fully cover.
Nonprofits need strong security because they handle sensitive information, such as donor, health, and research data, that could significantly affect operations and reputation if compromised. Balancing strong security against the need to continuously advance the organization's mission is challenging for many nonprofits. The following sections cover three security best practices that deliver both speed and security: automating security processes, centralizing security logging and tooling, and leveraging AI-assisted DevOps processes.
Automating security processes
Automating security processes allows nonprofit technical teams to protect sensitive donor and beneficiary data efficiently by detecting and responding to threats quickly. This minimizes the risk of breaches while freeing the team's time for the core mission. Security automation replaces manual work with automated processes for detecting and responding to security incidents, spanning areas such as vulnerability management and threat intelligence.
For example, in vulnerability management, nonprofit technical teams can automatically scan newly uploaded objects in selected Amazon S3 buckets for malware by enabling GuardDuty Malware Protection for S3 in Amazon GuardDuty. GuardDuty scans each new object and can optionally tag the object with the scan status (for example, no threats found or threats found). GuardDuty also publishes each scan result to Amazon EventBridge, so an EventBridge rule can match results where threats were found and invoke an AWS Lambda function. This Lambda function runs custom code that can automatically delete the malicious file or move it to a separate quarantine S3 bucket for further analysis by a security team. One caveat: the scan runs after the upload completes, so an object is briefly readable before its result is known. Downstream consumers should not process an object until its scan result arrives, and a bucket policy that denies reads of objects not yet tagged as clean closes that window.
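The quarantine step described above, written out as an added example (this is not code from the AWS blog post or from GuardDuty): a Node.js Lambda handler that consumes the EventBridge scan-result event and moves an infected object into a quarantine bucket. The event field names (`detail.scanResultDetails.scanResultStatus`, `detail.s3ObjectDetails.bucketName` and so on) follow the published GuardDuty scan-result event as best recalled and should be checked against the current GuardDuty documentation; the bucket names, the sample event, and the `s3` client interface (any object whose `copyObject`/`deleteObject` return promises, such as a thin wrapper around `@aws-sdk/client-s3`) are assumptions made for this example.

```javascript
// Added example, not from the blog post: GuardDuty Malware Protection for S3
// scan result -> quarantine, as a Node.js Lambda handler.
//
// Assumptions (not facts from the page):
//  - Event shape follows the "GuardDuty Malware Protection Object Scan Result"
//    EventBridge event as best recalled; verify against the GuardDuty docs.
//  - QUARANTINE_BUCKET and the sample events below are constructed for the example.
//  - `s3` is any object with copyObject()/deleteObject() returning promises
//    (in production, a thin wrapper around @aws-sdk/client-s3).

const QUARANTINE_BUCKET = "npo-malware-quarantine"; // assumed bucket name

// Only THREATS_FOUND triggers quarantine. UNSUPPORTED / ACCESS_DENIED / FAILED
// are routed to a human rather than silently treated as clean.
const CLEAN = "NO_THREATS_FOUND";
const INFECTED = "THREATS_FOUND";

// Pure planning step: decide the action and build the exact S3 call parameters.
// Keeping this free of I/O makes it testable without AWS credentials.
function planResponse(event, quarantineBucket = QUARANTINE_BUCKET) {
  const detail = (event && event.detail) || {};
  const obj = detail.s3ObjectDetails || {};
  const status = detail.scanResultDetails && detail.scanResultDetails.scanResultStatus;

  if (!obj.bucketName || !obj.objectKey) {
    return { action: "ignore", reason: "event lacks bucket/key" };
  }
  if (status === CLEAN) return { action: "allow", object: `${obj.bucketName}/${obj.objectKey}` };
  if (status !== INFECTED) return { action: "review", reason: `scan status ${status}` };

  // Keep the original bucket/key as the quarantine key so analysts can trace the source.
  const quarantineKey = `${obj.bucketName}/${obj.objectKey}`;
  // CopySource must be URL-encoded. Pinning the version guarantees we copy the exact
  // bytes GuardDuty scanned, even if the key was overwritten after the scan.
  let copySource = encodeURIComponent(`${obj.bucketName}/${obj.objectKey}`);
  if (obj.versionId) copySource += `?versionId=${encodeURIComponent(obj.versionId)}`;

  return {
    action: "quarantine",
    copy: { Bucket: quarantineBucket, Key: quarantineKey, CopySource: copySource },
    // On a versioned bucket a delete without VersionId only adds a delete marker and
    // leaves the malicious version readable, so pass the version when we have it.
    remove: {
      Bucket: obj.bucketName,
      Key: obj.objectKey,
      ...(obj.versionId ? { VersionId: obj.versionId } : {}),
    },
  };
}

// I/O step: copy first, delete only after the copy succeeded, so a failure never loses evidence.
async function executePlan(plan, s3) {
  if (plan.action !== "quarantine") return plan;
  await s3.copyObject(plan.copy);
  await s3.deleteObject(plan.remove);
  return { ...plan, destination: `${plan.copy.Bucket}/${plan.copy.Key}` };
}

// Lambda entry point; in production `s3` is the SDK-backed client.
async function handler(event, s3) {
  return executePlan(planResponse(event), s3);
}

// Constructed sample events (not real GuardDuty records).
const SAMPLE_THREAT_EVENT = {
  "detail-type": "GuardDuty Malware Protection Object Scan Result",
  source: "aws.guardduty",
  detail: {
    scanStatus: "COMPLETED",
    resourceType: "S3_OBJECT",
    s3ObjectDetails: { bucketName: "donor-uploads", objectKey: "forms/2024/pledge form.pdf", versionId: "v2" },
    scanResultDetails: { scanResultStatus: INFECTED, threats: [{ name: "EICAR-Test-File" }] },
  },
};
const SAMPLE_CLEAN_EVENT = {
  ...SAMPLE_THREAT_EVENT,
  detail: { ...SAMPLE_THREAT_EVENT.detail, scanResultDetails: { scanResultStatus: CLEAN, threats: [] } },
};
```

The quarantine bucket should have a policy that lets only the Lambda role write and only the security team read, and the Lambda role needs `s3:GetObjectVersion` and `s3:DeleteObjectVersion` on the source bucket in addition to `s3:PutObject` on the quarantine bucket; otherwise the version-pinned copy and delete above fail.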
Automation enhances security and saves valuable time and resources for mission-critical tasks. It removes routine, repetitive work and lets the development team focus on other priorities.
Centralizing security logging and tooling
Centralized security logging and tooling gives organizations a comprehensive view of their digital landscape, enabling faster threat detection, improved incident response, and better compliance with security regulations. The visibility that centralized security log data provides can also improve the reliability and performance, not just the security, of an organization's system infrastructure. When something goes wrong, logs are the lifeline for quickly pinpointing and resolving the problem.
Nonprofits can use AWS Organizations to create a multi-account structure on AWS. This structure allows you to consolidate your AWS bill, establish governance, and designate a delegated administrator account that manages security services across the organization and centrally receives their logs and findings. The delegated administrator can manage centralized logs such as Amazon CloudWatch Logs log groups. Log sources such as AWS CloudTrail logs, Amazon S3 server access logs, and Amazon Virtual Private Cloud (Amazon VPC) flow logs can be delivered to a central account and analyzed automatically to detect unusual activity. Keeping that central log store in an account that workload accounts can write to but not read from or modify protects the logs from an attacker who compromises a workload account.
Amazon GuardDuty uses threat intelligence, machine learning, and anomaly detection techniques to continuously monitor for malicious or unauthorized activity. It consumes its foundational data sources (CloudTrail management events, VPC flow logs, and DNS logs) directly, so you do not need to enable or deliver those logs yourself for GuardDuty to analyze them. The GuardDuty console provides insight into the real-time health of your AWS accounts and workloads. GuardDuty integrates with AWS Security Hub, a cloud security posture management service that checks adherence to best practices, aggregates alerts, and enables automated remediation. GuardDuty, AWS Config, Amazon Inspector, and other AWS security services send their findings to Security Hub, which makes it the single pane of glass for security findings in AWS. Security Hub can be further integrated with security information and event management (SIEM) solutions to extend monitoring and alerting capabilities.
For organizations seeking more robust logging, Amazon Security Lake automatically centralizes security data from AWS environments, SaaS providers, and on-premises and cloud sources into a purpose-built data lake stored in your AWS account, normalized to the Open Cybersecurity Schema Framework (OCSF) so that data from different sources can be queried together. Security Lake gives organizations a more complete understanding of their security data. It acts as a single source of truth for security tooling and logging, allowing security teams to identify a root cause and respond faster. This ultimately takes less time away from work that advances an organization's mission.
Leveraging AI-assisted DevOps processes
As modern DevOps processes mature, many organizations are finding that they gain benefits by "shifting left," or moving security processes from the end of the development lifecycle ("right") toward the beginning ("left"). This "shift left" approach enables earlier vulnerability detection, reduces costs, and improves alignment between development, operations, and security teams. One way to do this is to leverage AI in the DevOps process.
Amazon Q Developer, a generative AI-powered conversational assistant that helps you understand, build, extend, and operate AWS applications, can also perform security-related tasks on your application code. Q Developer can scan code within your IDE to identify common security vulnerabilities and help you mitigate them much earlier in the development lifecycle. In addition, it can generate unit tests and documentation tailored to your existing code. With Q Developer handling these tedious tasks, your development teams can spend more time building technology that directly impacts your organization's mission.
The Amazon Q Detector Library documents the supported languages and the types of security vulnerabilities that Q Developer code reviews can address. For example, suppose your organization has a JavaScript application that contains a vulnerability allowing URL redirection to untrusted sites (an open redirect). The Detector Library provides compliant and noncompliant code examples for this vulnerability. In practice, a Q Developer code review can detect it in your JavaScript application, explain it as described in the Detector Library, and supply a compliant code snippet to replace the existing code. Treat that suggested replacement like any other code change: review it and run your tests before merging, because a generated fix can be incomplete.
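To make the open-redirect case concrete, here is an added example (not code from the blog post or from the Amazon Q Detector Library) showing the noncompliant pattern in an Express-style login handler beside a hardened version. Express is not imported; `req` and `res` are duck-typed with the usual `req.query` and `res.redirect` shapes so the code runs stand-alone. The origin, the partner hostname, and the landing path are assumptions made for the example.

```javascript
// Added example, not from the blog post: "URL redirection to untrusted site" in a
// Node.js/Express-style handler, noncompliant and then hardened.
// Assumed values for the example:
const SITE_ORIGIN = "https://app.example.org";                  // our own origin
const ALLOWED_EXTERNAL_HOSTS = new Set(["donate.example.org"]); // explicitly trusted partner
const DEFAULT_LANDING = "/dashboard";

// Noncompliant: after login, redirect wherever the request says.
// A phishing link such as https://app.example.org/login?next=https://evil.example
// carries the trusted domain but lands the user on the attacker's site.
function vulnerableAfterLogin(req, res) {
  res.redirect(req.query.next || DEFAULT_LANDING);
}

// Resolve the requested target to something safe: a same-origin relative path,
// an https URL on an allowlisted host, or the default landing page.
function resolveRedirectTarget(raw, siteOrigin = SITE_ORIGIN, allowedHosts = ALLOWED_EXTERNAL_HOSTS) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return DEFAULT_LANDING;

  let url;
  try {
    // Parsing relative to our origin applies the same rules the browser will, so
    // "//evil.example", "/\\evil.example" and "https://app.example.org@evil.example"
    // all resolve to their real (foreign) host instead of slipping past a prefix check.
    url = new URL(raw, siteOrigin);
  } catch {
    return DEFAULT_LANDING;
  }

  const self = new URL(siteOrigin).origin;
  if (url.origin === self) {
    // Re-emit as a relative path so no scheme or host from the input survives.
    return url.pathname + url.search + url.hash;
  }
  if (url.protocol === "https:" && allowedHosts.has(url.hostname)) {
    return url.href;
  }
  // javascript:, data:, plain http://, lookalike hosts, garbage: fall back.
  return DEFAULT_LANDING;
}

// Compliant: every redirect passes through the resolver.
function hardenedAfterLogin(req, res) {
  res.redirect(resolveRedirectTarget(req.query.next));
}
```

The resolver deliberately avoids string checks such as `startsWith("/")` or `includes("app.example.org")`: the first is defeated by `//evil.example`, the second by `https://app.example.org.evil.example`, and both are the kind of fix that looks compliant on a quick read. Parsing with `URL` against the site's own origin and then comparing `origin` and `hostname` is what the browser will do with the `Location` header, so the check and the behaviour agree.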
By shifting your security tooling left and using AI-powered tools like Q Developer, your organization can identify vulnerabilities like the untrusted redirect earlier in the development lifecycle. Without that, the vulnerability might be caught only in the build or test stages, requiring your developers to go back, resolve it, and push new code changes. In the worst case, it could slip through build and test and reach production. Shifting left improves security and reduces the time your teams spend fixing security vulnerabilities.
Conclusion
The security best practices discussed in this blog post help nonprofits accelerate mission impact by addressing unique security challenges. By automating security processes, centralizing security logging and tooling, and leveraging AI-assisted DevOps, nonprofits can strike a balance between the need for strong security and the imperative to continuously drive mission impact.
To learn more about strengthening your organization’s cloud security, visit AWS for Nonprofits to connect with your AWS account team.