AWS Startups Blog

A Users Guide to Cloud Security for Startups

Guest post by Stephen Coty of Alert Logic

Stephen Coty is the Chief Security Evangelist at Alert Logic in Houston TX and a member of ISSA, Infragard and the HTCIA.

Many years ago I started a security and development business with big dreams and little capital. When I began to build out the necessary infrastructure and development platforms, I quickly realized the cost of doing business. This was in the early 2000s, when cloud infrastructure was not available: If you built it, you paid for it. On top of wearing HR, operations, finance, sales, and marketing hats, I was now building and maintaining the infrastructure my teams needed for their work.

As a startup building in the cloud, you likely have your own list of essential business tasks. With its self-service installations and variety of services, the cloud today makes a lot of those responsibilities easier. Even so, security can often be an afterthought. However, it’s important to remember that the cloud is an extension of your business network, whether you know it exists or not. A breach in security not only endangers your internal network, but can also put customers’ data in jeopardy.

Public Cloud Security Threats

Although the public cloud comes with great financial benefits, like any other infrastructure, it also has its share of threats. Over the years, we’ve seen a rise in both attack frequency and diversity of malicious software used. With increases in cloud incidents related to vulnerability scanning, web applications, and brute force attacks, it is crucial for you to understand the types of threats affecting the cloud so you can build a proper security-in-depth strategy to defend your environment from malicious attacks.

Shared Security Model

In the public cloud, a key to being secure is a solid understanding of the shared security model that exists between you (the customer) and a service provider such as AWS. Without this, you may make assumptions that your service provider is protecting you, when you are actually responsible for particular security functions.

For example, your service provider is responsible for 100% of the foundational services, such as compute power, storage, database, and networking services. At the network layer, your service provider is responsible for network segmentation, perimeter services, and some DDoS and spoofing protection.

But you, the end user, are responsible for network threat detection, reporting, and any incident response. At the host layer, you are responsible for access management, patch management, configuration hardening, security monitoring, and log analysis. The application components of your site are 100% your responsibility. See the chart below for a breakdown of responsibilities between you (the customer) and your service provider:

[Chart: breakdown of security responsibilities between the customer and the service provider]

Understanding your role and the role of your cloud provider will not only help you make the best decision concerning your cloud infrastructure, it will also ensure that once implemented, your cybersecurity strategy will efficiently and cost-effectively protect your data from threats to the cloud.

Cloud Security Best Practices

1. Securing Your Code – Securing code is 100% your responsibility. First, make sure that security is part of your software development lifecycle (SDLC). To do that, develop a checklist like the following:

• Verify your code is consistently updated and that any plug-ins have the latest patches.
• Add delays to your code so that you do not fall victim to a botnet.
• Use encryption where possible.
• Test all libraries and third-party dependencies.
• Stay informed of the vulnerabilities that you may have with the different products you are using.
• Finally, scan your code constantly after any changes are made.

2. Create an Access Management Policy – First, determine what all your assets are. Once you have your list, define the roles and responsibilities required for access to those assets. Centralize authentication if possible, and base access on a defined privilege model. AWS offers several options for authentication management.

3. Adopt a Patch Management Approach – Again, consider developing a checklist of important procedures:

• Inventory your assets.
• Determine a plan for standardization if possible.
• Research the vulnerabilities that could affect you. Classify the risk based on vulnerability and likelihood.
• Test patches before you release them, if possible.
• Set up a regular patching schedule and don’t forget to include your third-party products that will require manual updating.

4. Log Management – Logs are now useful for far more than compliance; they have become a powerful security tool. You can use log data to monitor for malicious activity and for forensic investigation. The trick to making logs an effective security tool is the 24×7 monitoring it takes to find anomalous behavior.

One groundbreaking offering in this area is AWS CloudTrail. With CloudTrail, you or your security provider can monitor access to your cloud instance from the Amazon management environment. Everyone tends to focus on monitoring and protecting their environments from the Internet; they seldom think to monitor activity from the back end. That’s where CloudTrail is innovative and provides customers with a level of transparency in managing interactions with the AWS API.
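The monitoring described above has to be automated to be useful at 24×7 scale. The following is an added example, not code from the post, from Alert Logic, or from AWS: a small detection pass over CloudTrail records that flags back-end API activity a security team would want to review (root account use, console logins without MFA, repeated failed logins from one address, privilege-granting IAM calls, and attempts to disable the trail itself). The field names (eventName, eventSource, userIdentity, sourceIPAddress, responseElements.ConsoleLogin, additionalEventData.MFAUsed) are CloudTrail's own; the sample records, the account ID, the rule names, and the failed-login threshold are constructed for the example.

```python
"""Detection pass over CloudTrail records (added example, constructed data).

Reads the JSON document CloudTrail delivers to S3 ({"Records": [...]}) and
returns findings for activity worth a human look. Rules and thresholds here
are illustrative choices, not an AWS or Alert Logic rule set.
"""
import json
from collections import Counter
from dataclasses import dataclass

# CloudTrail API calls that disable or weaken the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
# IAM calls that grant or change privileges.
IAM_CHANGES = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
               "CreateAccessKey", "CreateUser", "AddUserToGroup"}


@dataclass
class Finding:
    rule: str        # which detection fired
    principal: str   # who did it (userName, or identity type for root)
    detail: str      # event name and source IP, or a count for brute force


def parse_records(text):
    """Parse a CloudTrail log file body: a JSON object with a "Records" list."""
    return json.loads(text)["Records"]


def principal(event):
    """Best available name for the caller: IAM userName, else identity type."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def analyze(events, failed_login_threshold=3):
    """Return a list of Findings for the given CloudTrail events (in order)."""
    findings = []
    failed_logins = Counter()  # failed console logins per source IP
    for ev in events:
        name = ev.get("eventName", "")
        source = ev.get("eventSource", "")
        ip = ev.get("sourceIPAddress", "?")
        who = principal(ev)
        detail = f"{name} from {ip}"
        # Root should not be used for day-to-day API calls at all.
        if ev.get("userIdentity", {}).get("type") == "Root":
            findings.append(Finding("root-activity", who, detail))
        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failed_logins[ip] += 1
            elif ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append(Finding("console-login-without-mfa", who, detail))
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(Finding("cloudtrail-tampering", who, detail))
        if source == "iam.amazonaws.com" and name in IAM_CHANGES:
            findings.append(Finding("iam-change", who, detail))
    # Brute-force rule is evaluated once all events have been counted.
    for ip, count in failed_logins.items():
        if count >= failed_login_threshold:
            findings.append(Finding("console-login-bruteforce", ip,
                                    f"{count} failed ConsoleLogin attempts"))
    return findings


def _ev(name, source, ident, ip, **extra):
    """Build a minimal constructed CloudTrail record (only fields we read)."""
    ev = {"eventVersion": "1.08", "eventTime": "2024-01-01T00:00:00Z",
          "eventName": name, "eventSource": source,
          "userIdentity": ident, "sourceIPAddress": ip}
    ev.update(extra)
    return ev


# Constructed sample records; IPs are from documentation ranges and the
# account ID is the AWS documentation placeholder, not a real account.
_SIGNIN = "signin.amazonaws.com"
SAMPLE_EVENTS = [
    _ev("ConsoleLogin", _SIGNIN, {"type": "IAMUser", "userName": "alice"}, "203.0.113.10",
        responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _ev("ConsoleLogin", _SIGNIN, {"type": "IAMUser", "userName": "bob"}, "198.51.100.7",
        responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
] + [
    _ev("ConsoleLogin", _SIGNIN, {"type": "IAMUser", "userName": "admin"}, "192.0.2.50",
        responseElements={"ConsoleLogin": "Failure"}, additionalEventData={"MFAUsed": "No"})
    for _ in range(3)
] + [
    _ev("DescribeInstances", "ec2.amazonaws.com",
        {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}, "203.0.113.99"),
    _ev("AttachUserPolicy", "iam.amazonaws.com",
        {"type": "IAMUser", "userName": "carol"}, "203.0.113.20"),
    _ev("StopLogging", "cloudtrail.amazonaws.com",
        {"type": "IAMUser", "userName": "carol"}, "203.0.113.20"),
    _ev("ListBuckets", "s3.amazonaws.com",
        {"type": "IAMUser", "userName": "alice"}, "203.0.113.10"),
]
SAMPLE_TRAIL_JSON = json.dumps({"Records": SAMPLE_EVENTS})

if __name__ == "__main__":
    for f in analyze(parse_records(SAMPLE_TRAIL_JSON)):
        print(f"{f.rule:28} {f.principal:10} {f.detail}")
```

In practice the records would come from the S3 bucket CloudTrail delivers to (or a CloudWatch Logs subscription), and the findings would feed an alerting channel; the point of the example is that the back-end activity the post describes (who called which API, from where, with or without MFA) is all present in the trail and can be checked mechanically. The brute-force rule is deliberately applied after the loop so that it counts across the whole batch rather than firing on the first failure.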

5. Build a Security Toolkit – You need to treat the cloud as you would a business network. You have to implement a defense-in-depth strategy that covers all your responsibilities in the stack. Implement iptables, web application firewalls, antivirus, intrusion detection, encryption, and log management. Explore your security options and make sure you have the right solution for your business.

6. Stay Informed – You have to stay informed about vulnerabilities that you may have in your environment. The sites listed here follow some of the best researchers in the world. These resources will help you to stay up to date on vulnerabilities, exploits, and attacks that may be spreading:
http://www.securityfocus.com
http://www.exploit-db.com
http://seclists.org/fulldisclosure/
http://www.securitybloggersnetwork.com/
http://www.sans.org/
http://www.nist.gov/

7. Understand your service provider – Finally, get to know the security responsibilities you share with your service provider and which security offerings the provider makes available. Make sure your security strategy is efficiently and effectively implemented through constant testing.

@StephenCoty

Alert Logic, AWS Advanced Technology Partner and provider of Security-as-a-Service solutions for the cloud, integrates advanced security tools with 24×7 monitoring to defend against threats and address compliance.