Implementing AWS security best practices

AWS has improved its security features and offers a slew of resources for hardening its cloud. But admins still play a part in preventing breaches.

Amazon Web Services has continued to improve its cloud security features, but that doesn't mean enterprises are absolved of responsibility. No matter the level of AWS security, each enterprise still has to do its share, and that can involve some serious work.

Security consultants and experts agree that most enterprises need to change the way they think about cloud security and take concrete steps toward change, including education, architecture design, monitoring and implementing security technologies.

"The hardest exercise is in just shifting your mindset in how you think about security," advised Ernest Mueller, consultant and founder of The Agile Admin blog. "As a security person you don't just want to say 'no' all the time, nor do you want to approach everything assuming it's not secure. There has to be a better balance."

And finding that balance starts with education.

Hit the (online) books

A good place to begin is with Amazon Web Services (AWS). In its online AWS Security Center and security whitepaper, the company gives a good overview of AWS' native security capabilities. Beyond AWS, publications from the European Union Agency for Network and Information Security, a cloud security guide for SMEs and information from the Cloud Security Alliance may be helpful.

You can't be overeducated when it comes to cloud security. The pace of change and development at Amazon is so swift it's easy to lose track of the latest and greatest, noted Rich Morrow, an independent consultant and trainer who specializes in AWS. "Schedule one person to spend half a day a week just catching up on what is happening," Morrow said. "You can't be secure if you're not staying abreast of new developments."

Ask the right questions

Get educated, but also get real, advises Demetrios "Laz" Lazarikos, founder of BLUELAVA Consulting, LLC. Because enterprises can be so fragmented and it's so simple to get started in the cloud, many enterprises "overshare" data in the cloud without thinking about it, he said.

"Before we can even ask what happens when you move your data in to the cloud you have to ask why you need to put that information up there," Lazarikos added. Part of making security a priority is for everyone involved to understand the business drivers. "Do we want to put financials in the cloud? Is that the best way to go? These are simple questions most companies aren't asking."

Design with cloud security in mind

Once everyone is on the same page, it's all about the architecture. Security needs to be built in right from the beginning, which works well with the Agile/DevOps movement.

"Using best practices, you can do software development in a virtual sense, and if you don't like any part of it, including the security, you can delete it and start over," said Ed Ferrara, principal analyst serving security and risk professionals at Forrester Research.

Enterprises can develop a proof-of-concept right in AWS, then create a working prototype and adjust it as necessary because all the tools are there.

Pay close attention

Don't overlook the small things. A surprising number of enterprises neglect logging or don't tie that logging data into their systems. Without good logs and alerts, a company could have a security breach and not even know it.

Ensure that the AWS CloudTrail service is activated, as it records every API call made against the account and lets you aggregate that data for review and alerting. More granular third-party tools might also make sense for your company.
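The CloudTrail check above is easy to automate. The following is an added example (not code from the article or from AWS) that evaluates the output of the real CloudTrail API calls `describe_trails` and `get_trail_status` and flags trails that are stopped, single-region, lack log file validation, or have no S3 bucket configured. The sample trail data is constructed; `fetch_live` is an assumed helper that pulls the same shapes with boto3 when run against a real account.

```python
"""Audit CloudTrail configuration: is at least one multi-region trail
actively logging with log file validation enabled?

Added example, not from the article. The response shapes (describe_trails
returns "trailList"; get_trail_status returns "IsLogging") are those of the
real CloudTrail API; SAMPLE_TRAILS / SAMPLE_STATUS below are constructed.
"""
from typing import Dict, List

# Constructed sample: one healthy organisation trail, one neglected legacy trail.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True,
     "S3BucketName": "example-cloudtrail-logs", "HomeRegion": "us-east-1"},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False,
     "S3BucketName": "example-old-logs", "HomeRegion": "eu-west-1"},
]
SAMPLE_STATUS = {
    "org-trail": {"IsLogging": True},
    "legacy-trail": {"IsLogging": False},
}


def evaluate_trails(trails: List[dict], statuses: Dict[str, dict]) -> dict:
    """Return compliant trail names, per-trail problems, and whether the
    account has at least one trail that meets all checks."""
    compliant, issues = [], []
    for trail in trails:
        name = trail.get("Name", "<unnamed>")
        status = statuses.get(name, {})
        problems = []
        if not status.get("IsLogging", False):
            problems.append("logging is stopped")
        if not trail.get("IsMultiRegionTrail", False):
            problems.append("trail covers a single region only")
        if not trail.get("LogFileValidationEnabled", False):
            problems.append("log file validation (digest files) disabled")
        if not trail.get("S3BucketName"):
            problems.append("no S3 bucket configured for log delivery")
        if problems:
            issues.append((name, problems))
        else:
            compliant.append(name)
    return {
        "compliant": compliant,
        "issues": issues,
        "account_covered": bool(compliant),
    }


def fetch_live(region: str = "us-east-1"):
    """Assumed helper: fetch the same data from a real account with boto3.
    Imported lazily so the module runs offline without boto3 installed."""
    import boto3
    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    statuses = {t["Name"]: ct.get_trail_status(Name=t["TrailARN"])
                for t in trails}
    return trails, statuses


if __name__ == "__main__":
    report = evaluate_trails(SAMPLE_TRAILS, SAMPLE_STATUS)
    print("account covered:", report["account_covered"])
    for name, problems in report["issues"]:
        print(f"{name}: " + "; ".join(problems))
```

Run as-is it reports on the constructed sample; replace the two sample objects with the result of `fetch_live()` to audit a real account. Treat `account_covered == False` as a finding in its own right: with no trail logging, the breach-without-knowing-it scenario described above is exactly what you are exposed to.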

Manage access

Tracking the data is one thing, but managing who has the so-called nuclear launch keys can be tricky. A breach of the control panel at Code Spaces forced the company out of business last year, as all the data simply vanished.

One answer could be to create a redundant system, which is easy to do in AWS. And be sure that no single person can access both accounts. Another method is to use two-factor authentication for logins or create different security tokens based on user roles.
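Two of the controls just described, two-factor authentication for logins and role-scoped credentials, can be expressed and audited in IAM. The following is an added example, not code from the article or from AWS: an IAM policy document that denies every action except MFA enrolment when the request was not authenticated with MFA, plus an audit that lists IAM users who can sign in to the console but have no MFA device. The condition key `aws:MultiFactorAuthPresent` and the `list_users` / `list_mfa_devices` / `get_login_profile` response shapes are real IAM features; the sample users and account ID are constructed, and `fetch_live` is an assumed helper.

```python
"""Require MFA by policy and audit console users without an MFA device.

Added example, not from the article. REQUIRE_MFA_POLICY uses the real IAM
condition key aws:MultiFactorAuthPresent; SAMPLE_* data is constructed.
"""
import json
from typing import Dict, List

# Deny everything except the calls needed to enrol and use an MFA device
# whenever the request was not made with MFA. BoolIfExists treats a request
# that carries no MFA context at all (e.g. plain long-term access keys) as
# "false", so the deny applies to those requests too.
REQUIRE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllWithoutMFA",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
            "iam:ListMFADevices", "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice", "sts:GetSessionToken",
        ],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# Constructed sample: alice has MFA, bob has console access without MFA,
# deploy-bot is an API-only identity with no console login profile.
SAMPLE_USERS = [{"UserName": "alice"}, {"UserName": "bob"},
                {"UserName": "deploy-bot"}]
SAMPLE_MFA = {
    "alice": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}],
    "bob": [],
    "deploy-bot": [],
}
SAMPLE_LOGIN = {"alice": True, "bob": True, "deploy-bot": False}


def policy_denies_without_mfa(policy: dict) -> bool:
    """True if the policy carries a Deny conditioned on MFA being absent."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        for op in ("Bool", "BoolIfExists"):
            if cond.get(op, {}).get("aws:MultiFactorAuthPresent") == "false":
                return True
    return False


def users_without_mfa(users: List[dict], mfa_devices: Dict[str, list],
                      has_login_profile: Dict[str, bool]) -> List[str]:
    """Console-enabled users with no MFA device, sorted by name.
    users: list_users()["Users"]; mfa_devices: user -> list_mfa_devices()
    ["MFADevices"]; has_login_profile: user -> get_login_profile succeeded."""
    return sorted(u["UserName"] for u in users
                  if has_login_profile.get(u["UserName"], False)
                  and not mfa_devices.get(u["UserName"]))


def fetch_live():
    """Assumed helper: gather the same data from a real account with boto3
    (list_users is paginated; a full audit should walk every page)."""
    import boto3
    iam = boto3.client("iam")
    users = iam.list_users()["Users"]
    mfa = {u["UserName"]: iam.list_mfa_devices(UserName=u["UserName"])["MFADevices"]
           for u in users}
    login = {}
    for u in users:
        try:
            iam.get_login_profile(UserName=u["UserName"])
            login[u["UserName"]] = True
        except iam.exceptions.NoSuchEntityException:
            login[u["UserName"]] = False
    return users, mfa, login


if __name__ == "__main__":
    print(json.dumps(REQUIRE_MFA_POLICY, indent=2))
    print("console users without MFA:",
          users_without_mfa(SAMPLE_USERS, SAMPLE_MFA, SAMPLE_LOGIN))
```

Attach the policy to the group that holds human users, not to service identities, and keep a separate break-glass path that is itself MFA-protected. Note that the audit only covers IAM users; role assumption can be made MFA-dependent with the same condition key in the role's trust policy.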

Many times, companies don't want to take the trouble to do this or are unaware that options like cloud access security brokers or Security as a Service providers exist.

Know who to call

Even if you've deployed the most cutting-edge technology, many companies still miss one important step in the security process -- tabletop exercises. These drills involve practicing what happens if there is a breach. Companies need to know their legal procedures in the event of a breach. They also should know who to contact at AWS and have a policy in place detailing the steps to take if a breach does occur.
