Cloud computing and software as a service have changed the IT security landscape, but not everyone who spins up...
an environment within AWS is aware of that at first.
That was the message from one cloud consultant who presented at an AWS Meetup in Boston last week, as well as attendees who took in the presentation and have experience securing AWS environments.
One of the most significant recent changes to hit the IT security world, as cloud computing and software as a service (SaaS) become common, is an uptick in activity from regulators such as the Federal Trade Commission (FTC) and the U.S. Securities and Exchange Commission, according to Gaurav Pal, cloud broker platforms architect and secure DevOps strategist at stackArmor Inc., a cloud consulting firm and AWS partner in Potomac, Md.
Just last year, the FTC won a case against Wyndham Worldwide Corp., which established its jurisdiction for the first time in data security matters. In January 2016, the FTC extracted a $250,000 settlement from Henry Schein Inc., a dental practice software provider based in Melville, N.Y., which the FTC charged with falsely advertising the level of encryption it used to protect patient data.
The regulatory framework is starting to catch up with cloud computing, and now, "lack of security has a cost," Pal said in his presentation.
Meanwhile, the Web, as well as SaaS products, have changed what it means to secure an IT environment, as cloud users -- particularly startup SaaS companies -- tend to be strong on the "Dev" part of DevOps, and relatively weak on "Ops."
Top AWS security concerns to address
Avoiding AWS security mistakes is only half the battle. Read on to find out what our experts say about how to secure your AWS environment, including:
- Lock down APIs
- Applying the principle of least privilege
- Tools to use
Check out our feature on ways to secure AWS environments from the ground up.
"Ten years ago, apps shipped on a CD -- now, the SaaS model requires vendors to do Ops," Pal said.
Computer science education programs don't have a strong focus on security and operations the way they do on pure programming, according to audience member Jason Dunkerley, director of IT for RBM Technologies Inc., a retail merchandising SaaS provider in Boston, who spoke with SearchAWS in a separate interview after the Meetup.
Given that the cloud and SaaS industries are still in their infancy, there is no central professional society for software engineers, such as the National Society of Professional Engineers, which vet civil, electrical and mechanical engineers, Dunkerley pointed out. However, in the cloud era, developers can create a product quickly and have the ability to serve thousands of people at once without making a huge upfront investment.
"That's exciting, but it's also really dangerous," Dunkerley said. "You may focus so hard on improving the product and iterating so that your product does what your clients are asking for ... that you don't focus on the operations side of it that protects you."
Common AWS security mistakes to avoid
In the Wild West era of cloud computing, the combination of heady business process and lack of operational experience meant that companies could wind up in situations like the ones Pal gave as cautionary examples in his presentation. One data warehousing company he described brought in a consultant when its cloud network egress bill ran in excess of $2,000 a day.
A financial analysis quickly became a security operations analysis when it was discovered the charges were related to a foreign entity that was siphoning the company's data out of its back-end databases on a daily basis.
"Technology is changing, and the implications for security are not clear to us," Pal said.
Compounding this issue is the fact that the AWS platform offers a huge range of choices for deploying resources in the cloud, which is great for flexibility, but might allow novice users more rope with which to hang themselves when it comes to securing the environment, Dunkerley said.
"You don't get a lot of hand-holding around, 'You shouldn't be doing this,'" Dunkerley said.
While it's all too easy, however, the last thing a new AWS user should do is ignore Amazon recommendations to secure the environment with Virtual Private Clouds (VPCs), Identity and Access Management (IAM) roles, and IAM identities.
"If you start out doing it the way they recommend, you're light-years ahead," Dunkerley said. "If you don't start out in that direction ... it gets really hard to take what you've done and then put it into the way that they do things."
Follow AWS best practices
That's when users start needing experts to get involved to help them merge their way of doing things into the way Amazon has their security set up, Dunkerley said.
For example, if a user doesn't take the time to really understand security, and how a server needs to be configured and locked down to only allow certain things in, he might open something to the world temporarily, but then move on without fixing it, Dunkerley said.
Users need to find out which port is needed, specify from where and to where the data interchange must happen, and then narrow it do so that only certain ports across certain VPCs talk to each other according to AWS best practices, Dunkerley said. If they don't, leaving instances and services open to the world can roll out the welcome mat for hackers.
A lack of a strong security operations plan also tops the list of common mistakes Pal sees users make when setting up an AWS environment. This requires a well-thought-out set of procedures for patching, updating software and monitoring critical vulnerabilities.
Set up firewalls and manage access
"The other area where people should focus a little bit more attention is Web Application Firewalls for boundary protection," Pal said. "There are solutions even around using [virtual private networks] VPNs to access the environment for privileged users and then general firewalls."
It may be a best practice, Pal said, but VPNs can be cumbersome to install and maintain, and sometimes don't get used.
"You'd be amazed to see how many SaaS companies, especially the smaller ones, don't use VPNs when privileged users are accessing their cloud environments," Pal said.
Other common security gaps include creating unnecessary access and secret keys for Identity and Access Management users; Pal said console users don't need keys. Instead, users should provision IAM roles that allow for temporary credentials when accessing instances.
IAM roles that allow for separation of duties should also be provisioned, Pal said. All too often, there's a lack of restrictions on access to production instances, which allows any user to perform actions on them.
New Lambda, RDS features beef up AWS security
Access management keeps AWS cloud safe
Thwart attacks on AWS infrastructure