Managing security controls in the cloud is different from managing them on-premises. When you use the AWS Marketplace for applications, you get some of both worlds.
The AWS Marketplace is an Amazon Web Services (AWS) platform that provides software vendors with a venue for offering their products in the AWS cloud. Offerings include software for data analysis, security, business intelligence and monitoring, as well as collaboration and development tools. Much like AWS services, most of these software offerings charge by usage.
This provides a distinct advantage over the old licensing fee models. With licensing fees there is usually a hefty upfront cost that forces users to analyze various licensing options, such as licensing per CPU or per concurrent user. Perhaps the most significant advantage of the AWS Marketplace is the ability to deploy software immediately.
In spite of the rapid software deployment abilities of the platform, it is important to remember that configuring product security will take time. Most importantly, you must consider how you will authenticate users and define authorizations. Authentication is the process of verifying a user's identity, and depending on the application, there are multiple ways to do this.
Application-specific login is one option. With this, administrators create unique accounts for each individual user. This is essentially a "starting from scratch" approach. It is clean and unencumbered, but potentially a great deal of work, both to set up and to maintain, and it creates one more place where accounts must be disabled when someone leaves.
Another authentication method is integration with your on-premises directory. In this case, you may have to set up the cloud server to use your on-premises Active Directory. With this option, there may be additional security issues to take into consideration with regard to your network. For example, a virtual private network between your premises and the AWS cloud will present further security challenges: directory traffic (LDAP, Kerberos) must cross that link only in encrypted form, and only the instances that actually need the directory should be able to reach your domain controllers.
If your purchased software allows for it, AWS' own identity service, AWS Identity and Access Management (IAM), may be the path of least resistance; there are third-party authentication services available, as well. Keep in mind that IAM governs access to AWS resources and APIs, so it suits a product that runs on the AWS APIs; for sign-in by an application's own end users, a federated identity provider or Amazon Cognito is the more usual fit. When using an authentication service, an administrator will still have to configure user roles and groups to organize identities and sets of authorizations.
The second security factor, authorization, determines how administrators specify individual user privileges within an application. As with authentication, application-specific authorization is usually a viable method. Using this method, administrators create user accounts within the application and assign specific privileges to each user or group of users. Using an existing directory is also an option here, and it may save time when configuring authorizations, especially if you can map the application's roles onto groups and roles you already maintain.
Once you determine how to support authentication and authorization, consider how you will monitor and audit the application. For example, when employees with access to an application leave the company, their accounts should be disabled in the authentication system. If a separate system is used to define privileges for the application, you will need to establish procedures to ensure their privileges are revoked there as well; a periodic comparison of the application's account list against the directory catches the accounts that were missed. Leveraging your existing authentication and authorization services could reduce this administrative overhead.
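As an added example (not code from the article or from any Marketplace product), the following Python script shows the two things the last two paragraphs ask for: deriving an application's roles from existing directory groups, with no access unless a mapped group grants it, and a periodic reconciliation that finds accounts the application still holds for people the directory no longer vouches for. The directory snapshot, the application's account list and the group-to-role mapping are constructed for illustration; in practice they would come from an LDAP query against your directory and from the application's admin API or user export.

```python
"""Derive application roles from directory groups and reconcile app accounts.

Added example, not code from the original article. The directory snapshot,
application account list and group-to-role mapping are constructed; in a real
deployment they come from an LDAP/AD query and the application's admin API.
"""
from datetime import date

# Constructed snapshot of the on-premises directory (the source of truth).
# "enabled" is False for users whose accounts were disabled on departure.
DIRECTORY = {
    "alice": {"enabled": True,  "groups": ["app-admins", "staff"]},
    "bob":   {"enabled": True,  "groups": ["app-analysts", "staff"]},
    "carol": {"enabled": False, "groups": ["app-admins", "staff"]},  # left the company
    "dave":  {"enabled": True,  "groups": ["staff"]},                # no app entitlement
    "frank": {"enabled": True,  "groups": ["app-analysts", "staff"]},  # entitled, no account yet
}

# Constructed snapshot of the accounts the application itself knows about.
APP_ACCOUNTS = {
    "alice": {"role": "admin",   "last_login": date(2024, 5, 2)},
    "bob":   {"role": "admin",   "last_login": date(2024, 1, 1)},  # more than his groups grant
    "carol": {"role": "admin",   "last_login": date(2024, 1, 9)},  # orphaned: disabled in AD
    "erin":  {"role": "analyst", "last_login": date(2023, 11, 3)}, # orphaned: no AD user at all
}

# Directory group -> application role. Only listed groups grant anything (deny by
# default); the first match wins, so order from most to least privileged.
GROUP_TO_ROLE = [
    ("app-admins", "admin"),
    ("app-analysts", "analyst"),
]

# Numeric rank so privilege drift (app grants more than the directory) is detectable.
RANK = {"admin": 2, "analyst": 1, None: 0}


def resolve_role(username, directory=DIRECTORY, mapping=GROUP_TO_ROLE):
    """Return the application role a directory user should have, or None.

    Unknown users, disabled users and users in no mapped group get None: no access.
    """
    entry = directory.get(username)
    if entry is None or not entry["enabled"]:
        return None
    groups = set(entry["groups"])
    for group, role in mapping:
        if group in groups:
            return role
    return None


def reconcile(directory=DIRECTORY, app_accounts=APP_ACCOUNTS,
              mapping=GROUP_TO_ROLE, today=date(2024, 5, 10), stale_days=90):
    """Compare the application's accounts against the directory.

    Returns the actions an administrator should take: accounts to disable (the
    directory no longer entitles them), role downgrades where the application
    grants more than the directory says, and accounts to create for entitled
    users who have none. Accounts with no login in `stale_days` are listed for
    review. `today` is fixed here so the example is deterministic.
    """
    actions = {"disable": [], "downgrade": {}, "create": {}, "stale": []}
    for user, acct in app_accounts.items():
        expected = resolve_role(user, directory, mapping)
        if expected is None:
            actions["disable"].append(user)   # orphaned or no longer entitled
            continue
        if RANK[acct["role"]] > RANK[expected]:
            actions["downgrade"][user] = expected
        if (today - acct["last_login"]).days > stale_days:
            actions["stale"].append(user)
    for user in directory:
        expected = resolve_role(user, directory, mapping)
        if expected is not None and user not in app_accounts:
            actions["create"][user] = expected
    return actions


if __name__ == "__main__":
    for action, who in reconcile().items():
        print(f"{action}: {who}")
```

Running the script on the constructed data flags carol and erin for disabling, downgrades bob from admin to analyst, proposes an analyst account for frank, and reports bob's account as stale. The point of the deny-by-default mapping is that a new directory group, or a user whose groups change, never silently gains application access; the reconciliation is the procedure the text calls for when the application keeps its own account store.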
It is important to consider how you will support compliance reporting. If the application doesn't have sufficient reporting and logging, you may have to develop a custom report, or simply choose a different software package.
Many of the issues you face when working with AWS Marketplace packages also exist when you install and use packages on your in-house servers. However, if you are using multiple AWS services, chances are you have invested a lot of time and resources in configuring an identity management service. If a Marketplace product cannot leverage that, you will have to duplicate work, and every duplicate account store is one more place that offboarding and audits must cover.