How is security in the cloud different from my data center?
In the cloud you "only" need to secure the cloud services that you use. That responsibility alone is challenging enough, but it frees you from having to provide and secure the data center facilities, the physical hardware, and the underlying networking - this division of duties is commonly called the shared responsibility model. Depending on the services you select, the cloud provider may even take over patching and configuration management. Less control for you? Certainly - but probably also more secure than your own data center. Providing, maintaining, and operating infrastructure that is secure by design is the core competency and the core business model of cloud providers, so it gets their main focus and the necessary resources. The idea behind moving to the cloud is that you can focus on your own core business (e.g. developing software) while the cloud provides the IT infrastructure for you (e.g. to run your applications globally).
This entire model rests on your trust in your selected cloud provider(s). That trust is backed by the certifications the provider holds and by regular audits by external authorities. These attest to a defined level of security on the provider's side of the shared responsibility model, which you can use as a basis for selecting cloud providers and services and which should naturally match your compliance requirements. Keep in mind that a provider's certification says nothing about how securely you configure the services you run on top of it - that part stays with you.
A serverless approach to security in AWS
Having answered why moving to the cloud is secure for most use cases, and assuming you trust your selected cloud providers, we now have to focus on securing the individual services that you use within the cloud. This part is entirely your responsibility, and we are here to support you with it.
We focus on AWS as cloud provider because it offers the most mature services and gives you the most control over security in the cloud. In addition, AWS often sets the industry standard that other cloud providers then implement, so its best practices can usually be transferred to other providers - learn from the industry leader and apply it everywhere.
AWS also shines when it comes to serverless services. Of course, everything still runs on servers in the end (which makes "serverless" something of a misnomer), but there is no server that you need to take care of, only the service itself. A second characteristic that defines serverless for us is that you are charged only for the resources you actually consume. AWS provides comprehensive services tailored for security in the cloud, most of which are available as managed serverless services. We use a combination of the following AWS services to secure your infrastructure and AWS accounts:
- IAM: Control and manage access to AWS resources
- CloudTrail: Record and monitor API calls made in your AWS account; often used as the trigger for automatic countermeasures
- CloudWatch: Central target for log files which can be analyzed; trigger alarms based on metrics
- GuardDuty: Threat detection based on analysis of CloudTrail events, VPC Flow Logs, and DNS logs
- Inspector: Run vulnerability scans against EC2 instances and network configurations
- Config: Create resource inventory, assess your compliance status, and track inventory changes
- Shield: Managed DDoS protection (Shield Standard is enabled by default at no extra cost)
- Systems Manager: Run commands against a fleet of instances, patch them, and get shell access through Session Manager without opening inbound SSH ports
- Firewall Manager: Central management of WAF rules across accounts and resources
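As an added example (not code from the original page or this company's own tooling), here is the "CloudTrail as trigger for automatic countermeasures" pattern from the list above in working form: a Lambda-style handler inspects a CloudTrail AuthorizeSecurityGroupIngress record, detects any rule that opens SSH (TCP/22) to 0.0.0.0/0 or ::/0, and revokes exactly that rule. The event record, the security group ID, and the FakeEc2Client are constructed for illustration so the logic runs offline; in production the handler receives the record from EventBridge (under the `detail` key) and uses a real boto3 EC2 client.

```python
"""Automatic countermeasure for a CloudTrail event (added example).

Assumptions: the record follows CloudTrail's documented requestParameters
layout for ec2:AuthorizeSecurityGroupIngress; the EC2 client is injected so
the detection and remediation logic can be exercised without AWS access.
"""
import ipaddress

SSH_PORT = 22


def world_open_ssh_rules(record):
    """Return the ingress rules in a CloudTrail record that expose TCP/22 to the whole internet."""
    if record.get("eventSource") != "ec2.amazonaws.com" or record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    offending = []
    params = record.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        proto = perm.get("ipProtocol")
        from_port, to_port = perm.get("fromPort"), perm.get("toPort")
        # "-1" means all protocols and all ports, which includes SSH
        covers_ssh = proto == "-1" or (
            proto == "tcp" and from_port is not None and to_port is not None and from_port <= SSH_PORT <= to_port
        )
        if not covers_ssh:
            continue
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            # prefix length 0 is the "anywhere" range: 0.0.0.0/0 or ::/0
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                offending.append({"ipProtocol": proto, "fromPort": from_port, "toPort": to_port, "cidr": cidr})
    return offending


def build_revoke_request(group_id, rule):
    """Translate one offending rule into the keyword arguments for ec2.revoke_security_group_ingress."""
    perm = {"IpProtocol": rule["ipProtocol"]}
    if rule["fromPort"] is not None:
        perm["FromPort"] = rule["fromPort"]
        perm["ToPort"] = rule["toPort"]
    if ":" in rule["cidr"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": rule["cidr"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": rule["cidr"]}]
    return {"GroupId": group_id, "IpPermissions": [perm]}


def remediate(record, ec2_client):
    """Revoke every world-open SSH rule found in the record; returns the number of rules revoked."""
    rules = world_open_ssh_rules(record)
    group_id = record["requestParameters"]["groupId"]
    for rule in rules:
        # only the offending rule is removed; legitimate rules in the same call stay in place
        ec2_client.revoke_security_group_ingress(**build_revoke_request(group_id, rule))
    return len(rules)


def lambda_handler(event, context):
    """EventBridge delivers the CloudTrail record under event['detail']."""
    import boto3  # imported here so the detection logic above stays runnable offline
    return {"revoked": remediate(event["detail"], boto3.client("ec2"))}


class FakeEc2Client:
    """Constructed stand-in for boto3's EC2 client; records the revoke calls it receives."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


# Constructed CloudTrail record (not a real log): one world-open SSH rule,
# one legitimate HTTPS rule, and one SSH rule restricted to an internal range.
SAMPLE_RECORD = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "requestParameters": {
        "groupId": "sg-0123456789abcdef0",  # made-up ID
        "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},
        ]},
    },
}

if __name__ == "__main__":
    client = FakeEc2Client()
    print("revoked:", remediate(SAMPLE_RECORD, client))
    print("revoke calls:", client.calls)
```

The Lambda function behind this pattern needs only `ec2:RevokeSecurityGroupIngress` on the groups it is allowed to touch, which keeps the countermeasure itself within least privilege; the same detection function can be pointed at GuardDuty findings or Config rule evaluations as the trigger instead of raw CloudTrail records.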
Let's not stop here but go to the next layer: Improving the security and data protection of your applications that run in the cloud or on-premises. We integrate a combination of the following serverless services in your application to achieve this:
- KMS: Secure access control and key management for encryption keys
- CloudHSM: Dedicated HSM for high compliance needs; can be used to store KMS keys
- Secrets Manager & Parameter Store: Management, rotation, and storage of encrypted secrets (e.g. for your applications)
- WAF: Inspect HTTP(S) requests and protect CloudFront distributions, Application Load Balancers, and API Gateway APIs
- ACM: Management of TLS certificates - public and private ones
Keep in mind that some of these services can even be used to secure your on-premises infrastructure or applications.
Our added value
We support you with your "security in the cloud" responsibility by mapping your compliance requirements to these services, or to comparable services of other cloud providers. For general guidance and secure multi-cloud architectures we also apply the best practices of the Cloud Security Alliance, specifically the CSA Security Guidance for Critical Areas of Focus in Cloud Computing.
While designing your cloud architecture, we work closely with your security department and implement the architecture together with them using Infrastructure as Code. During this process we identify the stakeholders and teams that will operate the infrastructure and guide them through tailored knowledge transfer sessions. The result is a well-documented and secure cloud architecture that the responsible teams can maintain themselves. Alternatively, if your cloud infrastructure is already up and running, we can review it against best practices and standards and optimize it where needed.
Why with us?
We are passionate cloud natives and our business grew with AWS. We do not only focus on cloud security projects; every project comes with cloud security challenges - sometimes more, sometimes less. We challenge every solution and architecture that we design or evaluate against best practices for infrastructure security, least privilege, data protection, compliance, and vendor lock-in. We are a Select-tier consulting partner in the AWS Partner Network (APN) and of course hold the AWS Certified Security - Specialty certification. Let's Build Secure Clouds Together!