Agile deployments and scalability seem to be the most dominant trend in public cloud, today; especially on AWS. While you scale your business on cloud, AWS too keeps scaling its services as well as upgrading its technology from time to time, to keep up with the technology disruptions happening across the globe. To that end, your cloud engineers have to constantly adapt to architectural changes as and when updates are announced. While all these architectural changes are made, AWS Cloud Security best practices and audits need to be relooked too from time to time.
As a CISO, have you ever questioned your old practices and relooked at them whether it’s relevant in the present day.
Here are few excerpts from our AWS Cloud Security Think Tank: A collation of deliberations we had recently at Botmetric HQ with our security experts on why anyone on cloud should question their old AWS cloud security best practices.
1. Relooking at Endpoint Security
“Securing the server end is just one part of enterprise cloud security. If there is a leakage at the endpoints, the net result is adverse impact on your cloud infrastructure. Newer approaches to assert the legitimacy of the endpoint is more important than ever.” — Upaang Saxena, Botmetric LLC.
As most cloud apps provide APIs, the client authentication mechanisms have to be redesigned. Moreover, as the endpoints are now mobile devices, IOT devices, and laptops that might be anywhere in the world, increasingly the endpoint security is moving away from perimeter based security model giving way to Identity based endpoint security model. Hence, newer approaches to assert the legitimacy of the endpoint is more important than ever.
2. Revisiting Policies Usage
“Use managed policies, because with managed policies it easier to manage access across users. ” — Jaiprakash Dave, Minjar Cloud Solutions
Earlier, only Identity-based (IAM) inline policies were available. Managed policies came later. So not all old AWS cloud best practices that existed during inline policies era might hold good in the present day. So, it is recommended to use managed policies that is available now. With managed policies you can manage permissions from a central place rather than having it attached directly to users. It also enables to properly categorize policies and reuse them. Updating permissions also becomes easier when a single managed policy is attached to multiple users. Plus, in managed policies you can add up to 10 managed policies to a user, role, or group. The size of each managed policy, however, cannot exceed 5,120 characters.
3. Make Multiple Account Switch Roles
“We encourage our clients to make multiple account switch roles for access controls as per their security needs.” — Anoop Khandelwal, Botmetric LLC.
Earlier, it was not recommended to switch roles for access controls while using VPC. However, now it is recommended to make multiple account switch roles for access controls as per their security needs. Plus, earlier VPCs came with de facto defaults, which was inherently less than ideal from a security perspective. Now, Amazon VPC provides features that you can use to increase and monitor the security for your Virtual Private Cloud (VPC).
4. Redesigning Architecture for New Attack Vectors
DDOS attacks through compromised IOT devices such as Mirai Bot attacks caught the security professionals by surprise. The possibility of the scale of the attack was not predicted by any security analyst. Such new attack vectors will be designed by hackers to penetrate popular and highly sensitive websites and it would be difficult to anticipate all potential attack vectors. So cloud professionals have to revisit their architecture and be ready with better contingency measures in case of such unanticipated attack vectors.
“You (cloud security engineer) need to relook into your architecture now and then and come up with better contingency measures for new age attack vectors like massively distributed denial of service(DDOS). ” — Abhinay Dronavally, Botmetric LLC.
5. New API Security Mechanisms
Today, most enterprise applications consume data from external web services and also expose their data. The authentication mechanisms for the APIs cannot be the same as human user authentication, like earlier days. APIs must fit into machine to machine interactions. Focus more on integration API security mechanisms with specialized API security solution.
“As data breaches can happen through API, integration of API security mechanisms are a must.” — Shivanarayana Rayapati, Minjar Cloud Solutions.
As the sophistication of the attacks keep increasing, the security solutions too would have to improve their detection methods. Today’s security solutions leverage Artificial Intelligence (AI) algorithms like Random Forest Classification, Deep Learning techniques, etc. to study, organize, and identify the underlying access patterns of various users. A well thought-through approach is pivotal in securing your AWS cloud. For that matter, any cloud.