5 Steps to Improved AWS Security
AWS offers many benefits and as it continues to lead the IaaS pack, security professionals must look to secure it in the same way they secure internal networks. Because employees access AWS from anywhere or contractors use it from various locations, it becomes a possible hole in your network. And where there is a hole, there is a hacker.
Yet public cloud security is a shared responsibility. AWS takes responsibility for security ‘of’ the cloud, but puts the onus on the customer for security ‘in’ the cloud. Those adopting AWS need to reconcile tightly controlled access with wide open access.
And there’s also the compliance challenge. How to ensure that those responsible for auditing AWS can track who accessed what, when and what action they took. Auditing this can take months and plenty of resources – resources that are expensive or aren’t always available.
5 Steps to Improve AWS Security
Here are five steps that can help any person making use of the AWS environment protect their resources stored in the cloud.
1. Stop using IP addresses for security, start using a Software-Defined Perimeter solution
The IP address-centric approach of AWS Security Groups makes managing fine-grained user access control to resources a huge challenge. Adopting a Software-Defined Perimeter (SDP), a security model that dynamically assigns network permissions to each user, helps overcome this. SDP ensures that all endpoints attempting to access a given resource (whether in the cloud or on-premises) are authenticated and authorized prior to accessing any resources on the network. All unauthorized network resources are made inaccessible. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.
2. Increase security with a segment of one
When you start using a SDP, you can lock down resources by dynamically matching the context information from the user and device with the context information polled in real-time from AWS. Using this dynamic context and device information, you can create a segment of one for each user. His or her network access is automatically adjusted based on a set of simple policies – access policies that precisely control which resources each user can access – including server and port –- based on user and server attributes. Each user can only see what they have permission to see, the rest is invisible. A segment of one for each user ensures they are fully productive, IT workload is reduced and over-entitled network access is eliminated.
3. Get the comprehensive logs you need for achieving compliance
Today’s regulated industries and potential for data breaches requires that you know what’s happening on your network and are able to demonstrate your knowledge for compliance. But with AWS, auditors are often challenged with finding adequate resources to effectively provide full logs of what happened. To improve AWS security, you need help. Get a solution in place that gives you full visibility of your cloud network by offering comprehensive logs for achieving and demonstrating regulatory compliance. Look for a solution that does all of this through a simple policy engine.
4. Enable consistent user policies across hybrid environments
Users require access to business applications, data and services whether on-premises or in the cloud, at work or on the road. Yet managing secure network access for hybrid environments, in the cloud or on-premises can lead to hard to manage policy sprawl and different controls for different environments. When looking to improve AWS security, look to your internal network security approach. If it can’t be replicated, then it might not be fit for purpose for this phase of computing. You want a secure access solution that can be deployed across a hybrid infrastructure, protecting both on-premises and cloud-based resources.
5. Dynamically adapts to changes, such as new server instances within EC2.
When adopting SDP, you’ll also improve security because the model is designed with today’s dynamic, cloud-centric environments in mind. Using a solution like Cryptzone’s AppGate, you can automatically detect new cloud server instances and automatically adjust user access. This lets organizations achieve the agility promised by cloud and virtualized environments without sacrificing security or compliance.
Learn more about securing AWS by watching the on-demand webinar on AWS and IaaS Security – Simplify, Secure and Scale User Access.