Protecting AWS Against Credential Theft
It is no secret – Amazon Web Services (AWS) is the number one ranking IaaS provider for the fifth year in a row in Gartner’s Magic Quadrant. But as Business 2 Community suggests, many AWS customers today wonder what the best approach to security is and how to get there.
Among those concerns, each business must be able to answer three key questions:
- Who has access to which applications and when?
- How can we monitor for key file changes?
- Will we be notified in a timely manner when something anomalous occurs?
Business 2 Community spoke to many of its customers and associates to identify some of the most common challenges when it comes to AWS security.
Protecting Against Credential Theft
Common challenge number five was to understand why attackers are attracted to the cloud.
“Companies trust a lot of sensitive data to cloud service providers like AWS (think healthcare information, credit card data, financial reports). But that also means they become a big target for attackers. However, most security incidents actually occur because of credential theft, not sophisticated zero-day attacks against cloud providers themselves. Credentials are a goldmine for attackers for one very important reason: they are the keys to the kingdom, granting access to a vast amount of data by exploiting a single data source.”
Attackers are hot and heavy on credential theft – just recently, SWIFT credential theft resulted in $81 million USD being stolen from the Bangladesh central bank. China and Russia are making headway into targeting financial services with great success.
Trust, But Verify Because the Reality is Credentials will be Stolen
The Business 2 Community article concludes that “AWS has proven itself to be a strong cloud partner to many of today’s biggest, fastest, and most innovative companies. You can trust them, but as with anything else, you should always verify. That’s where your responsibility as a cloud user lies.”
Unfortunately, the reality is that credentials will be stolen. Limiting what a person can do once they gain access is therefore essential. In the case of AWS, creating a ‘segment of one’ for each user and device combination ensures that the context of the user and the device can be evaluated in real time before network access is granted to the user-authenticated instances and services in the AWS environment.
The cloud clearly offers significant benefits. But just like your on-premises environments, ensuring secure access is essential. That requires solutions that are purpose-built for AWS.
AppGate XDP draws on user context to dynamically create a secure, encrypted network ‘segment of one’ that’s tailored for each user session. It dramatically simplifies the cloud resource user access problem and eliminates IP-based over-entitled network access.
This patent-pending access system dynamically matches the context information from the user and device with the context information it polls in real time from the cloud provider. Users, devices and their context can then be matched by the XDP policy engine to allow access to the desired instances and only to those instances. The context information pulled from the cloud is based on the metadata returned by the cloud APIs, such as all or some instances in a certain VPC, in a certain security group, or carrying a certain tag key or value.
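To make the matching step concrete, here is an added illustration of how a policy engine can combine user role and device posture with instance metadata of the kind the EC2 API returns (VPC, security groups, tags) to compute the set of instances a session may reach. This is example code written for this article, not AppGate XDP's or Cryptzone's code; the `Policy`, `Instance`, `UserContext` and `DeviceContext` schemas and the inventory are constructed assumptions. The point it shows is that a stolen credential on its own (the right user, wrong device posture) resolves to an empty segment rather than to the whole VPC.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Instance:
    """Subset of EC2 instance metadata a policy engine would poll (constructed)."""
    instance_id: str
    vpc_id: str
    security_groups: FrozenSet[str]
    tags: Dict[str, str]


@dataclass
class Policy:
    """Ties a user/device condition to a cloud-metadata selector (hypothetical schema)."""
    name: str
    allowed_roles: FrozenSet[str]
    require_managed_device: bool = False
    vpc_id: Optional[str] = None            # None means "any VPC"
    security_group: Optional[str] = None    # None means "any security group"
    tag: Optional[Tuple[str, str]] = None   # (key, value); None means "any tag"


@dataclass
class UserContext:
    user: str
    roles: FrozenSet[str]


@dataclass
class DeviceContext:
    device_id: str
    managed: bool  # device posture as reported at session start


def policy_applies(policy: Policy, user: UserContext, device: DeviceContext) -> bool:
    """A policy is in scope only if the user holds one of its roles and
    the device meets its posture requirement."""
    if not policy.allowed_roles & user.roles:
        return False
    if policy.require_managed_device and not device.managed:
        return False
    return True


def instance_selected(policy: Policy, inst: Instance) -> bool:
    """Every selector set on the policy must match; unset selectors are wildcards."""
    if policy.vpc_id is not None and inst.vpc_id != policy.vpc_id:
        return False
    if policy.security_group is not None and policy.security_group not in inst.security_groups:
        return False
    if policy.tag is not None and inst.tags.get(policy.tag[0]) != policy.tag[1]:
        return False
    return True


def allowed_instances(policies: List[Policy], user: UserContext,
                      device: DeviceContext, inventory: List[Instance]) -> Set[str]:
    """Compute the session's 'segment of one': the union of instances selected
    by every policy that applies to this user on this device."""
    allowed: Set[str] = set()
    for policy in policies:
        if not policy_applies(policy, user, device):
            continue
        allowed.update(i.instance_id for i in inventory if instance_selected(policy, i))
    return allowed


# Constructed inventory standing in for the output of a describe-instances call.
INVENTORY = [
    Instance("i-0001", "vpc-finance", frozenset({"sg-ledger"}), {"app": "ledger", "tier": "app"}),
    Instance("i-0002", "vpc-finance", frozenset({"sg-web"}), {"app": "ledger", "tier": "web"}),
    Instance("i-0003", "vpc-shared", frozenset({"sg-web"}), {"app": "portal", "tier": "web"}),
    Instance("i-0004", "vpc-shared", frozenset({"sg-db"}), {"app": "portal", "tier": "db"}),
]

# Constructed policies: finance staff reach ledger hosts only from managed devices;
# operators reach anything in the web security group regardless of VPC.
POLICIES = [
    Policy("finance-ledger", frozenset({"finance"}), require_managed_device=True,
           vpc_id="vpc-finance", tag=("app", "ledger")),
    Policy("web-operators", frozenset({"ops"}), security_group="sg-web"),
]


if __name__ == "__main__":
    alice = UserContext("alice", frozenset({"finance"}))
    print("managed laptop:", sorted(allowed_instances(POLICIES, alice, DeviceContext("laptop-1", True), INVENTORY)))
    print("unknown device:", sorted(allowed_instances(POLICIES, alice, DeviceContext("unknown-9", False), INVENTORY)))
```

Running it shows the same credential producing two different segments: from the managed laptop Alice reaches the two ledger instances in `vpc-finance`, while from an unmanaged device she reaches nothing, which is the behaviour you want when the credential itself has leaked. Note also that no policy grants by IP range; every entitlement is expressed against metadata the cloud provider itself asserts about the instance.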
Need Secure Access to AWS?
Learn more about AppGate XDP’s ability to ensure secure, authenticated access to AWS.