Protecting AWS Against Credential Theft

June 30, 2016

It is no secret – Amazon Web Services (AWS) is the number one ranking IaaS provider for the fifth year in a row in Gartner’s Magic Quadrant. But as Business 2 Community suggests, many AWS customers today wonder what the best approach to security is and how to get there.

Of the concerns, each business must be able to answer these three key questions:

  • Who has access to which applications and when?
  • How can we monitor for key file changes?
  • Will we be notified in a timely manner when something anomalous occurs?

Business 2 Community spoke to many of its customers and associates to identify some of the most common challenges when it comes to AWS security.

Protecting Against Credential Theft

Common challenge number five was to understand why attackers are attracted to the cloud.

“Companies trust a lot of sensitive data to cloud service providers like AWS (think healthcare information, credit card data, financial reports). But that also means they become a big target for attackers. However, most security incidents actually occur because of credential theft, not sophisticated zero-day attacks against cloud providers themselves. Credentials are a goldmine for attackers for one very important reason: they are the keys to the kingdom, granting access to a vast amount of data by exploiting a single data source.”

Attackers are hot and heavy on credential theft – just recently, SWIFT credential theft resulted in $81 million USD being stolen from the Bangladesh central bank. China and Russia are making headway in targeting financial services with great success.

Trust, But Verify Because the Reality is Credentials will be Stolen

The Business 2 Community article concludes that “AWS has proven itself to be a strong cloud partner to many of today’s biggest, fastest, and most innovative companies. You can trust them, but as with anything else, you should always verify. That’s where your responsibility as a cloud user lies.”

Unfortunately, the reality is that credentials will be stolen. Protecting what a person can do once they gain access is essential. In the case of AWS, creating a ‘segment of one’ for each user and device combination ensures that the context of the user and the device can be evaluated in real-time before providing network access to the user-authenticated instances and services in the AWS environment.

The cloud clearly offers significant benefits. But just like your on-premises environments, ensuring secure access is essential. That requires solutions that are purpose-built for AWS.

AppGate XDP draws on user context to dynamically create a secure, encrypted network ‘segment of one’ that’s tailored for each user session. It dramatically simplifies the cloud resource user access problem and eliminates IP-based over-entitled network access.

This patent-pending access system dynamically matches the context information from the user and device with the context information it polls in real time from the cloud provider. Users, devices and their context can now be matched by the XDP policy engine to allow access to the desired instances, and only to those. The context information pulled from the cloud is based on the metadata returned by the cloud APIs, such as all or some instances in a certain VPC or security group, or instances carrying a certain tag key or value.
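To make the matching step concrete, here is an added, simplified illustration of how a policy engine can derive a per-session “segment of one” from user/device context and polled instance metadata. This is example code written for this post, not Cryptzone’s or AppGate XDP’s implementation; the instance records, roles, VPC/security-group/tag names and policy rules are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of the instance metadata a describe-instances style
# cloud API call would return; ids, VPCs, groups and tags are made up.
INSTANCES = [
    {"id": "i-web1", "vpc": "vpc-prod", "sgs": {"sg-web"}, "tags": {"Env": "prod"}},
    {"id": "i-db1", "vpc": "vpc-prod", "sgs": {"sg-db"}, "tags": {"Env": "prod"}},
    {"id": "i-web2", "vpc": "vpc-dev", "sgs": {"sg-web"}, "tags": {"Env": "dev"}},
]

@dataclass
class Rule:
    """One policy rule: user/device conditions plus instance selectors."""
    role: str                          # role the user must hold
    managed_device: bool = False       # require a managed (compliant) device
    vpc: Optional[str] = None          # every selector that is set must match
    security_group: Optional[str] = None
    tag: Optional[Tuple[str, str]] = None

# Hypothetical policy; selectors mirror the VPC / security group /
# tag key-value examples given in the text.
POLICY = [
    Rule(role="developer", vpc="vpc-dev"),
    Rule(role="dba", managed_device=True, security_group="sg-db"),
    Rule(role="ops", managed_device=True, tag=("Env", "prod")),
]

def instance_matches(rule: Rule, inst: Dict) -> bool:
    if rule.vpc is not None and inst["vpc"] != rule.vpc:
        return False
    if rule.security_group is not None and rule.security_group not in inst["sgs"]:
        return False
    if rule.tag is not None and inst["tags"].get(rule.tag[0]) != rule.tag[1]:
        return False
    return True

def allowed_instances(roles: Set[str], managed_device: bool,
                      instances: List[Dict] = INSTANCES) -> Set[str]:
    """Compute the per-session 'segment of one': default deny, then add
    every instance that an applicable rule selects from current metadata."""
    allowed: Set[str] = set()
    for rule in POLICY:
        if rule.role not in roles or (rule.managed_device and not managed_device):
            continue
        allowed.update(i["id"] for i in instances if instance_matches(rule, i))
    return allowed

if __name__ == "__main__":
    print(allowed_instances({"dba"}, managed_device=False))  # set(): unmanaged device
    print(allowed_instances({"dba"}, managed_device=True))   # {'i-db1'}
```

Because the allowed set is recomputed from freshly polled metadata on every evaluation, a newly launched instance that matches a rule’s selectors becomes reachable without any policy change, and one that no longer matches drops out.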

Need Secure Access to AWS?

Learn more about AppGate XDP’s ability to ensure secure, authenticated access to AWS.

Simpler, More Secure AWS Access Control. Fix issues that static, IP address-based AWS security groups can't control. Get the infographic now.


Philip Marshall

As Cryptzone’s Director of Product Marketing, Phil Marshall brings over 14 years of experience in both product and services marketing as well as 10 + years experience in the high-tech publishing space with publications including Dr. Dobb’s Journal and Byte magazine. Prior to joining Cryptzone, Phil worked at security firms Rapid7, Positive Technologies and RSA. He also was a Senior Product Marketing Manager at Black Duck, the leading open source governance and management firm.

A speaker at recent (ISC)2 conferences and ISACA, he’s participated in numerous webinars, in panel discussions and presented on topics including Identity Security, Application Security and Open Source Governance and Management.

Marshall earned a BA at Bates College and an MBA, cum laude, at the F.W. Olin Graduate School of Business at Babson College.
