Are Public Clouds really Secure? Thought of the day for Middle East CIOs
A typical conversation with a customer about cloud computing:
Me: Have you thought about moving to Public Clouds as they offer flexibility, scalability, agility, and cost savings?
Customer: Not at all. We don’t believe in Cloud. It’s insecure, and local regulations don’t allow us to keep our data off-shore.
Then I steer the conversation towards the controls actually deployed on the existing on-site infrastructure. In most cases I find that security is limited to a “UTM” appliance and some kind of endpoint protection. A vendor has pitched the UTM box as an “all-in-one magic appliance” that protects against every internal and external threat. While auditing, you may also find a “permit any any” rule on the outside interface of that same box, which turns the firewall into a router.
Sometimes it surprises me to hear security professionals describe their WAN connectivity (MPLS) as a trusted part of their network, on the grounds that it is “a private network”. It should be noted that MPLS has no inherent encryption. It is simply a traffic forwarding mechanism that creates the feel of private lines by switching packets along predetermined labelled paths within the carrier’s network; the payload travels in the clear, and anyone with access to the carrier’s equipment or to the local loop can read it.
Should we really be scared of public cloud deployments while, on the other hand, traffic between our branches over the WAN (MPLS) is unencrypted? Try tapping your WAN link.
So why move to the Cloud?
- Trade capital expense for variable expense
- Benefit from massive economies of scale
- Stop guessing about capacity
- Increase speed and agility
- Stop spending money running and maintaining data centers
- Go live in minutes
In this article I will give a brief overview of the security architecture of Amazon Web Services (AWS), the biggest public cloud provider in the world.
What is Amazon Web Services (AWS) Cloud?
AWS provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world. AWS serves over a million active customers today with its expanding global infrastructure to help customers.
Security in the cloud is much like security in your on-premises data centers—only without the costs of maintaining facilities and hardware. In the cloud, you don’t have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.
An advantage of the AWS Cloud is that it allows you to scale and innovate while maintaining a secure environment and paying only for the services you use. This means that you can have the security you need at a lower cost than in an on-premises environment.
The schematic below shows the shared responsibility model applied by AWS.
The AWS Cloud operates a shared responsibility model. AWS manages security of the cloud: the facilities, hardware, network and hypervisor, and the software of its managed services. You are responsible for security in the cloud: your guest operating systems and their patching, identity and access management, encryption of your data, and the configuration of your virtual network. In other words, you retain control of the security you choose to implement to protect your own content, platform, applications, systems and networks, no differently than you would in an on-site data center.
AWS Infrastructure Security:
The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:
• SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
• FISMA, DIACAP, and FedRAMP
• DOD CSM Levels 1-5
• PCI DSS Level 1
• ISO 9001 / ISO 27001
• FIPS 140-2
• MTCS Level 3
Physical & Environment Security
Automatic fire detection and suppression equipment have been installed to reduce risk. The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide backup power in the event of an electrical failure for critical and essential loads in the facility.
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process.
Network devices, including firewalls and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within it. ACLs (traffic flow policies) are established on each managed interface and enforce the flow of traffic. ACL policies are approved by Amazon Information Security.
You connect to AWS API endpoints over HTTPS, which uses TLS (the successor to SSL), a cryptographic protocol designed to protect against eavesdropping, tampering and message forgery. Use HTTPS only; plain HTTP offers none of these protections. API requests are in addition signed with your secret access key, so the endpoint can verify who sent them and that they were not altered in transit.
For customers who require additional layers of network security, AWS offers Amazon Virtual Private Cloud (VPC), which provides private subnets within the AWS cloud, and the ability to use an IPsec Virtual Private Network (VPN) device to provide an encrypted tunnel between the Amazon VPC and your data center. Note that a VPC is an isolated network, not an encrypted one: traffic between the VPC and your data center is only protected when it rides that IPsec tunnel.
Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
AWS provides you with the flexibility to place instances and store data within multiple geographic regions as well as across multiple availability zones within each region. Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower-risk flood plains (specific flood zone categorization varies by region). In addition to utilizing discrete uninterruptible power supply (UPS) units and onsite backup generators, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers.
The AWS production network is segregated from the Amazon Corporate network and requires a separate set of credentials for logical access.
AWS conducts criminal background checks, as permitted by law, as part of pre-employment screening practices for employees and commensurate with the employee’s position and level of access.
To help ensure that only authorized users and processes access your AWS account and resources, AWS uses several types of credentials for authentication: passwords, cryptographic access keys, digital signatures and certificates. AWS also provides the option of requiring multi-factor authentication (MFA) to log into your AWS account; enable it for the root account and for every user with console access, and keep the root account out of day-to-day use.
Compute Services Security
Amazon Elastic Compute Cloud (EC2) is a key component in Amazon’s Infrastructure as a Service (IaaS), providing resizable computing capacity using server instances in AWS’s data centers. Security within Amazon EC2 is provided on multiple levels: the operating system (OS) of the host platform, the virtual instance OS or guest OS, a firewall, and signed API calls.
Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. Amazon is active in the Xen community, which provides awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance’s virtual interface. All packets must pass through this layer, thus an instance’s neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms.
Security features within a customer’s isolated network (VPC) include security groups, network ACLs, route tables and external gateways. Each complements the others in providing a secure, isolated network that can be extended through selective enabling of direct Internet access or private connectivity to another network.
Firewall (Security Groups): Like Amazon EC2, Amazon VPC supports a complete firewall solution enabling filtering of both ingress and egress traffic of an instance. Security groups are stateful (a reply to permitted traffic is allowed automatically) and contain only allow rules; anything not explicitly allowed is denied. The default group allows inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by IP protocol, by service port, and by source/destination IP address (a single IP or a Classless Inter-Domain Routing (CIDR) block).
The schematic below shows a typical isolated network design using VPCs.
Network Access Control Lists: To add a further layer of security within Amazon VPC, you can configure network ACLs. These are stateless traffic filters that apply to all traffic inbound to or outbound from a subnet within Amazon VPC. They contain numbered rules, evaluated in ascending order with the first match winning, that allow or deny traffic based on IP protocol, service port and source/destination IP address. Because they are stateless, return traffic is not allowed automatically: an inbound allow for port 443 only works if the outbound side also allows the ephemeral ports that replies go back to, which is a common NACL mistake.
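As an added example (not code from the original article or from AWS), the following Python script checks the two things the security group and network ACL paragraphs above describe: it flags security group rules that are reachable from the whole Internet, and it evaluates a network ACL rule by rule to show why a stateless ACL needs an explicit outbound allow for the ephemeral port range. The rule dictionaries follow the shape the EC2 DescribeSecurityGroups and DescribeNetworkAcls APIs return, but the group ID, CIDR ranges, peer address and ACL entries are constructed for this example, so it runs offline without an AWS account.

```python
"""Audit VPC security-group and network-ACL rules for two common mistakes:
a "permit any any" style ingress rule, and a stateless network ACL whose
outbound side forgets the return path.  Rule dictionaries mirror the shape
of the EC2 DescribeSecurityGroups / DescribeNetworkAcls responses, but all
data below is constructed for this example (no AWS account needed)."""
import ipaddress

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
EPHEMERAL = (1024, 65535)   # reply ports used by most Linux and Windows clients
PUBLIC_OK = {80, 443}       # TCP ports this web tier may expose to the world

# Constructed sample: a web-tier security group with one risky rule.
WEB_SG = {
    "GroupId": "sg-0123456789abcdef0",   # hypothetical identifier
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        # SSH open to the Internet: the cloud equivalent of "permit any any".
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        # All traffic from the (hypothetical) corporate VPN range: acceptable.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.50.0.0/16"}], "Ipv6Ranges": []},
    ],
}


def open_to_world(permission):
    """True if the rule's source list contains an any-address CIDR."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in permission.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in permission.get("Ipv6Ranges", []))
    return v4 or v6


def risky_ingress(sg, public_ok=PUBLIC_OK):
    """Return (protocol, from_port, to_port) for each world-reachable rule
    that is not a single approved public TCP port."""
    findings = []
    for p in sg["IpPermissions"]:
        if not open_to_world(p):
            continue
        proto = p["IpProtocol"]
        if proto == "-1":                       # all protocols, all ports
            findings.append((proto, 0, 65535))
            continue
        lo, hi = p.get("FromPort", 0), p.get("ToPort", 65535)
        if proto == "tcp" and lo == hi and lo in public_ok:
            continue
        findings.append((proto, lo, hi))
    return findings


# Constructed sample NACL for a public subnet. Inbound 443 is allowed, but
# outbound only allows 443, so replies (destination port in the ephemeral
# range) are dropped and the subnet is unreachable in practice.
PUBLIC_NACL = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": ANY_V4, "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": ANY_V4},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": ANY_V4, "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": ANY_V4},
]

# The fix: an explicit outbound allow for the ephemeral range, numbered
# below the catch-all deny so it is evaluated first.
FIXED_NACL = PUBLIC_NACL + [
    {"RuleNumber": 110, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": ANY_V4, "PortRange": {"From": EPHEMERAL[0], "To": EPHEMERAL[1]}},
]


def nacl_decision(entries, egress, protocol, port, address):
    """Evaluate a NACL the way the VPC does: one direction, ascending rule
    number, first match wins; the catch-all entry (32767) is an explicit deny."""
    side = sorted((e for e in entries if e["Egress"] == egress),
                  key=lambda e: e["RuleNumber"])
    for e in side:
        if e["Protocol"] not in ("-1", protocol):
            continue
        if ipaddress.ip_address(address) not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"]
    return "deny"                                # nothing matched at all


def return_path_ok(entries, protocol="6", peer="203.0.113.10"):
    """Does the outbound side allow replies across the whole ephemeral range?
    Sampling both ends and the middle catches the usual single-port mistake.
    The peer address is a constructed TEST-NET-3 value."""
    return all(nacl_decision(entries, True, protocol, port, peer) == "allow"
               for port in (EPHEMERAL[0], 32768, EPHEMERAL[1]))


if __name__ == "__main__":
    print("world-reachable rules in", WEB_SG["GroupName"], risky_ingress(WEB_SG))
    print("return path ok (as deployed):", return_path_ok(PUBLIC_NACL))
    print("return path ok (fixed):", return_path_ok(FIXED_NACL))
```

Run it directly to see the SSH-from-anywhere rule reported and the return-path check fail on the deployed ACL and pass on the fixed one. To audit a real account, replace the constructed dictionaries with the `SecurityGroups` and `NetworkAcls[*].Entries` lists returned by boto3’s `describe_security_groups` and `describe_network_acls`; the evaluation logic does not change.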
Customer Infrastructure Security:
On the customer side, you have full control over your instances and can apply security controls according to your organizational policy; under the shared responsibility model, patching and hardening the guest OS, logging and access control are yours to do. All leading security vendors provide ready-to-install images for virtual firewalling, IPS, endpoint protection, etc., that can be used to provide security at every layer.
The other argument presented to justify on-premises deployment is “local regulation”: “Regulations do not allow us to move to Public Clouds.” CIOs need to examine this argument carefully, because:
- There are a number of proven designs that keep your data local while still using public clouds; think about hybrid deployments.
- Be aware of “vendor catches”, where a salesman uses this argument to sell his on-premises appliance, box or virtual infrastructure.
- Is your team aligned, or do they consider it a threat?
It’s time for customers, especially in the Middle East, to re-align their infrastructure roadmap and build their trust in software-defined security.
Now, if you are still confused about how and where to get started, IPSpecialist is the place for you. What is IPSpecialist, you ask? IPSpecialist is a one-stop solution for all your problems. We provide online courses, study guides, e-books, practice questions, quick reference sheets and much more! Visit our website https://ipspecialist.net/ to learn more and get amazing deals!