Achieving optimal security in a cloud environment can seem like a moving target. New security threats are constantly popping up along with security implementations meant to fight them off. To help you achieve optimal security in this environment, this post highlights the top 10 best practices for AWS security.
1. Leverage Multi-Factor Authentication
Think of the sheer amount of sensitive, business-critical data being stored in the cloud. Using a standard username and password combo as the sole gatekeeper between your data and hackers is no longer the safest bet. As we’ve seen with many highly publicized hacks in recent years, login credentials are not that hard for hackers to get.
When you implement multi-factor authentication (MFA), you put that extra roadblock in front of your critical data. MFA requires users to take an extra step like receiving an access code on their phone or one-time passwords to complete the login process so that even if a hacker obtains login credentials, they aren’t able to log in.
2. Use Identity and Access Management (IAM)
Users expect two things from your website or application: They want access to be fast with as few roadblocks as possible, and they want you to keep their data secure. As much as users expect their personal data to be secure, they simply can’t be relied on to create and protect strong, unique passwords.
As an organization, you must find the balance between streamlined access and secure data. Identity and access management (IAM) combines the three elements you need to achieve this: identification, authentication, and authorization.
3. Maintain Strong Visibility Into Your Cloud Environment
Blind spots are the enemy to any security posture. You need to be able to see the state of your environment at all times. This includes what’s going on with your infrastructure, applications, data, and users. By knowing exactly how everything is operating, you minimize the chance that an attack will go unnoticed.
Having deep visibility into your cloud environment at all times is essential to maintaining operations, pinpointing issues, and adhering to compliance standards.
4. Implement End-to-End Encryption
Cloud security should be more proactive than reactive. Encrypting data end-to-end is a proactive move that ensures that even if the worst happens — your in-transit data getting into the wrong hands — it’ll still be secure and unreadable. This is achieved by turning your plain text into an unreadable code. It is only converted back to plain text with a carefully guarded encryption key. End-to-end encryption keeps your data protected at every point across the communication chain.
5. Monitor File Integrity
Establishing a known baseline and regularly monitoring file integrity helps alert you to unwanted or malicious changes to your files. Falling under the earlier mention of the importance of visibility, file integrity monitoring (FIM) is crucial in keeping track of activity happening within your cloud environment and alerting you to attacks as early as possible.
File integrity monitoring notifies you of three types of events:
- When files are added to or deleted from a directory
- When files are modified
- When files are opened
The purpose of file integrity monitoring is to alert you to attacks as early as possible.
6. Implement SSL Certificates
Secure Sockets Layer (SSL) certificates enable encrypted communications between a web server and browser. This protects sensitive data such as credit card information from being stolen or tampered with.
SSL certificates are issued by Certificate Authorities (CAs), which are organizations that are trusted to verify both the identity and the legitimacy of the entities requesting the certificate. Part of the importance of SSL certificates is producing a layer of user trust in your website. When users enter a website with an expired SSL certificate or without one at all, their browser could alert them that the website may not be safe.
7. Harden Configuration Management
Configuration management (CM) is an important piece of the DevOps concept of treating infrastructure as code. Since CM executes arbitrary code on your infrastructure, you need to harden the systems to protect sensitive data. There are multiple ways to achieve this: You can leverage tools such as chef-vault to encrypt sensitive data using public keys or implement file integrity monitoring, as suggested above.
8. Ensure Safe Access to Production
If your organization is practicing continuous delivery, you likely give developers access to production for efficiency purposes. Securing and monitoring activity across production servers is critical. Securing access to production can be done in a number of ways. You should be monitoring for events that could be suspicious, such as package installations and updates, to ensure that your CM system is the only entity managing your hosts. You should also track and monitor code that configures systems so you know if users are manually installing packages on hosts, which presents unknown security risks.
9. Set Up Security Alerting
You shouldn’t have to go looking for something wrong. Setting up security alerting ensures that the moment anomalous behavior is detected, you’re aware of it. Sometimes security alerts can seem cumbersome and noisy as a result of false positives and fine tuning that’s required.
The key to useful security alerting is customization. By assigning different severity levels to different types of alerts, you can clear the clutter and hone in on anomalous, and possibly malicious activity.
10. Educate Employees
Security protocols are only useful when your employees understand how and why to use them. Employees should know the security risks associated with the business they do. When you execute a new security practice such as multi-factor authentication, you should educate your employees on why it’s so important and how to use it. Additionally, it benefits the company as a whole when you attempt to make new security measures as pain-free for employees to use on a daily basis.
Final Words . . .
The 10 best practices outlined above should go a long way toward giving you an understanding of what needs to be protected in your AWS environment as well as specific ways of securing your workloads. Individually and in combination, these best practices will enable you to harden your organization’s security posture to meet your current needs and to provide protection as you continue to scale.
To learn more, please download a free copy of the 10 Best Practices for Securing Your Workloads on AWS eBook.
