Best Practices for Securing Sensitive Data in AWS

Pixabay

Amazon Web Services (AWS) is one of the largest cloud platforms available and is used for storing information, data processing and creating applications. It has been in operation for over 12 years and is available in 66 Availability Zones (AZs) in 21 geographic regions.

The AWS cloud allows you to run a scalable operation without the high cost or expertise requirements of purchasing, maintaining or storing servers. It has the added benefits of built-in support and services, including integrated security features, although it’s up to you to use them effectively.

Shared Security Responsibility Model

AWS operates through a Shared Security Responsibility model in which Amazon is responsible for securing its infrastructures, such as hosting operations and hardware, and you are responsible for securing user access and authentication, data, operating systems and networks, and applications.

AWS provides:

• Built-in firewalls for Amazon VPC web apps to allow the creation of private networks
• Built-in encryption that you can customize and Transport Layer Security (TLS) across services
• Capability to create private or dedicated connections from on-premise environments
• Tools for security policy creation and management

You provide:

• Monitoring of security configurations
• Appropriate network implementations and firewall settings
• Management of user privileges and access, including access by third-party vendors

Best Practices

Effectively securing your data requires understanding general and specific security vulnerabilities and applying this understanding to the tools and policies you decide to use. You must create an actionable security plan that is routinely evaluated and improved with feedback from your existing systems and any incidents that occur.

Creating a functional strategy can be difficult but using best practices, in combination with AWS snapshots in case of loss, will get you started on the right path.

#1. Classify Your Data

Classifying data will help you set security measures appropriately by prioritizing according to importance and liability. Classifications can be used to inform policies and thresholds for preventative and detective tools, decreasing your risk, and dictate response strategies in case of loss or breach, minimizing negative effects.

You can classify your data manually or with the assistance of machine learning solutions like User Behavior Analysis (UBA) that are able to provide feedback on frequency of access, who is accessing data, and how.

#2. Create Secure Policies

AWS Identity and Access Management (IAM) can be used to create and manage permissions and access policies while allowing flexible authentication by separating management flow and database administration tasks from application flow. Via IAM, you can create managed, stand-alone policies that can be connected to users, groups, or roles.

Inline policies can be used on a case-by-case if needed but managed policies are preferred as they are easier to adapt and assign to new cases. Privilege and access policies should grant the least amount of freedom possible without impeding workflow to limit opportunities for data loss or breach. This is true for all users, including security team members.

Creating users and roles that are restricted as needed, and avoiding the use of general permissions or root users, will help ensure that if credentials are compromised, the damage done is minimized. When assigning credentials, you should create them with expiration dates to further limit the harm done with compromised accounts and help ensure that you aren’t leaving “ghost” accounts from time-limited access situations or inactive users.

You should limit access to data by minimizing open ports by instance, particularly those open to the Internet. Access Control Lists (ACLs) can also be used to restrict network traffic as well as what rights traffic is allowed in regards to a given resource. When possible, use ACLs or IAM for micro-segmentation, to limit both lateral and vertical spread of breaches.

You can do this with swim-lane isolation strategies, restricting access between microservices. If micro-segmentation isn’t possible you can increase security by layering security zones from least to most restrictive, requiring multiple authentication levels for higher priority data.

#3. Monitor Your Configuration

The policies you create are only useful if you know they are functioning as designed. You can verify they are effective by actively monitoring your configuration and periodically auditing user access and permissions.

AWS offers built-in notifications for S3 buckets that alert you when buckets or their contents are accessed or modified. You can also set notifications for changes to permissions and user access. These built-in alert functions can be sent to third-party solutions like Security Information and Event Monitoring (SIEM) systems which simplify monitoring with a centralized dashboard and the ability to evaluate data and system access on a larger scale.

You can make use of activity logs, from SIEMs or generated by Virtual Private Cloud (VPC), to audit network and data flow, analyze incidents, and inform policy modifications.

#4. Choose Effective Tools

Any tools you select to use should be easy to integrate into existing systems. They should improve the visibility of security information and increase accessibility through centralized dashboards or some other consolidation of information.

The best tools will be able to analyze security risks in the context of the system and user, respond to predefined threats automatically, and provide functionality that spans external networks and cloud systems. These tools often use machine learning to improve security analysis and coverage over time.

When selecting tools, keep in mind what additional vulnerabilities they may introduce to your system and plan to adjust your policies and standards appropriately.

Wrap Up

AWS takes some of the responsibility of securing cloud use off your plate but data security is still largely your responsibility, and it’s your organization that will be hurt by its loss or theft. By using the tools that AWS provides to their greatest potential, in combination with a solid security strategy and third-party or in-house solutions, you can make sure that your data is kept safe and your liabilities are minimized.

Using a public cloud environment can theoretically increase your security risks, but often the benefit vastly outweighs the disadvantages. You may have to think about security a little differently, but you are probably in better hands than if you were to go it alone.