Security in the cloud (Part 1: Shared Responsibility Model for Infrastructure Services)

When it comes to moving to a public cloud like AWS, customers range from believing there is no security in the public cloud at all to assuming everything is taken care of for them. They complicate matters by either trying to reproduce every security measure like for like from their traditional on-premise environment into the cloud, or by not doing enough. The truth lies in between, in the “Shared Responsibility Model” for security and compliance in the cloud.

Shared responsibility means that security and compliance in the cloud are shared between the cloud provider and the customer. There are steps both have to take to create a secure infrastructure in the cloud.

A cloud provider like AWS is responsible for what is known as security ‘OF’ the cloud. This covers its global infrastructure elements, including Regions, Availability Zones and Edge Locations, and the foundations of its Compute, Storage, Database and Network services.

The customer is responsible for what is known as security ‘IN’ the cloud. What this covers depends on the cloud services the customer uses. The customer is responsible for protecting the data they store in AWS as well as the custom applications they deploy in AWS. AWS provides many powerful security controls, but deciding how and when to apply them is the responsibility of the customer, not AWS.

Security IN the cloud is not one size fits all. It varies with the type of services the customer uses and with how mature the organisation is in using the cloud. It depends on whether they are primarily using the cloud for infrastructure, deploying applications using abstracted services (e.g., Elastic Beanstalk), or building applications from cloud-native services (e.g., Lambda, the machine learning APIs, etc.). Hence, when securing an enterprise cloud, it is imperative to consider solutions that handle the different types of applications and environments. In this blog series I am going to explore the shared responsibility model in different scenarios, IaaS, PaaS and SaaS, with respect to AWS. This first part covers IaaS.

Infrastructure as a Service (IaaS) – Security:

As many companies are still in lift-and-shift mode into AWS, the foundation services of AWS are their entry point into the cloud. AWS provides basic building blocks: access to networking features, computing capacity and data storage. This means more flexibility for the customer, and their cloud environment feels similar to their existing on-premise one. But it brings a different set of security responsibilities.


Responsibility Chart:

EC2 Security:

Amazon Elastic Compute Cloud (EC2) provides resizable computing capacity using server instances in AWS’s data centers. You create and launch instances, which are collections of platform hardware and software. Security within Amazon EC2 is provided on multiple levels: the operating system (OS) of the host platform, the virtual instance OS or guest OS, a firewall, and signed API calls.

Virtual Private Cloud (VPC) Security:

VPC is a software-defined network, or a virtual network overlay, on top of the AWS physical infrastructure. VPC allows customers to create their own network, isolated from other AWS customers, and to scale their infrastructure securely. Security features within Amazon VPC include security groups, network ACLs, route tables and external gateways. Each of these complements the others in providing a secure, isolated network that can be extended by selectively enabling direct Internet access or private connectivity to another network.
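The instance firewall mentioned under EC2 security and the security groups mentioned here are the same control: stateful per-instance ingress/egress rules that the customer, not AWS, is responsible for keeping tight. The following Python is an added example, not part of the original post or of any AWS tooling. It audits a list of security groups shaped like the `IpPermissions` element returned by `ec2:DescribeSecurityGroups` and flags rules that expose common administrative ports to the whole Internet. The group ids, names and CIDRs are constructed sample data; in practice you would feed it the real API response.

```python
import ipaddress
from typing import Dict, List

# Ports where unrestricted inbound access is rarely justified on an IaaS host.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}

# Constructed sample shaped like the "IpPermissions" element returned by
# ec2:DescribeSecurityGroups. Group ids and CIDRs are hypothetical.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0example1",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # SSH open to the world
        ],
    },
    {
        "GroupId": "sg-0example2",
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [],                                  # only reachable from web-tier
             "UserIdGroupPairs": [{"GroupId": "sg-0example1"}]},
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ],
    },
    {
        "GroupId": "sg-0example3",
        "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},     # SSH from one office range
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # all traffic, anywhere
        ],
    },
]


def is_world_open(cidr: str) -> bool:
    """True when the CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_ports(perm: dict) -> List[int]:
    """Admin ports admitted by one rule. IpProtocol '-1' means all protocols and ports."""
    if perm.get("IpProtocol") == "-1":
        return sorted(ADMIN_PORTS)
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return sorted(p for p in ADMIN_PORTS if lo <= p <= hi)


def audit_security_groups(groups) -> Dict[str, List[str]]:
    """Map each offending GroupId to the list of world-open admin-port exposures."""
    findings: Dict[str, List[str]] = {}
    for g in groups:
        for perm in g.get("IpPermissions", []):
            # Rules that reference another security group (UserIdGroupPairs) have no
            # CIDR and are skipped: they are not reachable from the Internet by themselves.
            ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                     [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in ranges:
                if not is_world_open(cidr):
                    continue
                for port in exposed_admin_ports(perm):
                    findings.setdefault(g["GroupId"], []).append(
                        f"{ADMIN_PORTS[port]} ({port}/tcp) open to {cidr}")
    return findings


if __name__ == "__main__":
    for group_id, issues in audit_security_groups(SAMPLE_GROUPS).items():
        for issue in issues:
            print(f"{group_id}: {issue}")
```

Run against the sample, the web tier is flagged for SSH and the bastion for its catch-all rule, while the database tier passes because its only CIDR rule is limited to private address space and its MySQL rule is restricted to another security group. The same check extends naturally to network ACLs, with the caveat that NACLs are stateless and evaluated per rule number.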

S3 Security:

One of the first services introduced by Amazon was Amazon Simple Storage Service (S3). It allows you to upload and retrieve data at any time, from anywhere on the web. Amazon S3 stores data as objects within buckets. Security is implemented by the customer through:

  • Access control - Identity and Access Management (IAM) policies, Access Control Lists (ACLs) and bucket policies.
  • Data transfer - Customers can securely upload and download data to Amazon S3 via the SSL/TLS-encrypted endpoints.
  • Data storage - Amazon S3 provides multiple options for protecting data at rest. Customers who prefer to manage their own encryption can use a client-side encryption library such as the Amazon S3 Encryption Client to encrypt data before uploading it to Amazon S3. Alternatively, you can use Amazon S3 Server-Side Encryption (SSE) if you prefer to have Amazon S3 manage the encryption process for you.
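S3 offers encrypted endpoints and SSE, but as the post says, applying them is the customer's job: nothing stops an unencrypted PUT or a plain-HTTP GET unless the bucket policy says so. The Python below is an added example, not code from the original post or from AWS. It builds a bucket policy that denies any request not made over TLS (`aws:SecureTransport`) and any `PutObject` that omits the SSE header (`s3:x-amz-server-side-encryption`), both real IAM condition keys, and includes a deliberately small evaluator for the `Bool` and `Null` condition operators so the policy's effect can be checked offline. The bucket name is hypothetical, and the evaluator covers only Deny statements and ignores `Resource` matching, which is enough to illustrate the two rules.

```python
import json
from typing import Optional

BUCKET = "example-bucket"  # hypothetical bucket name


def hardened_bucket_policy(bucket: str) -> dict:
    """Bucket policy with two explicit Deny statements: one for requests that do not
    arrive over TLS, one for uploads that do not request server-side encryption."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                # Null:true matches when the header/condition key is absent.
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _condition_matches(cond: dict, ctx: dict) -> bool:
    """Evaluate the Bool and Null operators used above (a subset of IAM semantics)."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif op == "Null":
                key_is_absent = actual is None
                if key_is_absent != (str(expected).lower() == "true"):
                    return False
            else:
                raise ValueError(f"operator {op} not supported by this toy evaluator")
    return True


def _action_matches(pattern, action: str) -> bool:
    """Match an Action element (string or list) with trailing-* wildcards."""
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(p == "*" or p == action or (p.endswith("*") and action.startswith(p[:-1]))
               for p in pats)


def denied_by(policy: dict, action: str, ctx: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement matching the request, or None.
    ctx holds the request's condition keys, e.g. {"aws:SecureTransport": "true"}."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_matches(stmt["Action"], action):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = hardened_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    # Plain-HTTP upload, even with SSE requested, is refused by the transport rule.
    print(denied_by(policy, "s3:PutObject",
                    {"aws:SecureTransport": "false", "s3:x-amz-server-side-encryption": "AES256"}))
    # TLS upload without the SSE header is refused by the encryption rule.
    print(denied_by(policy, "s3:PutObject", {"aws:SecureTransport": "true"}))
    # TLS upload with SSE-KMS is not denied by either statement.
    print(denied_by(policy, "s3:PutObject",
                    {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}))
```

An explicit Deny in a bucket policy overrides any Allow in an IAM user policy, which is why these two statements are a reliable floor regardless of how permissive individual identities are. Note that in real S3 the `Null` check applies only when SSE is requested per request; buckets with default encryption configured will encrypt regardless, so the second statement is there to catch callers that rely on a bucket whose default was never set.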


References and further reading:

  • Amazon Web Services: Overview of Security Processes white paper
  • AWS Shared Responsibility Model: Cloud Security
  • Amazon EC2 Foundations
  • Amazon EC2 Security Solutions