How to secure customer data on cloud workloads
4 min read
Cloud data security has been featured in the news recently due to the Capitol One data breach, which was the result of the lender’s poor settings surrounding data transactions and storage. Data breaches have affected wide-ranging industries from financial institutions and government to banking and healthcare.
With modern IaaS infrastructure, a large portion of the responsibility for keeping customer data secure falls to cloud architects, developers, and operations team members. Customer data security best practices vary, but the AWS Well-Architected Framework defines a streamlined set of steps that ensure cloud security implementation is well-rounded and thorough. The framework is based on five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization.
In this article, I’ll focus on security. How can you ensure customer data is secure in the cloud? Let’s look at a few steps and important things to pay attention to.
1. Know your users and enforce strict access control
Identity foundation and authorization enforcement are basic steps of cloud workload security. You need to understand user needs to properly assign permissions and create a strict access hierarchy.
User and access management play a key role in many security breach scenarios. If someone were to gain unauthorized access using a single master password, for example, then there would be no more powerful key to supersede their actions or confirm their identity. No one should be able to guess a single password and get access to all your data. To prevent scenarios like these, you should:
• Use the principle of least privilege. First, don’t use AWS root credentials for all users. Ask why people and systems access AWS resources. Then allocate unique accounts with only the minimum set of necessary permissions for each person or system using AWS Identity and Access Management (IAM). Adjust credentials as needs or circumstances change. Remove credentials when a user leaves or a system gets decommissioned.
• Adhere to strict password standards. Require unique, complicated passwords for each user and that they change frequently. Enforce use of multi-factor authentication. Enable notification if someone uses the root user. Audit password access on a routine basis to ensure only qualified users have proper access.
• Be aware of changes in infrastructure. If someone adjusts a resource unexpectedly, this deserves attention. AWS Config continuously monitors the configuration of your resources and alerts for potential security problems. The use of configuration management tools such as AWS Systems Manager and CloudFormation can enforce and validate secure configurations automatically.
2. Automate best practices
Let’s say a hacker finds their way into your system and begins rummaging around. Without automated responses in place, it may be hours or days before you realize what has happened—plenty of time for criminals to make off with valuable data or wreak havoc on your system’s infrastructure. With automation, the careful design of your system includes alerts and containment triggers, which mitigate compromised data and give you a chance to react in time. To employ automation in your system, you should:
• Automate credential management. Paired with the principle of least privilege, automated management of credentials can save you some effort in maintaining proper access.
• Use automated alerts to notify of issues. Configure CloudWatch and CloudTrail to trigger alarms and send notifications to your operations team.
• Integrate alerts with ticketing systems. Use automated alerts to automatically generate tickets for your teams to take future action.
• Create and employ checklists as code. Create checklists to consistently work to appropriate standards. Use AWS Config to implement checklists as code and trigger in response to events.
• Automate preventative actions. Use behavior-based rules to isolate suspect behavior using services like Amazon GuardDuty, AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs. Then use GuardDuty and CloudWatch Events to automatically trigger a Lambda function to execute a change in your system such as closing a port in a security group.
3. Be proactive about quality control
Environmental disaster response is a procedure in place for businesses of all sizes. Preparation is key when time is of the essence, and cloud security is no different. If you have an untested runbook that suddenly doesn’t work properly when a real incident occurs, suddenly your problem is compounded! To increase your confidence about responding to security incidents, you should:
• Capture and analyze logs frequently. These are where your actionable insight comes from. Define service requirements for logs, metrics, and alerts. Analyze logs centrally. Create automated alerts on key indicators.
• Stay up-to-date on security news. This includes knowing the latest security threats, legal and compliance requirements, and new security features.
• Conduct operations metrics reviews regularly with cross-team participants from other areas of the business. Engage stakeholders to validate findings from immediate feedback and retrospective analysis. Maintain proper lines of communication with diverse stakeholders to ensure you get accurate data.
• Implement runbooks as code. Create incident response runbooks to give your team a clear list of steps to follow in case of a security incident. Create a threat model to thoroughly identify potential scenarios in advance. Use AWS Systems Manager Automation and Lambda to implement runbooks as code. Use CloudWatch Events to trigger runbooks in response to events.
• Game days. Train properly to ensure teams can recognize and troubleshoot issues. Give your teams—and other key stakeholders—time to simulate a security incident and test your response.
With the right systems in place, cloud workload security is manageable. Teams can use AWS Well-Architected Reviews to engage certified AWS Certified Solutions Architect Professionals to evaluate their processes and stay proactive about protecting their digital assets.