Five golden rules of security planning in the AWS cloud
Whatever you put in the cloud, it needs to be secure — from day one. When you choose Amazon Web Services (AWS), you have the confidence of knowing that AWS is securing the hardware, software, networking and facilities. But you’re responsible for securing everything you put in the cloud, including:
- Customer data
- Platform, applications, identity and access management
- Operating system, network and firewall configuration
- Client-side data encryption and data integrity authentication
- Server-side encryption for your file systems and/or data
- Networking traffic protection, including encryption integrity and identity
Security is a shared responsibility between you and AWS. So you’ve got to do your part. You can’t risk exposing confidential data or being compromised, and so protection and monitoring for your AWS cloud environment is vital.
In this article, I discuss the importance of security engineering through five golden rules to follow when planning and building your cloud environment — always with security in mind.
1. Security engineering should be your first step
Always start with security. Once you know what you’re going to do with your AWS cloud environment, but before you add data or apps, have proper security controls in place — and a process that mandates that happening.
There might be pressure to make things secure later — too often, organizations prioritize other business goals. But unless you put security upfront, you’ll risk compromised environments, data loss and attacks by malicious actors — all before you’ve had the chance to put proper security controls in place.
2. One size does not fit all
The security landscape is complex. There are many tools and ways to do things. Not every security solution or product is best suited to every environment — and they all have different capabilities.
You must use the most appropriate security tools and products, and adapt them to how you use your cloud environment, the data you store in it and regulatory compliance requirements.
It’s therefore crucial to have people on your team — or partners to work with — who have a thorough understanding of security and the cloud environments you use. By combining those skills, you can ensure you have proper security controls in place.
3. People are core to security engineering
You need the right team in place to successfully set up a secure AWS cloud environment. But don’t make the mistake of then immediately dropping people from the equation. All the cloud native tools and monitoring you set up won’t be valuable if you lack teams and processes that enable you to respond to problems.
Tools can tell you about what’s happening in your cloud environment, but if you don’t have anyone monitoring it 24x7, you risk getting compromised and losing data. So ensure your organization has a SOC-like capability to more thoroughly protect your cloud environment.
4. Security is not a one-time engagement
Don’t set up a secure AWS environment and think the job’s done when it’s only just begun. Security engineering is not a one-time engagement that occurs when you spin up a new account. It needs to evolve constantly, based on your use of the cloud.
Create processes that mandate a regular review of your AWS cloud environment. Work with people who understand what you’re doing with it, how your use of the cloud has changed and any new services you’ve started to use. Security controls and processes must then adapt accordingly.
5. The cloud is radically different from what came before
Some organizations struggle when transitioning to the cloud from dedicated environments. They are used to segregating internal resources — the secure environment — from the outside world by using a perimeter protection device. This provides a good level of protection in a dedicated scenario, but it’s not enough in the cloud.
Not everything in the cloud runs on the server. You cannot protect everything with a single firewall. Your security approach must therefore be very different. Think beyond your network regarding threat detection (such as considering API calls to your cloud environment that won’t necessarily go through your corporate firewall), use appropriate rather than solely familiar tools and products, and work with people who understand the threats, risks and security solutions and tools inside-out.
Security in partnership
To be effective in securing your AWS cloud, you need expertise in security, the cloud environment itself, and cloud native security products — all while being aware of the rapid changes in security engineering and keeping pace with such developments. This can overwhelm, which is why organizations often partner with experts in the field.
Rackspace Technology is the first consulting managed security service provider (MSSP) partner for AWS Security Hub, offering consulting services for AWS cloud native security products, including around-the-clock support from certified security experts in our global Security Operations Center (SOC).
Rackspace Technology believes in the core fundamentals outlined in this article: security must come first; one size does not fit all; and security engineering needs evolve over time. This is why we offer managed security services using cloud native security products, such as our Cloud Native Security solution for AWS.
Our aim is to combine skills and expertise to help you achieve your security goals and protect your cloud environment. But whether you choose to partner up or handle it alone, do prioritize making sure your cloud environments are secure — before it’s too late.