As organizations embrace digital transformation and migrate to the cloud, it is crucial to keep security in mind. The traditional methods and legacy tools they’ve depended on to defend their local applications and data are not sufficient in the cloud. It is important to understand the unique attributes of the cloud and design security that has both the agility and scalability to keep up. Let’s take a closer look at three important elements of effective cloud security—infrastructure security, data protection, and incident response.
Cloud Infrastructure as Code
As technology has evolved, the line between hardware and software has blurred. Servers are now virtual machines, and the underlying network infrastructure is defined and implemented by software. Infrastructure as code provides a variety of unique advantages that are necessary in a cloud environment.
The Cloud Controls Matrix—which was discussed in more detail in the second post of this series—is a meta framework of cloud security controls created by the Cloud Security Alliance. It includes 13 infrastructure security controls that map to leading cloud security standards, best practices, and applicable regulations.
The Cloud Controls Matrix also helps illustrate the ways that infrastructure as code helps to mitigate security risks. Things like change detection, clock synchronization, documentation, network security, and OS hardening are all crucial elements of effective cloud security but can be daunting to implement and incorporate. Infrastructure as code simplifies all of them.
Take a look at AWS CloudFormation—the AWS implementation of infrastructure as code. AWS CloudFormation relies on nested stacks, which are reusable, component template patterns. They are standard components that can be declared and referenced from within other templates—reducing the need to copy and paste and simplifying the update process. Using nested stacks for your security infrastructure ensures consistency over time and enables you to easily detect drift from the established security standards. AWS CloudFormation templates are stored as text files in JSON or YAML formats, making them very easy to create and edit.
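To make the nested-stack pattern concrete, here is a parent template added to this post as an illustration; it is not code from the original article or from AWS. It declares the security team's baseline as a nested stack and hands that stack's output to an application stack, so the application never defines its own ingress rules. The bucket name, the template paths security-baseline.yaml and app.yaml, and the output name RestrictedSgId are assumptions; the two child templates are not shown.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example: a parent stack that reuses a security baseline as a nested
  stack instead of copying its resources into every application template.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC in which the baseline security group and the application live
  TemplateBucket:
    Type: String
    Description: Assumed S3 bucket where the security team publishes approved templates
  BaselineVersion:
    Type: String
    Default: v1
    Description: Version prefix of the approved baseline; bumping it rolls the update to every consumer

Resources:
  # The reusable component. Its template (security-baseline.yaml, assumed) is
  # owned by the security team and exports the IDs of the resources it creates.
  SecurityBaseline:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${TemplateBucket}.s3.amazonaws.com/${BaselineVersion}/security-baseline.yaml"
      Parameters:
        VpcId: !Ref VpcId
      Tags:
        - Key: SecurityBaselineVersion
          Value: !Ref BaselineVersion

  # The application stack consumes the baseline's output (RestrictedSgId,
  # assumed) rather than declaring its own ingress rules, so every application
  # deployed this way inherits the same network controls.
  Application:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${TemplateBucket}.s3.amazonaws.com/${BaselineVersion}/app.yaml"
      Parameters:
        VpcId: !Ref VpcId
        SecurityGroupId: !GetAtt SecurityBaseline.Outputs.RestrictedSgId

Outputs:
  BaselineStackId:
    Description: Records which baseline stack the application was deployed with
    Value: !Ref SecurityBaseline
  BaselineVersion:
    Description: Records the approved baseline version in use
    Value: !Ref BaselineVersion
```

Because the baseline is referenced rather than copied, publishing a new version and changing the BaselineVersion parameter updates every consumer the same way. After deployment, `aws cloudformation detect-stack-drift --stack-name <parent-stack>` followed by `aws cloudformation describe-stack-resource-drifts --stack-name <parent-stack>` reports any resource whose live configuration no longer matches the template, which is the drift check the text describes.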
Data Protection
Organizations have a lot of data, but it is not all created equally. The first step in data protection is to understand which data you are trying to protect. You should have a data categorization and classification policy to clearly identify sensitive data.
Business units and the IT team need to understand and agree on the risk elements and data groups. It is also important to keep the data classification scheme simple. Introducing too much granularity just makes the system complex and confusing—which leads to users ignoring or circumventing it. One suggestion is to limit it to four distinct levels:
- Public: Data that can be freely disclosed to the public
- Internal Only: Data like organization charts, sales playbooks, or marketing strategy
- Confidential: Sensitive data that could negatively affect business operations if compromised
- Restricted: Highly sensitive data that could put the business at legal or financial risk if compromised
You can also employ tools like Amazon Macie to assist with data protection. Amazon Macie uses machine learning (ML) to automatically discover, classify, and protect your data in AWS. Macie provides a dashboard that allows you to view access patterns and user activities related to the data. Amazon Macie is currently only supported for S3 bucket data sources, but more data source types are expected in the future.
Another critical component of data protection is data encryption—for data at rest, as well as for data in flight. AWS KMS (Key Management Service) is a managed service that makes it easy to create master keys for encrypting your data. AWS KMS relies on FIPS 140-2 validated hardware security modules to protect master keys, and it is a natural fit for data protection in AWS because it integrates seamlessly with most AWS services.
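The following template, added here as an example and not taken from the original post or from AWS, shows both halves of that requirement in CloudFormation: a customer-managed KMS key with automatic rotation protects data at rest by encrypting every object written to a bucket, and a bucket policy rejects any request that does not arrive over TLS, protecting data in flight. The key alias and the DataAccessRoleArn parameter (the role allowed to use the key) are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example: a KMS master key with rotation, an S3 bucket that encrypts
  everything with it (data at rest), and a policy that refuses non-TLS
  requests (data in flight).

Parameters:
  DataAccessRoleArn:
    Type: String
    Description: Assumed ARN of the IAM role that is allowed to read and write the data

Resources:
  DataKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Master key for Confidential and Restricted data (example)
      EnableKeyRotation: true    # KMS rotates the backing key material automatically
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # The account root keeps administrative control so the key can never be orphaned.
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          # The data role may use the key, but only through S3 in this region,
          # so the key cannot be repurposed for other encryption tasks.
          - Sid: AllowDataRoleViaS3Only
            Effect: Allow
            Principal:
              AWS: !Ref DataAccessRoleArn
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
            Condition:
              StringEquals:
                kms:ViaService: !Sub "s3.${AWS::Region}.amazonaws.com"

  DataKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/example-confidential-data   # assumed alias name
      TargetKeyId: !Ref DataKey

  DataBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Default encryption: every object is encrypted with the KMS key above,
      # whether or not the uploading client asks for it.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !GetAtt DataKey.Arn
            BucketKeyEnabled: true   # fewer KMS calls, same per-object protection
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled

  DataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref DataBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Data in flight: deny every action that is not carried over TLS.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !GetAtt DataBucket.Arn
              - !Sub "${DataBucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"

Outputs:
  DataKeyArn:
    Value: !GetAtt DataKey.Arn
  DataBucketName:
    Value: !Ref DataBucket
```

The kms:ViaService condition is what ties the key to its purpose: even a principal holding the data role cannot call KMS directly with this key, only through S3. Because the data role must be granted in the key policy as well as in its own IAM policy, a compromised IAM policy alone does not unlock the data.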
Incident Response
Incident response in the cloud differs from the traditional incident response workflow. The Cloud Security Alliance created Cloud Incident Response (CIR) to address these differences. There are three critical components of CIR: governance, shared responsibility model, and visibility.
Cloud data is often mirrored across different datacenters around the world, and that is compounded even further for organizations that use a hybrid or multi-cloud strategy. Obtaining information from different cloud service providers, in different parts of the world, operating under different compliance frameworks and privacy regulations is tricky.
The shared responsibility model is also important to keep in mind. As we discussed in an earlier post in this series, the basic premise of the shared responsibility model is that AWS is responsible for security of the cloud, while you are responsible for security in the cloud. In other words, AWS will ensure that the cloud infrastructure and cloud services it is providing to you are secure, but the security of the applications you run in the cloud and the data you store in the cloud is your responsibility.
Visibility is a consistent challenge, but it is even more difficult in the cloud. Having servers, applications, and data spread across a hybrid or multi-cloud environment and accessed from devices that could be virtually anywhere adds a layer of complexity to the visibility problem.
The CIR framework enables you to address visibility across your cloud environment holistically and consistently. There are five phases to the CIR framework:
- Preparation: Proactively planning for what will be needed for incident response, such as establishing roles and responsibilities and a list of emergency contacts
- Detection and analysis: Detection, confirmation, and analysis of suspected security incidents
- Containment and eradication: Minimizing loss, theft of information, or disruption of service, and elimination of the threat
- Postmortem: Assessment of the incident response to learn lessons and improve response to future incidents
- Coordination and information: Communicating effectively and coordinating resources throughout all phases of the CIR framework
Embrace the Cloud
There are many benefits to the cloud, and organizations of all sizes need to take advantage of them. You can embrace the cloud with confidence as long as you understand the security implications of infrastructure as code, and have solid data protection and cloud incident response strategies in place.
***
This blog was written by Jeanice Russell, Chief Cloud Security Architect at Set Solutions.