Digital transformation and migrating to the cloud are nothing new. Moving to cloud computing and SaaS (software-as-a-service) platforms and applications has been a growing trend for years. Gartner estimated that revenue for public cloud platforms would increase by 17% to more than $260 billion in 2020—and that was before the COVID-19 pandemic hit. Companies of all sizes and across all industries shifted overnight to a remote, work-from-home business model in response to the pandemic—accelerating cloud transformation efforts in many cases.
As organizations embrace the benefits of cloud transformation, it is crucial to focus on cloud security as well. It is important to understand how traditional on-premises security controls differ from security controls on a cloud platform such as AWS. You need to understand the shared responsibility model, the unique challenges of securing applications and data in the cloud, and the basic principles of cloud security.
Shared Responsibility Model
When you run an on-premises infrastructure, and your network, applications, and data are all completely under your own control, you also know you are responsible for security. There is no gray area or room for interpretation. When you migrate to the cloud, or adopt a hybrid or multi-cloud infrastructure, security gets a bit more complicated. It is essential to understand the shared responsibility model and to know what the cloud service provider manages and what is still your burden to protect.
While it may seem confusing at face value, the shared responsibility model for cloud security makes sense once you think it through. Put simply, the cloud service provider, such as AWS, protects what it provides: the physical data centers, the hardware, the virtualization layer, and the managed services built on top of them (AWS calls this security "of" the cloud). You are responsible for securing everything you upload to or run within that platform: your applications, your data, and the configuration of the services you consume (security "in" the cloud). Exactly where the line falls depends on the service. On an EC2 instance you patch the guest operating system and configure its firewall yourself; on a managed service such as S3 or RDS, AWS maintains the underlying software and your job is mostly access control, encryption settings, and backups. You are also responsible for understanding and correctly using the security controls the provider offers. AWS gives you the tools, but it will not be responsible for an S3 bucket you left open to the world or an IAM policy that grants far more than it should.
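The last point is where most customer-side cloud breaches start, so it is worth seeing what "failing to configure access controls" looks like in a policy document. The following is an added example (not code from the original post): a small evaluator that walks an S3 bucket policy or IAM policy and reports an Allow statement open to everyone (Principal "*") with no Condition, and an Allow statement granting wildcard actions on every resource. The sample policies are constructed for this example; the bucket name, role name and account ID are placeholders.

```python
"""Audit an AWS IAM or S3 bucket policy for customer-side access-control mistakes.

Added example, not code from the original post. Under the shared responsibility
model the policies attached to your buckets and roles are yours to get right.
The policies at the bottom are constructed; names and account IDs are placeholders.
"""
import json


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for the anonymous principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_policy_findings(policy):
    """Return one finding dict per risky Allow statement in a policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        sid = stmt.get("Sid", "statement[%d]" % idx)
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        principal = stmt.get("Principal")  # absent in identity-based IAM policies
        conditioned = bool(stmt.get("Condition"))

        if _principal_is_anyone(principal):
            if conditioned:
                # Keys such as aws:PrincipalOrgID or aws:SourceVpce can make a
                # wildcard principal safe, but a human should confirm which keys
                findings.append({"sid": sid, "issue": "CONDITIONED_WILDCARD_PRINCIPAL",
                                 "detail": "Principal * narrowed only by a Condition"})
            else:
                findings.append({"sid": sid, "issue": "PUBLIC_ACCESS",
                                 "detail": "Allow to Principal * with no Condition"})

        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action and "*" in resources:
            findings.append({"sid": sid, "issue": "WILDCARD_ACTION_ON_ALL_RESOURCES",
                             "detail": "Action %s on Resource *" % ", ".join(actions)})
    return findings


def audit_policy_json(text):
    """Convenience wrapper for a policy document as returned by the AWS CLI."""
    return find_policy_findings(json.loads(text))


# Constructed sample policies (placeholder bucket, role and account ID).
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowEveryoneRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
}

ORG_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowOrgRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}],
}

HARDENED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

OVERBROAD_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AdminForCI", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, policy in [("public bucket", PUBLIC_BUCKET_POLICY), ("org-scoped", ORG_SCOPED_POLICY),
                         ("hardened bucket", HARDENED_BUCKET_POLICY), ("CI role", OVERBROAD_IAM_POLICY)]:
        print(name, json.dumps(find_policy_findings(policy), indent=2))
```

The hardened policy shows the pattern to aim for: grant to a named role, and use the wildcard principal only in a Deny (here, refusing plaintext HTTP). Note that a Condition does not make a wildcard principal safe by itself; the checker deliberately reports it as a separate, lower-severity finding so that someone verifies the condition keys.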
Core Principles of Cloud Security
There are five core security control themes you should be aware of: identity and access management, logging and monitoring, infrastructure security, data protection, and incident response.
- Identity and Access Management: AWS IAM (Identity and Access Management) controls who can authenticate to your AWS account (users, groups, and roles) and which API actions each principal is authorized to perform on which resources. Permissions are expressed as JSON policies attached either to identities or to resources such as S3 buckets.
- Logging and Monitoring: AWS CloudTrail records the API calls made in your account. Every account gets 90 days of management-event history by default, but to retain logs longer, capture data events such as S3 object access, or feed them into a SIEM, you must create a trail that delivers to S3 or CloudWatch Logs, and you should protect that trail from being stopped or deleted. Amazon CloudWatch collects metrics and logs from your AWS resources and applications and lets you alarm on them.
- Infrastructure Security: In AWS, infrastructure is defined as code, and the security controls (VPCs, subnets, security groups, IAM roles) should be part of that code from the first tier up rather than bolted on afterwards. AWS CloudFormation lets you declare those controls in templates, deploy them as stacks and nested stacks, keep them in version control, and review changes before they reach production.
- Data Protection: AWS provides a variety of features and services for protecting data at rest and in transit. AWS KMS manages the encryption keys that services such as S3, EBS, and RDS use for data at rest, and AWS CloudHSM provides dedicated hardware security modules when you need to control the keys yourself. AWS Certificate Manager issues the TLS certificates that protect data in transit, VPN connections protect traffic between your network and your VPCs, and single sign-on through AWS SSO (now IAM Identity Center) reduces the number of long-lived credentials you have to protect in the first place.
- Incident Response: AWS automation (CloudWatch alarms and EventBridge rules that trigger Lambda functions, for example) can isolate a compromised instance, snapshot its volumes for forensics, or disable a leaked access key within seconds of detection, streamlining your incident response workflows and investigative tools so you respond faster and with less manual effort.
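The logging, monitoring and incident response items above come together in detection content: rules that read CloudTrail records and raise the alerts an automated response would act on. The following is an added example (not code from the original post) implementing three high-signal rules: root-credential use, a successful console login without MFA, and API calls that switch off or reshape the audit trail itself. The records are constructed for this example (account ID, ARNs and source IPs are placeholders) and follow the CloudTrail record layout for the fields used.

```python
"""Run a few high-signal detection rules over CloudTrail records.

Added example, not code from the original post. CloudTrail delivers each API call
as a JSON record inside a {"Records": [...]} file; the records below are
constructed for this example, with placeholder account ID, ARNs and IPs.
"""
import json

# CloudTrail API calls that stop, delete or narrow the trail these rules depend on
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def evaluate_record(record):
    """Return the names of every rule that fires on one CloudTrail record."""
    fired = []
    identity = record.get("userIdentity") or {}
    event_name = record.get("eventName")

    # Rule 1: the root user should never be used for day-to-day work
    if identity.get("type") == "Root":
        fired.append("root_activity")

    # Rule 2: a console login that succeeded without a second factor
    if event_name == "ConsoleLogin":
        outcome = (record.get("responseElements") or {}).get("ConsoleLogin")
        mfa_used = (record.get("additionalEventData") or {}).get("MFAUsed")
        if outcome == "Success" and mfa_used != "Yes":
            fired.append("console_login_without_mfa")

    # Rule 3: someone switching off or reshaping the audit trail
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and event_name in TRAIL_TAMPERING_EVENTS):
        fired.append("trail_tampering")
    return fired


def scan_log(log_text):
    """Parse a CloudTrail log file ({"Records": [...]}) and return all alerts."""
    alerts = []
    for record in json.loads(log_text).get("Records", []):
        for rule in evaluate_record(record):
            alerts.append({
                "rule": rule,
                "eventTime": record.get("eventTime"),
                "eventName": record.get("eventName"),
                "actor": (record.get("userIdentity") or {}).get("arn"),
                "sourceIPAddress": record.get("sourceIPAddress"),
            })
    return alerts


# Constructed sample records (documentation IP ranges, placeholder account 123456789012).
SAMPLE_RECORDS = [
    {"eventVersion": "1.08", "eventTime": "2021-03-01T08:12:44Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventVersion": "1.08", "eventTime": "2021-03-01T09:02:10Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.08", "eventTime": "2021-03-01T09:05:31Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"name": "org-trail"}, "responseElements": None},
    {"eventVersion": "1.08", "eventTime": "2021-03-01T09:06:02Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"},
     "sourceIPAddress": "198.51.100.7", "responseElements": None},
]
SAMPLE_LOG = json.dumps({"Records": SAMPLE_RECORDS})

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(json.dumps(alert))
```

Two details matter in practice. The MFA rule checks for `"Yes"` rather than for the absence of `"No"`, so a record with the field missing still alerts. And the trail-tampering rule is what makes the other rules trustworthy: if an attacker can call StopLogging unnoticed, every later detection is blind, which is why the trail itself should be protected with an IAM policy and an alarm like this one.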
In this series of blog posts, I will be diving into each of these areas in more detail. I will outline the key practices and technologies necessary for effective cloud security, drilling into more detail on each of these five principles of cloud security.
This blog was written by Jeanice Russell, Chief Cloud Security Architect at Set Solutions.