Security concerns are often cited as a reason for not hosting enterprise applications/data on the public cloud. In this post, let’s have a glimpse at the level of security offered by AWS, a prominent Public Cloud provider, for hosting business applications & data. This is just a brief overview of important aspects of Cloud security offered by this vendor. For a fuller understanding, download and read the entire document (pdf).
Whose Responsibility is Security on the Cloud — Cloud Provider or Customer?
On the public cloud, security responsibility is shared between the cloud service provider and the customer. With managed services, the customer carries less of the security responsibility, since OS/application patching, vulnerability assessment, etc. are conducted by the cloud provider on a regular basis. But with basic services like EC2, VPC, etc., more of the security responsibility falls on the customer.
Cloud Providers take Physical Security Seriously
Physical security including security guards, building security systems like surveillance cameras and perimeter access controls through two factor authentication (twice) even for staff members, etc. is enforced strictly in Data Center locations.
For storage device decommissioning, industry-standard procedures for media sanitization are followed so that customer data is not leaked. Every block of storage is reset before being passed on to another customer; memory allocated to a guest is scrubbed (set to zero) before it is unallocated.
Firewalls & Load Balancers for the Perimeter
Of course, there are security devices like firewalls to monitor and control data at the edge of the data centers and at key internal points. Firewall rules and ACLs are enforced to manage the flow of traffic and prevent attacks like DDoS, MITM, IP/MAC spoofing, etc.
Custom monitoring tools are employed to monitor server/network usage, port scanning activities, application usage, intrusion attempts, etc. Personnel are notified when unusual activities are detected and critical threshold levels are crossed.
Load balancers, employed to distribute traffic between multiple instances, log all requests sent to them and make additional information like the requesting IP address, ports, etc. available to the customer.
User Activity & Authentication
User activity is logged for all account users. Multi-factor authentication including passwords, cryptographic keys, digital certificates, etc. is available to prevent unauthorized logins. All API requests that change key parameters must be signed with digital certificates and can be encrypted. Passwords are forced to be complex and users are expected to change them once every 90 days.
Instance Isolation and Per-Instance Firewall Rules
Since multiple customer instances may be hosted on the same server, a firewall resides within the hypervisor layer and forces all data packets to pass through it first. So data intended for one instance cannot be accessed by a neighboring host/instance.
The mandatory inbound firewall is configured in a default deny-all state, and customers need to explicitly open only those ports that are required. Traffic can be restricted by protocol, service port, source IP address, etc. Different groups of instances can be configured with different firewall rules. Customers can apply additional per-instance filters with host-based firewalls, if required.
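As an added example (not code from the original post or from AWS), here is a small Python model of the default-deny inbound firewall described above: a packet passes only if an explicit allow rule matches its protocol, port and source range, and an audit function flags rules that expose admin ports or every port to the whole Internet. The `Rule` class, the rule set and the admin-port list are constructed for illustration; `"-1"` is used for "any protocol", following AWS's own spelling.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule in the security-group style described above (constructed)."""
    protocol: str      # "tcp", "udp", "icmp" or "-1" (any protocol)
    from_port: int
    to_port: int
    cidr: str          # allowed source range, e.g. "10.0.1.0/24"


def packet_allowed(rules, protocol, port, src_ip):
    """Default deny: a packet is accepted only if some rule explicitly matches it."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        proto_ok = r.protocol in ("-1", protocol)
        port_ok = r.protocol == "-1" or r.from_port <= port <= r.to_port
        src_ok = ip in ipaddress.ip_network(r.cidr, strict=False)
        if proto_ok and port_ok and src_ok:
            return True
    return False


def overly_permissive(rules, admin_ports=(22, 3389)):
    """Return (rule, reason) pairs for rules open to 0.0.0.0/0 (or ::/0)
    that either allow everything or expose an administrative port."""
    findings = []
    for r in rules:
        if ipaddress.ip_network(r.cidr, strict=False).prefixlen != 0:
            continue  # scoped to a specific source range: acceptable here
        if r.protocol == "-1":
            findings.append((r, "all protocols and ports open to the Internet"))
        elif any(r.from_port <= p <= r.to_port for p in admin_ports):
            findings.append((r, f"admin port range {r.from_port}-{r.to_port} open to {r.cidr}"))
    return findings


# Constructed sample rule set for a web tier with a private database port.
SAMPLE_RULES = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),       # public HTTPS: expected
    Rule("tcp", 22, 22, "0.0.0.0/0"),         # SSH from anywhere: should be flagged
    Rule("tcp", 3306, 3306, "10.0.1.0/24"),   # MySQL only from the app subnet
]

if __name__ == "__main__":
    for rule, reason in overly_permissive(SAMPLE_RULES):
        print(f"{rule}: {reason}")
```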
Virtual Private Cloud (VPC)
Normally, instances are assigned a public IP address. But VPC enables customers to have instances with private IP addresses. Customers can have private subnets, public subnets or both. A VPC with VPN access to the customer’s data center creates an encrypted private network between the public cloud and the on-premise data center.
Storage & Encryption
Customers are encouraged to encrypt all stored data using their own encryption technology, or to use the cloud provider’s AES-256 server-side encryption for the same purpose. All access requests to storage resources, including the requester’s IP address, date/time, requested resource details, etc., are logged and made available to the customer.
In case of shared volumes, only the account that created the volume (and the associated instance) is allowed to alter/delete the original snapshot. Specialized wiping of data for compliance purposes is allowed.
This article is meant to give a better understanding of some of the security processes employed by cloud service providers for business/enterprise. It is by no means comprehensive or authoritative — there may be changes with time. For a fuller understanding of the security processes employed by AWS, whose document was researched for this article, please refer to that document (pdf).