In cloud computing, security cuts both ways. For some organisations it was the very reason they adopted the cloud; for others it is the concern that still keeps them from stepping in. So what is the reality? Is the cloud insecure, or is it more secure?
Actually, it is neither. In simple words, security in the world of cloud computing is a shared responsibility. You must have heard the term 'Shared Responsibility Model'; if not, look it up on the web. At a very high level it states that security of the cloud (the facilities, hardware, network and the managed services themselves) is the responsibility of the cloud service provider, while security in the cloud (what you deploy, configure and store on it) is the responsibility of the customer. Dig deeper and the boundary sits in a different place for different services, different service models (IaaS, PaaS, SaaS) and different cloud platforms.
Let me break it down with a simple analogy. Suppose you put your jewellery in a bank locker and the bank gives you a password for it. It is now the bank's responsibility to look after the vault: physical security, access management, authorisation and so on. You have shared your responsibilities with the bank. Without it you would keep the jewellery at home and have to protect everything yourself. After putting it in the locker, the only thing left for you to protect is the password. The bank may add further checks before it opens a locker, but anyone who knows your password is one step closer to your valuables, so never share it with anyone.
Now that you have a basic understanding of the shared responsibility model, let's come back to the cloud. You don't have to worry about the things the cloud service provider is required to take care of; you only have to take care of what is on your plate. The problem is that this part often doesn't get enough attention, and the line between the shared responsibilities can be blurry. In this article I have listed some generic steps that help maintain security in the cloud. I have used AWS for the examples, but the principles are almost the same across all clouds.
- Get familiar with your account and don’t miss out leveraging existing security features
To protect your cloud you need to be familiar with your account, as it is the door to your cloud. It happens quite often that we forget to implement or enable the security features the cloud service provider already offers.
For example, the IAM dashboard in AWS shows security recommendations and alerts for your account, such as adding MFA to the root user and removing root user access keys. They shouldn't be ignored; implementing them directly improves your security posture.
Service(s): AWS IAM
- Enhance your authentication
Well, you've protected your door, but what about the lock? Yes, I'm talking about authentication. Organisations with workloads on the cloud need a strong authentication mechanism. Enhance your authentication with Multi-Factor Authentication, and avoid security questions and text messages (SMS) as the second factor. A genuine authenticator application is recommended; hardware MFA devices can be used as well.
https://aws.amazon.com/iam/features/mfa/
Service(s): AWS IAM
- Say no to hard-coded secrets and transmission of unencrypted sensitive information
Sometimes programmers leave access keys in plain text in their code, which becomes a risk of compromise as soon as that code is shared or committed. It can also happen that, because of a security misconfiguration, sensitive information in transit is left unprotected. Hence, avoid hard-coded secrets and encrypt all sensitive data in transit.
For example, you can use IAM database authentication to connect to your RDS instance with a short-lived authentication token instead of a database password stored in the application.
Click the link given below to know more.
https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/
And to encrypt data in transit, AWS Certificate Manager can provision and renew the TLS certificates your endpoints use.
You can also encrypt the connection to a DB instance with SSL/TLS.
Click the link given below to know more.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
Service(s): AWS Certificate Manager
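As an added example (not code from the original article), here is a small scanner that catches the two problems described above before code is committed: AWS access key pairs written into source, and boto3 calls that switch off TLS. The sample sources are constructed for the example; the credentials in the unsafe one are the public placeholder pair from AWS's own documentation, not live keys.

```python
import re

# Shape of an AWS access key ID: AKIA (long-term) or ASIA (temporary) plus
# 16 upper-case alphanumerics, not embedded in a longer alphanumeric run.
ACCESS_KEY_RE = re.compile(r"(?<![A-Za-z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Za-z0-9])")

# A secret access key is 40 base64-style characters with no fixed prefix, so
# it is only reported when it follows a "secret (access) key" identifier.
SECRET_KEY_RE = re.compile(
    r"(?:aws_?)?secret_?(?:access_?)?key\W{0,3}[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)

# boto3 client options that turn off TLS or point at a plain-http endpoint.
PLAINTEXT_RE = re.compile(r"use_ssl\s*=\s*False|endpoint_url\s*=\s*[\"']http://")


def scan_source(text):
    """Return one finding per credential or plaintext-transport hit, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "token": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "secret_access_key", "token": m.group(1)})
        for m in PLAINTEXT_RE.finditer(line):
            findings.append({"line": lineno, "kind": "unencrypted_transport", "token": m.group(0)})
    return findings


# Constructed sample: the pattern the article warns against. The key pair is
# AWS's documentation placeholder (AKIAIOSFODNN7EXAMPLE / ...EXAMPLEKEY).
UNSAFE_SOURCE = """\
import boto3
# TODO: remove the hard-coded keys before commit
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
ec2 = boto3.client("ec2", use_ssl=False)
"""

# Constructed sample: the same program relying on the SDK's default credential
# provider chain (environment, shared profile, or the instance/task role).
SAFE_SOURCE = """\
import boto3
# Credentials come from the default provider chain; nothing lives in the repo.
s3 = boto3.client("s3")
"""

if __name__ == "__main__":
    for finding in scan_source(UNSAFE_SOURCE):
        print(f"line {finding['line']}: {finding['kind']} -> {finding['token']}")
    print("safe source findings:", scan_source(SAFE_SOURCE))
```

Run it as a pre-commit hook over the staged files (or over a git history export) and fail the commit on any finding; a key that has already been pushed should be treated as compromised and rotated, not merely deleted from the next commit.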
- Implement proper access controls
Grant users in your organisation access on a least-privilege, need-to-know basis. Define proper segregation between workloads and networks, and use tags wherever possible. These practices make it easier to manage your resources and keep them secure.
Service(s): AWS IAM
- Protect your storage
Amazon S3 stores data inside buckets. You can even use a bucket to host a static website, and for that you have to allow public access to the bucket. In some cases you might then have sensitive information residing in the same bucket that you opened to the public, which can compromise your data. So it is very important to keep public access disabled for your sensitive objects and buckets, and to keep public website content in a separate bucket of its own. The same goes for the CORS configuration: use it only as your requirements demand. Also, don't forget to implement encryption for your data at rest. There are many ways to encrypt your data in S3.
Click the link given below to know more.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html
Service(s): Amazon S3, AWS KMS
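The two preceding points (least-privilege IAM policies and public S3 buckets) come down to reading policy documents carefully, so here is one added example, written for this article rather than taken from it, that lints both kinds of policy: it flags identity policies that allow wildcard actions or resources, lists bucket-policy statements any AWS principal can use, and shows which objects an "everyone may read" website statement actually exposes. The policies, bucket names and the VPC endpoint ID are constructed for the example.

```python
import fnmatch


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action, Resource and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Allow statements granting every action (or a whole service) or every resource."""
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        problems = []
        if any(a == "*" or a.endswith(":*") for a in actions):
            problems.append("wildcard action")
        if "*" in resources:
            problems.append("wildcard resource")
        if problems:
            flagged.append((stmt.get("Sid", "<no Sid>"), problems))
    return flagged


def _principal_is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_statements(bucket_policy):
    """Allow statements open to any principal: (Sid, resources, has_condition).
    A Condition may narrow the statement (e.g. to one VPC endpoint), so it is
    reported for manual review instead of being silently ignored."""
    result = []
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            result.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Resource")), "Condition" in stmt))
    return result


def exposed_objects(bucket_policy, object_arns):
    """Object ARNs matched by an unconditional public statement (IAM '*' spans '/', like fnmatch)."""
    patterns = [r for _sid, resources, conditional in public_statements(bucket_policy)
                if not conditional for r in resources]
    return [arn for arn in object_arns if any(fnmatch.fnmatchcase(arn, p) for p in patterns)]


PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_block_complete(config):
    """True only when all four S3 Block Public Access settings are on."""
    return all(config.get(key) is True for key in PUBLIC_ACCESS_BLOCK_KEYS)


# Constructed sample policies.
ADMIN_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EverythingEverywhere", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllOfS3", "Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::reports-bucket/*"},
    ],
}
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]},
    ],
}
# One bucket serving a website and holding private exports: the website
# statement covers every key, so the "VPC only" statement does not help.
MIXED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicWebsite", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::company-site/*"},
        {"Sid": "VpcOnlyExports", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::company-site/exports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
SAMPLE_OBJECT_ARNS = ["arn:aws:s3:::company-site/index.html",
                      "arn:aws:s3:::company-site/exports/customers.csv"]

if __name__ == "__main__":
    print("broad:", overly_broad_statements(ADMIN_LIKE_POLICY))
    print("public:", public_statements(MIXED_BUCKET_POLICY))
    print("exposed:", exposed_objects(MIXED_BUCKET_POLICY, SAMPLE_OBJECT_ARNS))
```

The fix for the mixed bucket is structural, not a cleverer policy: move the exports to a bucket with all four Block Public Access settings on, and leave only website content behind the public statement.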
- Centralize your logs
Logs are necessary to keep an eye on your workloads. They have many applications, but from a security perspective it is very important to have logs of critical actions, operations, access attempts to your critical resources, and so on. Maintaining logs is one side of the coin; the other is reviewing them and pulling out the relevant information. Consolidating logs from multiple sources in a single place makes that review much easier.
In AWS, always store the access logs of an S3 bucket in a different bucket. Logging a bucket to itself creates an infinite loop, because each log delivery is itself an access to the bucket that gets logged again.
Service(s): AWS CloudTrail, AWS CloudWatch, Amazon S3
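Reviewing consolidated logs is easier with a few rules than by eye. As an added example (not part of the original article), the block below triages CloudTrail records for the events worth an alert (root console logins, failed logins, and API calls that weaken logging, IAM or bucket access), counts failed logins per source address, and checks an S3 logging configuration for the self-logging loop mentioned above. The records are constructed for the example and trimmed to the fields CloudTrail actually emits for these events; the account ID and addresses are placeholders.

```python
import json
from collections import Counter

# Event names whose unexpected appearance deserves an alert, keyed by eventSource.
HIGH_RISK_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "s3.amazonaws.com": {"PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy",
                         "PutBucketPublicAccessBlock"},
    "iam.amazonaws.com": {"CreateAccessKey", "CreateUser", "AttachUserPolicy",
                          "PutUserPolicy", "CreateLoginProfile"},
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress"},
}


def load_records(cloudtrail_json):
    """CloudTrail delivers files shaped {"Records": [...]}; return the list."""
    return json.loads(cloudtrail_json)["Records"]


def actor_of(record):
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def triage(records):
    """Return (rule, actor, eventTime) alerts for root use, failed logins and risky API calls."""
    alerts = []
    for r in records:
        name, source = r.get("eventName"), r.get("eventSource")
        ident = r.get("userIdentity", {})
        if name == "ConsoleLogin":
            outcome = (r.get("responseElements") or {}).get("ConsoleLogin")
            if ident.get("type") == "Root" and outcome == "Success":
                alerts.append(("root_console_login", actor_of(r), r["eventTime"]))
            if outcome == "Failure":
                alerts.append(("console_login_failure", actor_of(r), r["eventTime"]))
        elif name in HIGH_RISK_EVENTS.get(source, ()):
            alerts.append((f"high_risk_api:{name}", actor_of(r), r["eventTime"]))
    return alerts


def failed_logins_by_ip(records, threshold):
    """Source addresses with at least `threshold` failed console logins (password guessing)."""
    counts = Counter(
        r["sourceIPAddress"] for r in records
        if r.get("eventName") == "ConsoleLogin"
        and (r.get("responseElements") or {}).get("ConsoleLogin") == "Failure"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def s3_logging_target_ok(source_bucket, logging_config):
    """S3 server access logs must land in a bucket other than the one being logged."""
    enabled = logging_config.get("LoggingEnabled")
    if not enabled:
        return False, "logging disabled"
    if enabled.get("TargetBucket") == source_bucket:
        return False, "target bucket is the source bucket (log loop)"
    return True, "ok"


# Constructed sample records (documentation IP ranges, placeholder account ID).
SAMPLE_RECORDS = [
    {"eventTime": "2021-03-01T08:00:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-03-01T08:02:31Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2021-03-01T08:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}},
]
# Three failed console logins for one user from one address, a second apart.
SAMPLE_RECORDS += [
    {"eventTime": f"2021-03-01T09:00:{second:02d}Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"}
    for second in range(3)
]

if __name__ == "__main__":
    for alert in triage(load_records(json.dumps({"Records": SAMPLE_RECORDS}))):
        print(alert)
    print(failed_logins_by_ip(SAMPLE_RECORDS, 3))
```

In practice the same rules are expressed as CloudWatch Logs metric filters or EventBridge rules on the trail, so that the alert fires at delivery time rather than on the next manual review.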
- Review and validate your Roles, Security Groups & NACLs
As discussed above, it's good to have proper access control for your organisation, but it has to be a consistent effort. It might happen that an admin forgot to revoke access that was granted for a limited period, or to delete access keys that are no longer in use. There can be many such cases, hence it's important to keep reviewing and validating your Roles, Security Groups & NACLs.
Service(s): AWS IAM, Amazon EC2, Amazon VPC
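An added example for the security-group part of that review (this is illustration code, not from the original article): it walks security groups in the shape returned by `describe-security-groups` and reports inbound rules reachable from the whole internet, either for every port or for an administrative or database port. The groups, IDs and addresses are constructed for the example; the same loop applies to the entries of `describe-network-acls` with the field names changed.

```python
# Ports whose exposure to the whole internet is almost never intended.
SENSITIVE_PORTS = {22: "ssh", 1433: "mssql", 3306: "mysql", 3389: "rdp",
                   5432: "postgres", 6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def world_open_rules(group):
    """Inbound rules of one security group that any address can reach on a sensitive port."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = sorted(c for c in cidrs if c in ANYWHERE)
        if not world:
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":  # all protocols and all ports
            findings.append({"group": group["GroupId"], "ports": "all",
                             "services": ["all traffic"], "cidrs": world})
            continue
        if proto not in ("tcp", "udp"):  # ICMP etc. carry type/code, not ports
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        exposed = [name for port, name in sorted(SENSITIVE_PORTS.items()) if lo <= port <= hi]
        if exposed:
            findings.append({"group": group["GroupId"],
                             "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                             "services": exposed, "cidrs": world})
    return findings


def audit_groups(groups):
    return [finding for group in groups for finding in world_open_rules(group)]


# Constructed sample in the describe-security-groups shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa1111bbbb2222c", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary, added 2020-11-03"}],
          "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0ddd3333eeee4444f", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0ffff5555aaaa6666b", "GroupName": "legacy-db",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]

if __name__ == "__main__":
    for finding in audit_groups(SAMPLE_GROUPS):
        print(finding)
```

The "temporary" SSH rule on the web group is exactly the forgotten grant described above; the bastion group, which limits SSH to the office range, produces no finding.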
- Be proactive with security findings
CSPs offer many services that help keep your cloud secure, such as Amazon Macie and Amazon Inspector in AWS, and Azure Security Center in Azure. Do leverage these services; they integrate natively with the platform and are often as flexible and efficient as the third-party tools available in the market.
Along with that, it's very important to act on the security findings these tools show; otherwise they won't do any good.
Service(s): see https://aws.amazon.com/products/security/
- Don’t forget to rotate your keys
You've protected the door and the lock, but what about the keys? It's always a good practice to keep rotating your keys, i.e. replacing them with new ones. You can also automate the process so that keys are rotated at regular intervals; in fact, a lot of compliance standards demand exactly that.
Service(s): AWS KMS, AWS IAM
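The IAM credential report is the quickest way to find keys that are overdue for rotation, keys nobody uses any more, and users without MFA (the gaps mentioned in the review and rotation points above). As an added example, not taken from the original article, the block below reads a report and turns it into a list of actions. The report text is constructed for the example using the real column names (only the columns the code needs are included); the "now" timestamp is fixed so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_USER = "<root_account>"  # how the credential report names the root row


def _parse_time(value):
    """Credential-report timestamps are ISO 8601; absent values are N/A-style markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def review_credential_report(report_csv, now, max_key_age_days=90, max_idle_days=45):
    """Return (user, credential, action) tuples for keys to rotate or retire and users lacking MFA."""
    actions = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER
        if row["mfa_active"] == "false" and (is_root or row["password_enabled"] == "true"):
            actions.append((user, "password", "enable MFA"))
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            if is_root:  # the root user should have no long-term keys at all
                actions.append((user, slot, "delete root access key"))
                continue
            rotated = _parse_time(row[f"{slot}_last_rotated"])
            last_used = _parse_time(row[f"{slot}_last_used_date"])
            # A key never used since it was created counts as idle since creation.
            idle_since = last_used or rotated
            if idle_since is None or now - idle_since > timedelta(days=max_idle_days):
                actions.append((user, slot, "deactivate unused key"))
            elif rotated is None or now - rotated > timedelta(days=max_key_age_days):
                actions.append((user, slot, "rotate key"))
    return actions


NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)

# Constructed sample report (subset of columns, placeholder account ID).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,true,2019-04-02T11:00:00+00:00,2019-06-15T08:30:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2020-12-01T09:00:00+00:00,2020-12-28T17:45:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2020-06-01T09:15:00+00:00,2020-12-30T10:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2020-11-01T00:00:00+00:00,N/A,true,2020-09-01T00:00:00+00:00,2020-12-31T23:10:00+00:00
"""

if __name__ == "__main__":
    for action in review_credential_report(SAMPLE_REPORT, NOW):
        print(action)
```

A real report comes from `aws iam get-credential-report` (the `Content` field is base64-encoded CSV). The ci-deploy row shows why rotation is done in two steps: create the second key, switch the pipeline to it, confirm the old one goes idle, and only then deactivate and delete it.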
- Make security a habit
Even after implementing all the required security services and incorporating the best practices, you can't just sit idle; as I mentioned, security is a consistent effort. So it's always good to make security a habit. It can be a burden sometimes, but how much effort you put in should follow your risk appetite. Whenever you perform any operation, whether it's as tiny as deploying a virtual instance or as huge as migrating your entire workload to the cloud, keep security in mind.
Stay safe, Stay Secure!
Thank you! :)
Top comments (3)
Excellent explanation of the Shared Responsibility Model!
Thank you!