Amazon AWS: Understanding The User’s Role in a Shared Security Model

Add Your Comments

James Mascarenhas is executive director, cloud storage solutions for Endpoint Vault.

james-Mascarenhas-tnJAMES MASCARENHAS
Endpoint Vault

Amazon Web Services, backed up with a huge number of servers around the world, delivers computing (EC2), storage (S3) and other IT Services using an Infrastructure as a service (IAAS) model. These services are available to anyone who wishes to use AWS infrastructure to build own independent virtual computing system.

Amazon provides security of its data center with best security practices and compliance standards, and has developed a shared security model that relies on users to complete the security chain. AWS doesn’t have access to your virtual instance and only you can manage and make changes to it therefore the virtual server now becomes the responsibility of the owner. Some of the ways that Amazon provides security to its data centers and to the users are:

1) Concealed and classified data center locations, with round the clock security.

2) Access is limited to employees and contractors with multi-factor authentication before giving them permission for physical and logical access of the data center.

3) Adhering to different Compliance standard associated with security

  • SOC 1/SSAE 16/ISAE 3402
  • SOC 2
  • SOC 3
  • FISMA, DIACAP, and FedRAMP  among host of other standards

4) Instance isolation from other virtual machines that are running within the same server.

Since physical access is highly restrictive these compliance standards have been publicly made available to verify the security of Amazon Data centers. These are just some of the security measures among host of others that can be analyzed in depth by downloading the AWS Security Whitepapers.

Now that Amazon played its part by taking care of the data center as well as taking care of your virtual instances. The security ball comes to your court and what security measures you take will decide how more or less vulnerable your virtual instance going to be. The basic rule of thumb is that you have to treat your virtual server/instance in the same way as you do for your on premise server except that in cloud you don’t have to worry anything about the physical nature of the server since Amazon has taken care of it.

The basic security measures that Amazon believes you should take is summarized below:

Account/Key Management

Use of MFA for the root account: The root account gives unlimited access to your AWS Resources and anyone with access to it may modify the resources associated with that account. Limit the use of root account and instead create groups to access AWS Resources. The account security can be further enhanced by use of Multi-Factor Authentication (MFA) which will take multiple authentication measures before giving authorization to use particular resources.

Create multiple groups and set permission accordingly: Create different groups to manage and set policies based on the requirement of the group or individual. Even if you want someone to have full admin level access instead of giving them root account URL you should create a group and add specific user in it so that the permission can be easily revoked when necessary without compromising with the instance security.

Patch Management

Audit routinely different software and OS that are running in your virtual environment for potential security threat and lapses. Eliminate these loopholes by updating the application with patches provided by the vendors. You can use tool that will automate such processes for you, IBM Endpoint Manager is one good example for Window, Linux, UNIX and Mac OS patch management.

Securing data by use of encryption

You can upload encrypted file directly to the instance thereby only those with the decryption key will be able to decrypt the data. You can also use server side encryption features provided by Amazon to automate the encryption-decryption process for you, file that is being uploaded will be encrypted before getting saved in the data center and will be decrypted automatically when you download the object. You should also consider encrypting data in transit using SSL for secure delivery of your content when in network.

Access management

How content is available to other people might create security lapse for your digital assists. By default Amazon has set everything to private mode that is accessible only to the root account holder but you can override it and make that specific data available to everyone or with only specific set of people. So share data with those you trust, or if it is necessary to make that piece of data publicly accessible then make sure to take proper measures.

VPN/ Security Gateway from your Site

You can secure or boost the security further by use of VPN to connect your virtual instances directly to your corporate site. Use of security gateway ensures that if something wrong happens with the Amazon servers your data gets uploaded back to your local server safely and securely.

The rule of thumb is that the Amazon will take care of the physical assets and you should take care of the logical assets of the instances that you own. Amazon Shared Security Philosophy states that the final security responsibility lies with the owner and not with Amazon. Let’s put it like this:  the Amazon has built a shiny new car with enough security measures and at the time of handing over the keys, tells you, “buddy the car is yours now, just drive carefully”.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.

Add Your Comments

  • (will not be published)