Let’s begin by understanding what you are doing in the cloud. Are you deploying applications with sensitive data? Are you prototyping new web applications? Are you transferring data to/from your internal environment? Are you exposing applications to customers, partners or even employees around the globe? Are your applications up and running 24×7?
These are examples of situations where there are risks that need to be managed and controls that need to be put into place to ensure that you are protecting your information, applications and systems from attack – regardless of what environment you are using to deploy: cloud, your own data center or something in between.
As mentioned in my previous blog, AWS has set a high standard for ensuring the proper controls are in place to protect the physical infrastructure and hypervisor. However, the information, applications and instances you deploy in that environment are—in the view of AWS—your responsibility. You need to ensure you have the proper controls in place. So, what does this mean – what controls do you need?
Let’s start with your host and network…
When deploying your instances, it is always recommended that you take advantage of the tools provided, such as AWS Security Groups, for foundational security capabilities, and then build upon them with additional controls.
For your hosts and network, we recommend that you put controls in place to:
- restrict communication in and out of your environment to only what is required
- ensure that you are constantly protected against vulnerabilities, even in between your patch cycles
- identify when a system component has changed and if it might be meaningful
- protect against malware and malicious URLs
To be able to cover off all these requirements, you will need a few security controls in place:
- Communication controls: In restricting communication in and out of your environment, it is definitely recommended that you lock down your firewall policy on a per-instance basis to only what is required, filtering both inbound and outbound communication. Look for firewall solutions that offer logging and alerting to make it easier to troubleshoot and manage.
- Consistent system protection: With your organization demanding constant changes in critical enterprise applications, it is often difficult to keep up with patching the systems against known vulnerabilities. This is where intrusion prevention capabilities that protect against potential exploits are important to have on the list. An important feature to look for is intrusion prevention that can automatically ensure the right protection is consistently applied, even before you have had a chance to patch.
- System Change Detection: Changes in system components can occur for many reasons – many of which are not due to an attack on your system. That being said, monitoring these systems for changes is becoming more and more critical to your security controls. Not only can it provide an early indication of a problem, it is actually required by various compliance standards like PCI DSS.
- Malware Protection: Finally, anti-malware that includes web reputation scoring will not only protect against viruses, but also detect and protect against known malicious URLs.
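As an added example (not code from the original post), here is a Python check that applies the first control above, restricting inbound and outbound communication to only what is required, to a security-group definition. The sample group is constructed in the shape that the EC2 describe_security_groups API returns; the approved-public-port set and the management-port set are assumptions for illustration.

```python
"""Flag security-group rules wider than "only what is required".
Constructed sample in the shape EC2 describe_security_groups returns; no AWS calls."""
WORLD = {"0.0.0.0/0", "::/0"}
MGMT_PORTS = {22, 3389}            # SSH / RDP: assumed never reachable from anywhere

def _cidrs(rule):
    """Every IPv4 and IPv6 CIDR the rule grants access to."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])

def _ports(rule):
    """Port range as (lo, hi); the all-traffic protocol '-1' carries no port keys."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]

def audit_security_group(sg, public_ports=frozenset()):
    """Return findings for rules that admit more than a least-privilege policy.
    public_ports: single TCP ports intentionally served to the Internet, e.g. {443}."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        if not WORLD & set(_cidrs(rule)):
            continue                       # scoped to specific CIDRs: acceptable
        lo, hi = _ports(rule)
        if rule.get("IpProtocol") == "-1":
            findings.append("ingress: all traffic open to the world")
        elif any(lo <= p <= hi for p in MGMT_PORTS):
            findings.append(f"ingress {lo}-{hi}: management port open to the world")
        elif lo != hi or lo not in public_ports:
            findings.append(f"ingress {lo}-{hi}: open to the world but not an approved public port")
    for rule in sg.get("IpPermissionsEgress", []):
        if rule.get("IpProtocol") == "-1" and WORLD & set(_cidrs(rule)):
            findings.append("egress: allow-all outbound (the default rule) is still in place")
    return findings

# Constructed sample: HTTPS to the world (intended), SSH to the world, DB from one subnet,
# plus the default allow-all egress that every new security group starts with.
WEB_SG = {"GroupId": "sg-example", "GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
], "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for finding in audit_security_group(WEB_SG, public_ports={443}):
        print(finding)
```

Feeding real groups from the API response into the same function gives a per-instance list of rules to tighten, which is the point at which the firewall's own logging and alerting should take over.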
So, let’s start that security checklist for your cloud environment with controls:
- Host-based bi-directional firewall to prevent unauthorized inbound and outbound communication – with logging and alerting capabilities to make it easier to manage
- Intrusion prevention with virtual patching to protect against vulnerabilities even before you patch
- File integrity monitoring to catch unauthorized system component changes
- Anti-malware with web reputation to protect against viruses and malicious URLs
Now, what about your apps and data? Coming soon: What should you add to the cloud security checklist to protect your applications and your data?