In my last blog, I walked through the shared responsibility model for security in the cloud and the importance of host-based firewalls for both inbound and outbound communication; intrusion prevention capabilities to protect against vulnerabilities even before you patch; integrity monitoring to catch system changes; and anti-malware with web reputation to protect against viruses and malicious URLs.
A great start, yes… but it is just the beginning. Now that we’ve taken care of the operating system and network security, we have to secure our applications and data.
In motion… at rest… let’s talk data protection
As we talk to customers about moving workloads to the cloud, one of the first topics is often the data. As with any deployment, there are very valid concerns around protecting sensitive company data, where the data is stored and who has access to it.
In addition to being informed and specifying geographic preferences with a cloud provider like AWS, there are other controls that you can put in place to protect your data at rest and your data in motion. One logical and effective control is encryption.
For sensitive data at rest, you need to think about what makes the most sense to encrypt as well as where the keys are stored and managed. For the application you are deploying, does it share data between boot and data volumes? If so, both need to be encrypted. Does your company have any requirements on where the keys are stored? If you must store keys on your premises, then built-in OS features cannot be used, since they all require that the encryption keys be stored on the system itself.
For data in motion, understanding where your sensitive data is “in flight” is extremely important. If sensitive data is being sent between the user’s browser and the application, or between the web application and the database, using security controls like SSL or IPSec is recommended.
What about the apps?
With more production applications migrating to the cloud, continuous protection of these applications becomes critically important. When those applications are available through the web and give customers, partners or global employees the ability to share information, detection of potential threats or occasional penetration testing is not enough – especially as the number of apps increases. We recommend that continuous detection of and protection against potential vulnerabilities be in place once the application is in production, to complement any penetration testing or static testing done during development. As mentioned above, you also want to encrypt the channel of communication between the browser, the web app and the database, typically using SSL certificates from a trusted provider.
So, let’s take stock – what is your security checklist for your instances, apps and data?
- Continuous web application scanning to protect against vulnerabilities
- Boot and data volume encryption with external key management to protect data at rest and keep control of the keys
- SSL to protect data in motion with encrypted channels
- Intrusion prevention with virtual patching to protect against vulnerabilities even before you patch
- Host-based bi-directional firewall to prevent unauthorized outbound communication – with logging and alerting capabilities to make it easier to manage
- File integrity monitoring to catch unauthorized system component changes
- Anti-malware with web reputation to protect against viruses and malicious URLs
I am sure some of you are wondering – how in the world am I going to deploy and manage all these capabilities? Stay tuned! Coming soon – what to add to the cloud security checklist to make sure you can deploy and manage in your elastic cloud environment.