In our previous tips in this series on Amazon Web Services best practices from a recent Gartner paper on Cloud Workload Security, we covered how security responsibility is shared between Amazon Web Services and you, the user. Next we covered how important visibility is to ensuring your part of the shared responsibility model.
Another important best practice from the Gartner paper on Cloud Workload Security is baking in security right from the start. We have entered the era of DevOps where increasingly the app developers are responsible for the ongoing operation. Including security or adopting DevSecOps is a natural extension to this operational best practice.
So how do you bake in security from the start?
Of course it all starts with writing a secure application, and there are training and tools to help in this area. Once you are going to deploy, a common method of hosting applications is on Amazon EC2.
A cloud workload often starts out as a template or Amazon Machine Image (AMI). This image defines the operating system and applications that make up running Amazon EC2 instances. It is important to start with a solid base; after all you wouldn’t want to build your house on sand. AWS provides a set of base operating systems that are well maintained and trusted.
From the AMI you, as a user, have the choice of further modifying the template with your application or building the application dynamically through scripting or automation tools. Neither option is ‘wrong’, however if you are building your own AMI it is important to harden, test and prepare the EC2 instance before taking another AMI snapshot. For instance don’t leave personal credentials in the snapshot, or unnecessary applications that may increase your threat surface. Amazon has great information on preparing an AMI and AWS Trusted Advisor can help.
Once you have decided how you are going to deploy your application dynamically or via templates, it’s time to decide how security is deployed. Once again you have the choice to dynamically script your additional security services (such as intrusion prevention, vulnerability scanning, integrity monitoring, etc.) or to include them in your template. Either way, you want to make sure you choose a tool like Deep Security that works they way YOU want to deploy and manage your security.
You choose how much you want to make dynamic vs. static, however it is very important that security be a part of your development and deployment process, and not just in production. Your test environment and continuous integration process should include the same full environment as your production environment. Automation is the key to ensure your deployment pipeline is optimized and security is a part of every step.
If you bake security in from the start you ensure your workload is safe every step of the way.
Interested in learning more best practices for securing AWS workloads? Read the Gartner paper on best practices for securing AWS workloads.
If you have questions or comments, please post them below or follow me on Twitter: @justin_foster.