Cloud Security in Amazon Web Services

Moving your ICT systems to the cloud makes business sense. However, it takes security out of your own hands. If the servers sat in a back room and you had an IT person to take care of them, then that was all you needed, unless there was a fire, of course — then you were in trouble.

If your servers are in the cloud, then there are a number of areas to be careful about. Responsibility for security is shared between the customer and Amazon Web Services (AWS) — both sides need to play their part to ensure that best practice is followed.

Firstly, your own staff need to be careful about passwords, downloading dodgy software and leaving weak spots for hackers to find. Recently a UK MP revealed on Twitter that she had given her own password to Parliament’s computer system to many people from her office, including interns. All the best security is useless if people don’t comply with it. Training staff and emphasizing this point is important.

The cloud provider, such as AWS, also needs a first-class cloud security architecture in place. By employing dedicated security staff, AWS can give its clients a much higher level of expertise and technology in this area than most businesses could afford on their own.

“Amazon Web Services is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services. Protecting this infrastructure is AWS’s number one priority, and while you can’t visit our data centers or offices to see this protection first-hand, we provide several reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations.”

Amazon built its data centers for a high level of security. Access is strictly controlled, and the facilities are housed in temperature-controlled buildings with automatic fire detection and suppression systems. The architecture is resilient, with multiple redundancies and backups. If there were a catastrophic failure, such as an earthquake, traffic would be automatically re-routed to another of Amazon’s data centers with little or no disruption. “AWS has designed its systems to tolerate system or hardware failures with minimal customer impact.”

The data centers are located all around the world, which gives customers additional options. Distributing applications across multiple Availability Zones lets them remain resilient in the face of most failure modes, including natural disasters and system failures.

Teams are on hand 24/7 to analyze incidents and troubleshoot problems as they occur. Customers can choose the level of security appropriate to their business. Most users connect to an AWS access point via HTTP or HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery.

There are additional layers of security available. For example, AWS offers the Amazon Virtual Private Cloud (VPC), which provides a private subnet within the AWS cloud, and the ability to use an IPsec Virtual Private Network (VPN) device to provide an encrypted tunnel between the Amazon VPC and your own data center.

Network Monitoring and Protection

AWS continuously monitors its systems, with procedures in place to flag unusual activity, including unauthorized activity and abnormal conditions at incoming and outgoing communication points. These tools monitor server and network usage, port-scanning activity, application usage, and unauthorized intrusion attempts.

Access to the various Amazon networks requires individual authorization. Individual credentials are authorized by an appropriate administrator or manager. Background checks on employees are rigorous. The system only allows complex passwords, which must be changed every 90 days.

Amazon encourages Multi-Factor Authentication (MFA), also called Two-Factor Authentication (2FA). Here, in addition to your password, a six-digit code is sent to another device, usually your smartphone, which you must enter before you can access the system. This means that someone who gets hold of your password cannot access the platform (unless they have your smartphone as well, which is unlikely).

Individual User Accounts

AWS provides a centralized mechanism called AWS Identity and Access Management (IAM) for creating and managing individual users within an AWS account. Each individual can have their own account, limited to the areas of the cloud they need to access to do their job.

In the event of a security breach or other issue, Amazon provides comprehensive logs so that admins can find out what happened and put procedures in place to rectify the situation. To help with after-the-fact investigations and near-real-time intrusion detection, AWS CloudTrail provides a log of events within your account. For each event, supervisory personnel can see which service was accessed, what action was performed, and who made the request.
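As an added example (not code from the article), a small Python triage script that reads the kind of record CloudTrail keeps, pulls out who made the request, which service and which action, and flags the records an investigator would open first: root-account use, console logins without MFA, and IAM privilege changes. The sample trail, its account id, ARN and IP addresses are constructed; the field names follow the CloudTrail record layout.

```python
import json
# Constructed sample trail (not real data): a root sign-in without MFA, an IAM
# policy change by a normal user, and an ordinary MFA-backed login. Field names
# follow the CloudTrail record layout; every ARN, account id and IP is made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T10:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})
# IAM actions that change who can do what; these deserve a second look.
PRIVILEGE_ACTIONS = {"AttachUserPolicy", "PutUserPolicy", "CreateAccessKey",
                     "AddUserToGroup", "DeactivateMFADevice"}

def summarise(record):
    """Return (who, service, action) for one CloudTrail record."""
    ident = record.get("userIdentity", {})
    who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
    service = record["eventSource"].split(".")[0]  # "iam.amazonaws.com" -> "iam"
    return who, service, record["eventName"]

def flags_for(record):
    """Reasons an investigator should look at this record (empty if none)."""
    reasons = []
    if record.get("userIdentity", {}).get("type") == "Root":
        reasons.append("root account used")
    if (record["eventName"] == "ConsoleLogin"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        reasons.append("console login without MFA")
    if record["eventName"] in PRIVILEGE_ACTIONS:
        reasons.append("privilege change")
    return reasons

def triage(trail_json):
    """Return flagged records as (time, who, service, action, ip, reasons)."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if reasons := flags_for(rec):
            who, service, action = summarise(rec)
            findings.append((rec["eventTime"], who, service, action,
                             rec.get("sourceIPAddress"), reasons))
    return findings
```

Running `triage(SAMPLE_TRAIL)` returns two findings (the root login and alice's policy change); bob's MFA-backed login is left alone.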

In addition, Amazon’s Trusted Advisor service checks the security of each system and makes recommendations where there are areas that could be improved. It inspects the AWS environment and finds opportunities to save money, improve system performance, and, most importantly, close security gaps.

Amazon’s Firewall

Numerous other mechanisms segregate systems from each other to reduce vulnerabilities, and ingress and egress are protected by Amazon’s firewall system.

Overall, Amazon Web Services is capable of providing very effective security for users, from small operations to the most demanding global business systems. Careful attention to detail and use of strong defenses such as encryption, firewalling, and MFA mean that migrating to the cloud will represent an increase in security for most businesses.

Ali H. Askar,
AWS Cloud Solutions Consultant, Zero & One
