What are we protecting in the cloud?

The Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework defines the following as essential IT resources:
The shared cloud security model

Amazon’s AWS is a leader in cloud services. AWS’ initiatives help to set trends in the cloud services industry. AWS features what Amazon calls a Shared Responsibility Model. Here’s what they say on the official AWS policy site:
AWS responsibility ‘Security of the Cloud’ – AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

Customer responsibility ‘Security in the Cloud’ – Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), and Amazon S3 are categorized as Infrastructure as a Service (IaaS) and, as such, require the customer to perform all of the necessary security configuration and management tasks. If a customer deploys an Amazon EC2 instance, they are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.

So, in a nutshell, AWS will make sure that only authorized parties have physical access to their data centers. AWS will keep the pertinent network security appliances running, such as IPS devices, IDS devices and firewalls. They also monitor logs for security alerts and address any related issues of the security of the network itself. If there’s a vulnerability in your code (which doesn’t belong to Amazon) and a cyber attacker exploits it, that’s on you. AWS will let you know if there’s a security incident and will address the infrastructure-related issues for you. Software-related compliance and incident matters are your responsibility as the customer who owns the product which is running in AWS’ cloud. Access management pertaining to your application is up to you to protect.
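The security-group configuration that the quoted text puts on the customer's side of the line is one of the easiest places to check your own half of the shared model. The following is an added example, not code from the article or from AWS: it audits ingress rules for sensitive ports that are reachable from any address (0.0.0.0/0 or ::/0). The group records are constructed inline to mirror the shape of the `IpPermissions` entries that EC2's DescribeSecurityGroups returns, so it runs offline; the group IDs, group names and the list of "sensitive" ports are assumptions chosen for the illustration.

```python
"""Audit security-group ingress rules for world-open access to sensitive ports.

Added example (not from the original article or from AWS). SAMPLE_GROUPS is
constructed data shaped like EC2 DescribeSecurityGroups output; no AWS
calls are made.
"""
import ipaddress

# Ports on which an ingress rule open to the whole Internet is rarely intended.
# This list is an assumption for the example; extend it to match your estate.
SENSITIVE_PORTS = {
    22: "SSH",
    3389: "RDP",
    3306: "MySQL",
    5432: "PostgreSQL",
    6379: "Redis",
    27017: "MongoDB",
}

WORLD_V4 = ipaddress.ip_network("0.0.0.0/0")
WORLD_V6 = ipaddress.ip_network("::/0")


def _sensitive_ports_in_rule(perm):
    """Return the sensitive ports covered by one IpPermissions entry."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):
        return set()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def _is_world_open(perm):
    """True if any CIDR on the rule is the IPv4 or IPv6 catch-all prefix."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net == WORLD_V4 or net == WORLD_V6:
            return True
    return False


def find_world_open_sensitive(groups):
    """Return sorted, de-duplicated (group_id, port, service) findings."""
    findings = set()
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not _is_world_open(perm):
                continue
            for port in _sensitive_ports_in_rule(perm):
                findings.add((group["GroupId"], port, SENSITIVE_PORTS[port]))
    return sorted(findings)


# Constructed sample: one sane web group and one group with two bad rules.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000example1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0000example2", "GroupName": "db-oops", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]


if __name__ == "__main__":
    for group_id, port, service in find_world_open_sensitive(SAMPLE_GROUPS):
        print(f"{group_id}: {service} (port {port}) is open to the world")
```

Against live data you would feed the `SecurityGroups` list from a DescribeSecurityGroups response into `find_world_open_sensitive` instead of `SAMPLE_GROUPS`; the check deliberately treats an all-protocols (`-1`) rule as exposing every sensitive port, since that is what it does on the wire.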
What’s next to help you secure your cloud environment?

You’re responsible for the security of your software in the cloud, but you don’t have to do it alone. Securing your applications is a lot of work; it’s a 24/7 job! You should consider deploying a third-party cloud security solution. Configuration management, vulnerability management and log management can be better handled with the help of a company that has specific expertise with these security services. Don’t try this at home, kids! I also strongly recommend that you download Tripwire’s free whitepaper on Securing AWS Cloud Management Configurations, especially if you’re considering AWS as your cloud provider. To learn more about staying secure in the cloud, find out what 18 experts advise for effective and secure cloud migration, here.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.