As you may know AWS shares the responsibility with the consumer of their IaaS services in terms of security. It terms of ownership, below diagram essentially outlines the part that AWS is responsible for and for the part that consumers of their services are responsible for:-
The whitepaper from AlertLogic outlines the below 7 best practices:-
SEVEN BEST PRACTICES FOR CLOUD SECURITY
There are seven key best practices for cloud security that you should implement in order to protect yourself from the next vulnerability and/or wide scale attack:
1. SECURE YOUR CODE
Securing code is 100% your responsibility, and hackers are continually looking for ways to compromise your applications. Code that has not been thoroughly tested and secure makes it all the more easy for them to do harm. Make sure that security is part of your software development lifecycle: testing your libraries, scanningplugins etc.
2. CREATE AN ACCESS MANAGEMENT POLICY
Logins are the keys to your kingdom and should be treated as such. Make sure you have a solid access management policy in place, especially concerning those who are granted access on a temporary basis. Integration of all applications and cloud environments into your corporate AD or LDAP centralized authentication model will help with this process as will two factor authentication.
3. ADOPT A PATCH MANAGEMENT APPROACH
Unpatched software and systems can lead to major issues; keep your environment secure by outlining a process where you update your systems on a regular basis. Consider developing a checking of important procedures, Test all updates to confirm that they do not damage or create vulnerabilities before implementation into your live environment.
4. LOG MANAGEMENT
Log reviews should be an essential component of your organizations security protocols. Logs are now useful for far more than compliance, they become a powerful security tool. You can use log data to monitor for malicious activity and forensic investigation.
5. BUILD A SECURITY TOOLKIT
No single piece of software is going to handle all of your security needs. You have to implement a defence-in-depth strategy that covers all your responsibilities in the stack. Implement IP tables, web application firewalls, antivirus, intrusion detection, encryption and log management.
6. STAY INFORMED
Stay informed of the latest vulnerabilities that may affect you, the internet is a wealth of information. Use it to your advantage, search for the breaches and exploits that are happening in your industry.
7. UNDERSTAND YOUR CLOUD SERVICE PROVIDER SECURITY MODEL
Finally, as discussed get to know your provider and understand where the lines are drawn, and plan accordingly. Cyber attacks are going to happen; vulnerabilities and exploits are going to be identified. By having a solid security in depth strategy, coupled with the right tools and people that understand how to respond you will out you into a position to minimise your exposure and risk.
SEVEN BEST PRACTICES FOR CLOUD SECURITY
There are seven key best practices for cloud security that you should implement in order to protect yourself from the next vulnerability and/or wide scale attack:
1. SECURE YOUR CODE
Securing code is 100% your responsibility, and hackers are continually looking for ways to compromise your applications. Code that has not been thoroughly tested and secure makes it all the more easy for them to do harm. Make sure that security is part of your software development lifecycle: testing your libraries, scanningplugins etc.
2. CREATE AN ACCESS MANAGEMENT POLICY
Logins are the keys to your kingdom and should be treated as such. Make sure you have a solid access management policy in place, especially concerning those who are granted access on a temporary basis. Integration of all applications and cloud environments into your corporate AD or LDAP centralized authentication model will help with this process as will two factor authentication.
3. ADOPT A PATCH MANAGEMENT APPROACH
Unpatched software and systems can lead to major issues; keep your environment secure by outlining a process where you update your systems on a regular basis. Consider developing a checking of important procedures, Test all updates to confirm that they do not damage or create vulnerabilities before implementation into your live environment.
4. LOG MANAGEMENT
Log reviews should be an essential component of your organizations security protocols. Logs are now useful for far more than compliance, they become a powerful security tool. You can use log data to monitor for malicious activity and forensic investigation.
5. BUILD A SECURITY TOOLKIT
No single piece of software is going to handle all of your security needs. You have to implement a defence-in-depth strategy that covers all your responsibilities in the stack. Implement IP tables, web application firewalls, antivirus, intrusion detection, encryption and log management.
6. STAY INFORMED
Stay informed of the latest vulnerabilities that may affect you, the internet is a wealth of information. Use it to your advantage, search for the breaches and exploits that are happening in your industry.
7. UNDERSTAND YOUR CLOUD SERVICE PROVIDER SECURITY MODEL
Finally, as discussed get to know your provider and understand where the lines are drawn, and plan accordingly. Cyber attacks are going to happen; vulnerabilities and exploits are going to be identified. By having a solid security in depth strategy, coupled with the right tools and people that understand how to respond you will out you into a position to minimise your exposure and risk.