Continuous Compliance: Best Practices For A “Secure Cloud Infrastructure”

Security practices required for continuous compliance, to ensure that our cloud infrastructure remains secure, comprise multiple layers and different mechanisms at each of those layers. Bearing in mind the rapid growth in the volume and complexity of today’s data and the increased focus on data privacy, customers often struggle to understand how they can continuously secure their data. At CK, we treat this as a top priority item: we start by defining a security strategy, and only then decide which AWS tools and controls to put in place for that particular customer’s requirements. We ensure that security is integrated into all the possible business functions and workflows.

Let us briefly touch on how AWS looks at security. AWS Cloud Security states that security is a shared responsibility between AWS and the customer; where an AWS Partner manages the environment, part of the customer’s share is delegated to that partner. We feel it is of prime importance to discuss the Shared Responsibility Model with customers early. AWS is responsible for security “of” the cloud, which comprises the physical infrastructure (regions, availability zones, edge locations), the hardware that hosts workloads (network, compute, storage, databases) and the software that provides the managed services.

The customer is responsible for security “in” the cloud, meaning everything above that layer: the guest operating system and its patching, identity and access management, network configuration (security groups, network ACLs, routing), data classification and encryption, and the application itself. AWS Partners like CK liaise between the customer and AWS and provide consultation on these layers wherever possible.

Returning to the security measures to be designed and enabled from the customer’s standpoint, we list the layers below, together with the services and controls put in place at each.

Continuous Compliance: Best Practices

Account readiness

The first (bottom-most) layer deals with baseline security practices configured at the account level itself. We enable the following AWS services as part of every account baseline (none of them is switched on by AWS by default), with a short description of each.

Securing the Root Account – The IAM root user must have MFA (Multi-Factor Authentication) enabled. This recommended best practice adds an extra layer of protection on top of the user name and password, and requires an authentication code from the AWS MFA device at sign-in. The root user should also have no access keys and should be used only for the few tasks that genuinely require it; day-to-day administration is done through IAM users or roles.

CloudTrail – With CloudTrail, AWS account owners can ensure that every management API call made in their AWS account is recorded (S3 and Lambda data events can be added where needed). CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail enabled, we can log, continuously monitor, and retain account activity related to actions across the AWS infrastructure being managed. CloudTrail provides an event history of the AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. To be usable as evidence, the trail should cover all regions, deliver to an S3 bucket that the audited accounts cannot delete from, and have log file validation enabled.
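Enabling CloudTrail is only half of the control; something has to read the records. As an added example (not CK’s or AWS’s code), the script below scans a CloudTrail log file for three things the root-MFA and CloudTrail points above imply a baseline should alert on: any root-user activity, a successful console sign-in without MFA, and API calls that switch off CloudTrail, Config or GuardDuty. The records, account ID and user names are constructed placeholders, and the set of “tampering” calls is our own selection, not an AWS-defined list.

```python
"""Scan CloudTrail records for activity that a continuous-compliance
baseline should alert on: any use of the root user, console sign-ins
without MFA, and API calls that disable CloudTrail, Config or GuardDuty.

The records below are constructed for illustration, not real logs; the
account ID, user names and IP addresses are placeholders.
"""
import json

# API calls that reduce audit or detection coverage (our own selection).
# Stolen credentials are often used to call these before anything else.
LOGGING_TAMPER_CALLS = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("config.amazonaws.com", "StopConfigurationRecorder"),
    ("config.amazonaws.com", "DeleteDeliveryChannel"),
    ("guardduty.amazonaws.com", "DeleteDetector"),
    ("guardduty.amazonaws.com", "UpdateDetector"),
}


def classify_event(event):
    """Return a list of (severity, message) findings for one CloudTrail record."""
    findings = []
    identity = event.get("userIdentity", {})
    actor = identity.get("userName") or identity.get("arn", "unknown")
    source = event.get("eventSource", "")
    name = event.get("eventName", "")
    ip = event.get("sourceIPAddress", "?")

    # Root should only be used for the few tasks that require it, so any
    # root activity at all is worth a ticket.
    if identity.get("type") == "Root":
        findings.append(("HIGH", f"root user activity: {source} {name} from {ip}"))

    # ConsoleLogin records carry MFAUsed in additionalEventData. Only a
    # successful sign-in without MFA is a policy violation; failures are noise.
    if name == "ConsoleLogin":
        success = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa_used = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        if success and not mfa_used:
            findings.append(("HIGH", f"console sign-in without MFA: {actor} from {ip}"))

    if (source, name) in LOGGING_TAMPER_CALLS:
        findings.append(("CRITICAL", f"logging/detection tampering: {actor} called {name}"))

    return findings


def scan_log_file(raw_json):
    """Scan one CloudTrail log file ({"Records": [...]}) and return all findings."""
    findings = []
    for event in json.loads(raw_json).get("Records", []):
        findings.extend(classify_event(event))
    return findings


# Constructed sample log file (placeholder account 123456789012).
SAMPLE_LOG = json.dumps({"Records": [
    {   # root signs in to the console without MFA -> two findings
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "203.0.113.10",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # IAM user signs in with MFA -> nothing to report
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "198.51.100.7",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # failed sign-in without MFA -> not a violation, nothing to report
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "carol"},
        "sourceIPAddress": "198.51.100.8",
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # IAM user stops the trail -> tampering finding
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "sourceIPAddress": "198.51.100.9",
        "requestParameters": {"name": "org-trail"},
    },
    {   # routine read-only call -> nothing to report
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "198.51.100.7",
    },
]})

if __name__ == "__main__":
    for severity, message in scan_log_file(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

In production the same `classify_event` logic runs on each object CloudTrail delivers to S3 (or as a CloudWatch Logs metric filter), and the “tampering” set is the first thing to extend, since disabling the recorder is how an intruder blinds the rest of this layer.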

VPC Flow Logs – VPC Flow Logs are enabled to capture metadata about the IP traffic going to and from network interfaces in the VPC: source and destination addresses and ports, protocol, packet and byte counts, and whether the flow was accepted or rejected (packet payloads are not captured). Flow log data is published to Amazon CloudWatch Logs or Amazon S3 for retention and analysis.

Config – AWS Config provides a detailed inventory of the managed AWS resources and their current configuration while continuously recording changes. This allows those configurations and changes to be evaluated for compliance against the desired state expressed as AWS Config Rules, with each deviation recorded as a non-compliant resource.

GuardDuty – GuardDuty is a managed threat detection service that continuously analyzes AWS CloudTrail events, VPC Flow Logs and DNS logs for activity that could indicate a compromised AWS account, resource or workload, without any agents or additional log pipelines to maintain.

Security Hub – Security Hub provides a comprehensive view of the security alerts and security posture across the AWS account. It is a single place that aggregates, organizes, and prioritizes security findings from multiple AWS services such as Amazon GuardDuty, Amazon Inspector, etc., and it can continuously check the account against standards such as the CIS AWS Foundations Benchmark.

Network layer

Designing the customer’s network security is equally important, and it is carried out at the design stage along with the other applicable design considerations:

  • AWS components (such as S3 buckets and EC2 instances) should not be unnecessarily exposed to the internet
  • The subnet design is verified and carried out to fit the customer’s requirements
  • The requirements for public IPs and Elastic IPs are validated
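The flow logs enabled in the account baseline are the evidence for the first point above: they show which listeners are actually reachable from the internet, as opposed to which ones the design intended. As an added example (our own illustration, not CK’s or AWS’s tooling), the script below parses default-format (version 2) flow log records and reports accepted inbound internet traffic on ports that are not on a per-interface allow-list. The records, ENI IDs and addresses are constructed placeholders; the allow-list stands in for the customer’s subnet and public-IP design; and “internal” is assumed to mean RFC 1918 address space, which is our assumption about the VPC CIDR.

```python
"""Find internet-exposed listeners from VPC Flow Log records.

Flow logs record metadata per network interface, not packet payloads.
The default (version 2) record format is:
  version account-id interface-id srcaddr dstaddr srcport dstport
  protocol packets bytes start end action log-status
The records below are constructed samples; ENI IDs and addresses are
placeholders. The allow-list of intended public ports is an assumption
standing in for the customer's network design, and "internal" is assumed
to mean RFC 1918 space (the VPC CIDR in this example is 10.0.0.0/16).
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EPHEMERAL_START = 32768  # Linux default ephemeral port range begins here


def parse_record(line):
    """Parse one default-format flow log line into a dict.
    Returns None for NODATA/SKIPDATA rows, whose traffic fields are '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_inbound_from_internet(rec):
    """Heuristic: an external source talking to an internal destination on a
    non-ephemeral port is a new inbound connection. The reply half of an
    outbound connection lands on an ephemeral port and is skipped. A custom
    log format that includes tcp-flags (SYN) would make this exact."""
    return (not is_internal(rec["srcaddr"]) and is_internal(rec["dstaddr"])
            and rec["dstport"] < EPHEMERAL_START)


def exposed_listeners(lines, allowed_public_ports):
    """Return {(eni, port): bytes} for ACCEPTed inbound internet flows on
    ports that are not in the interface's allow-list of intended public ports."""
    accepted = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if not is_inbound_from_internet(rec):
            continue
        accepted[(rec["interface_id"], rec["dstport"])] += rec["bytes"]
    return {key: total for key, total in accepted.items()
            if key[1] not in allowed_public_ports.get(key[0], set())}


# Constructed sample records: a web ENI (eni-0a1b2c3d, 10.0.1.20) that should
# only serve 80/443, and a database ENI (eni-0e9f8a7b, 10.0.2.15) that should
# not be reachable from the internet at all.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 51234 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 51235 22 6 8 1200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40000 3389 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 93.184.216.34 10.0.1.20 443 49152 6 10 5000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0e9f8a7b 10.0.1.20 10.0.2.15 33000 5432 6 20 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0e9f8a7b 203.0.113.44 10.0.2.15 52000 5432 6 3 200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0e9f8a7b - - - - - - - 1700000000 1700000060 - NODATA",
]
# Assumed design intent: only the web ENI has public listeners, on 80 and 443.
ALLOWED_PUBLIC_PORTS = {"eni-0a1b2c3d": {80, 443}}

if __name__ == "__main__":
    for (eni, port), total in exposed_listeners(SAMPLE_LINES, ALLOWED_PUBLIC_PORTS).items():
        print(f"{eni}: port {port} accepted {total} bytes from the internet but is not an intended public listener")
```

The rejected RDP probe, the reply half of an outbound HTTPS connection and the internal database traffic are all filtered out, leaving exactly the two deviations from the design: SSH open on the web interface and the database reachable from the internet. Running this over the S3-delivered logs on a schedule turns the “not unnecessarily exposed” design rule into a check rather than a one-time review.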

Shield – Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. It provides always-on detection and automatic inline mitigations that minimize application downtime and latency. Shield Standard is included for every AWS customer at no extra cost; Shield Advanced is a paid tier that adds protection for larger and more sophisticated attacks and access to the AWS DDoS Response Team.

Workload-specific security

  • Hardening of the customer’s EC2 instances to comply with the CIS Benchmark for the operating system in use, or any other specific standard required
  • Endpoint security measures (anti-malware, host-based intrusion detection and patch management on the instances)
  • Storage and data encryption at rest (EBS volumes, S3 buckets, RDS databases) using keys managed in AWS KMS (Key Management Service)

Application layer

WAF – AWS WAF is a web application firewall that helps protect web applications and APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. AWS WAF provides control over how traffic reaches the applications: we create and customize security rules that control bot traffic and block common attack patterns, such as SQL injection or cross-site scripting. WAF rules reduce exposure to known attack patterns; they do not replace fixing the underlying application vulnerability.

At CK, we maintain security in all layers via stringent policies. First, we ensure that our customers understand the nature of the security measures implemented. We aim to create a shared philosophy in which customers see that their organization’s security practices have been extended to the cloud as well, and continue to treat their cloud servers as an extension of their on-premise data center, with the same responsibilities and expectations in place.

Our Managed Support Services portfolio includes the use of Arcus™, our in-house Cloud Management SaaS platform. Arcus™ is built to enable cloud engineers and technology managers to migrate, operate, monitor, manage and optimize cloud infrastructure assets. Our Managed Services team keeps a close eye on the security posture of the customer’s account via the compliance audits that can be enabled in Arcus™ following the recommended policies. These audits run automatically across the platform, and the resulting Policy Audit reports are generated automatically and can be scheduled for delivery to our team and to the customer’s stakeholders. Our team still conducts manual weekly audits of all customer accounts as part of the regular process flow, but the effort involved has been reduced considerably by the automation and security measures that Arcus™ provides.

As a final word, while implementing security at each layer is important, CK’s Managed Support Services also ensures that the overall environment remains compliant over time. Arcus™, coupled with the AWS security services set up in the account, gives us continuous visibility of drift from the baseline, and that is how continuous compliance is achieved.

Tags: Amazon Web Services (AWS), Arcus Cloud Management Platform, Automation, Cloud Managed Services, Cloud Security