Talk To a CK Expert

M

Continuous Compliance – Best Practices for a “secure” Cloud Infrastructure

Continuous Compliance

The Security Practices required for Continuous Compliance to ensure that our Cloud Infrastructure remain secure, comprise of  multiple layers and different mechanisms at each of these layers. Bearing in mind the trajectile growth in  complexity of today’s data, the increased focus on Data Privacy, Customers often struggle to understand  how they can continuously secure their data. At CK, we ensure that we address this as a top priority item  and also work on prioritizing a Security Strategy first. This is followed by deciding the AWS tools and  controls which can be put in place for that particular Customer’s requirement. We ensure that security is  integrated into all the possible business functions and workflows. 

Let us touch a little bit on the angle at which AWS looks at Security. AWS Cloud Security clearly states  that security is a shared responsibility between AWS, the AWS Partner in charge of managing the  environment and the Customer. We feel that it is of prime importance to encourage discussions with the  Customers regarding the Shared Responsibility Model followed by AWS Cloud. AWS will be responsible  for the Security of the Cloud Infrastructure which comprises of the physical infrastructure  (regions/availability zones/edge locations), the hardware that hosts workloads (network, compute,  storage, databases) and the software that provides the different functionality of Cloud.

The Customer will  be responsible for all and sundry that lies above this layer (i.e.) everything related to the Application. AWS  Partners like CK are expected to liaison between the Customer and AWS and also provide consultation on  the layers, wherever possible. 

Getting back to the various security measures to be designed and enabled from a Customer Standpoint, we  will list down the layers and the services/controls put in place. 

Continuous Compliance – Best Practices


Account Readiness


The first layer (or the bottom-most layer) deals with the Baseline Cloud  Account-level security practices setup from an Account-level itself. The following AWS services  are enabled by default and I have given a short description of each accordingly. 

  • Securing the Root Account – The IAM Root User needs MFA (Multi-Factor Authentication) to  be enabled. This is a recommended best Security practice that adds an extra layer of  protection on top of the user name and password, and requires an authentication code from  the AWS MFA device while attempting a Sign-In 
  • CloudTrail – With CloudTrail, AWS account owners can ensure every API call made to every  resource in their AWS account is recorded. CloudTrail is a service that enables governance,  compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail enabled, we can log, continuously monitor, and retain account activity related to actions  across the AWS infrastructure being managed. CloudTrail provides event history of the AWS  account activity, including actions taken through the AWS Management Console, AWS SDKs,  command line tools, and other AWS services
  • VPC Flow Logs – VPC Flow Logs are enabled allowing us to capture information about the IP  traffic going to and from network interfaces in the VPC. Flow log data are also published to  Amazon CloudWatch Logs or Amazon S3 
  • Config – AWS Config provides a detailed inventory of the managed AWS resources and their  current configuration while continuously recording changes. This helps in evaluating these  configurations and changes for compliance with ideal configurations defined by AWS Config  Rules 
  • GuardDuty – GuardDuty is a managed cloud security monitoring service that detects behavior  or threats that can compromise AWS accounts, resources and workloads. It is a threat  detection service that continuously analyzes cloud events in AWS CloudTrail, Amazon Virtual  Private Cloud (VPC) Flow Logs and domain name system (DNS) logs for possible malicious  activity 
  • Security Hub – Security Hub provides a comprehensive view of the security alerts and security  posture across the AWS account. It is a single place/view point that aggregates, organizes,  and prioritizes the various security alerts from multiple AWS services such as Amazon GuardDuty, Amazon Inspector, etc. 

Network layer

Designing the Customer’s network security is also imperative and this is carried  out at the design stage itself along with the other design considerations as applicable.

  • AWS components (like S3 & EC2) should not be unnecessarily exposed to the internet ∙ The Subnet Design is verified and carried out as fitting the Customer’s requirement ∙ The Requirements for Public IPs & Elastic IPs are validated 

  • Shield – Shield is a managed Distributed Denial of Service (DDoS) protection service that  safeguards applications running on AWS. It provides always-on detection and automatic inline  mitigations that minimize application downtime and latency 

Workload-specific security 

  • Hardening of the Customer’s Virtual Machines to comply with the CIS Benchmark standards or any other specific standards 
  • Endpoint security measures 
  • Storage & Data Encryption using AWS KMS (Key Management Service) 

Application layer 

  • WAF – WAF is a web application firewall that helps protect the web applications or APIs against  common web exploits and bots that may affect availability, compromise security, or consume  excessive resources. AWS WAF provides control over how traffic reaches the applications, we  create and customize security rules that control bot traffic and block common attack patterns,  such as SQL injection or cross-site scripting 

At CK, we maintain security in all layers via stringent policies set in place. First, we ensure that our  customers are sensitized about the nature of the security measures implemented. We aim to create a  shared philosophy which communicates that the customers appreciate the way their organization’s  security has been extended to the cloud space as well. Moving forward, they will continue to view their  cloud servers as an extension of their on-premise data center, with the same responsibilities and  expectations in place. 

Our Managed Support Services portfolio includes the use of ArcusTM, our indigenous Cloud Management  SaaS platform. ArcusTM is built to enable Cloud Engineers and Technology Managers to Migrate, Operate, 

Monitor, Manage and Optimize Cloud Infrastructure Assets. Our Managed Services team keeps a close  eye on the security posture of the Customer’s account via the Compliance audits which can be enabled  via ArcusTM following the recommended best policies. These audits run automatically across the platform,  the relevant Policy Audit reports are automated and can be scheduled to be received by our Team and  the Customer’s stakeholders as well. While our team conducts manual weekly audits for all our Customer’s  accounts as a part of the regular process flow, this effort has been reduced considerably due to the  automation and security measures brought around by ArcusTM

As a final word, while implementing security at each layer is important, CK’s Managed Support Services  ensures that the overall environment also remains complaint. The usage of ArcusTM (coupled with the  AWS Security Services setup in place) gives us an advantage and Continuous Compliance is achieved  accordingly.

Follow us on LinkedIn for updates on Continuous Compliance and more.

Contact us to learn about Continuous Compliance.

Service Delivery Manager with over 10 years of experience working in the IT industry. Passionate about Project & Team Management, Yashwanth is always looking at opportunities to expand his horizons and bring about new process improvement initiatives to the organization.

Want to achieve similar results?

Talk to our Cloud Experts today!

Recent Posts

How TVSE Tackled Tough Tasks with CK’s Help

How TVSE Tackled Tough Tasks with CK’s Help

The issues began as unrelated nuisance factors. The enterprise resource planning (ERP) application was bloated and lagged, offsite backups were unreliable, and a failover data centre for business continuity/disaster recovery (BC/DR) was expensive to maintain. It was...

read more
Use Zero-Trust to Secure Access to Cloud Workloads

Use Zero-Trust to Secure Access to Cloud Workloads

The migration to cloud means teams and organizations are rethinking how to secure their applications and infrastructure. Security in the cloud is being recast from static and IP-based - defined by a perimeter - to dynamic and identity-based - with no clear perimeter....

read more