The cloud has made it dead simple to quickly spin up a new server without waiting for IT. But the ease of deploying new servers -- and the democratic nature of cloud management -- can be a security nightmare, as a simple configuration error or administrative mistake can compromise the security of your organization's entire cloud environment.
With sensitive data increasingly heading to the cloud, how your organization secures its instances and overall cloud infrastructure is of paramount importance. Cloud providers, like Amazon, secure the server hardware your instances run on, but the security of everything your organization builds on top of that hardware is all on you. A broad array of built-in security services and third-party tools are available to secure practically any workload, but you have to know how to use them. And it all starts with proper configuration.
Analysis of real-world Amazon Web Services usage doesn’t paint a pretty picture. Cloud security company Saviynt recently found among its customers an average of 1,150 misconfigurations in Elastic Compute Cloud (EC2) instances per AWS account. It’s clear that the ease of spinning up EC2 instances for development and testing is coming at the expense of security controls that would otherwise be in place to protect on-premises servers. AWS admins need to use available tools properly to ensure the security of their environments.
Here we survey some of the most common configuration mistakes administrators make with AWS.
Mistake 1: Not knowing who is in charge of security
When working with a cloud provider, security is a shared responsibility. Unfortunately, many admins don't know what AWS takes care of and which security controls they themselves have to apply. When working with AWS, you can't assume that default configurations are appropriate for your workloads, so you have to actively check and manage those settings.
“It’s a straightforward concept, but nuanced in execution,” says Mark Nunnikhoven, vice president of cloud research at Trend Micro. “The trick is figuring out which responsibility is which.”
More important, AWS offers a variety of services, each of which requires distinct levels of responsibility; know the differences when picking your service. For example, EC2 puts the onus of security on you, leaving you responsible for configuring the operating system, managing applications, and protecting data. “It’s quite a lot,” Nunnikhoven says. In contrast, with AWS Simple Storage Service (S3), customers focus only on protecting data going in and out, as Amazon retains control of the operating system and application.
“If you don't understand how this model works, you're leaving yourself open to unnecessary risks,” Nunnikhoven says.
Mistake 2: Forgetting about logs
Too many admins create AWS instances without turning on AWS CloudTrail, a web service that records API calls from AWS Management Console, AWS SDKs, command-line tools, and higher-level services such as AWS CloudFormation.
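One way to catch this mistake before it bites: an added example, not from the article, that audits the JSON an account returns from `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status` (the field names are the real API response fields; the trail data below is constructed) and reports whether any trail is actually covering the account.

```python
import json

# Constructed sample of what `aws cloudtrail describe-trails` returns for one
# account, plus the per-trail `get-trail-status` results. Field names follow
# the real API responses; the trail names and values are invented.
DESCRIBE_TRAILS = json.loads("""
{"trailList": [
  {"Name": "dev-trail", "S3BucketName": "dev-logs", "HomeRegion": "us-east-1",
   "IsMultiRegionTrail": false, "LogFileValidationEnabled": false},
  {"Name": "org-trail", "S3BucketName": "audit-logs", "HomeRegion": "us-east-1",
   "IsMultiRegionTrail": true, "LogFileValidationEnabled": true}
]}""")
TRAIL_STATUS = {
    "dev-trail": {"IsLogging": True},
    "org-trail": {"IsLogging": False},   # trail exists but logging was stopped
}


def audit_cloudtrail(describe_trails, trail_status):
    """Return a list of findings; an empty list means the account passes.

    A trail only counts as covering the account if it is multi-region,
    currently logging, and has log file validation switched on, so a
    stopped or single-region trail still produces a finding.
    """
    findings = []
    covering = []
    for trail in describe_trails.get("trailList", []):
        name = trail["Name"]
        status = trail_status.get(name, {})
        problems = []
        if not trail.get("IsMultiRegionTrail"):
            problems.append("single-region only")
        if not status.get("IsLogging"):
            problems.append("logging stopped")
        if not trail.get("LogFileValidationEnabled"):
            problems.append("log file validation disabled")
        if problems:
            findings.append(f"{name}: " + ", ".join(problems))
        else:
            covering.append(name)
    if not covering:
        findings.insert(0, "no multi-region trail is actively logging with validation enabled")
    return findings


if __name__ == "__main__":
    for line in audit_cloudtrail(DESCRIBE_TRAILS, TRAIL_STATUS):
        print("FINDING:", line)
```

Run the same function over a live account by feeding it the two CLI outputs; an empty result is the only passing state.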