As cloud IT has proliferated, security concerns have diminished as a barrier to adoption. But that doesn't mean you can ignore security in the cloud, since a major attack can have expensive -- and potentially business-ending -- consequences.
More and more sensitive data is heading to the cloud. Genomic informatics company GenomeNext, for example, feeds raw genome sequencing data into high-speed computational algorithms running entirely on AWS. Pharmaceutical giant Bristol-Myers Squibb reduced the duration of its clinical trials by using AWS. Electronic exchange Nasdaq OMX developed FinQloud on AWS to provide clients with tools for storing and managing financial data.
Amazon, like most cloud providers, takes care of security for its physical data centers and the server hardware the virtual machines run on, but leaves it up to the individual customer to protect its own infrastructure. Amazon provides a plethora of security services and tools to secure practically any workload, but the administrator has to actually implement the necessary defenses.
The following are expert tips that go beyond the basics for securing your AWS account and keeping the business up and running.
Don’t let the developers run the show
Most developers want to be secure, but they don't want to be slowed down. They are under tremendous pressure to build new features and ship code. The cloud is supposed to help them work faster, so security has to be incorporated in a way that lets them keep doing what they do best.
Cloud usage in most organizations tends to be primarily developer-driven, as developers spin up new instances whenever they need more storage or power. When developers lead cloud usage, it's easy to wind up with a sprawling environment with varying levels of security, said Rich Sutton, vice president of engineering at Nexgate, a division of security company Proofpoint. All the ports may be left open, or all the user accounts on a given server may have administrator rights. Another common mistake is to reuse the root password across instances.
Create cloud images with basic security policies already applied and security tools configured. Developers can deploy new instances off the secure images, making it easy to use self-service to get up and running without introducing friction.
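The sprawl described above is easiest to catch with a periodic audit of the security groups attached to those self-service instances. The script below is an added example, not code from the article or from AWS: it walks security-group records in the shape returned by boto3's ec2.describe_security_groups() and flags rules that expose every port, or an administrative port such as SSH or RDP, to the whole internet. The SAMPLE_GROUPS data is constructed for the example so it runs offline; in practice you would feed it the live API response.

```python
"""Offline audit of EC2 security group ingress rules for the
'all ports open to the world' mistake.

SAMPLE_GROUPS mirrors the structure of
boto3 ec2.describe_security_groups()["SecurityGroups"]; the records
themselves are constructed for this example.
"""

# CIDRs that mean "anyone on the internet" (IPv4 and IPv6).
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Ports that should essentially never be reachable from ANYWHERE.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}

SAMPLE_GROUPS = [  # constructed sample data
    {
        "GroupId": "sg-0000000000000001",
        "GroupName": "web-baseline",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0000000000000002",
        "GroupName": "dev-quickstart",
        "IpPermissions": [
            # IpProtocol "-1" is how EC2 expresses "all protocols, all ports".
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-0000000000000003",
        "GroupName": "dev-ssh",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def _public_ranges(perm):
    """Return the CIDRs in this permission that are open to the internet."""
    ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in ranges if c in ANYWHERE]


def audit_security_groups(groups):
    """Return (group_id, severity, message) tuples for internet-exposed rules."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _public_ranges(perm):
                continue  # rule is scoped to a private range; nothing to report
            proto = perm.get("IpProtocol")
            if proto == "-1":
                findings.append((sg["GroupId"], "HIGH",
                                 "all protocols and ports open to the internet"))
                continue
            if proto not in ("tcp", "udp"):
                continue  # e.g. icmp: FromPort/ToPort mean type/code, not ports
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed = [ADMIN_PORTS[p] for p in ADMIN_PORTS if low <= p <= high]
            if exposed:
                findings.append((sg["GroupId"], "HIGH",
                                 f"{', '.join(exposed)} open to the internet"))
            elif high - low > 0:
                findings.append((sg["GroupId"], "MEDIUM",
                                 f"{proto} port range {low}-{high} open to the internet"))
            else:
                findings.append((sg["GroupId"], "LOW",
                                 f"{proto} port {low} open to the internet"))
    return findings


if __name__ == "__main__":
    for group_id, severity, message in audit_security_groups(SAMPLE_GROUPS):
        print(f"{severity:6} {group_id}: {message}")
```

The baked-in image approach from the paragraph above removes most of these findings at the source; running the audit on a schedule catches the instances that were launched from an ad-hoc image anyway.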
A typical development scenario has developers working in different environments for development, testing, and production. The foolproof way to set up the cloud counterpart is to have completely separate AWS accounts for each environment. Thus, each environment is isolated from the other, so an attacker who gains access to a development server can’t easily hop onto a production system. It also prevents accidents, such as a developer or administrator dropping a database in production instead of in testing.
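Separate accounts only isolate the environments if nobody later wires them back together with an IAM trust relationship. The check below is an added example, not the article's or AWS's code: given a constructed account inventory and role records in the shape returned by boto3's iam.list_roles() (RoleName, Arn, AssumeRolePolicyDocument), it reports any role in the production account whose trust policy lets a development or test account, or a wildcard principal, assume it. The account IDs, role names and the "deploy" tooling account are assumptions made for the example.

```python
"""Offline audit: does any role in the production account trust a
principal from a non-production account?

ACCOUNTS and ROLES are constructed sample data. Trust-policy documents
follow the IAM policy grammar; role records mirror boto3 iam.list_roles().
"""
import re

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")

ACCOUNTS = {  # constructed: one AWS account per environment
    "111111111111": "dev",
    "222222222222": "test",
    "333333333333": "prod",
    "444444444444": "deploy",  # assumed shared CI/CD tooling account
}

# Environments that are permitted to assume roles inside production.
ALLOWED_INTO_PROD = {"deploy"}


def _role(account, name, statements):
    return {
        "RoleName": name,
        "Arn": f"arn:aws:iam::{account}:role/{name}",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17",
                                     "Statement": statements},
    }


ROLES = [  # constructed sample data
    _role("333333333333", "prod-deploy", [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::444444444444:role/ci-runner"}}]),
    _role("333333333333", "prod-debug", [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]),
    _role("333333333333", "prod-legacy", [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}]),
    _role("333333333333", "prod-ec2-instance", [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "ec2.amazonaws.com"}}]),
    _role("111111111111", "dev-admin", [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "111111111111"}}]),
]


def principal_accounts(principal):
    """Return the account IDs named by a Principal element.

    '*' marks a wildcard principal. Service and Federated principals do not
    name an AWS account and are ignored here.
    """
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", [])
    if isinstance(values, str):
        values = [values]
    found = set()
    for value in values:
        if value == "*":
            found.add("*")
        elif re.fullmatch(r"\d{12}", value):
            found.add(value)  # bare account ID shorthand
        else:
            match = ARN_ACCOUNT.match(value)
            if match:
                found.add(match.group(1))
    return found


def audit_prod_trusts(roles, accounts, allowed_envs):
    """Return (role_name, reason) for production roles trusting the wrong place."""
    findings = []
    for role in roles:
        role_account = role["Arn"].split(":")[4]
        if accounts.get(role_account) != "prod":
            continue
        for stmt in role["AssumeRolePolicyDocument"].get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            for acct in sorted(principal_accounts(stmt.get("Principal", {}))):
                if acct == "*":
                    findings.append((role["RoleName"], "wildcard principal"))
                elif acct != role_account and accounts.get(acct, "unknown") not in allowed_envs:
                    env = accounts.get(acct, "unknown")
                    findings.append((role["RoleName"], f"trusts {env} account {acct}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_prod_trusts(ROLES, ACCOUNTS, ALLOWED_INTO_PROD):
        print(f"{name}: {reason}")
```

Roles trusted only by an AWS service (the EC2 instance role above) or by the explicitly allowed deployment account pass; a role that trusts the dev account's root, or anyone at all, is exactly the bridge that lets a compromised development server hop into production.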