Data Security In AWS Cloud

Hiren Dossani
5 min read · Apr 15, 2022

Data is a crucial asset for every organization, so the processes that provision and secure the systems storing, processing, and transmitting it are essential. The challenge is keeping that data protected. As more businesses migrate to the cloud, it is vital to have a model of how data is created, stored, and used there. This article describes how to protect data in each of its phases, in transit, in use, and at rest, using AWS managed services.

Data Life Cycle

The cloud strategy for most organizations will include a variety of personnel in different roles, from the top executives all the way to operational personnel responsible for day-to-day functions such as data input and processing. Data is constantly being created, used, stored, transmitted, and, once it is no longer valuable, destroyed. In such a dynamic environment, it can be useful to model the phases that data passes through. This model provides a generic way of identifying the broad categories of risks facing the data. The secure cloud data lifecycle is roughly linear, though some data may not go through all phases, and data may exist in multiple phases simultaneously.

The Challenge

The challenge is how to protect the data in each phase with controls commensurate with its value. Some threats to data are universal regardless of its location, and they affect all three elements of the confidentiality, integrity, and availability (CIA) triad. Data that is stored in the cloud must also be protected in transit, because it crosses public networks to reach the organization's cloud applications, and in use, so that its confidentiality is not lost while it is being processed.

In a nutshell, data must be protected at rest, in transit, and in use.

Our Approach

Data is created when it is first entered into a system or whenever it is modified. Data classification is a foundational security control, as it allows the organization to identify data’s value and implement appropriate controls.

Protecting Data At Rest

  • Encryption: It is a way of transforming content in a manner that makes it unreadable without a secret key necessary to decrypt the content back into plaintext.
  • Enforce encryption at rest: AWS KMS integrates with most AWS storage services to make it easy to encrypt all data at rest. You can use AWS Config managed rules such as encrypted-volumes, rds-storage-encrypted, and s3-bucket-server-side-encryption-enabled to check automatically that EBS volumes, RDS instances, and S3 buckets are encrypted.
  • Enforce access control: Least-privilege access, backups, isolation, and versioning all help protect your data at rest. Access to your data should be audited with detective mechanisms such as CloudTrail and service-level logs (for example S3 server access logs).
  • Automate data-at-rest protection: AWS Config rules can continuously validate that every EBS volume is encrypted and flag non-compliant resources for remediation. AWS Security Hub can also verify these and other controls through automated checks against security standards such as the AWS Foundational Security Best Practices.
  • Masking: Data masking involves hiding specific elements of data for certain use cases, primarily when there is a need for data to be retrievable for some but not all users or processes.
  • Tokenization: It is a process whereby a non-sensitive representation of sensitive data, otherwise known as a token, is created and used. The token is a substitute to be used in place of more sensitive data like a credit card number, often called a primary account number (PAN). Rather than storing and using PANs, which is risky due to the value of a PAN, tokens can be used instead.
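As an added example (not code from the original article), the following Python implements the masking and tokenization described in the two bullets above for card numbers. The token vault is an in-memory dictionary standing in for a separately secured store (for example a DynamoDB table encrypted with a KMS key); the lookup key and the sample PAN 4111111111111111, a well-known test number, are constructed for the example. Tokens are format-preserving: same length as the PAN, same last four digits, random otherwise, and Luhn-valid so that existing validation code keeps working.

```python
import hashlib
import hmac
import secrets


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial` + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # digits at even offsets from the right are doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Masking: show at most the first six and last four digits (PCI DSS display rule)."""
    if keep_first > 6 or keep_last > 4 or len(pan) <= keep_first + keep_last:
        raise ValueError("mask would reveal too much of the PAN")
    return pan[:keep_first] + "*" * (len(pan) - keep_first - keep_last) + pan[-keep_last:]


class TokenVault:
    """Tokenization: replace a PAN with a random, format-preserving, Luhn-valid token.

    The token keeps only the last four digits of the PAN; the rest is random,
    so it reveals nothing about the card to anyone who does not hold the vault.
    """

    def __init__(self, lookup_key: bytes) -> None:
        # constructed for the example; in practice keep this key in KMS or Secrets Manager
        self._lookup_key = lookup_key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # keyed hash lets us find an existing token for a PAN without storing the PAN in the index
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:      # same PAN always maps to the same token
            return self._token_by_fingerprint[fp]
        last4 = pan[-4:]
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
            # Luhn doubling is a bijection mod 10, so exactly one value of the digit
            # just before the last four makes the whole token Luhn-valid
            candidate = next(prefix + d + last4 for d in "0123456789"
                             if luhn_valid(prefix + d + last4))
            if candidate != pan and candidate not in self._pan_by_token:
                break
        self._pan_by_token[candidate] = pan
        self._token_by_fingerprint[fp] = candidate
        return candidate

    def detokenize(self, token: str) -> str:
        """Only the payment component that talks to the card processor should be allowed to call this."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(lookup_key=b"example-lookup-key")
    pan = "4111111111111111"            # well-known test card number, not a real account
    token = vault.tokenize(pan)
    print("masked:", mask_pan(pan))
    print("token :", token, "luhn ok:", luhn_valid(token))
    print("round trip:", vault.detokenize(token) == pan)
```

Masking is for display paths that must never see the full PAN; tokenization is for storage and for every system that only needs a stable reference to the card. Note that a format-preserving token is indistinguishable from a real PAN to an outsider, so it carries no secrecy by itself: the security of the scheme rests entirely on access control around the vault and its detokenize path.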

Protecting Data In Transit

  • AWS Certificate Manager (ACM) lets you provision, manage, and deploy public and private Transport Layer Security (TLS) certificates for use with AWS services and your internal connected resources. TLS certificates secure network communications and establish the identity of websites on the internet as well as resources on private networks. ACM integrates with Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway, and handles certificate renewal automatically.
  • AWS service endpoints are HTTPS endpoints that use TLS, so calls to the AWS APIs are encrypted in transit. Insecure protocols such as plain HTTP can be audited with VPC Flow Logs and blocked in a VPC by security groups and network ACLs that do not allow the insecure port (for example TCP 80). HTTP requests can also be redirected to HTTPS automatically in Amazon CloudFront or on an Application Load Balancer, and an S3 bucket policy can deny any request for which the aws:SecureTransport condition key is false.
  • Automate detection of unintended data access: Use tools such as Amazon GuardDuty to detect suspicious activity or attempts to move data outside of defined boundaries; GuardDuty's S3 protection, for example, flags unusual S3 read activity. Amazon VPC Flow Logs capture network traffic metadata, including whether each flow was accepted or rejected; analyzed with CloudWatch Logs metric filters or Amazon Athena, they can raise alarms on abnormal connections that Amazon EventBridge routes to responders. IAM Access Analyzer for S3 shows which buckets are accessible from outside your account and to whom. AWS WAF and AWS Shield protect the applications in front of the data from web attacks and DDoS respectively.
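The "enforce encryption at rest" bullet earlier and the TLS bullet above both come down to explicit Deny statements in an S3 bucket policy. As an added example that is not part of the original article, the Python below builds that policy and includes a small evaluator for the explicit-deny step of IAM's logic (only the Bool, StringEquals, StringNotEquals and Null operators are modelled) so the statements can be reasoned about offline. The bucket name and KMS key ARN are placeholders, and the request contexts are constructed for the example.

```python
import json
import re

BUCKET = "example-data-bucket"                       # assumed bucket name
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "1234abcd-12ab-34cd-56ef-1234567890ab")  # placeholder key ARN


def build_bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Three explicit Deny statements: no plaintext transport, no unencrypted
    uploads, and no uploads encrypted with any key other than ours."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": objects,
                # StringNotEquals also matches when the header is absent entirely
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
        ],
    }


_MISSING = object()


def _wild(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Evaluate a Condition block against a request context; every key must hold."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key, _MISSING)
            if operator == "Bool":
                if actual is _MISSING or str(actual).lower() != str(expected[0]).lower():
                    return False
            elif operator == "StringEquals":
                if actual is _MISSING or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # negated operator: a missing key counts as "not equal", so it matches
                if actual is not _MISSING and actual in expected:
                    return False
            elif operator == "Null":
                wants_missing = str(expected[0]).lower() == "true"
                if (actual is _MISSING) != wants_missing:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def explicit_deny(policy: dict, action: str, resource: str, ctx: dict):
    """Return the Sid of the first Deny statement that applies to the request, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (any(_wild(a, action) for a in actions)
                and any(_wild(r, resource) for r in resources)
                and _condition_holds(stmt.get("Condition", {}), ctx)):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    # constructed request context for an upload over plain HTTP
    print(explicit_deny(policy, "s3:PutObject", obj, {"aws:SecureTransport": False}))
```

Two caveats before deploying something like this. As written, an upload that relies on the bucket's default encryption and sends no x-amz-server-side-encryption header is also denied, because the header-derived condition key is absent and StringNotEquals treats absence as a mismatch; if default encryption should satisfy the requirement, use a Null condition instead. And the evaluator here only models the explicit-deny step, so it is a reasoning aid, not a substitute for the IAM Policy Simulator or IAM Access Analyzer policy validation.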

Protecting Data In Use

The use phase is when data is actively being worked on (accessed) or handled. Data being actively “used” by a company may sit on a disk (data at rest) or be sent to an application for processing (data in transit). Accountability controls are crucial in this phase, which requires adequate logging and monitoring of access.

  • AWS CloudTrail supports auditing, security monitoring, and operational troubleshooting by recording user activity and API usage. CloudTrail logs, continuously monitors, and retains account activity across your AWS infrastructure, and gives you control over how those records are stored, analyzed, and acted on.
  • Amazon EventBridge is a serverless event bus that delivers near-real-time events about changes in AWS services, your own applications, and software as a service (SaaS) applications. Rules match event patterns and route matching events to targets such as Lambda functions or SNS topics, so no polling code is needed.
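The two services above are usually wired together: CloudTrail publishes management-event records to EventBridge as "AWS API Call via CloudTrail" events, and EventBridge rules pick out the ones that matter. As an added example that is not part of the original article, the Python below writes three such rules in EventBridge's pattern syntax and implements enough of the matching semantics (literal lists, prefix, exists, anything-but) to run them over constructed sample events offline; it also serves the earlier "automate detection of unintended data access" bullet. The events, the rule names, and the assumption that 203.0.113.0/24 is the office egress range are all made up for the example.

```python
_MISSING = object()


def _leaf_matches(filters: list, value) -> bool:
    """A pattern leaf is a list; the event value must satisfy at least one entry."""
    for f in filters:
        if isinstance(f, dict):
            if "prefix" in f:
                if isinstance(value, str) and value.startswith(f["prefix"]):
                    return True
            elif "exists" in f:
                if (value is not _MISSING) == bool(f["exists"]):
                    return True
            elif "anything-but" in f:
                excluded = f["anything-but"]
                if isinstance(excluded, dict) and "prefix" in excluded:
                    if isinstance(value, str) and not value.startswith(excluded["prefix"]):
                        return True
                else:
                    excluded = excluded if isinstance(excluded, list) else [excluded]
                    if value is not _MISSING and value not in excluded:
                        return True
        elif value == f:
            return True
    return False


def matches(pattern: dict, event: dict) -> bool:
    """Every key in the pattern must match; event keys absent from the pattern are ignored."""
    for key, sub in pattern.items():
        if isinstance(sub, dict):
            child = event.get(key)
            if not isinstance(child, dict) or not matches(sub, child):
                return False
        elif not _leaf_matches(sub, event.get(key, _MISSING)):
            return False
    return True


# Rules in EventBridge pattern syntax (assumed names; 203.0.113.0/24 stands in for office egress).
RULES = {
    "s3-bucket-exposure": {
        "source": ["aws.s3"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventName": ["PutBucketPolicy", "PutBucketAcl",
                                 "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock"]},
    },
    "logging-or-key-tampering": {
        "source": ["aws.cloudtrail", "aws.kms"],
        "detail": {"eventName": ["StopLogging", "DeleteTrail", "ScheduleKeyDeletion", "DisableKey"]},
    },
    "iam-user-change-from-unexpected-network": {
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "userIdentity": {"type": ["IAMUser"]},
            "sourceIPAddress": [{"anything-but": {"prefix": "203.0.113."}}],
        },
    },
}


def _ct(source: str, name: str, ip: str, identity_type: str) -> dict:
    """Build a constructed CloudTrail-via-EventBridge event with just the fields the rules use."""
    return {"source": source, "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": source.split(".")[1] + ".amazonaws.com",
                       "eventName": name, "sourceIPAddress": ip,
                       "userIdentity": {"type": identity_type}}}


SAMPLE_EVENTS = [                                   # constructed, not real account activity
    _ct("aws.s3", "PutBucketPolicy", "203.0.113.10", "IAMUser"),
    _ct("aws.cloudtrail", "StopLogging", "198.51.100.77", "IAMUser"),
    _ct("aws.kms", "ScheduleKeyDeletion", "203.0.113.5", "AssumedRole"),
    _ct("aws.ec2", "RunInstances", "198.51.100.9", "IAMUser"),
    _ct("aws.s3", "PutBucketTagging", "203.0.113.8", "IAMUser"),
]


def evaluate(events, rules=RULES):
    """Return (rule name, eventName) for every rule each event triggers."""
    return [(name, e["detail"]["eventName"])
            for e in events for name, pattern in rules.items() if matches(pattern, e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

One limit worth knowing: EventBridge does not deliver read-only API calls (Get*, List*, Describe*) from CloudTrail, so a rule like these cannot see an S3 GetObject. For read access to data, analyze CloudTrail data events from the delivered log files (S3 data event logging must be enabled on the trail) or rely on GuardDuty's S3 findings, which the article mentions earlier.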

Beyond logging, the controls applied to data in use should be commensurate with its classification: data loss prevention (DLP) to manage data flow, information rights management (IRM), system access controls such as authorization and periodic access reviews, network monitoring tools, and the like.

Conclusion

Earning customer trust is at the heart of any business. At Global Clouds, we are helping customers protect their data in a constantly changing world, and we would never expect our customers to do it all alone. Cloud services offer many benefits for accessing, managing, and handling the data that is crucial to modern business operations, but they are not free from risk. The cloud data lifecycle provides a convenient framework for identifying the types of activities, risks, and appropriate security controls required to keep data secure. Proper cloud data security requires organizations to know what kind of data they handle and where it is stored, and to deploy adequate policies, procedures, and controls so that they can realize the business benefits of cloud environments.

“Digital freedom stops where that of users begins… Nowadays, digital evolution must no longer be offered to a customer in the trade-off between privacy and security. Privacy is not for sale, it’s a valuable asset to protect.”

― Stephane Nappo

Written by Hiren Dossani

Helping businesses that are most vulnerable to cloud-based cyberattacks. https://cloudsolutions.zone/
