Amazon Web Services (AWS) offers small businesses a number of benefits. There are plenty of Amazon Machine Instances that are preconfigured so a small IT team can quickly spin up a virtual appliance, server, or other computing resource. Like any other cloud service, AWS offers scalability to allow business IT resources to grow on demand and it helps control costs by offering a number of different pricing plans. There are, of course, other benefits that entice small businesses to turn to AWS for a number of their computing needs. However, like any other resource, there are security considerations that you need to make.
The following list outlines five of the most important best practices any small business needs to consider when using AWS in their environment.
1 - Don’t Assume the Provider Will Handle All of Your Security Needs
One of the most common misunderstandings when it comes to any cloud service is that the provider will handle all of your security needs. This assumption can lead to serious problems.
Amazon is responsible for securing things on its side. Protecting its computing, storage, networking, and database services against intrusions falls on Amazon. The customer is responsible for the secure use of resources hosted on AWS. That means you need to properly manage and configure the resources you and your users have access to. Your team needs to know what to secure and how to go about securing it.
2 - Careful When Setting Up Identity and Access Management
Identity and Access Management (IAM) gives you the capability to provision users and groups and control what resources they have access to. It also gives you control over the level of access your AWS users have.
In AWS, this is done through custom master keys (CMKs) and key policies. Key policies include both identity-based policies that control users, groups, and roles, and resource-based policies that are attached to resources outside of IAM. The key policy attached to the CMK defines permissions for the use and management of the key to secure against unauthorized access.
The steps for setting up master keys and key policies is available in the AWS documentation, but it takes a good deal of experience with identity and access management to configure them in the most secure manner possible. This includes setting policies to meet the principle of least privilege, configuring multi-factor authentication, and auditing the use of CMKs.
3 - Know What You Are Using and What You Have
Although the ease of spinning up resources is a benefit of AWS, it can also be a concern. Anyone with an account can set up an AWS resource to use, and if they have the right privileges, they can do this within your environment. Shadow IT is a serious problem for businesses, because anything set up outside the constraints of IT might not adhere to the security requirements your organization has in place. Therefore, it is important to know exactly what you are running in AWS and why it is there. Anything that is not approved or not being used should be shut down to prevent unauthorized access.
While you are auditing the services you are using, you should also audit the data that each of your resources stores and uses. Doing this helps you ensure that you are adhering to compliance requirements for that data and it allows you to ascertain which data may be a more enticing target for attackers.
4 - Be Sure to Encrypt Your Data
Sensitive data stored in plain text is just a bad idea. Most laws and regulations require certain data to be encrypted, so not only do you need to understand what data is governed by those, but you also need to know how to best encrypt it. Remember: Although it is important to encrypt data, you need to do so in a way that the right people have access to it when they need it.
Amazon has services that prohibit the storage of unencrypted data and also provide you with a mechanism to alert the right people when buckets are created that store unencrypted data. If a bucket does not follow encryption policies, you can delete it altogether. However, deleting a bucket can cause problems if not configured correctly. Make sure your staff knows how to set this up and is familiar with the various data protection laws.
5 - Make Use of AWS Incident Response Tools
If you are using any type of technology, you are a target for malicious hackers. At some point in time, the bad guys are going to try to get into your resources. When using AWS, you have the ability to monitor CMKs for unauthorized access and usage. You can also delete or disable CMKs if there is suspicious activity. One of the advantages of AWS is that you have the ability to automate all of this.
Again, taking this step can be dangerous if not configured and managed properly. If a legitimate user triggers an event and access is cut off, there can be serious implications for your business operations.
With AWS, there are a host of tools to help you better secure your resources. The key is to not only follow the best practices when it comes to AWS security, but also to have the right people in place to deal with any incidents. If your IT staff does not possess the skills, knowledge, or experience required to properly secure your AWS environment, turn to a trusted partner for assistance. The right partner can not only help you configure and manage your environment, but also provide you guidance to help your organization treat AWS security in a proactive manner.