The importance of security in the modern information technology landscape
In this day and age, the importance of security in Information Technology (IT) cannot be emphasized enough. It is crucial for organizations to protect their proprietary information, as well as their clients’ information, from potential and existing threats. Security in IT is an all-encompassing concept for the protection of information and systems, as well as the hardware that is used to store and transmit said information.
The protection and security of physical assets have always been an inherent aspect of an organization’s structure and strategy. As the world moves towards a far more digital landscape, the area of security for information, software, and applications has become just as important.
Not a week goes by where we don’t hear or read something about a cyber threat or a digital security breach that costs businesses worldwide anywhere from hundreds to millions, or even billions, of dollars. Unfortunately, hackers and cyber attackers know and understand the wealth of opportunities that information provides.
As cybersecurity threats to IT systems grow and present themselves in new forms and methods, staying ahead of the game is crucial to safeguarding a company. Globally, the impact of security and data breaches to an organization is massive. According to this study sponsored by IBM, it is reported that the global average cost of a data breach was close to 3.9 million U.S. dollars in 2018.
In the age where personal information, sensitive documents, and other critical data is stored online, it is now more important than ever before to safeguard personal, corporate, and business information, software, and applications that are sensitive and/or confidential. It is through a robust and comprehensive security strategy that companies execute the safe operation of applications on any IT system, protect data that is collected and used, safeguard technology assets, and, overall, protect the company’s ability to function effectively.
Within this context, recognizing how incredibly necessary and valuable security is in today’s modern age of Information Technology, this article covers the topic of Amazon Web Services security (AWS security) to help readers understand the company’s strategies, best practices, and the attacks they have experienced.
Famous Amazon security breaches
As you probably already know, Amazon Web Services (AWS) is a secure cloud service provider that is on the radar of nearly every industry, company, and organization. It is considered one of the major Infrastructure as a Service (IaaS) providers and has a massive following. AWS offers computing power, database storage, content delivery, and other functionality that helps businesses grow and scale successfully.
AWS has grown exponentially over the years, but with growth and exposure come threats and risks - which have not gone unnoticed by the tech giant. Let’s review some of the most famous Amazon security breaches that have taken place in the last couple of years:
- Just this February 2019, Dow Jones suffered exposure of critical data on the public cloud by misconfiguring AWS. At almost 4.4GB in size, the Dow Jones Watchlist dataset of 2.4 million high-risk individuals leaked into public access for anyone who knew where to look. The list contained extremely sensitive information such as global coverage of senior politically exposed persons (along with relatives, associates, and company information), national and international government sanction lists, information about people who were convicted or linked to high-profile crimes, and profile notes from Dow Jones, including federal agency citations and law enforcement sources. In favor of AWS, the leak came as the result of user error and not from a security issue with the cloud company but it was still bad press for Amazon.
- Code Spaces offered source code repositories and project management services via Git or Subversion - but not anymore. We write in the past tense because the company no longer exists thanks to an attacker who gained access to the company’s AWS control panel and requested money in exchange for releasing control back. Scary, right? Since Code Spaces decided not to oblige the attacker’s request, the attacker began to delete resources such as Elastic Block Store (EBS) volumes, Simple Storage Service (S3) buckets, machine instances, and more. Effectively, these actions cyber-destroyed Code Spaces and ran them out of business.
- Back in 2017, Uber disclosed that its AWS account was hacked and the personal information of over 57 million users and drivers worldwide was compromised. This breach was reportedly performed by people outside the company who were able to access Uber’s private GitHub repository and steal AWS credentials. With the AWS credentials at hand, the attackers downloaded files with the personal data of millions of users and drivers such as names, email addresses, phone numbers, driver license numbers, and more. According to this Bloomberg report, Uber paid a reported $100,000 to the attackers to keep quiet about the breach.
- Back in February 2018, FedEx revealed that it had left customer information exposed in an unsecured AWS S3 bucket. Security researchers found the publicly accessible bucket containing over 112,000 scanned documents with names, addresses, phone numbers, passports, and more. Because the bucket was unsecured, anyone could reach this set of sensitive data. Again, AWS was not at fault, as the breach was the result of insecure configuration by the client, FedEx.
- In October 2017, Accenture, the global consulting and management firm, made headlines as it left four of its S3 storage areas completely open to public examination and download. Reportedly, this breach opened up 137GB of data for retrieval, including 40,000 unencrypted passwords. By accidentally misconfiguring an AWS S3 cloud server, Accenture was one of many companies that exposed client and company sensitive data.
- Spyfone, a company that markets surveillance software, misconfigured and left unprotected an Amazon S3 bucket which, in turn, left terabytes of photos, audio recordings, text messages, and web history completely unprotected. Again, the common denominator in these cases seems to be an insufficient approach to security.
Now that we know more about some of Amazon AWS security breaches, let’s take a look at the Amazon security aspects that are in place to safeguard its clients and their information.
Amazon security aspects
Amazon, and AWS in particular, have become staple names for a wide-ranging scope of features, reliability, and security - but the platform is not fault-free, particularly when it comes to security, which is why Amazon has recently implemented numerous security measures to counteract threats and protect the platform.
Let’s review some of the key aspects of Amazon security:
- Network firewalls within Amazon’s Virtual Private Cloud (VPC) as well as web application firewall capabilities in AWS to create private networks and control access to instances and applications.
- Encryption via Transport Layer Security (TLS) across all services.
- Private and dedicated connections to multiple environments.
- Automatic responses to Distributed Denial of Service (DDoS) attacks to help minimize threats by leveraging AWS technologies such as autoscaling, Amazon CloudFront, or Amazon Route 53.
- Data encryption for storage and database services such as EBS, S3, Glacier, SQL Server RDS, and more.
- AWS Key Management Service to decide if AWS should manage the encryption keys or if the client company should have total control over the keys.
- Encrypted messaging queues to transfer sensitive data using server-side encryption (SSE).
- Hardware-based cryptographic key storage.
- The Amazon Inspector service to assess applications for vulnerabilities automatically.
- Deployment tools to create and decommission AWS resources in compliance with organization standards.
- AWS Config to identify AWS resources and manage/track changes to those resources over time.
- AWS CloudFormation for standard preconfigured environments by using templates and management tools.
- AWS CloudTrail for deep visibility into API calls.
- Log aggregation to streamline research and compliance reporting.
- Amazon CloudWatch alerts for specific events or exceeding thresholds.
- AWS Identity and Access Management to define individual user accounts across AWS resources.
- AWS multi-factor authentication for privileged accounts and hardware-based authentication.
- AWS Directory Service to integrate with corporate directories.
- Penetration testing for any AWS resource.
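Two items in the list above, CloudTrail visibility into API calls and CloudWatch alerts on specific events, are only useful if someone writes the detection logic that turns records into alerts. The following is an added example for this article, not AWS code: it runs three simple rules over constructed CloudTrail-shaped records (the account ID, user names and timestamps are placeholders; the field names are CloudTrail's). The rules, the list of destructive API calls and the burst threshold are assumptions, and the burst rule is modelled on the Code Spaces incident described earlier, where one actor deleted many resources in quick succession.

```python
"""Run simple detections over CloudTrail records: console logins without
MFA, root-account activity, and bursts of destructive API calls.

Added example for this article, not AWS code. The records below are
constructed (account ID and usernames are placeholders) but follow the
CloudTrail record field names; the rules and thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# API calls that destroy data or capacity (assumed list; extend per environment).
DESTRUCTIVE = {"DeleteBucket", "DeleteVolume", "DeleteSnapshot",
               "TerminateInstances", "DeleteDBInstance"}
BURST_COUNT = 3                       # this many destructive calls ...
BURST_WINDOW = timedelta(minutes=5)   # ... by one actor inside this window

ACCT = "123456789012"  # placeholder account ID
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventTime": "2019-02-10T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2019-02-10T10:01:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-02-10T10:05:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"}},
    {"eventTime": "2019-02-10T10:06:00Z", "eventName": "DeleteVolume",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"}},
    {"eventTime": "2019-02-10T10:06:30Z", "eventName": "DeleteBucket",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"}},
    {"eventTime": "2019-02-10T10:07:10Z", "eventName": "TerminateInstances",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"}},
    {"eventTime": "2019-02-10T11:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root"}},
])


def load_records(text):
    """Parse newline-delimited JSON records (CloudTrail delivers files shaped
    as {"Records": [...]}; flatten those to one record per line first)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(records):
    """Return alerts in event-time order."""
    alerts = []
    recent_destructive = defaultdict(list)   # actor ARN -> timestamps
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        name, when = rec["eventName"], _when(rec)
        ident = rec.get("userIdentity", {})
        who = ident.get("arn", "unknown")

        if ident.get("type") == "Root":
            alerts.append({"rule": "root_activity", "severity": "high",
                           "actor": who, "event": name})
        if name == "ConsoleLogin" and \
                rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append({"rule": "console_login_without_mfa", "severity": "high",
                           "actor": who, "event": name})
        if name in DESTRUCTIVE:
            alerts.append({"rule": "destructive_api_call", "severity": "medium",
                           "actor": who, "event": name})
            window = recent_destructive[who]
            window.append(when)
            # keep only calls inside the sliding window, then check the count
            window[:] = [t for t in window if when - t <= BURST_WINDOW]
            if len(window) >= BURST_COUNT:
                alerts.append({"rule": "mass_deletion_burst", "severity": "critical",
                               "actor": who, "event": name, "count": len(window)})
                window.clear()   # one alert per burst, not per extra call
    return alerts


if __name__ == "__main__":
    for alert in detect(load_records(SAMPLE_LOG)):
        print(alert)
```

On the constructed log the run yields six alerts: one login without MFA, three individual destructive calls, one critical burst once the third deletion lands inside the five-minute window, and one root-account action. In practice the same functions would be fed from a CloudTrail-to-CloudWatch Logs subscription or from the trail's S3 delivery, and the burst alert is the one worth paging on.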
Next, let’s review one of the main hindrances associated with AWS Cloud Security.
The problem with AWS Cloud Security
As more and more sensitive data moves to the cloud, AWS Cloud Security is increasingly becoming of monumental importance. AWS Cloud Security is, in essence, a shared responsibility between the provider and the client.
A key challenge with AWS Cloud Security stems from the fact that frequently the client doesn’t fully commit to ensuring a secure environment, or they simply don’t know whose responsibility it is to fortify specific aspects of the cloud offering. In fact, AWS security operates on a Shared Security Responsibility model where AWS operates, manages, and controls components from “the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.” In this model, the client is responsible for the guest operating system, which includes updates and security patches, as well as the configuration of the AWS-provided security group firewall.
In essence, AWS secures its infrastructure and the client has their own security controls for data and apps that are deployed in the cloud.
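The security group firewall named above is the clearest instance of the client side of that split: AWS enforces the rules, but the rules themselves are whatever the client wrote. The audit below is an added example for this article, not AWS code; it reads groups in the shape of the EC2 DescribeSecurityGroups response, but the three groups are constructed samples, and the list of ports that should never be reachable from the whole internet is an assumption.

```python
"""Audit EC2 security-group rules for inbound exposure to the whole internet.

Added example for this article; it is not AWS code. The input has the shape
of the EC2 DescribeSecurityGroups response, but the groups below are
constructed samples. The port list is an assumption about which services
should never be world-reachable.
"""
import ipaddress

# Remote-administration and database ports (assumed list); 80/443 are
# deliberately absent because public web listeners are expected.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb"}

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# Constructed sample groups: a web tier (acceptable), an admin group with
# world-open SSH and RDP, and an "allow everything" group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def rule_is_world_open(perm):
    """True if any source range of the rule is 0.0.0.0/0 or ::/0."""
    v4 = any(ipaddress.ip_network(r["CidrIp"], strict=False) == ANY_V4
             for r in perm.get("IpRanges", []))
    v6 = any(ipaddress.ip_network(r["CidrIpv6"], strict=False) == ANY_V6
             for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def sensitive_ports_covered(perm):
    """Sensitive ports that fall inside the rule's port range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):        # icmp etc. carry no port
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def audit_security_groups(groups):
    """Return one finding per (group, sensitive port) reachable from anywhere."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not rule_is_world_open(perm):
                continue
            for port in sorted(sensitive_ports_covered(perm)):
                findings.append({
                    "group": group["GroupId"],
                    "port": port,
                    "service": SENSITIVE_PORTS[port],
                    "fix": "restrict the source CIDR to trusted addresses",
                })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['group']}: port {f['port']} ({f['service']}) open to the world")
```

The web group produces no finding because a public HTTPS listener is expected, the admin group is flagged for SSH over IPv4 and RDP over IPv6 but not for the Postgres rule scoped to 10.0.0.0/8, and the "all traffic" group is flagged for every sensitive port at once. Feeding the output of `aws ec2 describe-security-groups` into `audit_security_groups` turns this into a periodic check on the client's half of the shared responsibility model.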
As we saw in the previous section about famous Amazon security breaches, in most of these cases the responsibility lay with the customer rather than, wholly or partially, with AWS. Regardless, AWS is committed to offering security tools and effective measures to further simplify and fortify security across its entire repertoire of cloud services. These efforts include AWS Security Hub and AWS Secrets Manager, along with all the other Amazon security aspects we covered in a previous section.
Next, we are going to review some more efforts and AWS security best practices to safeguard data and software.
AWS security best practices
A great example of how AWS addresses security to help companies avoid data breaches is the rollout of new and updated security features to prevent accidental data exposure from misconfigured S3 storage buckets. Back in November 2018, AWS deployed an update that gives account owners four new options inside their S3 dashboards under the “Public access settings for this account” section - these options allow the owner to set a default access setting for all of an account’s S3 buckets and override existing or newly-created bucket-level access control lists and policies. This example shows that AWS is constantly overseeing and executing new methods to prevent owners from accidentally opening S3 buckets and data to the public through configuration errors at the app/bucket level. In essence, AWS now offers a simple method to lock down data stored in S3 and a way to notify system administrators about storage buckets set to public access by using a label system in the file-browsing dashboard.
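To make the four settings concrete, the following added example (written for this article, not AWS code) reproduces offline the two exposure paths they govern: a bucket policy that grants to everyone, and an ACL grant to the AllUsers or AuthenticatedUsers groups. The setting names and the ACL group URIs are the real ones AWS uses; the bucket policies, ACLs and the account ID are constructed. The assessment also shows which of the four settings neutralises an exposure that already exists, as opposed to merely blocking a new one from being written.

```python
"""Check whether an S3 bucket is effectively public, the way the Block
Public Access settings reason about it.

Added example for this article, not AWS code. The bucket policy, ACL and
account ID below are constructed; the setting names and the ACL group URIs
are the real ones AWS uses.
"""
import json

# Canned ACL groups whose grants make a bucket or object public.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four Block Public Access settings (account level or bucket level).
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_BLOCK = {k: True for k in NO_BLOCK}

# Constructed bucket policy that grants read to everyone (no Condition).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::public-logs/*"}]})

# Constructed policy scoped to one (placeholder) account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::private-data/*"}]})

PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"}]}


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_doc):
    """Allow statements for any principal with no Condition: the unambiguous
    core of AWS's 'public' definition (some conditions also count as public)."""
    statements = json.loads(policy_doc).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _principal_is_everyone(s.get("Principal"))
            and not s.get("Condition")]


def public_acl_grants(acl):
    """Grants to the AllUsers or AuthenticatedUsers groups."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]


def assess_bucket(name, policy_doc, acl, block):
    """Findings for grants that still expose the bucket given its Block
    Public Access settings. RestrictPublicBuckets neutralises an existing
    public policy and IgnorePublicAcls neutralises existing public ACL
    grants; the two Block* settings only stop new ones being written."""
    findings = []
    if policy_doc and public_policy_statements(policy_doc) \
            and not block.get("RestrictPublicBuckets"):
        findings.append({"bucket": name, "via": "policy",
                         "fix": "enable RestrictPublicBuckets; scope Principal"})
    if public_acl_grants(acl) and not block.get("IgnorePublicAcls"):
        findings.append({"bucket": name, "via": "acl",
                         "fix": "enable IgnorePublicAcls; remove the group grant"})
    return findings


if __name__ == "__main__":
    print(assess_bucket("public-logs", PUBLIC_POLICY, PUBLIC_ACL, NO_BLOCK))
    print(assess_bucket("public-logs", PUBLIC_POLICY, PUBLIC_ACL, HARDENED_BLOCK))
```

With all four settings off, the constructed "public-logs" bucket is reported as exposed through both its policy and its ACL; with the hardened settings the same grants are inert, which is exactly the account-wide override the November 2018 feature introduced. The private bucket is clean either way. Enabling the settings is the quick fix, but the grants should still be removed so the bucket does not become public again if someone later relaxes the account-level default.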
Next, we are going to review three additional AWS cloud security best practices and services from AWS to fortify their security offerings.
AWS Intrusion Detection System and Intrusion Prevention System
AWS has in place services and third-party solutions for the Elastic Compute Cloud (EC2), including Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) solutions to help protect EC2 instances. These solutions alert administrators to malicious activity and policy violations, on top of identifying and taking action against attacks. By leveraging these services and third-party solutions, clients can filter web traffic based on rules to secure inbound and outbound communications, and scan and monitor network traffic, endpoints, and instances to detect poorly protected areas, assess threats, and take proper measures.
AWS Firewall
AWS Web Application Firewall (WAF) is a service that protects web applications from web exploits that can affect the overall availability, security, and consumption of resources. Through AWS WAF, clients can allow or block web requests with customizable security rules that block common attack patterns such as SQL injection or cross-site scripting.
AWS WAF can filter traffic based on IP addresses, HTTP headers, HTTP body, URI strings, and more. It is easily configurable via the AWS Management console where clients can determine rules to increase security in the development chain.
Increased security stability by replication between regions
Amazon S3 offers Cross-Region Replication (CRR), a “bucket-level feature that enables automatic, asynchronous copying of objects across buckets in different AWS Regions.” The accompanying CRR Monitor allows clients to monitor the replication status of S3 objects across different AWS regions, providing near real-time metrics to identify failures and troubleshoot them accordingly.
Compliance through regulatory and data placement requirements
Moving data to the cloud in a compliance-friendly way can be a challenging task for many industries and organizations that are hesitant about how cloud infrastructure providers, such as AWS, tackle this fundamental building block aspect of business strategy.
For this situation, AWS offers a comprehensive suite of services and resources to ensure regulatory compliance through its Compliance Resources portfolio, which we encourage you to review in detail.
And that’s not all. AWS is a solution robust enough to cover many aspects of compliance to put the collective minds of clients at ease. From data residency and data placement to the GDPR, AWS has shown it is capable of addressing compliance in numerous ways.
Let’s clarify some concepts:
- Data residency: all customer content processed and stored in an IT system must be located within a country’s borders.
- Data placement: All data-movement related activities, from transferring, staging, replicating, allocating, de-allocating, registering/unregistering, locating, and retrieving data.
- GDPR: Europe’s General Data Protection Regulation (GDPR) protects the right to privacy and the personal data of European Union data subjects.
Now, how exactly does AWS help organizations ensure compliance with their regulatory obligations? To begin, AWS holds numerous certifications and attestations, and aligns with a long list of programs, laws, regulations, and frameworks, to guarantee clients a safe environment for their business. You can learn more about the numerous compliance programs that AWS is a part of here.
On top of these certifications and accreditations, AWS provides numerous features and services that help clients be compliant. These features, which we covered in the previous section on security aspects, also include multi-factor authentication, API-Request authentication, geo-restrictions, compliance auditing, and more.
AWS maintains a high bar of security and compliance across their global operations by demonstrating compliance with stringent international and local security standards for cloud security and privacy. To name a few, AWS is ISO 27017 and ISO 27018 compliant. Additionally, they have compliance enablers such as the AWS Artifact, Amazon Data Centers, the AWS Compliance Center, and Amazon GuardDuty.
AWS Security: Final thoughts
For AWS, protecting the security of the platform from potential threats is a complex and oftentimes daunting task that requires specialized skills and resources - but it is necessary in order to provide an outstanding solution for its many clients.
As we mentioned before, companies are accelerating the pace at which they move sensitive data to AWS to gain the scale, cost savings, innovation, and speed advantages of moving to the cloud. With this much volume in transit, attackers find it attractive to target AWS, but the tech giant is certainly ready for battle with their many offerings in terms of tools and resources to help clients reduce security risks and enforce proper protocols to safeguard data and applications.
One of the main takeaways we want you to gain by reading this article is that even though AWS provides you with the tools, resources, and enablers to secure cloud environments, it is, in large part, up to the client to utilize them.