Winter is coming
In the ever-evolving landscape of cloud computing, ensuring robust security measures has never been more important. In the new ISO 27001:2022 standard, there is a new requirement for organisations to establish control of their Cloud services, which includes every flavor of cloud from Software as a Service (SaaS) to Platform as a Service (PaaS).
Amazon Web Services (AWS) is a leading cloud services provider. As you might expect, it has introduced the “AWS Well-Architected Framework”, which comprises six key pillars to help organisations build high-performing, resilient, efficient, and secure infrastructure.
The AWS 6 Pillars Architecture: A Brief Overview
The AWS Well-Architected Framework is a comprehensive set of best practices and guidelines designed to help organizations build and maintain secure, high-performing, and resilient cloud-based solutions. The framework encompasses six key pillars:
Operational Excellence – Focuses on delivering business value through operational processes, emphasizing automation, monitoring, and iterative improvement.
Security – Addresses the implementation of strong security measures to protect data, systems, and assets from unauthorized access, breaches, and other potential threats.
Reliability – Ensures that systems operate with minimal downtime, providing consistent performance even in the face of failures.
Performance Efficiency – Aims to optimize resource utilization to deliver maximum performance at the lowest cost.
Cost Optimization – Focuses on controlling costs and maximizing the return on investment (ROI) of resources deployed in the cloud.
Well-Architected Review (WAR) – Involves an in-depth evaluation of an architecture against the best practices outlined in the five pillars, providing recommendations for improvement.
For most of us reading this post, our eyes will be drawn to the Security Pillar, as it plays a pivotal role in safeguarding data, applications, and systems from potential threats. We will delve into the relevance of the AWS 6 Pillars architecture, with a special emphasis on the Security pillar, and explore how it extends its benefits beyond AWS environments.
However, I urge you to recognise and assess each of these pillars within your approach to Security because if we are to successfully protect a business, we need to understand it better. In order to do this, we need to sell the benefits of good security, and by focusing on the other pillars, we might just do that.
But first, let’s take a longer look at the significance of the Security Pillar.
Sleeping soundly; The 6th Pillow
Of the six pillars, the Security pillar is particularly crucial in the face of the increasing number of cyber threats. It encompasses seven best practices and strategies to protect data, systems, and applications. These include:
Identity and Access Management (IAM)
Implementing strict controls over user permissions and access rights ensures that only authorized personnel can interact with resources. This helps prevent unauthorized access and misuse of critical data. IAM actually falls into two distinct categories:
- Identity Management
- Permissions Management
How are you granting access to your environment? Are you sharing accounts and authentication details to cut costs? Knowing who is accessing your systems, and what they can do when they are there, are possibly the most important steps you can take in securing your data. In fact, one could argue that this should be the second step in any strategy for protecting your organization. The first step is knowing where your data is.
Once you have identified who is accessing the data, you need to establish a process for implementing access control on a “need-to-know” basis.
AWS refers to this as “Detection” and states that it consists of two parts: the detection of unexpected or unwanted configuration changes and the detection of unexpected behavior.
The question you need to ask is, how are you logging activity on your networks and systems? Going back to the IAM principle, who has the authority to make changes, and how will you know when this happens? This is why many organisations are looking closely at the principle of “Zero Trust”, where everything must be verified, verifiable, and therefore, ultimately traceable.
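The two kinds of detection described above, as an added example that is not part of the original article or of any AWS tooling: it checks configuration-changing events against a list of who holds authority for each change, and flags principals seen from an unusual number of source addresses. The field names follow the AWS CloudTrail record format; the account ID, principals, `CHANGE_AUTHORITY` policy and the `max_sources` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed records using CloudTrail field names; not real log data.
ACCT = "arn:aws:iam::111122223333"
EVENTS = [
    {"eventTime": "2024-01-10T09:00:00Z", "eventName": "DescribeInstances", "readOnly": True,
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": f"{ACCT}:user/alice"}},
    {"eventTime": "2024-01-10T09:05:00Z", "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": f"{ACCT}:role/network-admin"}},
    {"eventTime": "2024-01-10T09:20:00Z", "eventName": "PutBucketPolicy", "readOnly": False,
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"arn": f"{ACCT}:user/alice"}},
    {"eventTime": "2024-01-10T09:30:00Z", "eventName": "StopLogging", "readOnly": False,
     "sourceIPAddress": "192.0.2.44", "userIdentity": {"arn": f"{ACCT}:user/alice"}},
]

# Assumed policy: which principals hold authority for each kind of change.
CHANGE_AUTHORITY = {
    "AuthorizeSecurityGroupIngress": {f"{ACCT}:role/network-admin"},
    "PutBucketPolicy": {f"{ACCT}:role/storage-admin"},
    "StopLogging": set(),  # nobody may switch off the audit trail
}

def unexpected_changes(events, authority):
    """Return write events whose actor lacks authority for that change."""
    findings = []
    for ev in events:
        if ev.get("readOnly"):
            continue  # read-only calls do not change configuration
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        # A change type missing from the policy is treated as unauthorised.
        if actor not in authority.get(ev["eventName"], set()):
            findings.append((ev["eventTime"], ev["eventName"], actor))
    return findings

def multi_source_principals(events, max_sources=2):
    """Principals seen from more source IPs than expected (possible shared credentials)."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["userIdentity"]["arn"]].add(ev["sourceIPAddress"])
    return sorted(arn for arn, ips in seen.items() if len(ips) > max_sources)

if __name__ == "__main__":
    for finding in unexpected_changes(EVENTS, CHANGE_AUTHORITY):
        print("unexpected change:", finding)
    print("multiple sources:", multi_source_principals(EVENTS))
```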
Apply security at all layers
Utilizing firewalls, Virtual Private Cloud (VPC) configurations, and other network-level controls helps create secure boundaries around resources, mitigating the risk of unauthorized access. This is simply “Secure by Design” or “Defense in Depth.”
Knowing and remembering that there is no such thing as “100% secure,” we increase our chances if we think about the different layers of our organisation and implement security at every level, thereby reducing the likelihood of a successful attack.
Automate security best practices
Where possible, you should use well-defined and managed code, templates, policies, and automated tools. This reduces error rates and performance issues. Automated software-based security mechanisms also improve your ability to securely scale more rapidly and cost-effectively.
This is one of the reasons I believe that ISO27001:2022 introduced the new control around Configuration Management (Annex A – 8.9), which states:
“Configurations, including security configurations, of hardware, software, services, and networks should be established, documented, implemented, monitored and reviewed.”
The idea behind the principle (and the control) is to remove the chances of human error.
Protect data in transit and at rest
Applying encryption tools to data is important, and relatively easy these days. But which data? Is it ALL data? Perhaps.
It makes sense, though, to develop a “data classification scheme” so that you know how data should be handled: classify your data into sensitivity levels and use appropriate mechanisms, such as encryption, tokenization, and access control, to protect it.
Remember that not all controls need to be technical. For example, you might employ a simple “lock and key” to protect data behind a door, away from prying eyes. Your security strategy needs to think about data protection at every level and in every form.
Keep people away from data
This is an interesting principle, but it is about using mechanisms and tools to reduce or eliminate the need for direct access or manual processing of data. Think about how you can reduce the likelihood of the mishandling or modification of data or of human error. This again leans heavily on the idea of automation and access control so that you are not placing unnecessary burdens on your teams.
This is where quality management comes in. How knowledgeable are you in LEAN or Six Sigma principles? How about ISO9001, the quality management system? By improving processes, you are likely to reduce the likelihood of defects, errors and data breaches.
Incident Response and Disaster Recovery
Establishing robust incident response plans and disaster recovery mechanisms ensures a swift and effective response in the event of a security breach or system failure. This is something we’ve known for a long time, but while many of us focus on the disaster recovery aspect of security, not many focus on Incident Response.
Where we do focus on this, we tend to focus on OUR response, i.e., the Security Team’s response. But, what about the senior management team? Are they aware of their responsibilities? When was the last exercise where you involved the senior leadership team?
Get them involved in an exercise, see where they focus their attention, and see what assumptions are being made.
Conclusion: AWS and Beyond
While the AWS Well-Architected Framework is designed to optimize AWS environments, the principles outlined in the Security pillar can be applied beyond the AWS ecosystem.
Take away the “AWS” label, and what Amazon has provided is a well-thought-out set of principles that we can all learn from. But I am going to suggest that it is AWS's over-arching six principles that we should all take seriously and pay close attention to.
You may have noticed that the Amazon logo has an image resembling a smile under it. In fact, this smile is an arrow highlighting the fact that they offer products from “A” to “Z.” If we apply the same philosophy here, they’re providing a framework that goes beyond AWS and covers all environments. With careful consideration, we can all achieve the same with our security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.