Securing public clouds such as Amazon Web Services (AWS) poses unique challenges for cloud network security, because the physical infrastructure sits in AWS data centers and is controlled by AWS, not by the customer.
Security in Amazon Web Services, like most public cloud security, operates using a shared-responsibility model. According to AWS, “When you move computer systems and data to the cloud, security responsibilities become shared between you and your cloud service provider. In this case, AWS is responsible for securing the underlying infrastructure that supports the cloud, and you’re responsible for anything you put on the cloud or connect to the cloud.”
AWS is responsible for protecting the global infrastructure that runs all of the services in the AWS cloud, as well as the security configuration of its products that are considered managed services. Examples of managed services include Amazon DynamoDB, Amazon RDS, and Amazon Redshift.
AWS customers, however, are responsible for managing their own credentials and user accounts. According to AWS, it is the customer's responsibility, not AWS's, to manage the infrastructure under their control – the resources that fall under Infrastructure-as-a-Service (IaaS), such as Amazon EC2, Amazon VPC, and Amazon S3.
Securing Your Workloads and Firewalls in AWS
According to AWS, the IT infrastructure that AWS provides is managed in alignment with security standards including SOC 1, SOC 2, and SOC 3, FISMA and FedRAMP, PCI DSS, ISO 27001, as well as many other regulations and standards. This helps ensure cloud compliance and data security.
However, security is about more than just compliance. Amazon VPC “supports a complete firewall solution enabling filtering on both ingress and egress traffic from an instance. The default group enables inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by any IP protocol, by service port, as well as source/destination IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).”
Cloud providers’ built-in controls, such as security groups and network ACLs, shape your security posture. The need to protect cloud assets, such as virtual machines, RDS instances, and Lambda functions, leads to network complexity, which increases the likelihood of misconfigurations, and misconfigurations introduce security risks. AWS also allows integration with next-generation firewalls and intrusion prevention systems from third-party security vendors such as Check Point, Palo Alto Networks, and Fortinet. These are an important part of your network security, but when multi-vendor firewalls are part of your AWS or hybrid environment, managing each of them through its vendor’s standalone management tool creates a fractured and risky environment.
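As an added illustration (not part of the original page or AlgoSec's product), the following Python script walks security group rules in the shape returned by the EC2 DescribeSecurityGroups API and flags the classic misconfiguration described above: an ingress rule that admits any source (0.0.0.0/0 or ::/0) to an administrative or database port, or to all traffic. The group ids and the set of "sensitive" ports are constructed assumptions; a rule that only references another security group (like the default group's self-reference) is never flagged.

```python
import ipaddress

# Which ports count as "sensitive" is a policy choice; this set is constructed for the example.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}

def is_any_source(cidr):
    """True for a CIDR that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def risky_ingress_rules(security_groups):
    """Return (GroupId, exposed service, source) triples for ingress rules that admit
    any source to a sensitive port or to all traffic. Input mirrors the IpPermissions
    structure of the DescribeSecurityGroups response; rules that only reference other
    security groups (UserIdGroupPairs) carry no CIDR source and are skipped."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in filter(is_any_source, sources):
                if perm["IpProtocol"] == "-1":  # "-1" means every protocol and port
                    findings.append((sg["GroupId"], "all traffic", src))
                    continue
                lo, hi = perm["FromPort"], perm["ToPort"]
                for port, name in SENSITIVE_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((sg["GroupId"], f"{name}/{port}", src))
    return findings

# Constructed sample: a default-style group that only trusts itself, a web group exposing
# only HTTPS, and two misconfigured groups. GroupIds are placeholders, not real identifiers.
SAMPLE_GROUPS = [
    {"GroupId": "sg-default0", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-default0"}]}]},
    {"GroupId": "sg-web00000", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-admin000", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-open0000", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for group_id, service, src in risky_ingress_rules(SAMPLE_GROUPS):
        print(f"{group_id}: {service} open to {src}")
```

Pointing the function at the `SecurityGroups` list from a real `describe-security-groups` call gives the same report for a live account.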
Organizations have multiple AWS cloud accounts spread across their network, including “rogue IT” accounts created without the approval of the IT and security teams. This creates numerous challenges that organizations need to face (check out how one customer was able to use AlgoSec’s Security Management Solution to gain control of unauthorized AWS accounts while supporting business agility).
Each vendor’s security policy management system also does not adequately provide holistic management or change automation for multi-vendor and multi-cloud deployments. Each firewall vendor may have its own security controls, but how are those controls integrated across your multi-vendor hybrid estate?
Managing Security in the Cloud and On-Premises Estate
To manage hybrid networks – multi-vendor, public and private cloud, and on-premises – a centralized security policy management automation solution that provides visibility and change automation across the entire network ensures clarity over that network and maintains the same security model throughout the hybrid environment.
This is where AlgoSec can help maintain a strong security posture in Amazon Web Services, other public clouds, and across your entire security estate.
How AlgoSec helps with AWS Security
With the AlgoSec Security Management Suite, including AlgoSec CloudFlow, users get visibility of their entire network estate – on-premises, in public clouds such as AWS, and in private clouds such as Cisco ACI and VMware NSX.
AlgoSec addresses AWS security concerns by delivering business-driven security management across on-premises, hybrid and multi-cloud environments. With AlgoSec, enterprises fend off AWS and other public cloud security threats by maintaining a uniform security policy across their entire network and cloud estates. From a single console, security teams can see across their on-premises and virtual networks and into all of their clouds. They obtain accurate policy change automation across their physical and virtual firewalls as well as their public cloud deployments, via cloud-vendor and third-party controls. Within AWS, AlgoSec’s CloudFlow lets AWS users manage network security controls, such as security groups, in one system across multiple clouds, accounts, regions and VPCs.
The AlgoSec approach offers numerous AWS security benefits for the enterprise:
- Central management of the complexity of the multiple layers of multi-cloud, including public and private cloud, and on-premise security controls. Manage network security controls, such as security groups, in one system across multiple clouds, accounts, regions and VPCs. Leverage a uniform network model and change-management framework that covers the hybrid and multi-cloud environment.
- AlgoSec automatically discovers, maps and migrates application connectivity to Amazon Web Services Security Group rules through easy-to-use workflows. Get a holistic view of all your cloud accounts, assets and security controls – in a single platform. As part of the AlgoSec Security Management Solution, get a full network map of your entire network estate – both on-premises and public and private clouds.
- Minimizes the attack surface by assessing every proposed network security policy change for risk before it is made, to ensure secure network access and avoid application outages. Proactively detect misconfigurations in access and other settings to protect cloud assets, including cloud instances, databases, and serverless functions. Identify risky rules and their last usage date, giving you the confidence to remove them so that you can avoid data breaches and improve your overall security posture.
AlgoSec delivers unified security policy management across traditional and next-generation firewalls deployed on-premise as well as cloud security controls to ensure that the entire enterprise environment is always secure and compliant.
Achieving Visibility and Security in AWS and across the Hybrid Network | AWS & AlgoSec Joint Webinar
As enterprises rapidly migrate data and applications to public clouds such as Amazon Web Services (AWS), they achieve many benefits, including advanced security capabilities, but also face new security challenges. AWS lets organizations operate applications in a hybrid deployment mode by providing multiple networking capabilities. To maintain an effective security posture while deploying applications across complex hybrid network environments, security professionals need a holistic view and control from a single source. Yet security is not the responsibility of the cloud providers alone. Organizations need to understand the shared responsibility model and their role in maintaining a secure deployment. While AWS’s cloud framework is secured by AWS, using the cloud securely is the responsibility of your organization’s IT and CISOs. As multiple DevOps and IT personnel make frequent configuration changes, the shared responsibility model helps achieve visibility and maintain cloud security. In this webinar, Yonatan Klein, AlgoSec’s Director of Product, and Ram Dileepan, Amazon Web Services’ Partner Solutions Architect, will share best practices for network security governance in AWS and hybrid network environments.
CSA Study: Security Challenges in Cloud Environments
Cloud computing provides improved security, agility, and flexibility. However, integrating this new service into legacy IT environments raises significant concerns.