Velocis System Pvt. Ltd.

Public Cloud Security

Secure Your Data & Business Responsibly!

Organizations around the world are focusing on shifting their workloads, applications, and services to Amazon Web Services (AWS®) and other popular cloud infrastructure-as-a-service (IaaS) providers. Gartner® predicts that out of the global enterprises already using cloud today, over half will have an all-in approach to the cloud by 2021.

Do you know what lies behind the top 5 biggest security concerns? They are all based on operational error! Left exposed, these errors give an attacker an opportunity to enter through the gaps. This is why continuous security monitoring of your AWS assets, configuration, and infrastructure must be your priority. The good news is that you can fix these, and we’ll tell you how!

 

Let’s talk about the top AWS security concerns first:

  • Lack of asset visibility
  • Platform misconfiguration
  • Unauthorized access
  • Insecure interfaces
  • Vulnerable APIs

Risk Assessment on AWS

Analyzing security vulnerabilities has a lot to do with identifying and mitigating risk. In fact, there are even ways to score and quantify the severity of the risk. For example, the Common Vulnerability Scoring System (CVSS) provides a way to characterize vulnerabilities and quantify severity with a numerical score. Translating this quantitative score into qualitative representations of risk such as low, medium, and high can help assess and prioritize risk. To be able to understand the security risks at that level, you should select a risk assessment methodology based on input from groups in your organization around the following factors:

[Figure: AWS cloud security requirements]

Cloud infrastructure operates differently from legacy environments, so it is critical to set criteria for accepting risks and to identify the acceptable levels of risk (risk tolerances). We recommend starting with a risk assessment and leveraging automation as much as possible. AWS risk automation can narrow down the scope of resources required for risk management. There are several risk assessment methodologies, including OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), ISO 31000:2009 Risk Management, ENISA (European Network and Information Security Agency), IRAM (Information Risk Analysis Methodology), and NIST (National Institute of Standards & Technology) Special Publication (SP) 800-30 Rev. 1 Risk Management Guide. We suggest creating a risk register by mapping all of your assets to threats, and then creating a new risk matrix for each AWS environment based on the vulnerability assessment and impact analysis results.
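The register-and-matrix step described above, as an added example (not Velocis or AWS code): it bands CVSS base scores with the CVSS v3.x qualitative scale, crosses them with an impact rating to build one matrix per environment, and lists entries above tolerance. The asset names, scores, 1-3 impact scale, severity weights, and tolerance values are constructed assumptions.

```python
from collections import defaultdict

# CVSS v3.x qualitative severity rating scale: (lower bound, band).
CVSS_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]
# Assumed weights for the severity axis of the matrix.
SEVERITY_WEIGHT = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed risk tolerance: highest acceptable severity x impact per environment.
TOLERANCE = {"prod": 4, "dev": 8}

# Constructed risk register: each asset mapped to a threat, with the
# vulnerability assessment result (CVSS base score) and the impact
# analysis result (1 = minor, 2 = moderate, 3 = severe).
FIELDS = ("env", "asset", "threat", "cvss", "impact")
REGISTER = [dict(zip(FIELDS, row)) for row in [
    ("prod", "s3://example-customer-exports", "unauthorized access", 7.5, 3),
    ("prod", "ec2:example-bastion", "insecure interface", 5.3, 2),
    ("prod", "apigw:example-orders-api", "vulnerable API", 9.8, 3),
    ("dev", "ec2:example-build-runner", "platform misconfiguration", 8.1, 1),
    ("dev", "s3://example-test-fixtures", "unauthorized access", 3.1, 1),
]]

def cvss_band(score):
    """Translate a CVSS base score into its qualitative band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in CVSS_BANDS:
        if score >= floor:
            return label
    return "none"

def risk_score(entry):
    """Matrix cell value: severity weight multiplied by impact rating."""
    return SEVERITY_WEIGHT[cvss_band(entry["cvss"])] * entry["impact"]

def build_matrices(register):
    """One matrix per environment: (severity band, impact) -> assets."""
    matrices = defaultdict(lambda: defaultdict(list))
    for e in register:
        matrices[e["env"]][(cvss_band(e["cvss"]), e["impact"])].append(e["asset"])
    return {env: dict(cells) for env, cells in matrices.items()}

def over_tolerance(register, tolerance):
    """Entries whose score exceeds their environment's tolerance, worst first."""
    flagged = [e for e in register if risk_score(e) > tolerance[e["env"]]]
    return sorted(flagged, key=risk_score, reverse=True)

if __name__ == "__main__":
    for e in over_tolerance(REGISTER, TOLERANCE):
        print(e["env"], e["asset"], e["threat"], cvss_band(e["cvss"]), risk_score(e))
```

Because tolerance is set per environment, the same severity band can be accepted in `dev` and flagged in `prod`.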

 

What are the Challenges?

At a high level, the top challenges in public cloud risk management are similar to those on-premises. Some of the challenges are:

  • Threat attacks, which can be volumetric, protocol-based, or application-based:
  • Protocol-based: targeting resources like EC2 and S3 over HTTPS, SSH, etc.
  • Volumetric: DDoS attacks
  • Application-based: attacks that can be mapped to the OWASP Top 10 list

Many bodies offer guidance based on the Cloud Security Alliance's simple cloud security process model, in which the key is to identify requirements, design the architecture, and then identify the gaps based on the capabilities of the underlying cloud platform. That’s why you need to know the cloud provider and architecture before you start translating security requirements into controls.

Why is cloud security auditing required? Isn’t your data already secured?

Yes and no. You need to take your data security into your own hands. Compliance, audit, and assurance should be continuous, as the current state demands. They should not be seen as merely point-in-time activities, and many standards and regulations are moving towards this model. This is especially true in cloud computing, where both the provider and the customer tend to be in constant flux and are rarely in a static state.

Cloud providers should clearly communicate their audit results, certifications, and attestations, with particular attention to:

  • The scope of assessments. 
  • Which specific features/services are covered in which locations and jurisdictions. 
  • How customers can deploy compliant applications and services in the cloud. 
  • Cloud providers must maintain their certifications/attestations over time and proactively communicate any changes in status. 
  • Any additional customer responsibilities and limitations. 
  • Cloud providers should engage in continuous compliance initiatives to avoid creating any gaps, and thus exposures, for their customers. 
  • Provide customers commonly needed evidence and artifacts of compliance, such as logs of administrative activity the customer cannot otherwise collect on their own.

As a cloud customer, you must:

  • Understand the full compliance obligations before deploying, migrating to, or developing in the cloud. 
  • Evaluate a provider’s third-party attestations and certifications and align those to compliance needs. 
  • Understand the scope of assessments and certifications, including both the controls and the features/services covered. 
  • Create and collect your own artifacts when the provider’s artifacts are not sufficient. 
  • Attempt to select auditors with experience in cloud computing, especially if pass-through audits and certifications will be used to manage the customer’s audit scope. 
  • Ensure you understand what artifacts of compliance the provider offers, and effectively collect and manage those artifacts. 
  • Keep a register of cloud providers used, relevant compliance requirements, and current status.  

Why Velocis?

We give you the vision to detect the security alarms before the threat attack. And how do we do that? Velocis, through AWS Cloud Security, enables you to always own your data, including the ability to encrypt it, move it, and manage retention, and to build on the most secure global infrastructure.
