Achieving AWS Compliance: Considerations for IT and Cloud Security Teams
Most every IT organization has wrestled with achieving regulatory compliance, meeting auditors requirements, and reporting to management and other stakeholders. Moving workloads to the cloud introduces new wrinkles to an already thorny set of problems.
For organizations moving to the Amazon cloud, it’s critical that they understand their new and changing issues and responsibilities associated with AWS compliance and AWS Security. This article highlights key concerns and considerations to help practitioners focus their time and effort.
While compliance standards and required controls vary, there are common themes. We will focus on the general, and where appropriate use examples from specific standards. Many people ask about achieving AWS PCI compliance, so we’ll draw from this standard in particular.
The biggest takeaway is this: Moving to AWS, or any public cloud provider, requires a shift in mindset. A big part of this is fully understanding what Amazon AWS does and doesn’t do with regard to compliance and security.
The Good News: Amazon Carries Some of the Burden for AWS Compliance
The good news is that Amazon takes responsibility for many cloud compliance controls. When you host your applications on-premise, you are responsible for controls related to physical security. In the cloud, Amazon handles all of this. They ensure that physical hardware and datacenters are safe, secure, and compliant. This helps meet compliance requirements for business continuity and disaster recovery.
At the software layer, Amazon protects compute, database, and storage and networking. They also provide configuration options and monitoring facilities for their customers to meet their AWS compliance requirements.
AWS Configuration Matters — Tremendously
All good so far. But this where things start to get hairy and the responsibility shifts to you, the customer. Just because Amazon provides a configuring facility, does not mean that your infrastructure will be properly configured to meet your AWS compliance requirements.
The most classic example of this relates to sensitive data stored in public S3 buckets. Amazon makes it very easy to share information with outside, which contributes to business agility and streamlines interactions between organizations. It also leads to real risk of data loss and compliance violations.
While S3 buckets can easily be locked down, there are numerous examples of misconfiguration which led to massive data loss. Look no further than Booz Allen to see how devastating this can be. In this instance of PCI-DSS, primary account numbers or other PII could easily be exposed given a simple misconfiguration.
S3 bucket misconfiguration is just one configuration vulnerability. There are myriad of other ways to misconfigure infrastructure and APIs that can lead to both cloud security and compliance risks. And infrastructure configuration is just one part of your responsibility for AWS compliance and AWS security.
Meet 99 Specific PCI Requirements with a Single Solution for On-premise, Cloud, or Hybrid Environments
The Cloud is a Bazaar, Not a Walled Garden
When considering AWS compliance and AWS security, it’s important to realize that the cloud is more like a bazaar than a walled garden. Like a merchant in a bazaar, enterprises in the cloud share common outer controls (Amazon infrastructure) but have full responsibility for protecting their individual stalls (your application or workload).
In the on-premise world, you could rely on firewalls and other access management techniques to restrict access to your applications. This walled garden approach would meet many system security requirements and satisfy auditors in most cases. In the cloud, this approach becomes incredibly complex, because infrastructure is highly dynamic, often short-lived, and easily changed. Attempting to use these legacy approaches can also lead to unexpected cloud consumption costs.
So without traditional network controls, any vulnerabilities or compliance risks that are inadvertently built into your applications can be deployed into production without any protections.
Cloud Workload Protection Platforms
In this scenario, applications must be protected in a different way to ensure compliance and security. All protections must be deployed and managed as part of the workload itself. Gartner has named this new approach to cloud security and compliance Cloud Workload Protection or CWPP. CWPP helps to insulate the enterprise from the risk of unprotected workloads, especially as workloads scale out.
Scaling also presents a unique set of challenges for AWS Security and compliance. Amazon makes it very easy for its customers to scale infrastructure and applications to meet business requirements. This is extremely convenient and enables agility and responsiveness. However, it also introduces risks that applications are released without appropriate controls and that an attack on one application can move “east-west” to compromise others, potentially exposing regulated data.
Scaling also means that if an attacker discovers a common misconfiguration or vulnerability, he can launch a massive attack against AWS and may succeed in compromising many applications. From a compliance perspective, this means that without the right tools and processes you have an unmitigated risk that did not exist on-prem.
Not everything in the cloud is different. Some controls, like file integrity monitoring (FIM), which are required by PCI-DSS, must also be used on the cloud. Enterprises may choose different solutions to meet this requirement in the cloud, but the requirement remains the same.
Summary: You Are Responsible for Security and Compliance In the Cloud
As Amazon succinctly explains here, they take responsibility for AWS security and AWS compliance of the cloud. You, the customer, must take responsibility for security and compliance in the cloud.
This requires a mindset change, proper employee training, the selection of the right tools for AWS security and AWS compliance. And unlike on-premise environments where infrastructure remains relatively stable, cloud environments scale up and down fluidly. Continuous compliance monitoring is necessary to satisfy audit and compliance reporting.
Cloud workload protection platforms (CWPP), like AtomicWP, are specifically designed to protect your workloads from attack and ensure continuous compliance. Combined with thoughtful processes and training for cloud and DevOps teams, can ensure that your organization reaps the benefits of cloud scale and flexibility while meeting compliance requirements.
As a final thought, compliance is often a primary driver for security investment. But ensuring AWS compliance will not ensure that your applications are truly secure and that your data is safe. A compliant workload can still be compromised. At Atomicorp, we believe in performance-based security. Our products are designed to ensure that your applications are truly protected from attack.