Cloud architects face several concerns regarding the ever-changing security requirements in a multi-server environment. Each layer of the cloud application architecture requires the implementation of a separate security policy. In addition to the physical security, managed by service providers, businesses also stress on maintaining network and application-level security, which requires specific tools, guidelines, and features to secure any cloud application in the Amazon Web Services environment.
This post discusses five of the best practices in maintaining security for cloud applications in an AWS-based architecture.
1. Protect Data in Transit
Any exchange of sensitive or confidential information, between a browser and a web server, requires configuration of SSL on the server instance, along with a certificate from an external certification authority such as VeriSign or Entrust. The certificate includes a public key, which authenticates the server to the browser and assists in creating the shared session key used for data encryption in both directions. Network architects must create a Virtual Private Cloud, using Amazon VPC, which enables the pre-owned, logically isolated resources within the AWS cloud to connect to resources directly to the data center using encrypted IPSec VPN connections. Additionally, they could setup an OpenVPN server on an Amazon EC2 server instance, and install the OpenVPN client on all user PCs.
2. Protect Data at Rest
Confidential and sensitive data must be encrypted (individual files), before uploading them to the cloud. Amazon EC2 offers file encryption based on the operating system. EC2 instances running with Windows use the in-built Encrypting File System (EFS) to handle the encryption and decryption of files and folders automatically, thus encrypting individual files instead of the entire file system. Open source products such as TrueCrypt are used herein to encrypt an entire volume. Linux- based Amazon EC2 instances mount EBS volumes using encrypted file systems using multiple approaches such as EncFS, Loop-AES, dm-crypt, and TrueCrypt. Likewise, OpenSolaris based EC2 instances use ZFS Encryption Support. Regardless of the chosen operating system or technology, along with accomplishing data encryption, it’s imperative to manage the keys used to encrypt the data, as well as disaster protection of the data. For the latter, it’s advisable to take periodic snapshots of Amazon EBS volumes. These snapshots are incremental in nature and are stored on Amazon S3 (at a separate geo-location) and can be easily restored.
3. Protect Your AWS Credentials
There are two types of security credentials associated with AWS: access keys and X.509 certificates. Furthermore, the AWS access key has two parts: personal access key ID and secret access key. One has to use the secret access key to calculate a signature to be included in the authentication request while using the REST or Query API. It is also advisable, not to embed the AWS credentials within the Amazon Machine Image (AMI), if the running processes, require communication with other AWS web services.Instead, credentials should be passed in as arguments during launch and encrypted before being sent over the connection, or the organization must incorporate a key rotation mechanism into the application architecture, to ensure that compromised keys can’t last forever. Alternately, X.509 certificates could be used for authentication to AWS services. The certificate file contains the public key ID in the body of a base64 encoded DER certificate, while a separate file contains the corresponding base64 encoded PKCS#8 private key.
4. Manage Multiple Users with Identity Access Management
Identity and Access Management (IAM) in the AWS, enable the administrators to create multiple users and manage the permissions for each user. Users have an identity with unique security credentials, to access AWS Services within the AWS Account. IAM negates the need for password sharing or access keys and makes the enabling or disabling a user’s access easy. IAM is integrated into most of the AWS Services as one of the native features. As a security policy, it’s advisable to minimize the usage of the AWS Account credentials during interactions with AWS services, and use IAM User credentials instead.
5. Protect Your Applications
Each Amazon EC2 instance is secured by one or multiple security groups, which are sets of rules specifying which incoming network traffic should be allowed onto your application instance. Network administrators can specify ICMP types and codes, TCP and UDP ports along with source addresses.While security groups provide base level firewall-like protection for running instances, incoming traffic could be restricted by configuring software-based firewalls on the application instances. Operating systems such as Windows instances could use the built-in firewall, while Linux instances could use netfilter and iptables.
Standard security practices such as robust coding practices and isolation of sensitive data need implementation in AWS-based architecture. Cloud architecture abstracts the complexity of the physical security and offers control through tools and features, to secure application instances. Not only this, errors need to be discovered and fixed through code patches, over time to ensure smooth functioning of the application. At i2k2 Networks, our high-quality consultants ensure that your business gets the most out of cloud computing through Amazon web hosting services. To learn more about our services, call us at +91-120-466 3000 or fill our contact form. We will get back to you to answer your questions.