Demystifying Security on AWS Cloud

January 22, 2020

Data breaches are very expensive affairs. To be more precise, Rs 12.8 crore was the average cost that data breaches caused for Indian organizations during the time frame of July 2018 to April 2019 (Cost of a Data Breach Report, conducted by the Ponemon Institute and IBM). Close to 70 percent of Indian organizations are at risk of a data breach, according to another report from Frost & Sullivan.

Set alongside the growing adoption of the cloud model, these facts make for an even more complicated scenario. Security is the pillar of cloud architecture and is critical to the success of any cloud workload. As the cloud market leader, AWS has been at the forefront of helping its customers meet core security and compliance requirements. At the same time, security on the cloud remains one of the most misinterpreted concepts.

In the initial years, security concerns stood in the way of organizations embracing the cloud, until IT professionals found that cloud security could actually be better than what they ran on-premises. Nevertheless, some recent high-profile cloud breach incidents have brought cloud security back into focus and raised a very important question: who is responsible for cloud security?

That is when we started hearing about the "shared responsibility" model, which essentially draws the line where responsibility for security shifts from the provider to the customer. AWS has been championing the shared responsibility model for quite some time now.

In simple terms, AWS defines it as 'security of the cloud' and 'security in the cloud.' AWS takes full responsibility for security of the cloud: protecting the infrastructure that runs all of the services offered in the AWS Cloud. Security in the cloud, however, is the customer's responsibility, and its scope depends on which cloud services the customer selects: with an EC2 instance the guest OS, patching and network configuration are the customer's to secure, whereas a managed service takes more of that on. The diagram below brings more clarity:


Demystifying security on AWS Cloud : Image Source – AWS

The 'Security OF the Cloud' part is fairly straightforward, and AWS provides some of the best-in-class security features in the industry. But it is the customer who ultimately defines 'security IN the cloud.' How do you get that right?

AWS recommends approaching security from a data perspective rather than compartmentalizing it into on-premises and off-premises security. To achieve this, the cloud provider advises organizations to focus on three broad categories:

Data classification and security-zone modeling: How you classify data not only decides your security posture but can also be critical to bringing the much-touted cloud benefits like agility and flexibility into the environment. It is important to add the right level of fidelity to your data classification model, and the data security control models must be designed to match the varying degrees of sensitivity the data carries. The data classification model can then be combined with a 'security zone', a well-specified network perimeter that protects all the critical assets.

Defense in depth: This model focuses on a layered security control environment so that one control still holds if another fails. In today's dynamic technology and business landscapes, it is critical to have both preventive and detective security measures, which AWS emphasizes in its Cloud Adoption Framework. Preventive controls cover aspects like IAM, infrastructure security, and encryption/tokenization. On the detective side, organizations should prioritize detecting unauthorized traffic, configuration drift, and fine-grained audits.

Swim-lane isolation: Swim-lane isolation looks at security from a business domain-driven design and recommends approaching the security of the data stores attached to each microservice from the context of its business domain. This helps ensure that sensitive data from one microservice domain does not leak out through another.
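The detective controls named under defense in depth (unauthorized traffic, configuration drift, audit) and the swim-lane rule above can both be expressed as checks over CloudTrail events. The following is an added example, not code from the original post or from AWS: it runs a handful of rules over constructed, CloudTrail-shaped sample records. The SWIM_LANES map (which service role may touch which DynamoDB table) and every ID and ARN in SAMPLE_EVENTS are hypothetical; only the field layout (eventName, userIdentity.arn, requestParameters) follows the CloudTrail record format.

```python
"""Detective-control rules over CloudTrail-shaped events (constructed example)."""

# Hypothetical swim-lane map: each service role may touch only its own tables.
SWIM_LANES = {
    "orders-service": {"orders"},
    "payments-service": {"payments-ledger"},
}
WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_GRANTEES = ("/global/AllUsers", "/global/AuthenticatedUsers")
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "DisableKey", "ScheduleKeyDeletion"}


def ingress_cidrs(params):
    """Yield every CIDR in an AuthorizeSecurityGroupIngress request body."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        for r in perm.get("ipRanges", {}).get("items", []):
            yield r.get("cidrIp")
        for r in perm.get("ipv6Ranges", {}).get("items", []):
            yield r.get("cidrIpv6")


def role_name(event):
    """arn:aws:sts::<acct>:assumed-role/<role>/<session> -> <role>; else None."""
    arn = event.get("userIdentity", {}).get("arn", "")
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return None


def evaluate(event):
    """Return (rule, detail) findings for one event; empty list if benign."""
    findings = []
    name = event.get("eventName")
    params = event.get("requestParameters") or {}

    # Unauthorized traffic: a security-group rule opened to the whole internet.
    if name == "AuthorizeSecurityGroupIngress":
        for cidr in ingress_cidrs(params):
            if cidr in WORLD:
                findings.append(("open-ingress", f"{params.get('groupId')} opened to {cidr}"))

    # Configuration drift in the audit layer: a trail or KMS key being switched off.
    if name in AUDIT_TAMPERING:
        findings.append(("audit-control-drift", name))

    # Public S3 ACL grant: drift away from the intended security-zone model.
    if name == "PutBucketAcl":
        acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
        for grant in acl.get("Grant", []):
            uri = grant.get("Grantee", {}).get("URI", "")
            if uri.endswith(PUBLIC_GRANTEES):
                findings.append(("public-bucket-acl",
                                 f"{params.get('bucketName')}: {grant.get('Permission')} to {uri}"))

    # Swim-lane violation: a service role reaching a data store outside its domain.
    role = role_name(event)
    table = params.get("tableName")
    if role in SWIM_LANES and table and table not in SWIM_LANES[role]:
        findings.append(("swim-lane-violation", f"{role} called {name} on {table}"))

    return findings


def scan(events):
    """Run every rule over a list of events -> [(eventID, (rule, detail)), ...]."""
    return [(e["eventID"], f) for e in events for f in evaluate(e)]


# Constructed sample events (not real CloudTrail output; IDs and ARNs are made up).
USER = {"arn": "arn:aws:iam::123456789012:user/alice"}
ORDERS_ROLE = {"arn": "arn:aws:sts::123456789012:assumed-role/orders-service/i-0abc"}
SAMPLE_EVENTS = [
    {"eventID": "ev-1", "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": USER,
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "ev-2", "eventName": "StopLogging", "userIdentity": USER,
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventID": "ev-3", "eventName": "GetItem", "userIdentity": ORDERS_ROLE,
     "requestParameters": {"tableName": "payments-ledger"}},   # outside its swim lane
    {"eventID": "ev-4", "eventName": "GetItem", "userIdentity": ORDERS_ROLE,
     "requestParameters": {"tableName": "orders"}},            # benign, own table
    {"eventID": "ev-5", "eventName": "PutBucketAcl", "userIdentity": USER,
     "requestParameters": {"bucketName": "customer-exports", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Grantee": {
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}}}},
]

if __name__ == "__main__":
    for event_id, (rule, detail) in scan(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}: {detail}")
```

The rules are deliberately stateless so they can run on each event as it arrives (for instance from a CloudTrail-to-EventBridge feed); the swim-lane map is the piece you would generate from your domain model rather than hand-maintain, and the preventive counterpart is an IAM policy per service role that only names that lane's tables, so the detective rule fires only when the preventive control has been weakened.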

Summary
Cloud service providers like AWS have been investing heavily in public cloud security. But ultimately, the customers are equally responsible for the security of their data. In today’s cloud-driven world, look beyond the traditional tools and methods of securing data, and reassess your security postures and strategies.

[Recommended Reading: AWS Security – What Makes Misconfiguration Critical? ]
