Seven ways to ensure data security in the AWS cloud
Code Spaces, a company providing DevOps application management and hosting services, recently suffered a denial-of-service attack. The attacker also gained access to the company's AWS control panel and deleted its data, and Code Spaces had to shut down its hosting service. The case should make every AWS customer think about how the security of their own AWS account is ensured.
NetworkWorld's Brandon Butler published a blog post with seven suggestions. The following is a translation of that post:
Next we will introduce how to ensure security when using the AWS cloud, or indeed any IaaS cloud.
When using cloud computing, you must understand that the provider's security protection does not cover all of your workloads. AWS describes this as the "shared responsibility" model: AWS secures its physical data centers and the underlying infrastructure, while everything the customer runs on top of it (virtual machines, the contents of storage, and even the security functions themselves) is the customer's responsibility. Whether security measures are actually implemented on top of the AWS infrastructure is up to the customer.
1. Enable two-factor or multi-factor authentication (MFA)
Enabling two-factor authentication (2FA) is a common way to prevent attackers from taking over your account. Two-factor authentication requires two forms of verification at login, for example the password you set plus a one-time code. AWS provides MFA free of charge, adding a layer of protection beyond the user name and password. After MFA is enabled, when a user logs on to the AWS website the system asks for the user name and password (the first factor, something the user knows) and then for the authentication code from the user's AWS MFA device (the second factor, something the user has). Together these factors give your AWS account settings and resources a much higher level of protection.
Two-factor authentication is only one layer of protection. Beyond it, it is important to protect the confidentiality of the enterprise's cryptographic keys. AWS offers several forms of key protection, including a hardware security module (HSM) service whose purpose is to help the enterprise manage and protect its keys.
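Turning MFA on for each user is only half of the control: the account's IAM policies also have to refuse destructive calls that arrive without an MFA-authenticated session. The following is an added example, not code from the original post or from AWS. It is a deliberately small model of IAM policy evaluation (Effect, Action wildcards, and the Bool/BoolIfExists condition operators only; real IAM has many more features) that is just enough to show why the real `aws:MultiFactorAuthPresent` condition key must be written with `BoolIfExists`: requests signed with long-term access keys carry no such key at all, so a plain `Bool` check silently lets them through. The policy documents and action list are assumptions made for the example.

```python
"""Model of IAM policy evaluation for the aws:MultiFactorAuthPresent condition.

Added example: a simplified evaluator (Deny overrides Allow, Action wildcards,
Bool / BoolIfExists conditions). Not the real IAM engine.
"""
from fnmatch import fnmatchcase

# The policy many accounts start with: full access, no MFA requirement.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Assumed list of calls an attacker with console access would use to destroy data.
DESTRUCTIVE_ACTIONS = ["ec2:TerminateInstances", "ec2:DeleteSnapshot", "ec2:DeleteVolume",
                       "s3:DeleteBucket", "s3:DeleteObject", "rds:DeleteDBInstance"]


def mfa_policy(operator):
    """Full access, but destructive calls are denied unless the session used MFA.
    `operator` is the condition operator applied to aws:MultiFactorAuthPresent."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Effect": "Deny", "Action": DESTRUCTIVE_ACTIONS, "Resource": "*",
             "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


HARDENED_POLICY = mfa_policy("BoolIfExists")  # also fires when the key is absent
MISTAKEN_POLICY = mfa_policy("Bool")          # common mistake: absent key never matches

# Request contexts. Long-term access keys carry no MFA key at all.
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}
PASSWORD_ONLY_SESSION = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY_REQUEST = {}


def _condition_matches(condition, context):
    """True when every condition in the statement matches the request context."""
    for operator, pairs in (condition or {}).items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        if base != "Bool":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue      # ...IfExists: a missing key satisfies the condition
                return False      # plain operator: a missing key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _action_matches(statement_actions, action):
    patterns = statement_actions if isinstance(statement_actions, list) else [statement_actions]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_allowed(policy, action, context):
    """IAM order of evaluation: any matching explicit Deny wins, otherwise an
    Allow is required, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for label, policy in [("weak", WEAK_POLICY), ("mistaken", MISTAKEN_POLICY),
                          ("hardened", HARDENED_POLICY)]:
        for ctx_label, ctx in [("mfa", MFA_SESSION), ("password", PASSWORD_ONLY_SESSION),
                               ("access-key", ACCESS_KEY_REQUEST)]:
            verdict = "ALLOW" if is_allowed(policy, "s3:DeleteBucket", ctx) else "deny"
            print(f"{label:9} policy, {ctx_label:10} caller: s3:DeleteBucket -> {verdict}")
```

Run it and the `mistaken` row shows the gap: an attacker holding a leaked access key can still delete the bucket, because the `Bool` form of the Deny never matches a request in which the MFA key is absent. The `hardened` row denies both the password-only console session and the access-key request, while read calls such as `s3:GetObject` stay allowed in every case.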
2. Monitor for suspicious activity
Raising the barrier for attackers and unauthorized users is not enough; you also need to know when one of them gets in. The AWS Marketplace offers a number of tools that help detect intrusions by attackers and unauthorized users.
AWS launched CloudTrail in 2013 (at the time of the original post it was still a new service) to help users monitor for suspicious activity and analyse what happened. CloudTrail records the API calls made against your account (who made each call, when, from which IP address, and on which resource), giving you an audit log of how the account is being used.
There are also many third-party tools for detecting suspicious behaviour. Skyfence, for example, is a cloud access proxy that monitors operations on AWS. When it sees unusual behaviour, such as a user logging in at an unusual time or from an unusual IP address, Skyfence raises an alert.
3. Block unauthorized users
Once you have a tool that detects suspicious behaviour, the next step is to stop the unauthorized user. Skyfence's lockdown feature lets you lock an AWS account when an intruder is detected and require the user to verify their identity before they can reach the management console, so that changes to data in AWS can only be made by an authenticated, authorized user. In the Code Spaces case, a control of this kind could have stopped the attacker from deleting the data in the AWS cloud.
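The detection side of sections 2 and 3 can be run directly over CloudTrail records, since CloudTrail already carries the fields the text mentions (who, when, from which address, which call, and whether the console login used MFA). The following is an added example, not code from the original post, from AWS, or from Skyfence. The records are constructed to mirror the shape of CloudTrail JSON (`eventTime`, `eventName`, `sourceIPAddress`, `userIdentity`, `additionalEventData.MFAUsed`); the trusted networks, business hours and destructive-call list are assumptions for the example.

```python
"""Flag the suspicious CloudTrail activity the post describes: console logins
without MFA, root account use, calls from unknown addresses, off-hours
activity, and destructive API calls. Added example; records are constructed."""
import ipaddress
from datetime import datetime, timezone

# Constructed sample records, trimmed to the fields the rules use.
SAMPLE_RECORDS = [
    {"eventTime": "2014-06-17T09:15:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2014-06-17T03:02:11Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "Root", "userName": "root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-06-17T03:05:40Z", "eventName": "DeleteBucket",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "Root", "userName": "root"}},
    {"eventTime": "2014-06-17T14:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-06-17T11:20:05Z", "eventName": "TerminateInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2014-06-17T11:21:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "autoscaling.amazonaws.com",
     "userIdentity": {"type": "AWSService"}},
]

# Assumed office/VPN egress range (a documentation prefix, not a real address).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS_UTC = (8, 20)   # assumed: start inclusive, end exclusive
DESTRUCTIVE_CALLS = {"DeleteBucket", "DeleteObject", "TerminateInstances",
                     "DeleteSnapshot", "DeleteVolume", "DeleteDBInstance"}


def parse_time(event_time):
    return datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_trusted_ip(source, networks=TRUSTED_NETWORKS):
    """True/False for an IP address; None when the field is not an address at
    all (CloudTrail records a service name there for calls made by AWS itself)."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return None
    return any(addr in net for net in networks)


def analyze(records, networks=TRUSTED_NETWORKS, hours=BUSINESS_HOURS_UTC):
    """Return one alert dict per (rule, record) pair where the rule fires."""
    alerts = []
    for rec in records:
        identity = rec.get("userIdentity", {})
        who = identity.get("userName", identity.get("type"))
        name = rec["eventName"]
        flags = []
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            flags.append("console_login_without_mfa")
        if identity.get("type") == "Root":
            flags.append("root_account_used")
        if is_trusted_ip(rec["sourceIPAddress"], networks) is False:
            flags.append("untrusted_source_ip")
        hour = parse_time(rec["eventTime"]).hour
        if not (hours[0] <= hour < hours[1]) and identity.get("type") != "AWSService":
            flags.append("outside_business_hours")
        if name in DESTRUCTIVE_CALLS:
            flags.append("destructive_api_call")
        alerts.extend({"rule": f, "user": who, "event": name,
                       "ip": rec["sourceIPAddress"], "time": rec["eventTime"]} for f in flags)
    return alerts


def count_by_rule(alerts):
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in analyze(SAMPLE_RECORDS):
        print(f'{a["time"]} {a["rule"]:26} {a["user"]:6} {a["event"]} from {a["ip"]}')
```

On the sample data the two root-account records from the unknown address at 03:00 UTC each trip several rules at once, which is the pattern to page on: one rule alone (an engineer terminating instances during the day) is routine, while a non-MFA root login from an unknown network followed minutes later by a bucket deletion is the Code Spaces scenario. A real deployment would read the gzipped JSON that CloudTrail delivers to S3 and feed `analyze` the `Records` array.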
4. Encryption
There are also ways to limit the damage an attacker can do after getting into an AWS account, such as encrypting the data stored in the cloud. The AWS Marketplace lists many encryption vendors, such as SafeNet and Vormetric, offering a variety of encryption services, and AWS itself offers server-side encryption for the Simple Storage Service (S3) and other services. Encryption stops most intruders from reading the data, but it does not protect the whole system: once an attacker controls the account, encryption does nothing to stop them from modifying or deleting the data.
5. Firewall applications
The DDoS attack put Code Spaces in a dangerous position and was the opening through which the attacker worked their way into the company's cloud. A firewall is an effective way to block such attacks. Barracuda and Alert Logic in the Marketplace, for example, provide monitoring that can identify and block suspicious behaviour before an attacker gets in.
6. Backup
Rob Ayoub of NSS Labs (an independent security research and testing lab based in the United States) wrote in a report on AWS that backups are the best safeguard. A backup cannot stop an intrusion, but it lets you restore the data quickly afterwards.
A common misconception about the cloud is that data stored there is automatically backed up. That is true of some services but not all. AWS Elastic Block Store (EBS) and S3, for example, are extremely durable because AWS replicates the data internally so that it is not lost to hardware failure. That replication is not a backup, though: anyone who gets into the console and deletes or changes the data defeats it, because the deletion is replicated as well. EC2 virtual machine instances, on the other hand, are not backed up automatically at all. So when you build on these services, be clear about exactly what protection each one gives you.
If an attacker gets into your account and does damage, a backup lets you restore the data. Users need to decide what to back up: some enterprises back up everything, others only critical data. Some backups are continuous, others run daily, weekly, monthly, or on whatever schedule suits you.
AWS offers many options for backups across its storage and database services, such as S3, EBS, and DynamoDB. Glacier is a very low-cost "cold storage" service. Rather than keeping backups in the cloud, however, some users prefer to keep them on premises.
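Deciding what to back up and how often is only useful if someone checks that the schedule is actually being met, and the Code Spaces incident adds one more requirement: a snapshot that lives in the same account the attacker controls can be deleted along with the original. The following is an added example, not code from the original post or from AWS. It checks that every EBS volume has a snapshot within a recovery point objective and at least one snapshot copy owned by a separate backup account. The volume and snapshot records are constructed in the shape of `describe-volumes` / `describe-snapshots` output, and the account IDs, RPO and timestamps are assumptions.

```python
"""Check EBS backup coverage: every volume needs a fresh snapshot and a copy
held outside the production account. Added example; data is constructed."""
from datetime import datetime, timedelta, timezone

PROD_ACCOUNT = "111111111111"      # assumed production account id
BACKUP_ACCOUNT = "222222222222"    # assumed separate account that holds copies
RPO = timedelta(hours=24)          # assumed recovery point objective
# Fixed "now" so the result is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2014, 6, 18, 12, 0, tzinfo=timezone.utc)


def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


SAMPLE_VOLUMES = [
    {"VolumeId": "vol-db1", "Tags": [{"Key": "Name", "Value": "customer-db"}]},
    {"VolumeId": "vol-app1", "Tags": [{"Key": "Name", "Value": "app-server"}]},
    {"VolumeId": "vol-old1", "Tags": [{"Key": "Name", "Value": "old-build-box"}]},
    {"VolumeId": "vol-new1", "Tags": [{"Key": "Name", "Value": "just-created"}]},
]

SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-1", "VolumeId": "vol-db1", "StartTime": "2014-06-18T02:00:00Z", "OwnerId": PROD_ACCOUNT},
    {"SnapshotId": "snap-2", "VolumeId": "vol-db1", "StartTime": "2014-06-18T02:30:00Z", "OwnerId": BACKUP_ACCOUNT},
    {"SnapshotId": "snap-3", "VolumeId": "vol-app1", "StartTime": "2014-06-18T03:00:00Z", "OwnerId": PROD_ACCOUNT},
    {"SnapshotId": "snap-4", "VolumeId": "vol-old1", "StartTime": "2014-06-10T03:00:00Z", "OwnerId": PROD_ACCOUNT},
]


def name_of(volume):
    """The Name tag if present, else the volume id."""
    for tag in volume.get("Tags", []):
        if tag["Key"] == "Name":
            return tag["Value"]
    return volume["VolumeId"]


def check_backups(volumes, snapshots, now=NOW, rpo=RPO, prod_account=PROD_ACCOUNT):
    """Map each volume id to a list of backup problems; an empty list means covered."""
    by_volume = {}
    for s in snapshots:
        by_volume.setdefault(s["VolumeId"], []).append(s)
    report = {}
    for v in volumes:
        snaps = by_volume.get(v["VolumeId"], [])
        problems = []
        if not snaps:
            problems.append("no snapshot at all")
        else:
            newest = max(ts(s["StartTime"]) for s in snaps)
            age = now - newest
            if age > rpo:
                problems.append(f"latest snapshot is {age.days} days old, older than RPO")
        # The Code Spaces lesson: a copy in the same account dies with the account.
        if not any(s["OwnerId"] != prod_account for s in snaps):
            problems.append("no copy outside the production account")
        report[v["VolumeId"]] = problems
    return report


if __name__ == "__main__":
    report = check_backups(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS)
    for v in SAMPLE_VOLUMES:
        problems = report[v["VolumeId"]]
        status = "ok" if not problems else "; ".join(problems)
        print(f"{v['VolumeId']} ({name_of(v)}): {status}")
```

Only `vol-db1` passes: it has a snapshot within the last 24 hours and a copy owned by the backup account. `vol-app1` is backed up on schedule but every copy is in the production account, which is exactly the position Code Spaces was in when its console was taken over. The off-account copy is the part worth automating, since it is the one an attacker holding production credentials cannot reach.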
7. Application updates
Ayoub pointed out another misconception: that applications in the cloud are updated automatically. Applications delivered as SaaS may be, but applications running on IaaS are not. AWS provides the infrastructure; what runs on the virtual machines is under the user's control. Most vendors ship frequent updates that fix bugs and close security holes, and those fixes exist only in the latest version, so it is up to the user to apply them.
Whether these measures would have saved Code Spaces, we do not know. Ayoub said the underlying problem is that many enterprises fail to use suitable methods to protect their accounts. The cloud has real economic and practical advantages (low cost, easy management, easy access), but no enterprise should move its data into the cloud without first working through these security questions.
Link: http://www.networkworld.com/Article/2365828/cloud-computing/7-tips-for-protecting-your-aws-cloud.html