For any business to operate efficiently, it is essential to ensure that application uptime and performance are optimized. However, along the way to achieving these goals, organizations tend to neglect security. Even when companies are using managed services for their computing infrastructure, they tend to focus on SLAs for the incidents, service requests, and application uptime.
Security is a mindset which should be inculcated at every level across an organization; mandatory procedures should be laid out and followed diligently. Security enforcement begins at your office campus perimeter and should extend to application development. While writing your application or running any environment, security procedures should be implemented from the development stage through the testing and production stages. A small security lapse can result in loss of revenue, customers, and reputation for any organization. There are numerous examples of small but fatal breaches: failure to enable MFA for a root user account led to the shutdown of Code Spaces; and a publicly readable S3 bucket led to a leak of billions of files containing confidential Personally Identifiable Information (PII). Working with a Managed Security Service Provider is a solution that can help avoid such disasters while achieving a business’s security goals.
Multilayered Security from AWS to the Application
Any company running an application on AWS needs to harden the security posture of the environment and application at several key layers. These include the AWS level, the operating system level, the application level and the application infrastructure level.
AWS offers a wide range of services and features for an organization to secure its AWS accounts. In addition, AWS distributes security advisories, white papers and emails to customers reminding them to fix gaps in their accounts. Organizations should always use the following essential services to reduce risk to AWS accounts and applications:
- AWS CloudTrail to maintain the audit trail for an AWS account.
- AWS Config to maintain the configuration history; to assess, audit and evaluate the configuration of your resources.
- AWS Identity and Access Management to provide fine-grained permissions to users and enable password management policies.
- AWS Security Groups to whitelist inbound traffic to an EC2 instance from only specific IP ranges or to particular ports. The service can do the same for outbound traffic.
- AWS Network Access Control Lists to serve as a firewall for inbound and outbound traffic in subnets.
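One practical check for the Security Group guidance above, added here as an example and not code from the original article: it walks security groups in the shape returned by boto3's `ec2.describe_security_groups()` and flags every ingress rule reachable from any IPv4 or IPv6 address, except rules limited to the public web ports. The sample groups, the `PUBLIC_OK_PORTS` allow-list and the group ids are constructed for illustration.

```python
# Added example (not from the original article): flag security group ingress
# rules open to the whole Internet. Input mirrors the structure boto3 returns
# from ec2.describe_security_groups(); the sample data below is constructed.
from typing import Dict, List

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
# Assumption: only these ports are expected to be world-reachable (a public web tier).
PUBLIC_OK_PORTS = {80, 443}


def _ports(perm: Dict) -> str:
    """Render a rule's port range; protocol -1 or missing ports means everything."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return "all ports"
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _exposes_sensitive_port(perm: Dict) -> bool:
    """True unless the rule covers only ports on the public allow-list."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return True
    if perm.get("IpProtocol") in ("icmp", "icmpv6"):
        return False  # port fields hold ICMP type/code, not TCP/UDP ports
    return not set(range(lo, hi + 1)) <= PUBLIC_OK_PORTS


def audit_security_groups(groups: List[Dict]) -> List[Dict]:
    """Return one finding per ingress rule whose source is 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            open_src = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
            open_src += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
            # Sources that are other security groups or prefix lists are never world-open.
            if open_src and _exposes_sensitive_port(perm):
                findings.append({"GroupId": sg["GroupId"], "GroupName": sg.get("GroupName"),
                                 "Protocol": perm.get("IpProtocol"), "Ports": _ports(perm),
                                 "Sources": open_src})
    return findings


# Constructed sample: a web group (443 to the world, acceptable), an admin group
# (SSH from anywhere, RDP only from a documentation-range office CIDR), and a legacy
# group allowing all traffic over IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000adm", "GroupName": "admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000all", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Protocol']} {f['Ports']} open to {', '.join(f['Sources'])}")
```

Against the sample data the web group passes, while the admin group's SSH rule and the legacy group's all-traffic IPv6 rule are reported; the same function can be fed the live `SecurityGroups` list from boto3.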
The AWS Shared Responsibility Model posits that “Security of the Cloud” is an AWS responsibility, while “Security on the Cloud” is the responsibility of the customer. However, many companies fail to harden security at the operating system level. This happens because they have not adopted a DevOps model, or because they lack sufficient processes to execute quarterly or half-yearly patching cycles. It is crucial for organizations to understand their industry compliance guidelines and ensure operating systems are hardened in accordance with regulatory standards such as NIST, HIPAA, and PCI-DSS. As a best practice, hardened custom AMIs should be created and used across the entire infrastructure to ensure standardization and industry compliance.
After hardening the server, organizations must ensure coverage for known vulnerabilities and for the potential exploitation of zero-day vulnerabilities. Apart from zero-day fixes, there should be a regular cycle to apply system and security patches. A DevOps approach to building infrastructure helps businesses by steadily rolling out these patches. Lastly, essential anti-malware, host-based intrusion prevention, and integrity monitoring systems should be in place to monitor any malicious and unauthorized activity occurring across the environment.
In addition to the operating system, organizations must harden web servers and application servers. The small mistake of exposing an Apache version or an OS detail can lead to numerous attacks on your application. Another example is accidentally leaving directory listing enabled on your web server. These seemingly minor lapses can prove fatal if left exposed to intruders.
For improved security controls, organizations can consider enabling a web application firewall (WAF) for their application. This protects sites from SQL injection, cross-site scripting, and various other attacks, and can add protections such as cookie signing. Moreover, a WAF has the ability to limit the traffic received from specific IP addresses, protecting your site from DDoS attacks. However, this DDoS protection works only up to a certain level. For enhanced coverage, AWS offers additional services such as Shield. Organizations can also use third-party services like Reblaze and Incapsula that integrate with AWS.
Application-level security depends entirely on how well architects and developers have planned, designed, and written code. Application code should have proper security test coverage and should comply with coding best practices. This is one of the most significant challenges for an organization because it must effectively disseminate and inculcate its security culture to everyone involved in development. Exposing or storing unencrypted data outside the business can lead to a significant compliance breach and be fatal for the organization.
Just like build and deploy, the entire development lifecycle of a product or application should undergo a security-testing phase in which the build is advanced to the next stage only if it passes the tests. In addition, application security should be regularly measured against compliance standards. Amazon has introduced AWS Inspector, a service which allows you to perform periodic security scans of your application to highlight vulnerabilities or gaps with compliance standards.
Beyond that, it is vital to ensure that databases are properly secured and accessible only by the application. Confidential information across your database should undergo hashing so that, in the event of a breach, the blast radius is small while the organization takes corrective action.
By default, the combination of AWS Network Access Control Lists (NACLs) and AWS Security Groups provides some network-level controls, allowing for the management of incoming and outgoing traffic. However, for more in-depth insight and capabilities, an organization can rely on a network-based intrusion prevention system to analyze requests against common threat patterns and rulesets. If there is a pattern match, the system can either warn administrators or drop the packet altogether. A recently discovered vulnerability in Apache Struts, the popular open-source web application development framework, offers an example of a scenario in which IPS rules can immediately block exploit traffic and protect a company from disaster.
Above all of these security layers, logs at every level play a crucial role. Forwarding the logs to a SIEM tool like AlienVault can help correlate events across the different layers and pin down the exact threats facing your organization.
How Can an MSSP Help?
Enforcing security for a computing environment at multiple levels can be a difficult task for any company. To comply with the security standards mentioned above, organizations need the following elements:
- A dedicated security team consisting of security engineers, infrastructure architects and application architects.
- A 24/7 monitoring team.
- A well-defined and drafted security process document which includes security incidents, vulnerability management, etc.
- The deployment of security tools to enable, scan and remediate security gaps.
- Ongoing maintenance and upgrades of the security tools.
Establishing such a team for an organization can be a time- and cost-intensive effort. Though larger enterprises can consider setting up such a team on their own, for startups and SMBs this is a more formidable challenge because of a lack of expertise, time and budget.
This is where a Managed Security Service Provider (MSSP) can help. An MSSP removes all these worries from organizations and allows them to focus on their business. Even for larger enterprises, effective management, cost-efficiency, seamless operations and peace of mind are reasons to transfer security management tasks to a certified MSSP.
With rich expertise, MSSPs implement security best practices and deploy the appropriate tools to maintain a healthy cloud environment. MSSPs offer a dedicated 24/7 security team whose primary responsibility is to manage security threats for customers and provide quick Mean Time to Resolution (MTTR) for any incidents. Moreover, MSSPs also have the advantage of possessing a wide knowledge base and familiarity with potential security threats encountered by other customers. Having built up experience with customers who have diverse compliance requirements, MSSPs are responsible for ensuring any change in a computing environment complies with industry standards. These proactive security policies can significantly improve the overall security standards for a business.
As cyberattacks become more sophisticated, companies must invest considerable time and energy to ensure that their environment is secure from new attack vectors. The added value of an MSSP is its ability to combat different security threats across a diversity of customer environments while continuing to refine its offerings to prevent evolving threats. Still, outsourcing security management to an MSSP doesn’t mean that the organization cedes responsibility. The responsibility remains in the hands of the organization, which must set the operational goals together with the MSSP and hold it accountable for service implementation.