Virtualization Technology News and Information
3 Tips for Cyber Hygiene in an AWS Environment

By Derek Brost, Director, Professional Services - Security & Compliance at InterVision

When you have a strong security foundation upon which all business operations can run efficiently, the rest of your organization can stay nimble during times of uncertainty, such as the current COVID-19 crisis. It's especially important to shore up your cybersecurity posture for AWS environments, where many businesses now conduct their IT operations, since the wide accessibility and capabilities of cloud services represent a security risk if they are not well architected and monitored. That's why AWS has published an essential guide to best practices: Top 10 Security Items to Improve Your AWS Account.

Beyond this guide, however, there are a few additional steps you can take to secure your IT operations. Despite many organizations leveraging the computing and performance power of AWS, we still live largely in a hybrid world, where organizations may be weighed down with legacy infrastructure or applications. Here are three tips to strengthen your security posture in AWS, especially when you have a hybrid architecture that must run in tandem with your AWS environment.

1.      Turn on Amazon GuardDuty and AWS Security Hub, then Evaluate Findings 

If you started in a born-in-the-cloud AWS environment, it's important to leverage the cloud-native detective tools readily made available. However, if you've migrated existing detective controls to the cloud alongside an existing application environment, you should verify that those security systems have visibility into cloud events and the analytical capability to recognize attack patterns that are unique to cloud resources.

An extremely quick and simple way to gain insight into threat-based events is to enable the GuardDuty service, which analyzes CloudTrail management events, S3 data events, VPC flow logs, and DNS logs. Typically this produces a relatively low volume of findings of varying severity, giving insight into activity across potentially sensitive management, data, network, and storage services.

Likewise, enabling the Security Hub service allows centralized ingestion of findings from services such as GuardDuty. At its core, this permits aggregation of findings and provides a basic capability to track each finding's confidence and criticality scores, its verification state, and its notification and remediation workflow status. Note that this is a self-contained workflow, but it can be significantly extended and integrated with a more full-featured Security Information and Event Management (SIEM) system.

When enabling the Security Hub service, you must enable AWS Config alongside it, since Security Hub's security standards are evaluated through Config rules. Together the two services provide continuous risk-based compliance, hardening, and best-practice evaluation. Admittedly, this may be a bit overwhelming at first to process and handle in comparison to the more straightforward threat-based events from GuardDuty, but it can provide much more meaningful insight to uncover systemic security architecture issues. Config also provides the foundation for understanding all resources deployed in the environment and how their configuration changes over time, and helps detect unintentional or unauthorized configuration drift.

The findings become a great starting point for understanding active threats and potential unintended weaknesses in your cloud deployment. In security, ignorance is not bliss, so you want to raise awareness and insight comprehensively. Once you've achieved a baseline level of risk and threat detection, it's important to prioritize these findings and feed them into your greater risk management efforts for remediation and mitigation controls. One of the most useful dimensions you can incorporate to aid this process is a tagging strategy: cross-referencing findings against resource tags lets you focus on high-impact resources and sensitive data first. The same tags can be used to reduce false positives and to programmatically adjust confidence, verification, and criticality scoring in your workflow.
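As an added illustration of that last point (example code, not from the article or from AWS), the script below takes Security Hub findings in the shape `get_findings()` returns, looks up each affected resource in a tag inventory, and builds the `batch_update_findings` requests that re-score them. The tag keys `DataClassification` and `Environment`, the score tables, and the `tag-prioritizer` note author are hypothetical choices for one organization; the findings and tags are constructed sample data.

```python
"""
Cross-reference Security Hub findings against a resource tagging strategy and
build the BatchUpdateFindings requests that re-score them.

Added example, not code from the article or from AWS. Assumptions: findings are
in Security Hub ASFF shape (as returned by get_findings), the tag inventory is
keyed by resource ARN, and the tag keys DataClassification / Environment plus
the score tables are hypothetical choices for one organization.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Criticality (0-100) by data classification tag value. Untagged resources are
# scored mid-range rather than low: "we don't know" is not "harmless".
CLASSIFICATION_CRITICALITY = {"restricted": 90, "confidential": 70, "internal": 40, "public": 10}
UNTAGGED_CRITICALITY = 50

# Confidence (0-100) by environment tag: sandbox accounts generate expected noise.
ENVIRONMENT_CONFIDENCE = {"sandbox": 30}
DEFAULT_CONFIDENCE = 80

# Constructed findings (only the ASFF fields this example reads are filled in).
SAMPLE_FINDINGS: List[dict] = [
    {"Id": "finding/1",
     "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
     "Title": "Unusual EC2 API activity",
     "Resources": [{"Type": "AwsEc2Instance",
                    "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0prod"}]},
    {"Id": "finding/2",
     "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
     "Title": "Port probe on EC2 instance",
     "Resources": [{"Type": "AwsEc2Instance",
                    "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0sandbox"}]},
    {"Id": "finding/3",
     "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
     "Title": "S3 bucket allows public read",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::untagged-bucket"}]},
    {"Id": "finding/4",
     "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
     "Title": "Security group allows unrestricted SSH",
     "Resources": [{"Type": "AwsEc2SecurityGroup",
                    "Id": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-prod"}]},
]

# Constructed tag inventory (e.g. exported from the Resource Groups Tagging API), keyed by ARN.
SAMPLE_TAGS: Dict[str, Dict[str, str]] = {
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0prod":
        {"DataClassification": "Restricted", "Environment": "prod"},
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0sandbox":
        {"DataClassification": "Public", "Environment": "sandbox"},
    "arn:aws:ec2:us-east-1:123456789012:security-group/sg-prod":
        {"DataClassification": "Restricted", "Environment": "prod"},
}


def score_finding(finding: dict, tag_index: Dict[str, Dict[str, str]]) -> Tuple[int, int]:
    """Return (criticality, confidence) derived from the first resource's tags."""
    resource_arn = finding["Resources"][0]["Id"]
    tags = tag_index.get(resource_arn, {})
    classification = tags.get("DataClassification", "").lower()
    environment = tags.get("Environment", "").lower()
    criticality = CLASSIFICATION_CRITICALITY.get(classification, UNTAGGED_CRITICALITY)
    confidence = ENVIRONMENT_CONFIDENCE.get(environment, DEFAULT_CONFIDENCE)
    return criticality, confidence


def build_update_requests(findings: List[dict], tag_index: Dict[str, Dict[str, str]]) -> List[dict]:
    """Group findings that receive identical scores into one BatchUpdateFindings
    request each: the API applies the same field values to every identifier in
    a call and accepts at most 100 identifiers per call."""
    groups: Dict[Tuple[int, int], List[dict]] = defaultdict(list)
    for finding in findings:
        groups[score_finding(finding, tag_index)].append(
            {"Id": finding["Id"], "ProductArn": finding["ProductArn"]})
    requests = []
    for (criticality, confidence), identifiers in sorted(groups.items(), key=lambda kv: kv[0], reverse=True):
        for start in range(0, len(identifiers), 100):
            request = {
                "FindingIdentifiers": identifiers[start:start + 100],
                "Criticality": criticality,
                "Confidence": confidence,
                "Note": {"Text": "Scored from resource tags", "UpdatedBy": "tag-prioritizer"},
            }
            # Only high-impact resources are escalated (owner paged); everything
            # else keeps whatever workflow status it already has.
            if criticality >= 70:
                request["Workflow"] = {"Status": "NOTIFIED"}
            requests.append(request)
    return requests


if __name__ == "__main__":
    for req in build_update_requests(SAMPLE_FINDINGS, SAMPLE_TAGS):
        print(req["Criticality"], req["Confidence"], [f["Id"] for f in req["FindingIdentifiers"]])
    # Against a live account each request is passed as:
    #   boto3.client("securityhub").batch_update_findings(**req)
```

With the sample data, the two findings on Restricted production resources land in one request scored 90/80 and escalated, the untagged bucket is scored 50/80 so that it surfaces for tagging, and the sandbox port probe is scored 10/30. The only live call is `batch_update_findings`, which takes exactly the keys built here.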

2.      Review Connectivity Between On-Prem and AWS to Ensure Ongoing Security Posture

Since the majority of businesses weren't born in the cloud and instead operate in a hybrid IT ecosystem, it's critical to approach your systems with an eye for what lives outside of AWS as well, so that you can address security from a holistic perspective. Beyond the foundations of restricted access and endpoint protection remain the essential governance aspects of preventing cybercriminals from gaining access through alternate attack vectors. A continually iterated governance policy that requires gated network connectivity to perform tasks is just one way to secure your business against new challenges as they pop up. Continue to leverage and evaluate all standard endpoint controls; by removing software that isn't needed (even down to each person's role), you reduce the surface area available for attack and exploitation.

Patch everything that is unique or outside your supported images; if you need custom images, then consider adding one or more security tests to your build pipeline, such as Amazon Inspector. It's much easier to run a patch-and-release pipeline in one of AWS's virtualized desktop solutions like WorkSpaces or AppStream 2.0 than to roll upgrades out to conventional desktops belonging to a workforce that may be distributed across homes throughout the country. If you do not use a virtual desktop solution, then consider moving your remote workforce to a Secure Access Service Edge (SASE) that functions as a distributed network security access mechanism. Ensuring connectivity through a supported VPN or SASE is one step toward enforcing limited access, but it shouldn't stop there. Set up policy-based cloud controls for network isolation and segmentation, such as VPC security groups, public and private subnets, IP allow lists, and VPC endpoint policies, to name a few. Track, organize, and manage security with metadata and resource tagging; however, avoid storing confidential information in the tags themselves. Additionally, turn on VPC flow logging for your own analysis. GuardDuty consumes VPC flow log data directly, whether or not you have enabled flow logs yourself, and its findings should in turn feed into Security Hub. Depending on the criticality of systems and applicable governance requirements, you may need to apply more advanced analytics and detection algorithms to the flow logs, and may even need to use VPC traffic mirroring on the most critical links for deep packet inspection.
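The security group and IP allow list controls above are easy to set up and just as easy to erode over time, so they need continuous review. The following is an added example (not code from the article) of that review: it audits security group ingress rules in the shape boto3's `describe_security_groups()` returns, accepting only sources inside the organization's VPN and on-prem ranges or, for the public web tier, a small set of internet-facing ports. `APPROVED_SOURCES`, `INTERNET_FACING_PORTS` and the security groups are hypothetical, constructed sample data.

```python
"""
Audit security group ingress rules against an on-prem/VPN allow list.

Added example, not code from the article. Assumptions: APPROVED_SOURCES is the
organization's Direct Connect and VPN/SASE address space and
INTERNET_FACING_PORTS the only ports allowed to be open to the world (both
hypothetical); groups are in the shape boto3's describe_security_groups() returns.
"""
import ipaddress
from typing import List, Optional, Tuple

APPROVED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),    # hypothetical on-prem space over Direct Connect
    ipaddress.ip_network("203.0.113.0/24"),  # hypothetical VPN / SASE egress range
]
INTERNET_FACING_PORTS = {443}  # public web tier only

# Constructed describe_security_groups() output, trimmed to the fields used here.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.20.5.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "database", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",  # all traffic, no port fields present
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-mgmt", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]


def source_is_approved(cidr: str) -> bool:
    """True if the rule's source CIDR lies entirely inside an approved range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == approved.version and net.subnet_of(approved)
               for approved in APPROVED_SOURCES)


def port_range(perm: dict) -> Optional[Tuple[int, int]]:
    """Return (from, to) for the rule, or None when it covers all ports."""
    if perm["IpProtocol"] == "-1" or "FromPort" not in perm:
        return None
    return perm["FromPort"], perm["ToPort"]


def rule_is_acceptable(perm: dict, cidr: str) -> bool:
    """Approved sources may reach anything; anyone else only the public web ports."""
    if source_is_approved(cidr):
        return True
    ports = port_range(perm)
    if perm["IpProtocol"] != "tcp" or ports is None:
        return False
    # all() stops at the first disallowed port, so wide ranges are cheap to reject.
    return all(p in INTERNET_FACING_PORTS for p in range(ports[0], ports[1] + 1))


def audit_security_groups(groups: List[dict]) -> List[dict]:
    """Return one record per (rule, source) pair that violates the policy."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for cidr in sources:
                if not rule_is_acceptable(perm, cidr):
                    findings.append({"GroupId": group["GroupId"],
                                     "Protocol": perm["IpProtocol"],
                                     "Ports": port_range(perm) or "all",
                                     "Source": cidr})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['GroupId']}: {f['Protocol']} {f['Ports']} open to {f['Source']}")
    # Live data: boto3.client("ec2").describe_security_groups()["SecurityGroups"]
```

Run against the sample groups, the audit flags the database port and the all-traffic rule on `sg-db` and the IPv6-wide SSH rule on `sg-mgmt`, while the web tier's HTTPS rule and the rules sourced from the VPN and on-prem ranges pass. Note that the IPv6 check matters: an allow list that only contains IPv4 ranges silently approves nothing for `::/0`, which is exactly why the rule is reported.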

Once you have this foundation for networking in place, your staff can begin innovating new solutions to further iterate on the protection of your network and connectivity.

3.      Engage a Third Party to Share the Burdens of Management, Monitoring and Testing

A lot of companies will be tightening their belts going forward. Since you'll need to be prepared to answer to executive leadership on productivity, budget or other investment-related topics as they arise, it's key to get a head start now, so that the tough questions don't put you in the hot seat. Maintaining a cybersecurity stance during this era of remote work demands keeping an eye on who has accessed what and why. Your IT team should use this time to ramp up change management activities, so that you can focus your talented staff on revenue-driving activities rather than the cumbersome tasks of yesteryear, such as phone systems, ticketing, etc. Automation will be the answer for many IT activities, change management being just one area for improvement, and the AWS cloud has a lot of native tools to assist with speedy deployments and performance optimization.

With IT staff no longer at a centralized location for in-person collaboration, it can be helpful to have a third-party vendor handle some of the more cumbersome or less strategic tasks, so that your limited IT team can focus on driving the business forward during this challenging time. An organization wants its IT department to be an innovation hub, not a cost center; not to mention, an innovation win for your team could easily translate to promotions in a post-COVID world. A strategic service provider (SSP) that specializes in AWS could be a great fit for such objectives.

The COVID-19 crisis has taught us a lot about flexibility and what it means for a company to be prepared. As cybersecurity professionals embrace new models of connectivity and office work, it's imperative to maintain due diligence to outfit the business for the moment at hand, but also to remain prepared for the next challenge ahead.


About the Author

Derek Brost 

Derek Brost, Director, Professional Services - Security & Compliance at InterVision, a company that, as a leading strategic services provider, has assisted IT leaders in solving the most crucial business challenges they face. For 25 years, the company has helped IT leaders transform their business by solving for the right technology, deployed on the right premise, and managed through the right model to fit their unique demands and long-term goals.

Published Thursday, August 27, 2020 12:35 PM by David Marshall