re:Invent Recap: Focus on Security

Amazon Web Services (AWS) have re:Invent 2013 presentations posted on their AWS YouTube channel. There were lots of good discussions on cloud security. If that’s a topic you’re interested in, here are three recommendations that are great examples of how shared security responsibility works in the AWS cloud.

  1. re:Invent Main Keynote (http://bit.ly/19lhb0h) Security was one of the first topics in Andy Jassy’s keynote. He started by discussing how security represents one of the five central tenants of the AWS cloud (along with performance, reliability, cost and scale), and talked about investments AWS has made to secure their physical datacenters and progress they’ve made on certifications. He also announced AWS CloudTrail, a new service that tracks user activity in an AWS account. Alert Logic Log Manager supports the AWS CloudTrail service. AWS CloudTrail logs are simply another data source, so Log Manager users can access CloudTrail, application and system logs together for full security and compliance visibility.
  2. Intrusion Detection in the Cloud (http://bit.ly/1aE1zcW) In this session, Don Bailey and Greg Roth from AWS discussed how intrusion detection is necessary in the cloud as in other IT environments but that intrusion detection systems (IDS) in the cloud will need to work differently and cloud IDS can be complemented with unique services available through the cloud.
    We know that running IDS in the cloud is different, and we’ve demonstrated success by making our Threat Manager (IDS and scanning) run natively in AWS. This required incorporating new ways of collecting information in the cloud and also adding functionality so Threat Manager can Auto Scale when the applications and systems it’s monitoring did so.
    One example that Don and Greg shared to augment intrusion detection in the cloud was to set alerts on your AWS billing. If your billing amount goes above what you think is your normal limit, especially early in the month, it could be a sign that something is wrong with your account and worth investigating. It’s a different take on identifying threats and it’s a free and simple way to add to your overall security plan.
  3. Navigating PCI Compliance in the Cloud I don’t see this session in the video list yet but hopefully it’ll be posted soon. Jesse Angel from Payment Spring spoke about developing a PCI-compliant gateway that their customers can use to accept credit card payments. Jesse explained how for PCI compliance, AWS automatically covers many requirements (e.g., physical security of the data center) but to achieve compliance, you’ll still need to have your internal security policy in place, follow it, and document that you’re following it. A couple of other best practice points:
    • Security benefits from automation. Eliminate manual updates, patches and configuration changes as anything done manually can introduce errors and vulnerabilities. If an instance needs to be reconfigured, it’s more secure to spin up a new server than manually patch or reconfigure an existing one. As a bonus, this is much easier to do in AWS than traditional IT environments.
    • Eliminate open source and shared libraries. Jesse’s point here was if you’re using code in your application that comes from open source or shared libraries, unless you code review everything you’ll never really know if it contains security vulnerabilities. That’s a valid viewpoint, though it seems in contradiction to other sessions at re:Invent that talked about the benefits of collaborating on open source projects (Netflix is one example).