Securing Amazon It s a Jungle Out There

Transcription

1 ANALYST BRIEF Securing Amazon It s a Jungle Out There PART 1 CONTROLS AND OPTIONS OFFERED BY AMAZON Author Rob Ayoub Overview Infrastructure as a service (IaaS) is a foundational component of modern cloud computing, and one that is just now beginning to gain traction in the enterprise. The deployment of IaaS is straightforward customers purchase access to virtual machines directly in the cloud. However, this simple act opens up a host of opportunities for outsourcing, allowing organizations the ability to practice true utility computing adding or subtracting servers, storage, and other services on demand. IaaS vendors range from household names such as Amazon, Microsoft, and Google to growing players such as Rackspace and GoGrid. All IaaS vendors have differentiation around their offerings, including physical locations of data centers, virtual machine offerings, and billing options. The ultimate goal of IaaS providers is to allow organizations to implement a data center in the cloud at a much lower price point than if they had built it themselves. Amazon has built functionality into AWS in order to create a platform that appeals to organizations of all sizes. As enterprises shift applications, data, and infrastructure to AWS, they must consider how best to secure these components in a public cloud environment. Amazon has simplified security for its customers through various free and fee- based mechanisms. Security vendors are permitted to port their devices into the Amazon environment, and Amazon provides a wide range of technology assistance to these vendors through its partner programs. While end users must consider carefully the security features offered by any cloud provider under consideration, Amazon has provided resources and tools that enable end users to integrate security into its cloud infrastructures. The first in a two- part series on security in the AWS environment, this analyst brief examines the advantages of AWS as well as some of the challenges organizations face when moving to an infrastructure- as- a- service (IaaS) environment. The final brief in the series will investigate the third- party vendor approach to securing AWS and the options available to customers through the Amazon Marketplace and vendor community.

2 NSS Labs Findings Amazon is gaining traction from enterprise users and security vendors due to a number of key baseline security attributes, controls, and available security options from Amazon and the vendor community. Various basic security controls are offered as part of AWS, for example, firewall groups and virtual private cloud infrastructures. Many end users do not fully understand the security implications of moving to an IaaS provider such as Amazon and thus may be implementing insecure practices. It is not enough for organizations to simply port applications and data to the cloud and assume that compliance will be addressed. Amazon does not yet offer a complete suite of security tools. NSS Labs Recommendations Assess the security controls offered by AWS, and evaluate controls offered by third- party technology partners in order to ensure the enterprise security policy will remain consistent as data is moved to the cloud. Evaluate and understand the gaps in security between on- premise systems and IaaS. Incorporate any AWS instances into the life cycle management process that is required for other systems. Implement procedures to ensure end users are not creating AWS instances without approval from the information technology (IT) department. Ensure compliance mandates are not being violated by the move of regulated data to AWS. 2

3 Table of Contents Overview... 1 NSS Labs Findings... 2 NSS Labs Recommendations... 2 Analysis... 4 Security Considerations for Any Public Cloud... 4 Enforcement of Service Level Agreements... 4 Measuring and Tracking Computing Use... 4 Identity and Access Management... 5 Securing the Operating System... 5 Network and Internet Connectivity... 5 Virtual Machines... 5 AWS... 5 Security Controls Offered by AWS... 6 Secure Access... 6 Built- in Firewalls... 6 AWS Identity and Access Management (IAM) Tool... 6 Encrypted Data Storage... 6 AWS Direct Connect... 6 AWS CloudHSM... 7 Trusted Advisor... 7 Satisfying Compliance Mandates with AWS... 7 Reading List Contact Information

4 Analysis Take- up of infrastructure as a service (IaaS) has been steady, and industry sources cite solid growth rates and market potential for the foreseeable future. 1 As enterprises shift applications, data, and infrastructure to AWS, they must consider the security implications of using this platform. Amazon has simplified security for its customers through various built- in and optional mechanisms. Security vendors are allowed to port their devices into the Amazon environment, thus enabling organizations to extend their existing security infrastructures onto the Amazon platform. Security Considerations for Any Public Cloud There are many benefits on which organizations look to capitalize when moving information technology (IT) components to the cloud, but the core issue that organizations seek to address is cost. Of equal concern are the potentially hidden or obscured costs that are not necessarily factored into an IaaS provider s pricing, as discussed in the analyst brief, They Call It Stormy Monday. 2 Each perceived benefit of utilizing IaaS as the basis for IT components is accompanied by security challenges, which should be considered carefully as organizations evaluate different providers. Some of these challenges may seem trivial, but failing to evaluate each one could result in an organization exposing its data and applications to an attacker. Enforcement of Service Level Agreements Given the global nature of business today, it is critical that companies have as close to 100 percent uptime as possible. It is, however, challenging and expensive for any single organization to maintain the equipment and staff that is required to run a 24x7x365 environment. A key attribute of cloud providers is the ability to provide robust service level agreements (SLAs) to clients. Cloud providers are technology specialists and theoretically have the expertise and equipment to maintain failover systems. Organizations that rely on IaaS providers must fully understand the cloud provider SLAs and ensure that quality of service (QoS) of traffic is adhered to. As more applications that deliver voice and video services move to the cloud, the sensitivity of the traffic and the end user experience become important, but having a third- party provider in the middle can make it difficult to determine the true cause of delays and outages. Measuring and Tracking Computing Use Another key driver for IaaS is the elasticity of the cloud, whereby an organization can, at any point, quickly add or remove resources such as storage, servers, databases, or other applications in order for its infrastructure to match the organization s current needs. Used correctly, this elasticity can make IT more strategic and more flexible for the organization. Unfortunately, this same scalability and elasticity can prove problematic when tracking data and assets in the organization, leading to increased costs and even data exposure. 1 provider/service- provider- infrastructure- as- a- service/iaas_bdm_wp.pdf 2 See Reading List 4

5 A key challenge for many IT departments today is tracking shadow IT or services that are set up by departments or individuals in the organization outside the formal IT department. While public cloud providers will provide billing metrics, it can be difficult for organizations to track the exact usage of machines and determine whether they have instances that are sitting idle. Additionally, an organization may not have the visibility to piece together the expenses from IT and individual departments that are using their own public cloud instances. Further, without effective tracking of data moving to and from the cloud, it is difficult to ensure that personally identifiable information (PII) and other sensitive data is not moving outside the organization to a third- party provider. Identity and Access Management One of the most challenging aspects of any IT deployment is the configuration and enforcement of identity and access management. Without proper controls, users can easily gain access to resources they are not permitted to access, and hackers or disgruntled insiders can obtain sensitive intellectual property. Although IaaS providers do allow for the creation of groups and access controls, these controls often lack the granularity required by an enterprise. Combined with the complexity of elastic computing, this leads to a constantly changing infrastructure that lacks adequate identity and access controls. Securing the Operating System Part of the appeal of moving to the cloud is the convenience of accessing prepackaged instances of an operating system. However, as with any software build, vulnerabilities will be discovered over time. Organizations must carefully evaluate preloaded software in any prebuilt image to ensure that the software is up to date. Almost all IaaS providers recommend that users run an immediate software update on any image they download. However, once deployed, the organization remains responsible for keeping the software up to date, as is the case with on- premise deployments. Network and Internet Connectivity An organization that relies on a third party for hosting is exposed to increased risk of external factors causing an outage for the organization. For example, any externally facing web presence is at risk from attacks such as distributed denial- of- service (DDoS). IaaS providers should be better prepared for such attacks, but the breadth of clients that are served by an IaaS provider creates a larger attack surface, and should an attack be successful, an organization s website or applications may be affected even if it was not the target of the attack. Virtual Machines The cloud is built on virtual machines, and many of these virtual machines may be running on geographically dispersed physical servers. Although virtual machines provide the flexibility that allows services such as AWS to exist, they bring with them their own challenges. Virtual machines can easily be moved from server to server, and changes can rapidly permeate through an infrastructure; thus, an accidental change in permissions could quickly cause widespread damage. Virtual machine software is subject to its own vulnerabilities, and there have been cases of hackers crossing virtual machine boundaries on a given server. AWS AWS began offering IT infrastructure services to businesses in 2006, in the form of web services today known as cloud computing. Originally, these web services were provided to enable organizations to replace up- front capital 5

6 infrastructure expenses with lower cost alternatives that could scale with their businesses. By using cloud services, a business gains flexibility in planning its IT infrastructure. Instead of having to plan for unknown IT needs months or years in advance, cloud services allow an organization to deploy infrastructure and service components as needed and on demand. Security Controls Offered by AWS No cloud provider can eliminate all of the security risks associated with moving to the cloud; there will always be challenges to address. AWS has provided controls out of the box that organizations can leverage in order to address some of the most common security issues (discussed below). Additionally, AWS has a technology partner program in place to assist vendors placing virtual appliances in the Amazon Marketplace. Together these components have made AWS a top- of- mind provider of IaaS. Secure Access From the start, customers are encouraged to be more secure when authenticating to AWS. By default, AWS instances rely on public- private key pairs for access. This is a stronger alternative to the traditional username/password combination on which many services rely for access today. Additionally, Amazon exposes customer access points, also known as API endpoints, which allow secure HTTP access (HTTPS) so that secure communication sessions can be established with any AWS services that use Secure Sockets Layer (SSL) protocol. By requiring secure, geographically specific access to virtual machines and services, Amazon allows organizations to build a virtual infrastructure with inherently strong controls. Built- in Firewalls AWS allows organizations to control accessibility of instances by configuring built- in firewall rules from public to private, or somewhere in between. AWS also provides the option for organizations to create virtual private cloud (VPC) subnets, which allow for the control of egress as well as ingress. AWS Identity and Access Management (IAM) Tool AWS allows organizations to control the level of access that users have to AWS infrastructure services. With the AWS Identity and Access Management (IAM) tool, each user can have unique security credentials, eliminating the need for shared passwords or keys and allowing the security best practices of role separation and least privilege. Encrypted Data Storage Customers can choose to store their data and objects within different Amazon storage containers: Amazon S3, Glacier, Redshift, and Oracle RDS. These containers can be encrypted automatically using Advanced Encryption Standard (AES) 256 (a secure symmetric- key encryption standard using 256- bit encryption keys), thereby addressing compliance concerns and increasing the security of the data by default. AWS Direct Connect The AWS Direct Connect service allows an organization to establish a dedicated network connection from its premise to AWS. Using standard VLAN connections, dedicated connections can be partitioned into multiple logical connections to enable access to both public and private IP environments within the AWS cloud. 6

7 AWS CloudHSM Amazon also provides for a dedicated, hardware- based cryptographic key storage option. Again, Amazon defaults to using public/private key pairs for authentication. Managing and securing these keys can be a significant security challenge for customers; weak key management could compromise access for an entire organization. To address this challenge, Amazon offers hardware security module (HSM) appliances that provide a secure and convenient way to store and manage keys. Trusted Advisor Provided automatically with premium support, the Trusted Advisor service provides customers with a snapshot of their Amazon environments. The service monitors AWS resources and alerts administrators to security configuration gaps, such as overly permissive access to certain EC2 instance ports and S3 storage buckets; minimal use of role segregation using IAM; and weak password policies. Satisfying Compliance Mandates with AWS Having the ability to satisfy compliance mandates is a key challenge for organizations seeking to move data and applications to the cloud. Compliance traditionally has been a restraint to cloud adoption, but in recent years, more and more compliance authorities are viewing the cloud as a viable option and have begun to release guidance regarding the securing of sensitive data in the cloud. Given its leadership position as an IaaS provider, AWS strives to demonstrate compliance with a range of regulatory requirements. Although Amazon is careful to indicate that compliance is a shared responsibility with its customers, it does provide a solid baseline of materials and expertise designed to help customers migrate data and applications that have a regulatory component. From an enterprise perspective, these initial discussions of compliance mandates are important, but they do not solve the challenge of compliance. It is not enough for organizations to simply port applications and data to the cloud and assume that compliance will be addressed. While Amazon has taken a commendable first step toward addressing regulatory requirements, more due diligence is required before organizations move applications or data to AWS. Customers who must adhere to specific compliance mandates should consult the following table to understand the controls that are in place on the AWS platform. 7

8 The following is a list of the various compliance mandates supported by the Amazon infrastructure: Compliance Mandate How AWS Addresses the Mandate FedRAMP FIPS FISMA and DIACAP AWS is a Federal Risk and Authorization Management Program (FedRAMP) Compliant Cloud Service Provider. AWS has completed the testing performed by a FedRAMP- accredited third- party assessment organization (3PAO) and has been granted two agency authority- to- operates (ATOs) by the US Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements at the moderate impact level. The Federal Information Processing Standard (FIPS) Publication is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS requirements, the Amazon VPC Virtual Private Network (VPN) endpoints and SSL- terminating load balancers in AWS GovCloud (US) operate using FIPS validated hardware. Amazon also offers a CloudHSM service that provides compliant HSMs, hardened key management devices, in the cloud. AWS enables US government agencies to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). The AWS infrastructure has been evaluated by independent assessors for a variety of government systems as part of their system owners approval process. Numerous Federal Civilian and Department of Defense (DoD) organizations have successfully achieved security authorizations for systems hosted on AWS in accordance with the Risk Management Framework (RMF) process defined in NIST and DoD Information Assurance Certification and Accreditation Process (DIACAP). HIPAA AWS enables covered entities and their business associates subject to the US Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure AWS environment to process, maintain, and store protected health information, and AWS will be signing business associate agreements with such customers. 8

9 ISO27001 ITAR PCI DSS Level 1 SOC 1/SSAE 16/ISAE 3402 SOC 2 SOC 3 AWS has achieved ISO certification of the Information Security Management System (ISMS) covering AWS infrastructure, data centers, and services, including: Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Virtual Private Cloud (VPC), Amazon Elastic Block Store (EBS), Amazon Relational Database Service (RDS), Amazon DynamoDB, Amazon SimpleDB, Amazon Direct Connect, Amazon VM Import/Export, Amazon Glacier, and Amazon Storage Gateway. The AWS GovCloud (US) region supports US International Traffic in Arms Regulations (ITAR) compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US persons and restricting physical location of that data to the US. AWS GovCloud (US) provides an environment physically located in the US with access by AWS Personnel limited to US persons, thereby allowing qualified companies to transmit, process, and store protected articles and data subject to ITAR restrictions. AWS is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS). Customers can run applications on its PCI- compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. AWS publishes a Service Organization Controls 1 (SOC 1), Type II report. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No (ISAE 3402) professional standards. In addition to the SOC 1 report, AWS publishes a Service Organization Controls 2 (SOC 2), Type II report. Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. AWS publishes a Service Organization Controls 3 (SOC 3) report. The SOC 3 report is a publically available summary of the AWS SOC 2 report and provides the AICPA SysTrust Security Seal. 9

10 CSA MPAA AWS has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). This questionnaire provides a way to reference and document the security controls within the AWS IaaS offerings. The questionnaire provides over 140 questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider. The Motion Picture Association of America (MPAA) has established a set of best practices for securely storing, processing, and delivering protected media and content. ( security- program.html) Despite the numerous controls and guidance that Amazon provides in order to assure enterprises that the platform is secure, many large organizations are still reluctant to use the public cloud. Instead, security vendors indicate that it is the smaller organizations that are taking the lead in adopting cloud services and driving the initiatives to solve the challenges of compliance in cloud environments, which are the key limiters of widespread public cloud adoption. 10

11 Reading List They Call It Stormy Monday. NSS Labs call- it- stormy- monday 11

12 Contact Information NSS Labs, Inc. 206 Wild Basin Rd Building A, Suite 200 Austin, TX USA +1 (512) This analyst brief was produced as part of NSS Labs independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors. Please note that access to or use of this report is conditioned on the following: 1. The information in this report is subject to change by NSS Labs without notice. 2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON- INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader s expectations, requirements, needs, or specifications, or that they will operate without interruption. 5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report. 6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners. 12