How AWS Delivers Cybersecurity Assurances in the Cloud

Among cloud computing providers, Amazon has certainly been flexing its cybersecurity muscles in an ongoing concerted effort to bulk up on security tools and solutions for its Amazon Web Services (AWS) public cloud service to instill better data assurance, privacy and greater customer confidence.  

For example, in 2022 the company announced Amazon Security Lake, a security data management analytics service based on the Open Cybersecurity Schema Framework (OCSF) for threat hunting and detection. The service collects, stores and centralizes cloud security data from AWS and other enterprise security data sources, analyzes security data logs and alerts and gives customers a more complete understanding of their threat landscape.

Last July, Amazon revamped its Security Competency Partners program made up of specialists with demonstrated security success on AWS. The relaunch featured 42 partners and eight new categories of specializations, including: core security, perimeter protection, application security, compliance and privacy, data and infrastructure protection, threat detection and response, and identity and access management.

The AWS platform itself provides a wide range of security and cybersecurity solutions, including:

• AWS IAM (identity access management): A centralized security management function to specify who or what can access services and resources in AWS. For example, privileges can be granted to users for access to specific data or servers.
• AWS GuardDuty: An intelligent threat detection service that continuously monitors accounts and workloads for unusual activity.
• AWS Shield: A managed service that detects and identifies distributed denial of service (DDoS) attacks for organizations that utilize many web applications and servers.
• AWS Firewall Manager: Centrally configures protections once, then automatically applies these configurations across accounts and resources, even as these are added. 
• AWS Trusted Advisor: Inspects AWS environments, reports on service utilization, then advises when opportunities exist to save money, improve system availability and performance or help to close security gaps. When configured, it also reports on non-compliance with organizational services.  

“There are so many ways that AWS will secure your data and many security features,” Sema says.  

Organizations need to perform due diligence in evaluating a provider’s security measures, data-privacy policies and compliance with relevant security standards, Sema says. It’s essential for a cloud provider to offer strong multifactor authentication and role-based access controls to protect cloud-based systems and data from unauthorized access. A cloud customer should also be given assurance that data, both in transit and at rest, is always encrypted to prevent unauthorized access or theft of sensitive information.

Sema says customers should also ask whether a cloud provider regularly tests and updates its cybersecurity measures by performing penetration testing. Do they comply with regulations and standards to ensure the security of their cloud-based systems and data? Do they use security information and event management (SIEM) systems to identify security threats?

It’s also important for customers to understand the elements of security they need to own and to clearly understand what a cloud provider is responsible for. Sema explains that cloud providers are responsible for cloud data centres and physical infrastructure elements such as servers, while customers must be responsible for securing their networks and virtual private connections.

A cloud customer needs to always determine and manage who should have access to which computing resources in the cloud and how authentication should be configured. They also need to be aware of employees leaving the company or temporary contractors who may have been given access to resources. Permissions must be revoked when users exit the organization.

Amazon also looks to help organizations migrate from on-premises environment to the cloud.

“Sometimes when people think about cloud, they are afraid of the unknown,” Sema says. “Or they are used to working on-premises and are not sure how (these same) things will work in the cloud. But there’s not much usage difference between the two.

“Personally, I would advise people – if you’re not using legacy applications then move to the cloud,” she adds. “There are organizations with applications that can’t function in the cloud. So, Amazon is improving its cloud services to accommodate hybrid environments…and on-prem legacy applications.”

In addition to cybersecurity, AWS also offers cost optimization through intelligent data management. For example, through a data storage service called Amazon S3, customers can choose different types of storage services based on the data access, resiliency and cost requirements of workloads.

The highest priced Amazon S3 Standard storage offers high durability, availability and performance object storage for frequently accessed data. Conversely, the lower priced Amazon SE Glacial Deep Archive storage is a cheaper option for long-lived data that is rarely accessed. Each Amazon S3 storage option allows users to authorize who has access to data contained.

Sema says she believes Amazon S3 Intelligent Tiering is a particularly compelling storage option. Some organizations don’t know how often they access their data, so S3 Intelligent Tiering monitors how data is accessed across different storage classes. If data is recognized as not frequently accessed and is in a more expensive data-storage class, then S3 Intelligent Tiering will automatically move it to less expensive options.

“I really find it attractive for organizations that spend a lot of money and don’t understand their data-access patterns,” she says.