There have been numerous articles, blogs, and whitepapers about the security of the Cloud as a business solution. Amazon Web Services has a site devoted to extolling their security virtues and there are several sites that devote themselves entirely to the ins and outs of AWS security. So rather than try to tell you about each and every security feature of AWS and try to convince you how secure the environment can be, my goal is to share a real world example of security that can be improved by moving from on premise datacenters to AWS.
Many AWS implementations are used for hosting web applications, most of which are Internet accessible. Obviously, if your environment is for internal use only you can lock down security even further, but for the interest of this exercise, we’re assuming Internet facing web applications. The inherent risk, of course, with any Internet accessible application is that accessibility to the Internet provides hackers and malicious users access to your environment as well as honest yet malware/virus/Trojan infected users.
As with on premise and colocation based web farms, AWS offers the standard security practices of isolating customers from one another so that if one customer experiences a security breach, all other customers remain secure. And of course, AWS Security Groups function like traditional firewalls, allowing traffic only through allowed ports to/from specific destinations/sources. AWS moves ahead of traditional datacenters starting with Security Groups and Network ACL’s by offering more flexibility to respond to attacks. Consider the case of a web farm that has components suspected of being compromised; AWS Security Groups can be created in seconds to isolate the suspected components from the rest of the network. In a traditional datacenter environment, those components may require making complex network changes to move them to isolated networks in order to prevent infection to spread over the network, something AWS blocks by default.
AWS often talks about scalability – able to grow and shrink the environment to meet demands. That capability also extends to security features as well! Need another firewall, just add another Security Group, no need to install another device. Adding another subnet, VPN, firewall, all of these things are done in minutes with no action from on premise staff required. No more waiting while network cables are moved, hardware is installed or devices are physically reconfigured when you need security updates.
Finally, no matter how secure an environment, no security plan is complete without a remediation plan. AWS has tools that provide remediation with little to no downtime. Part of standard practices for AWS environments is to take regular snapshots of EC2 instances (servers). These snapshots can be used to re-create a compromised or non-functional component in minutes rather than the lengthy restore process for a traditional server. Additionally, 2nd Watch recommends taking an initial image of each component so that in the event of a failure, there is a fall back point to a known good configuration.
So how secure is secure? With the ability to respond faster, scale as necessary, and recover in minutes – the Amazon Cloud is pretty darn secure! And of course, this is only the tip of the iceberg for AWS Cloud Security, more to follow the rest of December here on our blog and please check out the official link above for Amazon’s Security Center and Whitepapers.
-Keith Homewood, Cloud Architect