As more organisations rapidly migrate their workloads to the AWS cloud, ensuring the security of the resources that drives value for our organisation becomes increasingly important. In this article, we will delve into essential capabilities that should be considered and included in our cloud architectures to better safeguard our AWS workloads. Additionally, we will examine some of the challenges that accompany the process of securing workloads and discuss various technologies that could be leveraged to alleviate these challenges.
Division of Responsibilities
To better secure our workloads on the AWS cloud, it is crucial to have a thorough understanding of the Shared Responsibility Model, and our specific responsibilities as customers for securing the services we utilise on the platform. Essentially, the model dictates that AWS bears the responsibility of maintaining the ‘Security of the Cloud’, which refers to the underlying infrastructure that supports all of the services available on AWS. As customers we are accountable for ‘Security in the Cloud’, which entails following best practises for the services adopted and securing our network, data, and applications.
As customers, our duties on the Shared Responsibility Model will depend on the services that we implement. Here are a few examples of AWS services and the associated customer responsibilities:
There are a few key criteria that we need to consider and include in our cloud architectures to better protect our workloads in the AWS cloud.
- Vulnerability detection and prevention
- Protect against threats and ransomware
- Ability to send security events generated from different sources to a centralised platform in a simplified framework.
- Misconfigurations and lack of visibility for our cloud resources
But odds are we have a few, to ensure the security of our workloads, the first essential capability we must have is the ability to detect and prevent vulnerabilities. This requires scanning for vulnerabilities in both the operating system and applications to identify potential security risks. Unfortunately, when a new vulnerability is discovered, the vendor may need some time to release a patch to address it, leaving our workloads exposed to exploitations. To mitigate this challenge, we can use Intrusion Prevention System (IPS) rules to virtually patch the vulnerabilities on our workloads until the vendor releases the patch for the fix. This allows us to protect against new vulnerabilities quickly and effectively.
While utilising native services like AWS Inspector can aid in the continuous identification of vulnerabilities within our EC2 workloads, safeguarding these workloads from exploitation is crucial. This can be achieved by utilising intrusion prevention solutions such as AWS Network Firewall, or by implementing a third-party security solution in our cloud environment.
The second critical capability is to safeguard against threats and ransomware, which is not without its challenges. While signature patterns are crucial and a basis for identifying and protecting against known security threats, we must also consider attacks that can bypass traditional malware scanning techniques. To address this challenge, we need to incorporate machine learning capabilities into our cloud security approach to protect against new and emerging threats. We would need to have security measures in place to extract file features from unknown and low-prevalence files and compare them against a threat model to determine if the file is an actual threat that should be blocked.
To ensure comprehensive protection, we must also have the capability to detect anomalies in processes, files, and software installed on our workloads. Amazon GuardDuty is an AWS service that could help us detect anomalous behaviours that could impact our workloads, and the service could also be paired with AWS Network Firewall to respond to GuardDuty detections. Malware creators use sophisticated methods to avoid detection, such as modifying system files or files related to known software. Therefore, it is essential to implement enhanced threat scanning techniques to detect and prevent compromised processes, files, and software.
Having a centralised platform to send security events from different sources is crucial as this enables us to have a holistic view of our security posture without the hassle of managing and switching back and forth between multiple interfaces. The telemetry collected by the centralised platform could then be analysed to help us understand our risk in the cloud, respond more effectively to security incidents, and help meet compliance requirements by providing a comprehensive view of security events and activities across the enterprise.
Amazon SecurityLake is an AWS service that supports the Open Cybersecurity Schema Framework (OCSF). The OCSF is an open-source project that allows Independent Software Vendors (ISV) to adopt and extend the schema for their own domains to a simplified format. This framework, developed in collaboration with prominent security vendors, facilitates the mapping of data from various sources into a uniform format, simplifying analytics and enhancing our security stance on a centralised platform. By leveraging OCSF, we can efficiently improve our security posture while managing the diverse data generated by various sources.
Misconfigurations remain amongst the top threats to organisations today and they account for 65–70% of all security related challenges in the cloud. Misconfigured workloads could expose vulnerabilities and sensitive data to bad actors.
To mitigate these risks, Cloud Security Posture Management (CSPM) tools can help monitor and continuously identify misconfigurations in our workloads and any other supporting services that we may be leveraging. CSPM tools can additionally serve as a training tool to help users avoid future misconfigurations. To further strengthen our security posture, it’s crucial that we introduce security as early as possible by leveraging CSPM tools in our development process. By scanning infrastructure-as-code templates for misconfigurations on our Integrated Development Environment (IDE) and in our pipelines before the infrastructure is deployed, we would be able to detect and remediate misconfigurations before they impact our production environment.
Source: Trend Micro
In conclusion, ensuring the security of our workloads on AWS is critical for protecting our organisation’s assets, data, and reputation. To secure your AWS environment, seek out a platform-based solution with broad cloud-native application protection platform (CNAPP) capabilities that delivers thoughtful security from commit to runtime and integrates with the DevOps tools your organisation already uses.
Trend Micro Cloud One™ - Conformity provides a holistic view of cloud resources and configurations, helping you quickly assess your infrastructure’s compliance posture against compliance standards and frameworks.
Trend Micro Cloud One™ - Workload Security offers comprehensive protection against threats and vulnerabilities with Advanced Threat Scanning Engine (ATSE) and IDS/IPS rules backed by Trend Micro Threat Research. Workload Security integrates seamlessly with many AWS services such as Amazon Security Lake, Amazon Inspector, Amazon Macie, and Amazon GuardDuty, for automating security deployment, policy management, health cheques, and compliance reporting. Workload Security’s broad APIs assess and automatically implement security protection based on security findings on AWS, providing specialised security without the cost and complexity of multiple point solutions.
Trend Micro Cloud One™ offers flexible pricing, like pay-as-you-go on AWS Marketplace, as well as always-free tier to get started. Learn more here.