Advantages of the AWS Security Maturity Model
In an era of constant web security threats, learn how the AWS Security Maturity Model can help you enhance your organization’s cloud security. This article outlines tips to apply the model according to your organization’s stage of security maturity.
As the IT industry evolves and more sensitive customer and organisational data flood the digital sphere, infrastructure security is a skyrocketing priority. Furthermore, the transition from on-premises to the cloud has substantially altered previous security models. Therefore, ensuring the security of your cloud environments requires a measured strategy that ranges from basic configurations and threat detection to a robust incident response plan.
However, you may find it difficult to determine where your current security measures fall in this range. To help their users assess such factors, Amazon Web Services introduced the AWS Security Maturity Model. This model provides a peer-reviewed matrix of areas to consider when evaluating and enhancing your cloud security. While not a rigid blueprint, the Security Maturity Model provides areas of focus and structure that enable you to understand and implement the most relevant and situationally effective components of enterprise security.
Moreover, once your systems live in the cloud, your security plan is no longer a one-sided endeavour. Traditionally owned by the enterprise, security has now become a mutual responsibility amongst vendors, clients, and users. In support of streamlining vendor risk assessments, AWS launched Marketplace Vendor Insights.
Cloud vendors are responsible for the security of the cloud. They provide security for their native infrastructure, including hardware, software, networking, and facilities.
As the cloud customer, you’re responsible for the security of your cloud-hosted systems. For example, if your company uses Amazon Elastic Kubernetes Services (EKS), you’re responsible for the associated controls, such as the rulesets that determine expansion and the authorisation for accessing these rulesets.
Some responsibilities are shared between the vendor and the customer. One example is patch control. The vendor is responsible for applying patches related to the infrastructure, while the customer is responsible for patching their guest operating system and applications. Shared responsibility also includes training, with both the customer and the vendor responsible for training their respective personnel.
Lastly, customers are responsible for any controls they deploy with an application. This activity includes the implementation of security zones or routing of access. To that end, Amazon also published the Shared Responsibility Model.
How to interpret and implement the AWS Security Maturity Model
The Security Maturity Model provides areas to consider to secure business-critical cloud applications against common attack vectors and vulnerabilities. However, it won’t be effective unless you interpret and apply it to best conform to your enterprise’s specific requirements.
Because its creators intended to apply the AWS Security Maturity Model as broadly as possible, it only provides a general starting point for the items included in the Cloud Adoption Framework (CAF). Remember that every organisation is unique and implementing any framework must accommodate specific business and security needs. The AWS Security Maturity Model is a foundation to build upon and customise, rather than a rigidly implemented dogma.
Since each organisation is likely at a different stage of its security maturity, the model provides a basis for evaluating where you are and developing a roadmap for continuous improvement. Every organisation wants good security. However, it’s important to balance security priorities with the velocity at which you deliver value to your customers and consider the trade-off between budget and risk. Incorporating the stages and areas of the security model into the service rollout plan ensures that security will be considered and implemented during the development, not just thrown in at the end.
Creating a roadmap for continuous improvement of cloud security is about more than accomplishing security-related tasks. It means incorporating security into your organisation's processes to continually secure business-critical cloud applications against current and future threats.
With a few exceptions, cloud vendors subscribe to a shared security model. While they implement security solutions designed to protect their infrastructure, the enterprise or business is responsible for maintaining the security of its applications, data, and integrations. Typically, this security must stretch far beyond what the vendor provides. This is because the business needs to be able to track and secure many items, including the following:
- Software supply chains
- Configurations of cloud services
- File storage
- Cloud-native applications such as containers and serverless
Because of the complexity of cloud security, automation is important not only to provide auditable consistency but also to create more efficient development environments. Automating repetitive processes allows your organisation to develop and release applications continuously without having to maintain an immediate awareness of each module’s security status. This enables you to spend more time on adding business value. However, you must still ensure the security of those modules.
Another area of automation is automated discovery, which provides a total inventory of your environment and alerts you to items that are not in compliance. Since missing a single patch can open the door for malicious actors, automating discovery is essential.
In addition, automating tasks is important to scale. It allows processes to scale by providing both the speed and resources to handle security with just a few experienced developers, without having to hire more people.
Tips for applying the Security Maturity Model
The Security Maturity Model has nine categories of focus. For each category, the model describes a security stage, as listed below:
- Quick wins
Since each organisation is at a different stage of its security journey, they may be at different stages for each level of the model. Outlined below are a few examples of how the model can be used to your advantage. These examples are just a sampling of where specific parts of the model may assist you. A full review of the model in the context of your organisation's situation should yield more.
Avoid using root unless strictly necessary. Root access provides the keys to the kingdom, so if its security is breached, the door is open to bad actors. Instead, you can create a quick win by moving to a central user repository, which allows you to control and modify access from a platform outside your root directory.
AWS CloudTrail provides you with logs of API calls. It can be set to retain those logs for a period you determine. If there’s a login irregularity, such as an access request denial due to improper credentials, the audit log provides the information you need to track and resolve the issue. This information can include the origin of the requests and whether the call came from a corporate workstation or the web. This information can help uncover a vulnerability. Use cases for CloudTrail include providing information for auditing compliance for regulations such as HIPPA, SOC, and other PCI information.
By recording user activity, CloudTrail can monitor user activity and events, and send data to be analysed and evaluated against security concerns. It can also capture and consolidate user activity and API calls across regions, providing you with an integrated data source for global analysis. AWS recommends setting up separate CloudTrail streams to capture events for each use case.
It’s worth noting, however, that an attacker with access to the root, your Amazon keys, and the console can delete all of this evidence from CloudTrail.
A key concept of access management is the principle of least privilege (PoLP), which provides the minimum necessary access to personnel or software to perform a given task. Security groups provide a way to apply the principle of least privilege to groups of people rather than to individuals, limiting the number of access profiles that you need to manage. It’s also important to update or remove security groups that become obsolete as well as employees who exit the company.
A key to security is prevention. Anticipating vulnerabilities and testing your endpoints against penetration (PenTesting) is a key to cloud security. PenTesting can help you uncover unapplied patches in software or human error in misconfiguring access. An automated PenTesting environment, such as the one provided by Trend Micro, should be integrated into your organisation’s security process to ensure the highest level of protection.
If you’re storing sensitive information as part of your cloud infrastructure, encrypting the data reduces or eliminates its usability by bad actors. While AWS provides data encryption services, you may want to use and manage your own encryption services. Trend Micro offers endpoint encryption services that allow data to be automatically encrypted when it’s moved from an endpoint, such as a laptop, to the cloud. This service provides end-to-end encryption and key management. For more information on this element of the maturity model, see Maturity Model Data Encryption.
The key to implementing any process is having people understand it. While the cloud may be familiar to some of your personnel, it’s still important for them to understand the security issues, potential vulnerabilities, and remediation processes relevant to your specific cloud infrastructure. You need to provide role-based education to train people on the effective security of the cloud.
Ensuring compliance with regulatory requirements can be a time-consuming task. First, a wide variety of compliance regulations require reporting. Second, the data for compliance reporting is often scattered across the cloud. To perform compliance auditing efficiently, you need a system that’s aware of the requirements and capable of integrating all the necessary data.
Important incident response measures are time to detection and time to resolution, and automation can improve both. Automating the processes for monitoring critical applications reduces time to detection by periodically monitoring application activities and sending alerts to the appropriate responders. Time to resolution is enhanced by creating processes that send information to help remediate the situation rather than just informing you that an abnormality has occurred.
To ensure an optimal level of security, your organisation needs to stay one step ahead of bad actors. While this can be a difficult task, one way to accomplish this is to form a red team of individuals with expertise in various security disciplines. The idea of a red team is to examine DevOps from the point of view of the attacker. Are there areas, such as the use of open-source products, or access methods that are vulnerable to attack? Recommendations from your red team can provide you with the breadth of knowledge to strengthen security. This expertise, coupled with knowledge of the application and infrastructure, gives you an advantage over the attacker.
The AWS Security Maturity Model provides a security framework divided into stages of maturity and areas of focus. It links practical actions to establish and maintain all aspects of cloud security. The model provides various entry points depending on your organisation’s maturity.
Cloud vendors provide a variety of cloud-native tools that you can integrate into your processes. Independent software vendors (ISVs) such as Trend Micro provide processes and tools that integrate easily with cloud-native tools and allow you to fulfil your part of the cloud security shared responsibility model, providing a complete security solution for your cloud infrastructure. To see how Trend Micro and cloud-native tools work better together, stop by today.