As businesses consider migrating their on-premises applications to the Cloud, data security is a critical concern. Can a cloud provider offer the same or better level of data security as a business provides in its own data center? What services are available to defend against the financial and reputational damage of a data breach?
In answer to these questions, cloud providers like Amazon offer a full range of services to manage data security in the Cloud. From infrastructure hardening to threat detection, AWS provides comprehensive services to maximize data security in cloud computing environments. An overview of several major services can help to understand the AWS approach and build confidence in migrating data and applications to AWS.
AWS addresses data security in cloud computing at four levels—encryption, infrastructure, access, and monitoring—to ensure your data is secure, grant access only to authorized people, and monitor for security threats.
Encryption
Encryption is the foundation for data security at-rest and in-transit. AWS supports encryption across the storage and database services it offers and supports, including Simple Storage Service (S3), DynamoDB, DocumentDB, Elastic File System (EFS), Elastic Map Reduce (EMR), Elastic Block Store (EBS), Glacier, Oracle RDS, SQL Server RDS, and Redshift.
AWS provides two options to manage the encryption keys that secure data. AWS Key Management Service (KMS) supports the full encryption key lifecycle, giving you the option of having AWS manage the encryption keys or letting you have complete control over your keys. An alternative, AWS CloudHSM provides the widely-used dedicated hardware security module option for cryptographic key management for businesses that require FIPS 140-2 Level 3 certification to meet compliance requirements.
Infrastructure
Network infrastructure is the foundation for secure data transmission in the Cloud. AWS protects data with network firewalls built into Amazon Virtual Private Cloud (VPC), as well as Web Application Firewall (AWS WAF) capabilities which help mitigate common attack vectors, denial of service attacks and known bad actors aimed at your publicly exposed resources for an added level of security.
AWS also offers private dedicated connections between AWS VPC and on-premises resources to bypass less secure Internet routing. Data traffic is automatically encrypted across the AWS global and regional networks that link AWS data centers.
Access
Authorized access to data and applications is an equally critical factor in establishing and maintaining data security in cloud environments. AWS provides capabilities that make it easy to centrally establish and maintain access rights across many of the AWS services with the following capabilities:
- Simplify the creation and management of accounts and access rights using AWS Directory Service to integrate and federate with existing corporate directories.
- Define individual user accounts, services roles and their specific permissions across AWS resources with Identity and Access Management (IAM).
- Extensive API integration to support access rights for existing customer applications or services.
- Multi-factor authentication for user accounts, including support for hardware-based authenticators.
AWS eases the process of data migration to the Cloud by allowing an enterprise to use existing corporate directories, providing a means to centrally manage individual access and enabling developers to integrate existing applications with AWS features and services.
Monitoring
Even with data securely encrypted and traffic protected by robust network architectures enterprises face continuing threats of data breaches, DDOS threats, and a multitude of attempts to disrupt operations and access confidential data. AWS provides visibility into your workload with Amazon CloudWatch to monitor infrastructure and applications, alert when specific events occur or thresholds are exceeded, and take automated actions. CloudWatch gathers logs, performance metrics, and event data and presents a unified view of AWS resources and the applications and services running on AWS as well as on-premises servers.
AWS CloudTrail provides insight into who is taking actions and how an AWS account is being used. Specifically, AWS CloudTrail maintains an event history of account activity for all AWS services and actions. This record can be used for security analysis in support of compliance, risk, and governance requirements.
Amazon GuardDuty applies machine learning, anomaly detection, and threat recognition to analyze billions of events across AWS data sources, including DNS logs, AWS VPC flow logs, and AWS CloudTrail. It continuously looks for malicious or unauthorized activities to protect AWS accounts and workloads against security threats
An Enterprise’s Next Step in Ensuring Data Security in Cloud Computing
Although Amazon provides a wide range of services to ensure your data’s security at the levels of encryption, infrastructure, access, and monitoring, enterprises making their move into cloud computing can benefit greatly from the guidance of an AWS Consulting Partner who has already helped hundreds of companies make the transition. An AWS consulting partner can:
- Apply the AWS Well-Architected Framework to help you create a secure, high-performance infrastructure for your data and applications.
- Determine which AWS storage and database services best meet your data needs and select the appropriate encryption key management services for each.
- With the expertise of AWS Certified engineers, design and implement a data migration plan to compress your timeline, reduce downtime, and ensure data security in the AWS Cloud.
- Use existing directory services to accelerate your migration to the Cloud and minimize administrative overhead.
- Implement the right architecture, databases, encryption key method, and access authorizations in support of compliance requirements such as HIPAA, GDPR, and PCI DSS. An AWS Consulting Partner can provide services that further enhance the security provided by AWS. A Security Information and Event Management (SIEM) solution combines host-based intrusion detection, log monitoring, and security incident management to provide immediate alerts, a dashboard view of events, and advanced analytics to obtain deeper insight into security threats and develop appropriate responses. With the combination of AWS security services and expert guidance from an AWS Consulting Partner, a business can confidently plan and implement a migration to the Cloud and be confident of data security in cloud computing.
