Cloud Computing Security
Cloud migration brings speed—but also risk. Discover how AWS experts secure virtual networks with encryption, IAM, firewalls, and multi-zone architecture. Learn the secrets to keeping your cloud data safe before the next breach hits.
As many organizations are leveraging cloud-based technologies and migrating their critical data onto the cloud, it becomes even more imperative to have a holistic view of data security on the cloud. Though the major cloud providers offer multiple ways of securing data, using them to your advantage is a big challenge.
Cloud security is a set of policies, strategies, controls, procedures, and practices which are designed to safeguard the data, resources, and applications hosted on the cloud.
From the perspective of Amazon Web Services, the following are best practices for securing a VPC in AWS:
- Subnets to be created in multiple Availability Zones
An availability zone is one or more discrete data centres with redundant power, networking, and connectivity in an AWS region. Using multiple availability zones makes applications highly available, fault-tolerant, and scalable.
- Use of security groups to control the traffic to EC2 instances in your subnets
A security group controls the traffic that is allowed to reach and leave the resources it is associated with. Every VPC comes with a default security group, and you can create additional ones; keeping the number of groups to the minimum needed helps reduce the risk of misconfiguration.
- Inbound access rules to have only specific IP address ranges and protocols
Do not open large port ranges.
- Consider creating network ACLs with rules like your security groups to add an additional layer of security to your VPC.
Network ACL operates at the subnet level, whereas the security group operates at the instance level.
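As an added example (not code from the original article), the following audit applies the two rules above, specific IP ranges only and no large port ranges, to security-group data in the shape returned by `aws ec2 describe-security-groups`. The sample groups, the `MAX_PORT_SPAN` threshold and the `WEB_PORTS` allow-list are constructed assumptions for the demonstration.

```python
import ipaddress

MAX_PORT_SPAN = 10     # assumption: a rule spanning more ports than this is "large"
WEB_PORTS = {80, 443}  # assumption: the only ports allowed open to the world

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output; group ids and CIDRs are placeholders, not real account data.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-bad-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def audit_rule(perm):
    """Return findings for one inbound IpPermissions entry."""
    findings = []
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    # A /0 prefix in either address family means "anyone on the internet".
    world = any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)
    proto = perm["IpProtocol"]
    if proto == "-1":  # "all protocols" rules carry no port range
        return ["all protocols open to the internet"] if world else []
    lo, hi = perm["FromPort"], perm["ToPort"]
    if hi - lo + 1 > MAX_PORT_SPAN:
        findings.append(f"{proto} port range {lo}-{hi} is too wide")
    if world and not (lo == hi and lo in WEB_PORTS):
        findings.append(f"{proto}/{lo}-{hi} open to the internet")
    return findings

def audit_groups(groups):
    """Map GroupId -> findings, listing only groups with at least one."""
    report = {}
    for g in groups:
        found = [f for p in g["IpPermissions"] for f in audit_rule(p)]
        if found:
            report[g["GroupId"]] = found
    return report
```

Feed it the `SecurityGroups` array from the CLI's JSON output to audit a real VPC; the web group passes while the admin group produces three findings.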
- Administrator can securely control the access to AWS resources by using AWS Identity and Access Management (IAM) Service
- Creating policies and attaching them to AWS identities or resources can further provide control over access
- Use VPC flow logs to monitor the IP traffic going to and from a VPC, subnet, or network interface. They give the insight needed for tasks such as diagnosing overly restrictive security group rules, identifying the traffic reaching your instance, and determining its direction on the network interface
- Identify unintended network access to resources in your VPCs using Network Access Analyzer, and use it to understand, verify, and improve your network security posture and compliance
- Verify that your production environment VPCs and development environment VPCs are isolated from one another, and maintain logical separation for systems that handle and process credit card information
- Internet accessibility – Identify resources in your environment that can be accessed from internet gateways and verify that they are limited to only those with a legitimate need to be accessible from the internet
- Use AWS Network Firewall to monitor and perform deep packet inspection on traffic entering or leaving your VPC and protect your VPC by filtering inbound and outbound traffic at the perimeter, including Internet Gateway, NAT Gateway, over VPN, and AWS Direct Connect
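The flow-log analysis described in the list above, as an added example that is not part of the original article: it parses records in the default VPC flow log format, infers direction from whether the destination address lies inside the VPC, and counts rejected inbound flows per source and port (the kind of evidence used to spot an overly restrictive security group rule or unwanted traffic reaching an instance). The log lines, the account id and the `VPC_CIDR` value are constructed sample data.

```python
import ipaddress
from collections import Counter

# Field order of the default VPC flow log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumption: the VPC's range

# Constructed sample records (not from a real account): SSH and RDP probes
# from one address rejected, HTTPS accepted in both directions, one NODATA row.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 41234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 52010 443 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.9 33000 443 6 10 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 41235 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_log(text):
    """Yield one dict per usable record; rows without flow data are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":  # NODATA / SKIPDATA carry no addresses
            continue
        # The default format has no direction field; infer it from whether
        # the destination lies inside the VPC (ingress) or outside (egress).
        dst = ipaddress.ip_address(rec["dstaddr"])
        rec["direction"] = "ingress" if dst in VPC_CIDR else "egress"
        rec["dstport"] = int(rec["dstport"])
        yield rec

def summarize(text):
    """Count flows per (direction, action) and rejected ingress per source+port."""
    totals = Counter()
    rejected_ingress = Counter()
    for rec in parse_flow_log(text):
        totals[(rec["direction"], rec["action"])] += 1
        if rec["direction"] == "ingress" and rec["action"] == "REJECT":
            rejected_ingress[(rec["srcaddr"], rec["dstport"])] += 1
    return totals, rejected_ingress
```

A source that repeatedly appears in `rejected_ingress` on ports you never intended to expose is noise the security group is correctly dropping; a legitimate client appearing there points at a rule that is too restrictive.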
This article was contributed by our expert Ninad Manapure
Frequently Asked Questions Answered by Ninad Manapure
Q1. How do you secure data for cloud transport?
The following are ways in which data can be secured.
Data encryption
Encryption protects your sensitive data from hackers; only the computer you send it to should have the key to decode the data. On the internet, the primary protection mechanism is encryption. Cloud providers use encryption, such as the Advanced Encryption Standard (AES) and the Triple Data Encryption Standard (3DES), to ensure a standard of security in their environments.
- Remote access encryption - SSH provides a secure communications channel for remote access to your Linux instances
- Encryption at the physical layer - All data flowing across AWS regions over the AWS global network is automatically encrypted at the physical layer before it leaves AWS-secured facilities. All traffic between AZs is encrypted
- Encryption provided by Amazon VPC and Transit Gateway cross-Region peering - All cross-Region traffic that uses Amazon VPC and transit gateway peering is automatically bulk-encrypted when it exits a region
- Encryption between instances - AWS provides secure and private connectivity between EC2 instances of all types
VPN (Virtual Private Network)
A virtual private network (VPN) is one way to secure data while it is being transported in a cloud.
Firewall
A firewall acts as a barrier between the public and private networks.
Q2. What are the technologies for data security in cloud computing?
Protecting data in the cloud is similar to safeguarding data within a traditional data center. Authentication and identity, access control, encryption, secure deletion, integrity checking, and data masking are all data protection methods applicable in cloud computing.
Data access
Security teams control data access through identity and access management (IAM), which helps safeguard data assets through authentication and authorization processes.
Firewalls
A firewall is the initial security layer in a system. It is designed to keep unauthorized sources from accessing enterprise data. A firewall serves as an intermediary between a personal or enterprise network and the public internet.
Data encryption
A standard security feature cloud service providers offer, data encryption uses mathematical encoding to prevent unauthorized access to information. While data encryption is ubiquitous, not all providers offer the same level of encryption services.
Data deletion
An integral part of data security is properly disposing of sensitive but no longer essential data. Data of this nature can pose a substantial organizational risk if allowed to persist indefinitely within cloud data stores, creating unnecessary liability.
Data recovery
Robust data recovery processes are yet another pillar of data security in the cloud. Data loss can occur for unforeseen reasons, making it essential to continuously back up every system that relies on cloud-based applications.
Q3. What is the security associated with VPC?
Infrastructure security in VPC
- Use of separate VPCs to isolate infrastructure by workload or organizational entity
- A subnet is a range of IP addresses in a VPC. Use subnets to isolate the tiers of application (for example, web, application, and database) within a single VPC. Use private subnets for your instances if they should not be accessed directly from the internet
- Restrict access within subnets by controlling traffic to resources with security groups
- Configure VPC subnet route tables with the minimal required network routes
- Use a virtual private network (VPN) or AWS Direct Connect to establish private connections from your remote networks to your VPCs
Identity and access management for Amazon VPC
- AWS Identity and Access Management (IAM) is an AWS service that helps administrators securely control access to AWS resources
- Control traffic to resources using security groups
- A security group controls the traffic that is allowed to reach and leave the VPC resources it is associated with
Resilience in Amazon Virtual Private Cloud
- AWS Regions provide multiple physically separated and isolated Availability Zones connected with low-latency, high-throughput, and highly redundant networking. With availability zones, you can design and operate applications and databases that automatically fail over between zones without interruption.
Compliance validation for Amazon Virtual Private Cloud
- Third-party auditors assess the security and compliance of AWS services as part of multiple compliance programs, such as SOC, PCI, FedRAMP, and HIPAA.
Configuration and vulnerability analysis in Virtual Private Cloud
- Patching client applications with the relevant client-side dependencies
- Conducting penetration testing for NAT gateways and EC2 instances