Top 5 Q&A: Security in the Cloud: Do’s and Don’ts

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

We have collected and summarized some of the top questions we received from our TECH Talk webinar, “Security in the Cloud: Do’s and Don’ts”.

For more information on this topic watch the full webinar here.

1) Are you more, or less secure, because of using the cloud?

At a high level, you can be less secure if you take an existing infrastructure and migrate it like-for-like to the cloud, i.e. “lift and shift”. However, you can arguably be more secure if you refactor the environment as you migrate it, or otherwise design your cloud infrastructure to take advantage of the prevention, detection and response solutions available as part of the cloud platform.

2) What kind of AWS (Amazon Web Services) reviews should I be conducting?

Make sure to conduct holistic reviews of your environment, as opposed to looking at individual items. It is very important that whoever reviews your AWS accounts checks not only for specific issues, but also understands the system as a whole and can make recommendations that improve the overall security posture of the account and the systems deployed in it.

Running a checklist is not usually an adequate process for performing a review, so be wary of relying on fully automated tools alone. A good starting point is AWS Inspector, which runs an agent locally on servers and assesses them against best-practice rulesets. Supplement your AWS reviews with open source tools such as Scout2 and Prowler.

3) What are best practices to manage AWS root accounts?

The AWS root account should only be used during the initial account setup. Once setup is complete, enable multi-factor authentication on the root account and rotate the root account password regularly. Any root access key ID and secret access key pairs should be deleted, as they grant unrestricted access to the entire AWS account.
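One way to verify these three practices on an account, added here as an example rather than code from the webinar: the script below parses an IAM credential report (a constructed sample is embedded so it runs offline) and flags a root account with MFA disabled, active access keys, or a password older than a chosen threshold. The `fetch_live_report` helper assumes boto3 is installed and AWS credentials are configured.

```python
import csv
import io
import time
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an IAM credential report (only the
# columns this check reads; real reports carry more). The second row is an
# ordinary IAM user and is ignored by the root check.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2017-03-01T09:00:00+00:00,not_supported,2018-05-30T08:12:00+00:00,2017-03-01T09:00:00+00:00,not_supported,false,true,2017-03-01T09:05:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2018-01-10T12:00:00+00:00,true,2018-06-01T10:00:00+00:00,2018-05-01T12:00:00+00:00,2018-07-30T12:00:00+00:00,true,true,2018-05-01T12:00:00+00:00,false,N/A
"""


def root_findings(report_csv, now, max_password_age_days=90):
    """Return a list of findings for the <root_account> row; empty means clean."""
    rows = {r["user"]: r for r in csv.DictReader(io.StringIO(report_csv))}
    root = rows.get("<root_account>")
    if root is None:
        return ["no <root_account> row in credential report"]
    findings = []
    if root["mfa_active"] != "true":
        findings.append("root MFA is not enabled")
    for key in ("access_key_1", "access_key_2"):
        if root[f"{key}_active"] == "true":
            findings.append(f"root {key} is active; delete it")
    # The report stores ISO-8601 timestamps with a UTC offset.
    changed = datetime.fromisoformat(root["password_last_changed"])
    age = now - changed
    if age > timedelta(days=max_password_age_days):
        findings.append(f"root password last changed {age.days} days ago")
    return findings


def fetch_live_report():
    """Pull the real report with boto3 (assumes configured AWS credentials)."""
    import boto3  # imported here so the offline sample runs without boto3
    iam = boto3.client("iam")
    # Report generation is asynchronous; poll until AWS reports it complete.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    now = datetime(2018, 6, 1, 12, tzinfo=timezone.utc)  # fixed clock for the sample
    for finding in root_findings(SAMPLE_REPORT, now):
        print("FINDING:", finding)
```

Swap `SAMPLE_REPORT` for `fetch_live_report()` and `now` for `datetime.now(timezone.utc)` to run it against a real account.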

Additionally, you should be aware of the advanced monitoring solutions AWS provides, such as Macie and GuardDuty, as well as open source projects such as StreamAlert by Airbnb.

4) Are there AWS standards and best practices my system administrators and/or security team should be aware of?

The CIS benchmarks contain a wealth of information for configuring Amazon Linux AMI images and your Amazon Web Services environment. Similar benchmarks are also available for Microsoft Azure cloud environments.

5) How can I comply with GDPR in the Cloud using AWS?

Amazon Web Services (AWS) has put a lot of effort into the GDPR readiness of its underlying platforms, including CISPE Code of Conduct compliance for the main AWS services, security certifications, and technologies that can be used to secure data in the environment. Several of these were mentioned in our TECH Talk, along with agreements such as a GDPR-ready Data Processing Agreement and Model Clauses for processing information outside of the EU.
