What does security mean to you? Everyone wants to feel safe, but that feeling looks different in every area of life. Today we will talk about security in cloud computing. The topic stirs up plenty of controversy and argument, not only in face-to-face conversations but also on social media. The disagreement usually comes down to two questions: who bears responsibility for what, and whether cloud providers really follow all the security rules they promise.
As an Amazon Web Services partner, we will focus on how that cloud provider defines security.
To ensure the highest possible level of security, AWS follows many rules. In its materials, AWS stresses that security is not only the provider's job but also the customer's, which it calls the shared responsibility model. What does this term mean? The cloud provider is responsible for security OF the cloud (the data centers, hardware, network and the software that runs the services), and the customer is responsible for security IN the cloud (everything the customer deploys, configures and stores on top of it). On the surface the two phrases sound similar and many people miss the difference. In practice the differences are considerable, and you can read about them in one of our previous articles. (link)
AWS's responsibility is to secure the physical data centers, maintain the underlying infrastructure, and keep customers isolated from one another at the virtualization level. It is also responsible for the quality of its managed services, including patching the database engines behind them and protecting the data they hold, in services such as Redshift, DynamoDB and Elastic MapReduce.
AWS customers are responsible for using those services safely. First and foremost that means correct configuration: identity and access management, network rules, encryption settings, and building servers with a clear understanding of what they expose, so that confidential information does not leak through an unintended path. There is a reason the three deployment models exist, public, private and hybrid cloud: each serves a different purpose, and customers should choose and use them deliberately.
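The "security in the cloud" half of the model is mostly about configuration the customer owns. As an added example (not part of this article's original material, and not an AWS tool), the following Python script runs a handful of customer-side checks over a constructed account snapshot shaped like the AWS API responses for S3 bucket policies, S3 Block Public Access settings and EC2 security group ingress rules. The bucket names, account ID and security group IDs are made up; in practice you would fetch the same data with boto3 and feed it to the same functions.

```python
"""Constructed example: customer-side AWS configuration checks.
Added for this article; not AWS code. Snapshot data below is made up."""
import ipaddress
from dataclasses import dataclass
from typing import Any

ADMIN_PORTS = {22, 3389}                 # SSH and RDP
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


@dataclass
class Finding:
    resource: str
    check: str
    severity: str
    detail: str


def _principal_is_anyone(principal: Any) -> bool:
    """True for the anonymous principal: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_bucket(bucket: dict) -> list[Finding]:
    """Public policy, Block Public Access and default encryption on one bucket."""
    out, name = [], bucket["name"]
    for stmt in bucket.get("policy", {}).get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_anyone(stmt.get("Principal"))
                and not stmt.get("Condition")):     # unconditional public grant
            out.append(Finding(name, "s3-public-policy", "CRITICAL",
                               f"{stmt.get('Sid', '?')} grants {stmt.get('Action')} to everyone"))
    pab = bucket.get("public_access_block", {})
    if not all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                    "BlockPublicPolicy", "RestrictPublicBuckets")):
        out.append(Finding(name, "s3-block-public-access", "HIGH",
                           "Block Public Access is not fully enabled"))
    if not bucket.get("default_encryption"):
        out.append(Finding(name, "s3-default-encryption", "MEDIUM",
                           "no default server-side encryption"))
    return out


def _rule_covers(rule: dict, port: int) -> bool:
    if rule.get("IpProtocol") == "-1":   # "all traffic" rules carry no port range
        return True
    return rule["FromPort"] <= port <= rule["ToPort"]


def check_security_group(sg: dict) -> list[Finding]:
    """Admin ports reachable from the whole internet (0.0.0.0/0 or ::/0)."""
    out = []
    for rule in sg.get("ingress", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr).prefixlen != 0:
                continue                     # a real range, not "anyone"
            hit = sorted(p for p in ADMIN_PORTS if _rule_covers(rule, p))
            if hit:
                out.append(Finding(sg["id"], "sg-admin-port-world-open", "CRITICAL",
                                   f"ports {hit} open from {cidr}"))
    return out


def run_checks(snapshot: dict) -> list[Finding]:
    """All findings for the account, most severe first."""
    findings = [f for b in snapshot.get("buckets", []) for f in check_bucket(b)]
    findings += [f for sg in snapshot.get("security_groups", []) for f in check_security_group(sg)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.resource))


# Constructed snapshot: one misconfigured bucket, one sound bucket, two groups.
SAMPLE_SNAPSHOT = {
    "buckets": [
        {"name": "example-reports-public",
         "policy": {"Statement": [{"Sid": "ReadAll", "Effect": "Allow", "Principal": "*",
                                   "Action": "s3:GetObject",
                                   "Resource": "arn:aws:s3:::example-reports-public/*"}]},
         "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                 "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
         "default_encryption": None},
        {"name": "example-backups",
         "policy": {"Statement": [{"Sid": "Backup", "Effect": "Allow",
                                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
                                   "Action": "s3:PutObject",
                                   "Resource": "arn:aws:s3:::example-backups/*"}]},
         "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
         "default_encryption": "aws:kms"},
    ],
    "security_groups": [
        {"id": "sg-0000bastion", "ingress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"id": "sg-0000web", "ingress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                                         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    ],
}

if __name__ == "__main__":
    for f in run_checks(SAMPLE_SNAPSHOT):
        print(f"{f.severity:8} {f.resource:24} {f.check}: {f.detail}")
```

Note that none of these findings would be fixed by AWS: a world-readable bucket policy or an SSH port open to 0.0.0.0/0 is a valid configuration from the platform's point of view, which is exactly why it falls on the customer's side of the model.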
Processing data in cloud infrastructure raises many questions. The main one is: isn't it safer to keep a local server room next to the company's headquarters than to use virtual machines and store data in a region hundreds of kilometers away? Before answering, it is worth asking why Amazon Web Services has spread its data centers around the world, and why every region is split into at least two isolated groups of data centers, the so-called Availability Zones. Let us help you answer that question.
Regions, and the zones within them, are placed far enough apart that each zone has its own power, cooling and network connectivity and is unlikely to be hit by the same natural disaster, yet close enough together that data can be replicated between zones in an emergency with no interruption to service. This layout gives you not only very high durability for your databases but also strong resilience against uncontrollable human factors. Data protection is a priority for any cloud provider. The map below shows the distribution of regions: orange markers are existing regions, green markers are regions under construction, and the number in each circle is the count of Availability Zones in that region where your data can be stored.
The choice of region is entirely up to the customer. As a prospective cloud customer you can weigh several factors: price, latency (the distance between your users and the region), and which services are available there.
For some, the insurmountable obstacle is not being able to see the servers. With your own server room you can walk in and look at the big machines that hold your resources. When you migrate to the cloud you cannot see them. They are not "lost in space," however: everything lands in the region you chose. Can you imagine every cloud customer wanting to visit the data center of their choice and look around? It would introduce chaos, and your security would be seriously compromised.
AWS data centers are protected not only by numerous burglary, fire and flood protection systems but also by trained security staff. Even AWS employees have no access to the server halls by default. When entry is necessary, every entry is documented and the employee is escorted inside by security. Are your company's server rooms protected this way? Does really nobody have access to them, with security guards watching 24 hours a day, all year round?
Not so long ago every entrepreneur got chills at the word "RODO" (the Polish name for the GDPR): complicated procedures that made many give up on their ideas. Is it the same for the cloud? Should we give up the cloud because the GDPR objects to it? Fortunately, the answer to both questions is no.
Amazon Web Services commits to operating its cloud in line with the European regulation. Acting as a data processor, the company applies technical and organizational measures to protect personal data as the GDPR requires. Processing can be encrypted, monitored and access-controlled, and AWS offers services and features that help customers meet their own GDPR obligations, for example a data processing addendum, encryption and key management, and logging of access to data.
Even a data center located outside the European Union need not be a problem. AWS was certified under the EU-US Privacy Shield, a framework that governed commercial transfers of personal data between the European Union and the United States and set out how participating companies must protect and process that data. One caveat: the Court of Justice of the EU invalidated Privacy Shield in July 2020 (the Schrems II judgment), and transfers have since relied on Standard Contractual Clauses and, from 2023, the EU-US Data Privacy Framework, so check the currently valid transfer mechanism before placing personal data in a non-EU region.
Storing data in the cloud, just like on shared hosting, a VPS or a dedicated server, carries some risk, and one of the most visible is the DDoS attack. Attackers' skills have grown along with the technology. Despite many safeguards, our resources can always be under the shadow of a threat.
How does AWS protect its users from DDoS attacks?
Every AWS customer is covered by AWS Shield, which defends applications running in the cloud at the network edge. Taking advantage of this DDoS protection does not require any action from the AWS team: mitigations are applied automatically, minimizing added latency and downtime for your services. The service comes in two tiers, Standard and Advanced.
AWS Shield Standard is included at no extra charge and works automatically. It protects against the most common network- and transport-layer (layer 3 and 4) DDoS attacks aimed at a website or application. Combined with Amazon Route 53 and Amazon CloudFront, AWS states that it gives comprehensive availability protection against all known infrastructure (layer 3 and 4) attacks.
The second tier, Advanced, is available for applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53. It adds detection and mitigation of large and sophisticated DDoS attacks and real-time visibility into attacks as they happen. A further benefit of the paid tier is 24/7 access to the AWS Shield Response Team, formerly known as the DDoS Response Team.
As described above, AWS is built so that your data does not simply vanish. There are, however, additional safeguards you can use to protect yourself even further. One of them, prepared by Amazon, is AWS Security Hub. The service gives you a single dashboard where you can review all alerts and problems found across all of your AWS accounts. It aggregates findings from AWS services and from partner security tools, from firewalls and endpoint protection to vulnerability scanners and compliance scanners. This breadth keeps your security posture visible even when dozens of people work in your AWS accounts. It makes the work easier because every problem, regardless of which account it occurred in, lands in one panel with a severity assigned. According to AWS, the solution has three main benefits. First, it saves time. Second, you get an overview of what is happening in your accounts and can react quickly. Third, it can run automated configuration checks against security standards such as the CIS AWS Foundations Benchmark.
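To make the "one panel across all accounts" idea concrete, here is an added example (our own illustration for this article, not Security Hub code) of the triage logic such a dashboard performs. It works on a handful of fields from the AWS Security Finding Format (ASFF) that Security Hub uses: `Id`, `AwsAccountId`, `ProductName`, `Title`, `Severity.Label`, `Resources[].Id`, `Workflow.Status`, `RecordState` and `UpdatedAt`. The findings, account IDs and product names below are constructed sample data; the helper `_f` only builds them.

```python
"""Constructed example: cross-account finding triage in the style of the
Security Hub dashboard. Added for this article; not Security Hub code."""
from collections import Counter

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}


def latest_state(findings):
    """ASFF findings keep the same Id across updates (BatchImportFindings
    with an existing Id replaces it), so keep only the newest record per Id."""
    newest = {}
    for f in findings:
        cur = newest.get(f["Id"])
        if cur is None or f["UpdatedAt"] > cur["UpdatedAt"]:   # same ISO-8601 format
            newest[f["Id"]] = f
    return list(newest.values())


def open_findings(findings):
    """Active findings that nobody has resolved or suppressed yet."""
    return [f for f in latest_state(findings)
            if f["RecordState"] == "ACTIVE"
            and f["Workflow"]["Status"] not in ("RESOLVED", "SUPPRESSED")]


def prioritized(findings):
    """One queue across all accounts, most severe first: what the panel shows."""
    return sorted(open_findings(findings),
                  key=lambda f: (SEVERITY_ORDER[f["Severity"]["Label"]],
                                 f["AwsAccountId"], f["Title"]))


def counts(findings):
    """Open findings per account and per severity, like the dashboard tiles."""
    op = open_findings(findings)
    return (dict(Counter(f["AwsAccountId"] for f in op)),
            dict(Counter(f["Severity"]["Label"] for f in op)))


def _f(id_, acct, product, title, sev, res, status="NEW", state="ACTIVE",
       updated="2024-01-01T00:00:00Z"):
    """Build a minimal ASFF-shaped record (constructed sample data)."""
    return {"Id": id_, "AwsAccountId": acct, "ProductName": product, "Title": title,
            "Severity": {"Label": sev}, "Resources": [{"Id": res}],
            "Workflow": {"Status": status}, "RecordState": state, "UpdatedAt": updated}


# Two made-up accounts; the GuardDuty finding is later resolved, the Config
# finding is archived, and one informational finding was suppressed by an analyst.
SAMPLE_FINDINGS = [
    _f("gd-1", "111111111111", "GuardDuty", "Anomalous API calls from IAM user",
       "CRITICAL", "arn:aws:iam::111111111111:user/deploy"),
    _f("cis-1", "111111111111", "Security Hub", "Hardware MFA not enabled for root user",
       "HIGH", "AWS::::Account:111111111111"),
    _f("sup-1", "111111111111", "Security Hub", "Unused security group",
       "INFORMATIONAL", "sg-0000unused", status="SUPPRESSED"),
    _f("insp-1", "222222222222", "Inspector", "Outdated OpenSSL package on instance",
       "MEDIUM", "i-0000web01"),
    _f("cfg-1", "222222222222", "Config", "S3 bucket versioning disabled",
       "LOW", "arn:aws:s3:::example-logs", state="ARCHIVED"),
    _f("fw-1", "222222222222", "Partner firewall", "Port scan blocked",
       "LOW", "i-0000web01"),
    # Update to gd-1 arriving a day later: the incident was closed.
    _f("gd-1", "111111111111", "GuardDuty", "Anomalous API calls from IAM user",
       "CRITICAL", "arn:aws:iam::111111111111:user/deploy",
       status="RESOLVED", updated="2024-01-02T00:00:00Z"),
]

if __name__ == "__main__":
    for f in prioritized(SAMPLE_FINDINGS):
        print(f"{f['Severity']['Label']:8} {f['AwsAccountId']} {f['ProductName']:16} {f['Title']}")
    print(counts(SAMPLE_FINDINGS))
```

The point of `latest_state` is the one that bites in practice: a finding's severity never changes by itself, but its workflow state does, and if you sort raw records without collapsing updates you will keep paging an incident that was closed yesterday.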
Despite many warnings, Internet users are not always careful. They often downplay security and assume the provider of the chosen service is responsible for everything. As mentioned earlier, AWS stresses that "responsibility is shared." As a result, if the mistake is on your side, for example you had no backup, you cannot expect that the lost data will be restored, that it will not fall into the wrong hands, or that you will be compensated for your losses. It is worth knowing which elements to keep an eye on to keep your cloud security at a very high level. Here are some tips prepared especially for you:
And what’s your opinion on cloud security?