Data Security in the AWS Cloud
Key Keeper

Lead Image © Kirill Makarov, 123RF.com
As a cloud market leader, Amazon Web Services has had to put a great deal of thought into data security. Encryption options and key management play an important role.
You've probably seen T-shirts emblazoned with "There is no cloud; it's just someone else's computer." This skepticism results from the management policy of quickly outsourcing as many IT services as possible, with the sole focus on efficiency and cost savings. As a result, data security becomes a secondary feature that the shrinking IT department must somehow guarantee.
Admins who simply run their applications in the cloud run the financially significant risk of violating the General Data Protection Regulation (GDPR), for example, if they store unprotected personal data on servers outside the European Union. However, the online bank N26, which runs entirely in Amazon Web Services (AWS), has passed an audit by the German regulator BaFin in this respect, showing that it is feasible to operate cloud services in compliance with strict rules.
In addition to the choice of the run-time environment (configured as the "region" on AWS and other cloud providers), there are several options for encrypting data for cloud storage. At the last AWS Summit in Berlin, the CTO of AWS, Werner Vogels, wore a T-shirt that advocated "Encrypt Everything." If encryption is the answer, then who has access to the keys, and where are they kept?
Who Can Do What?
The first question for data security in the cloud concerns read and write permissions. This issue raises its head whenever you deploy any type of IT service and starts with user management. Weaving a complex structure of authorizations that define which user can access which data, servers, and other resources can be a Sisyphean task, with changes occurring constantly in IT operations.
The sheer number of possible permissions from which admins can assemble roles and services is far greater in a cloud like AWS. Finding the permissions you need for a particular cloud service to work without allowing too much is never going to be trivial. The complexity of the task can drive admins to distraction, prompting them to press "Allow everything" and thus release confidential customer data in an openly accessible Amazon Simple Storage Service (S3) bucket (Amazon's object store). Although this is inexcusable, it is something that you can at least empathize with from personal experience.
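To make the "Allow everything" failure concrete, here is an added example of my own (it is not code from the article, nor an AWS tool): three constructed S3 bucket policy documents and a small checker that flags Allow statements whose principal is everyone. The bucket ARN, account ID, and role name are made up; `aws:SecureTransport` is a real IAM condition key, used here to refuse unencrypted transfers. The function `find_public_grants` is a hypothetical helper that separates a legitimate public-read website policy from a public-write policy of the kind that leaks customer data.

```python
"""Flag S3 bucket policy statements that grant access to everyone.

Added example, not from the article. The policy documents are constructed
samples; find_public_grants is a hypothetical helper, not an AWS API.
"""
import json

# Constructed resource ARNs for a fictitious bucket.
BUCKET = "arn:aws:s3:::example-customer-data"
OBJECTS = BUCKET + "/*"

# The "Allow everything" policy: anyone on the Internet may read, write,
# and delete every object in the bucket.
OPEN_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEverything",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [BUCKET, OBJECTS],
    }],
})

# A public website bucket: everyone may read objects, nothing more.
PUBLIC_WEBSITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": OBJECTS,
    }],
})

# Least privilege: one IAM role (constructed account ID and role name) gets
# read-only access, and any request not sent over TLS is refused.
RESTRICTED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OrderProcessingReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/order-processing"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [BUCKET, OBJECTS],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET, OBJECTS],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, which IAM treats as equivalent."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _is_write_action(action):
    """Treat s3:* and the Put/Delete/Restore/Abort families as write access."""
    name = action.split(":", 1)[-1].lower()
    return name == "*" or name.startswith(("put", "delete", "restore", "abort"))


def find_public_grants(policy_json):
    """Return one finding per Allow statement open to everyone.

    Deny statements with Principal "*" are not findings: they restrict access.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anyone(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        severity = "public-write" if any(_is_write_action(a) for a in actions) else "public-read"
        findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                         "severity": severity, "actions": actions})
    return findings


if __name__ == "__main__":
    for label, doc in [("open", OPEN_BUCKET_POLICY),
                       ("website", PUBLIC_WEBSITE_POLICY),
                       ("restricted", RESTRICTED_BUCKET_POLICY)]:
        print(label, find_public_grants(doc))
```

The checker reports the open bucket as public-write and the website bucket as public-read, and finds nothing in the restricted policy, because its only wildcard-principal statement is a Deny. Whether public-read is acceptable is a judgment call about the data (a marketing site, yes; a salary table, no), which is why the finding carries the action list rather than a verdict.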
Data protection to and from the cloud, and on internal transfer paths between services, is another consideration. Many admins will suggest enabling TLS. But in practice, the success of the project often depends on where the certificates originate.
While a multitude of AWS services are affected by access controls, I have limited this article to two basic AWS services: the S3 object store and the Elastic Compute Cloud (EC2) virtual machine (VM) service. Additionally, I will look at AWS key management, as well as a few aspects of Identity and Access Management (IAM), which distributes users and their rights.
Trinity
The confidentiality, integrity, and availability (CIA) triad plays an important role in determining data security. Confidentiality (C) means that only authorized users see the data content. For a public web page, the group of authorized readers will often be everyone.
Integrity (I) means that only authorized users can modify the data. Where applicable, this means that some of the authorized users are only able to change a certain dataset within defined value ranges. A bank employee, for example, can only transfer money to accounts per customer request, instead of at will.
Availability (A) pertains to how data is maintained and stored. If all the important corporate data is on a single hard disk without a backup, and the disk bites the dust, then the data is no longer available.
Protection from Whom?
When it comes to protection against unauthorized read (C) and write (I) access to the data in the cloud, admins need to determine who has access to which data. There is public access via the Internet, plus a small group of users with different authorization levels (i.e., order processing does not need access to human resources' salary tables).
Since the whole thing runs on a third-party infrastructure, you also need to consider protection from the cloud provider's employees, as well as access controls for the in-house administrators who manage the systems. This is particularly relevant for personal data, such as salary tables.
Availability is something that AWS customers can typically assume to be a given. With S3, for example, the user would have to actively disable high availability to voluntarily suffer from data loss in the event of a crash. In addition, the object store supports versioning so that the customer can revert to older versions in the event of problems.