20 Security Pros Reveal the One Thing They’d Change About AWS Security
AWS is one of the most popular cloud platforms among enterprises and even SMBs, and for good reason: The service is robust, with a variety of features and functionality to make management seamless. But managing an AWS environment still requires a good deal of technical expertise. What’s more, while AWS provides a multitude of options for securing your cloud environment, it’s not perfect, nor does it (or any cloud provider) promise complete, end-to-end security for your infrastructure, applications, and data — and users are responsible for filling in the gaps.
That is, of course, where Threat Stack comes into play, enabling you to secure your cloud infrastructure, as well as your cloud workloads, both at speed and at scale. To gain some insight into where AWS falls short and what users need to know to fully secure their cloud environment, we reached out to a panel of security pros and asked them to answer this question:
“If you could wave a magic wand and change one thing about AWS security what would it be?”
Meet Our Panel of Security Pros:
Read on to learn what our experts had to say about what they wish they could change about AWS security.
Pete Cheslock is VP Technical Operations at Threat Stack.
NOTE: The following information is excerpted from The Top 7 AWS Security Issues: What You Need to Know via Threat Stack.
“Concerns about compliance in the cloud echo loudly from both large and small companies alike in highly regulated industries…”
While cloud providers like AWS do provide companies with a certain level of protection, they simply can’t cover every aspect of compliance.
AWS can (and does) offer protections such as encryption of PII, both at rest and in flight, but it doesn’t continuously monitor data for anomalous behavior, provide host-level insights that can get to the root of the problem, and so on. Yet it’s not an easy task to figure out where AWS’s compliance features end and where another solution needs to come into play to fill in the gaps. Facing a lack of time and patience to piece the puzzle together, some companies opt for the status quo by sticking with their on-premise (yet outdated) solution.
That’s too bad, because there’s no need to throw the baby out with the bathwater. Moving to the cloud is the smart choice for companies that want to stay competitive in today’s world, and there are plenty of cloud security providers like Threat Stack that can help you meet your compliance obligations.
Lindsey Havens is the Senior Marketing Manager at PhishLabs with over 10 years’ of experience in Marketing, Communications, Public Relations, Lead Nurturing/Generation, and Analytics. With a unique blend of marketing and communications experience coupled with a background in behavioral and situational analysis, she bring metrics-driven results and the ability to focus sales and marketing efforts in a direction that offers the highest potential for long-term, sustainable growth.
“One way to get more out of AWS Security is to…”
Familiarize yourself with AWS’s shared responsibility security model. Amazon, like many other cloud providers, operates under a shared responsibility model. That means that they make platform security within their infrastructure a priority in order to protect customers’ critical information and applications. Amazon detects fraud and abuse, and then notifies customers with the information. However, the customer still needs to ensure that their AWS environment is configured securely, and that the data is not shared with the wrong people.
Gregory Morawietz is the VP of Operations at Single Point of Contact. He is a IT Security Specialist with over twenty years’ of network and security experience. He has worked with hundreds of firms on improving IT environments, consulting, and integrating technology for the enterprise network.
“If a magic wand can be waved and a security issue can be addressed…”
I would want there to be some kind of collaboration or correlation between attackers and the reason they attack and the security provided by AWS. There is not a granular or obvious attack scheme or type that you can see. Who is attacking, from where, and what are they preying on? Did a bot from China scan your network? Did a Russian script get run against your website? So, I’d like to see more visibility into the background of what threats there are and where they are coming from.
Jamie Shields is the CTO at Flaunt Digital. He’s a full stack web developer, Zend and Oracle certified, with over 7 years’ experience working within technology startups and award-winning digital marketing agencies.
“The one thing I would change about AWS security would be to…”
Provide a cost incentive to enabling two-factor authentication (2FA) on your root account. MailChimp does this (10% savings!), and it’s great to see a business value being put directly against a security measure like this. It’s so easy to enable this added layer of security and it hardens your account a lot more than a password ever can.
In my opinion, any online accounts you can log into which can spend money on your behalf should have 2FA. In the case of AWS, there is also a huge data privacy concern with not securing your account properly, as any authorized user could gain access to any of your cloud resources. Promoting 2FA will also help prevent account sharing, which is very important for compliance in terms of building an identifiable user audit trail using AWS’s fantastic CloudTrail service.
Tyler Riddell is Vice President of Marketing at eSUB Construction Software with over 15 years’ of experience in Marketing, Product Management, Advertising, and Public Relations. He has a proven track record for successful go-to-market and corporate communication programs in multiple vertical tech markets.
“One area of AWS Security that needs to be taken into consideration is configuration…”
That’s why it’s important to fully understand and examine configuration states and adherence to policy representations. This will aid in conforming to the intellectual core of most forms of regulatory compliance in regard to security risks.
Sherry Wei quit her job at Huawei in 2013 to bootstrap Aviatrix Systems. The company’s hybrid cloud solution extends the enterprise datacenter to AWS without touching the underlying network infrastructure. Prior to Huawei, Sherry worked at Cisco for 13 years. She holds a Ph.D. in EECS from Purdue University.
“It’s important to appreciate that…”
While Amazon says it has a shared security model, your Amazon EC2 instance may not meet your security requirements “by default.”
I’d love to be able to wave a magic wand to fix that, but it’s still up to you to choose judiciously among the many native and third-party options.
If Meltdown and Spectre have taught us anything, it is that using shared resources can be potentially unsecure.
Think about this: The cable is encrypted and protected from physical access, but what about logical protection from one customer to the next? If your business is subject to data-privacy regulations, transmitting data along with other customers’ data might not be the best approach. Granted, the outer layer is encrypted from external third parties, but the logical layers are not encrypted from fellow tenants.
If communication intra-region should be secured between your own VPCs to prevent any malicious co-tenant from going snooping on your data, then inter-region peering security concerns are no different. Furthermore, you are no longer sharing that link with the few co-tenants of your same compute infrastructure, but with everyone that needs multi-region communications — arguably a bigger number of players. Also, remember that the intra-region service is also open to other countries, so if you are subject to sovereign regulations, then you might want to dig deeper at how your data is being transported and what that means from a regulatory standpoint.
Sheng Wang is the CTO at AutoGravity. An experienced product-development executive and tech-industry veteran, Sheng Wang leads product and engineering to deliver a trustworthy and innovative car-buying experience that empowers the consumer. Recognized for building premier customer UX, world-class teams and software platforms, Wang is dedicated to creating high-impact products that people love.
“The biggest challenge is…”
How to secure PII data in the cloud today. AutoGravity takes customer information security as its #1 priority and did a lot research to build multi-layer data encryption technology from the ground up. I would love to see AWS providing a similar solution to allow businesses like us to create a solid framework for data security.
John Baker is the Business Development Manager at DeployBot. He is an experienced DevOps Engineer who understands the melding of operations and development to quickly deliver code to customers, paired with a deep knowledge of the cloud and monitoring processes as well as DevOps development in Linux and Mac.
“While AWS offers a wide range of services and options…”
Setup/login is where I’d wave a magic wand and improve the experience. For certain users, it’s clear that AWS requires IT staffers with sysadmin experience rather than just power-user experience, creating a headache before you’ve even accessed your information.
Mihai Corbuleac is the Senior IT Consultant at Bigstep.com, a Chicago-based IT company providing a reliable and scalable cloud-based platform purpose-built for big data.
“The biggest security risk with AWS…”
Especially for small companies, is the lack of understanding where security duties begin and end with the public cloud provider. Amazon Web Services handles security and management for its services and platform, but sometimes the security responsibilities are unclear, especially to small organizations. So, if I would have the ability to change something, it would be the lack of security configuration within the areas that an AWS consumer is responsible for. Everything concerning security should be more visible. Infrequent or insufficient patching of systems, or poor firewall or network security implementation could lead to serious security incidents.
Justin Davis is the founder of CrowdSync, a platform to help automate work with people.
“I’d drastically reduce the complexity involved with…”
Setting up and maintaining security groups and access. AWS is notorious for the degree of complexity in its interface, and the security settings are no different. Because of this, it’s difficult to set up and maintain, which means many people are likely to leave permissions far less secure than they probably need to be.
Jianqing Wu, Ph.D.
Jianqing Wu, Ph.D. (John Wu), Ph.D., is a registered patent attorney and an independent inventor having 8 U.S. patents in legal process, file storage security, open public computing systems, and online databases for the consumer market. His research interests touch sciences, engineering, law, and medicine. He earned a B.S. in China, and received an M.S. and Ph.D. (in Physical Chemistry) from North Carolina State University. He did postdoctoral research in Medicinal Chemistry at the University of Illinois at Chicago and the National Institutes of Health. He learned methods and knowledge for characterizing whole complex systems. After he acquired his J.D., he systematically studied the performance of the common law model and its adverse impacts on productivity. Being able to access multiple cultures, he conveniently used first-hand data in evaluating trade performance for different production cultures. Recently, he has developed a new interest in preventive medicine, focusing on methods for preventing heart diseases, stroke, and cancer. He was a member of four honorary societies: Phi Lambda Upsilon, Sigma Xi, Phi Tau Sigma, and Gamma Sigma Delta.
“I would be concerned with data storage security…”
When a client uses a web service, the data is a dead duck. As long as there is any means to get the key for encryption, the data is not safe. Most data leaks were caused by access to stored data.
Randy Battat is the Founder, President and CEO of PreVeil. Before PreVeil, Randy was President and CEO of Airvana from 2000–2014, growing the company from a two-month old startup to a 400-person global corporation. Randy spent the first thirteen years of his career at Apple, including five years as Vice President of Worldwide Product Marketing and three years as Vice President of the PowerBook Division.
“Really, the best thing to change about AWS’ security is…”
Their vision of how to handle security in the first place. Traditional AWS thinking has us believe in the mantra that protections around servers will successfully keep out malicious third parties. However, the problem with that notion is that the bad guys will always be able to access servers, no matter how heavily they are guarded. What if we could think about security in a radically different way which didn’t focus on the servers’ defense? Instead, in this next-generation security model, users would employ end-to-end encryption where they would encrypt their information on their devices before putting it on the cloud. In this view, decryption could only occur on the users’ personal devices. That would mean that even if the data on the servers fell into the hands of unwanted actors, the data would be completely unreadable because those individuals lacked the correct decryption key. After all, the bad guys can’t steal what they can’t see.
Jonathan G. LeRoux is the co-founder and CEO of TurtlePie Solutions, a web development and SEO firm in Tulsa, OK.
“If I had a magic wand that could change anything about AWS’s security…”
I would change their documentation and default deployment settings surrounding their EC2 service.
As a security-oriented development firm, we’re often called into situations where a client has had an in-house developer quickly set up an EC2 server, loaded it with their content, and then publicly deployed it using only the default server settings. Suddenly, they’ve found themselves in a situation where their website is hacked or their mail server is flagged as a source of spam, grinding their company’s email communications to a halt.
Though responsibility ultimately lies with the end-user, which in most cases, is a programmer to some degree, the AWS team is presenting more and more of their services as set-it-and-forget-it solutions. This mentality is especially present on the AWS Marketplace, where customers can purchase pre-built solutions that are built to fit common use cases, such as deploying a website or setting up an e-commerce hub.
Unfortunately, these pre-built AWS packages are seldom secure — with more than 30% of instances, on average, being horribly vulnerable. Sadly, we’ve seen vulnerabilities that have cost clients upwards of six figures.
Where AWS drops the ball hardest, in my opinion, is its lack of detailed documentation for thoroughly securing a standard EC2 server. Currently, they only offer an extremely high-level overview of only some of the complex tasks that are involved in properly securing a modern, customer-facing web server.
While these detailed instructions wouldn’t apply to the layman looking to set up, say, a WordPress website on AWS, it would give developers who are unfamiliar with the custom Amazon Linux architecture a leg up when looking to secure a server environment for their clients or employers.
Marcus Bastian is the CEO/President of Clouductivity.
“If I could have any security feature added to AWS that I wanted…”
I would love it if they built in mechanisms to automatically analyze the nature of the traffic in a development environment and suggested IAM policies, security groups, and network ACLs that followed the principle of least privilege. This would help folks secure their applications and give them a better understanding into which systems talk to others. When it comes to debugging an application issue, understanding the interactions between internal/external systems is very valuable, especially if those interaction points aren’t well documented.
Philip Thomas is the Co-founder at Moonlight.
“Cloud computing is increasingly being defined by…”
The Kubernetes project from Google, with all major providers from Azure to AWS to Digital Ocean offering it. I think that AWS security should move towards being Kubernetes-native. Currently, security for accessing AWS services from Kubernetes requires managing first Kubernetes security, then the AWS security. These two layers make it confusing and difficult to manage. If AWS can merge the two into one layer, then they become the most easy-to-use and secure implementation of Kubernetes on the market.
Evan Roberts is the owner of Dependable Homebuyers in Baltimore, MD.
“The one thing I would change about AWS security is to…”
Have them expand their scope to provide regular application vulnerability reports. We’re frequently pushing new application code to our lead generation sites and rarely have time to keep up with potential vulnerabilities in our hosted web applications. Luckily there are companies like Threat Stack that take this concern off our plate with auditing services and vulnerability assessment monitoring.
Eryk founded successful startups both in Montreal and in the Valley. An early hire at Tellme, he worked there before and after Microsoft acquired it. He was an early technical hire and director of software development at Outbox. Finally, his technical processes helped create Unito as co-founder and CTO.
“The most annoying thing I grapple with on AWS security is pretty simple…”
AWS EC2 has no tool to manage the SSH keys. There are third-party solutions, but they are super hard to use (Netflix’s BLESS, for example, but it’s so hairy that Lyft has released a separate wrapper around it to try to make using it a little bit easier).
Knight is founder & CEO of SimpleWan, an award-winning Arizona-based provider of cloud-managed networking for multi-location businesses.
“I would change how multi-user access is handled…”
Right now, it’s a nightmare. When you have multiple employees in different places of the app, it’s very difficult to see where to go, who has access, and where to shut them down if things go wrong. I’d love to see this streamlined where all your users are in one simple interface.
Mark Runyon is a senior consultant for Innovative Architects in Atlanta, Georgia. He specializes in the architecture and development of web and mobile applications. He is also an AWS-certified developer.
“If I could have one wish to improve AWS security…”
It would be to add support for FIDO Universal 2nd Factor (U2F) Authentication. Google, Github, Facebook, Saleforce, and other tech heavyweights already support this more secure form of two factor authentication. Amazon normally leads the pack when it comes to innovation, so I can’t think of any reason why AWS hasn’t implemented support for U2F yet. This is a no-brainer to help clients keep their AWS console locked down and secure.
Sue Marquette Poremba
Sue Poremba is a writer specializing in security and technology. She contributes to Tom’s IT Pro, Security Boulevard, and other publications.
NOTE: The following information is excerpted from Biggest AWS Security Risks and What You Can Do via Tom’s IT Pro.
“AWS handles all security and management for its platform and software services…”
But security responsibilities are often unclear to organizations that don’t have experience designing or working with the different AWS cloud solutions. That’s why company decision makers need to ask how security in cloud solutions will be handled before migrating any data.
Another risk with AWS is lack of security configuration within the areas that an AWS consumer is responsible to manage.
Compliance issues create a different type of security risk. For companies that use AWS to run e-commerce sites, for example, they must follow PCI compliance regulations, but there may be misunderstandings of who is responsible to cover these regulations.
Many data breaches come through accounts that should have been deleted or deactivated long before the breach instance.