Tools: A Defense in Depth Approach to Cloud Security

Introduction ## Principles of DiD ## DiD in Cloud ## Physical Layer ## Perimeter Layer ## Network Layer ## Host and Application Layers ## Data Layer In an era marked by pervasive digital connectivity and evolving cyber threats, ensuring the security of sensitive information and critical infrastructure has become paramount. Traditional security approaches centered around perimeter defenses alone are no longer sufficient to withstand sophisticated attacks and safeguard against data breaches. Instead, organizations must adopt a multi-layered security strategy known as defense in depth. Defense in Depth (DiD) is a proactive and comprehensive security framework that employs multiple layers of defense mechanisms to protect against a wide range of threats. By diversifying security controls across networks, systems, applications, and data, defense in depth aims to create overlapping layers of protection that collectively strengthen the security posture of an organization. “It is not just multiple layers of controls to collectively mitigate one or more risks, but rather multiple layers of interlocking or inter-linked controls.” — Phil Venables Controls at different points should be complementary, i.e., every preventative control should have a detective control at the same level and/or one level downstream in the architecture. Controls need to be continuously assessed to validate their correct deployment and operation. DiD leverages security measures across 7 key domains as follows: What: Physical security measures applied at AWS data centers e.g. biometrics, surveillance, etc. How: AWS Responsibility. What: Perimeter security is your first line of defense as a customer. It allows you to define who has access to your environment, how they access the environment, and what level of access to assign them. For example, an administrator will need full access to the environment, a project/team lead may need full access to the resources that pertain to their project as well as the ability to assign and revoke access for their team. On the other hand, a contractor may need temporary read/write access to only specific services, while an auditor would only require temporary read-only access for the period of the assessment. How: 1. Preventative Controls 1.1. Who has Access? 1.1.1. Internal staff, e.g., engineers, system administrators, and security team who build, manage, and govern the environment. 1.1.2. Business stakeholders: review performance metrics, monitor resource usage, and make data-driven decisions related to business operations and strategy. 1.1.3. Clients: consume services/applications deployed in the environment. 1.1.4. Third-party contractors/vendors/partners: temporary access for project-related tasks. 1.1.5. Legal consultants/advisors/auditors 1.2. How do they access the environment? 1.2.1. IAM Users Accounts: long-term access for internal users/staff, e.g., engineers who are responsible for managing, configuring, deploying, and monitoring AWS infrastructure, applications, and services. 1.2.2. Federation: for users with identities managed in an external IdP, e.g., AD, Facebook, Amazon, Google 1.2.3. IAM Roles: short-term, temporary access credentials that can be assumed by any identity. 1.2.4. Restricted Access Channels: 1.3. What is their level of access? 1.3.1. RBAC and Least Privilege: restrict access based on the identity’s roles/responsibilities within an organization. 1.3.2. Policy-Based Access Control: assign access controls to resources based on IAM policies for user, groups, and roles. 2. Detective Controls 2.1. AWS CloudTrail: capture API activity and logs pertaining to access activity. 2.2. MFA: restrict access to services to only users with MFA enabled. 2.3. AWS Config: enforce compliance with IAM best practices e.g. such as ensuring MFA is enabled or restricting the use of insecure IAM policies. What: The network layer focuses on safeguarding the communication and data exchange between devices, systems, and services within the organization’s network, as well as controlling the flow of traffic entering and leaving the network. How: 1. Preventative Controls 1.1. Network Access Control: who has access to network resources and how they access these resources. 1.1.1. IAM: access management 1.1.2. VPNs/Direct Connect: private encrypted connectivity between on-premised environments and VPC resources. 1.1.3. PrivateLink: private connectivity between VPCs and AWS services or endpoints without traversing the public internet. 1.2. Network Segmentation and Isolation: partition the network into distinct zones based on security requirements, workloads, trust levels, and data sensitivity. 1.2.1. VPCs, Subnets & AZs: 1.2.2. NACLs, Security Groups, Route Tables: control ho traffic is routed between various network segments. 1.2.3. VPC Peering and Transit Gateway: 1.3. Traffic Filtering 1.3.1. Network Firewall: stateful, managed, network firewall and intrusion detection and prevention service for your VPC. 1.3.2. Web Application Firewall: a firewall that protects web applications hosted on AWS against common web-based attacks. 1.3.3. Virtual Security Appliances, i.e., firewalls, IDS/IPS/DPI systems, i.e., Cisco, Palo Alto,o etc. 2. Detective Controls 2.1. VPC Flow Logs: monitor the IP traffic going to and from a VPC, subnet, or network interface. 2.2. Network Access Analyzer: Improve your network security posture by identifying unintended network access. What: The host layer focuses on security measures implemented on individual compute resources e.g. EC2, ECS, EKS, RDS. How: 1. Preventative Controls 1.1. Vulnerability Management: 1.1.1. Regularly scan and patch compute resources e.g. EC2, ECS, EKS. 1.1.2. Configure maintenance windows for AWS-managed resources, e.g., RDS. 1.2. Reduced Attack Surface: 1.2.1. Hardened Operating Systems, e.g., using CIS images for workload instances. 1.2.2. EC2 Image Builder: ease creation of custom patched AMIs. When software updates become available, Image Builder automatically produces a new image without requiring users to manually initiate image builds. 1.2.3. ECR Image scanning for identifying software vulnerabilities in your container images. 2. Detective Controls 2.1. Config: monitor changes to application configurations, code deployments, etc., to detect unauthorized modifications or unusual application behavior. 2.2. CloudWatch Logs to monitor system-level logs generated by EC2 instances, including authentication logs, application logs, and system logs to detect security incidents, anomalous behavior, and operational issues. 2.3. CloudTrail: detailed records of actions taken by users, roles, and services, including caller identity, the time of request, and the actions performed. You can track user activity, identify unauthorized access attempts, and investigate security incidents. 2.4. GuardDuty: threat detection service that continuously monitors for malicious activity and unauthorized behavior across your environment. GuardDuty generates findings and alerts for suspicious activity, enabling you to investigate and remediate security incidents promptly. 2.5. Inspector: analyzes the network, operating system, and application configurations to identify potential security issues. 2.6. Third-party Security Solutions: third-party security solutions available on Marketplace that offer advanced threat detection, vulnerability management, and security analytics capabilities for environments. What: The data layer encompasses all aspects of data security, including data storage, transmission, access, and usage. It focuses on safeguarding sensitive information, such as customer data, intellectual property, financial records, and other confidential or regulated data, from unauthorized access, disclosure, alteration, or loss. How: 1. Preventative Controls 1.1. Data Confidentiality: protecting data against unintentional, unlawful, or unauthorized access, disclosure, or theft. 1.1.1. Data access: Define authorized principals in access policies, follow least privilege principles. 1.2. Data Integrity: ensuring the accuracy, completeness, consistency, and validity of data. 1.2.1. Regular Backups: 1.2.2. Immutable Storage: services such as S3 Object Lock prevents objects from being deleted or modified for a specified retention period, protecting data integrity from accidental or malicious changes. 1.2.3. Data Validation and verification: checksums, digital signatures, and cryptographic hashes to verify the integrity of data during transmission and storage. 1.3. Data Availability: a measure of how often your data is available for use. 1.3.1. Highly available and fault-tolerant architectures. 1.3.2. Backups and DR 2. Detective Controls 2.1. CloudWatch: Policies and Procedures Security objectives and standards: define the organization’s security best practices for cloud environments and best practices for cloud environments i.e., data protection, access control, network security, incident response, and compliance requirements. Risk Management: define roles and responsibilities for identifying, assessing, and mitigating security risks associated with cloud deployments. Access Control: define user roles, permissions, and authentication mechanisms, such as multi-factor authentication (MFA) and identity federation, to prevent unauthorized access. Incident Response and DR: define escalation paths, communication protocols, and remediation steps for containing and mitigating security incidents, restoring services, and minimizing the impact on business operations. User Training: Educate identities about cloud security risks, best practices, and compliance requirements to help raise awareness of security policies, reinforce security behaviors, and empower personnel to recognize and report security incidents effectively. Templates let you quickly answer FAQs or store snippets for re-use. Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment's permalink. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse - “It is not just multiple layers of controls to collectively mitigate one or more risks, but rather multiple layers of interlocking or inter-linked controls.” — Phil Venables - Controls at different points should be complementary, i.e., every preventative control should have a detective control at the same level and/or one level downstream in the architecture. - Controls need to be continuously assessed to validate their correct deployment and operation. - Using IAM Identity Center/SSO: consistent, synchronized access to multiple AWS accounts and applications. - Cognito Identity Pools: identify federation for authenticated and unauthenticated users. - VPNs: secure, encrypted communications channels between on-premises networks and AWS - PrivateLink: private connectivity between VPCs, supported AWS services, and your on-premises networks without exposing your traffic to the public internet. - Dedicated Audit Accounts: give security and compliance teams read and write access to all accounts for audits and security remediations. - Each VPC is a logically isolated container for network resources. - Subnets provide segmentation at the network level and allow you to isolate resources based on their function, security requirements, or access control policies. - AZs provide redundant power, networking, and connectivity in an AWS Region and allow high availability, fault tolerance, and scalability for applications. - Peering allows you to route traffic between VPCs privately using private IP addresses. - TGW enables central management and connectivity scaling across multiple VPCs, accounts, and networks. - Pass traffic only from known AWS service domains or IP address endpoints. - Perform deep packet inspection on traffic entering or leaving your VPC. - Use stateful protocol detection to filter protocols like HTTPS. - Verify that your production environment VPCs and development environment VPCs are isolated from one another. - Verify that network paths are secured e.g. controls such as network firewalls and NAT gateways have been set up where necessary. - Verify that your resources have network access only from a trusted IP address range, over specific ports, and protocols. - Inspector: Automatically discovers workloads, such as Amazon EC2 instances, containers, and Lambda functions, and scans them for software vulnerabilities and unintended network exposure. - Systems Manager: patch management for your compute resources - Security Hub: collects security data across AWS accounts, AWS services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues. - Code Guru: Scans code libraries and dependencies for issues and defects that are difficult for developers to find and offers suggestions for improving your Java and Python code. - Encryption at rest using KMS/SSE - Encryption in transit using SSL/TLS - AWS Backup: a fully managed backup service that makes it easy to centralize and automate the backing up of data across AWS services. - S3 Versioning: preserve historical versions of objects, enabling you to recover from accidental deletions, modifications, or data corruption. - Cross-region replication: ensuring data availability in multiple geographic regions and protecting against regional outages. - Automated/Manual Snapshots: available for EBS, RDS, to allow for PIT recovery. - Alarms and health checks to monitor the health and availability of AWS resources hosting critical data. - Automated alerts for performance degradation, service disruptions, or availability issues affecting data access. - Trails to deliver log files to Amazon S3 and set up S3 event notifications or CloudWatch Events to trigger alerts for specific API activity or security events. - Visibility into user activity and API calls, allowing you to detect and investigate unauthorized access attempts or security incidents affecting data confidentiality. - Continuously monitor malicious activity and unauthorized behavior within your environment. - Detects anomalies and security threats targeting data confidentiality, e.g., unauthorized access attempts, data exfiltration, or communication with known malicious IP addresses. - Config rules to assess compliance with security best practices and detect misconfigurations affecting data integrity. - Config rules to detect deviations from security best practices. - Security objectives and standards: define the organization’s security best practices for cloud environments and best practices for cloud environments i.e., data protection, access control, network security, incident response, and compliance requirements. - Risk Management: define roles and responsibilities for identifying, assessing, and mitigating security risks associated with cloud deployments. - Access Control: define user roles, permissions, and authentication mechanisms, such as multi-factor authentication (MFA) and identity federation, to prevent unauthorized access. - Incident Response and DR: define escalation paths, communication protocols, and remediation steps for containing and mitigating security incidents, restoring services, and minimizing the impact on business operations. - User Training: Educate identities about cloud security risks, best practices, and compliance requirements to help raise awareness of security policies, reinforce security behaviors, and empower personnel to recognize and report security incidents effectively.