This week disappointing news came from service provider Code Spaces, a company that provided support for DevOps application management. Code Spaces, which ran in Amazon Web Services' cloud, ceased operations after suffering a distributed denial-of-service attack by a perpetrator who demanded a ransom and then began deleting data when company officials logged into their AWS account to try to stop the attack.
The episode raises the question: How can you prevent this from happening to your AWS cloud account?
Below are best practices to follow when using AWS's cloud, or really any IaaS cloud.
The biggest thing to remember is that when customers use the cloud, security is not inherently provided for all workloads. AWS stresses that it operates under what it calls a "shared responsibility" model: AWS secures the underlying infrastructure (the physical data centers and the hardware, network and hypervisor layer on which the virtual machines and storage run) and offers security features, but it is up to customers to configure those features and to secure everything they put on top of them: accounts and credentials, operating systems, applications and data.
1. Enable two-factor authentication
A common way to make it harder for attackers to get into your account is to enable two-factor authentication (2FA), which AWS calls multi-factor authentication (MFA). It requires a user to present two forms of verification before logging in: for example, a password plus a one-time code generated by a hardware token or a smartphone app, which the user types in at the prompt. A stolen password alone is then not enough. AWS offers MFA at no charge; enable it on the root account first, and then on every IAM user who can reach the management console.
It's one thing to require MFA on console logins; it's another to protect the secrets that never see the MFA prompt: long-term API access keys (which are not covered unless your IAM policies insist on an MFA-authenticated session) and the keys that encrypt your data. For the latter, AWS offers CloudHSM, a dedicated Hardware Security Module appliance provisioned for a single customer inside that customer's own VPC, so key material is generated in, and never leaves, hardware that only the customer can use.
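To make concrete what "a code generated by the user" is, here is an added example (not AWS's code, and not from the original article) of the time-based one-time password algorithm, RFC 6238 TOTP, that virtual MFA devices implement: device and server share a base32 seed, and each 30-second step yields a fresh six-digit code. The server side shows the two checks a verifier needs: a small tolerance for clock drift and a refusal to accept the same step twice. The seed strings and timestamps below are constructed test values.

```python
"""TOTP (RFC 6238) as used by virtual MFA devices: a shared secret plus the
current time step yields a short-lived one-time code. Added example, not AWS's
implementation; seeds and timestamps below are constructed test values."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(secret, counter) to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # low nibble of last byte picks a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, int(at_time) // step, digits)


def decode_seed(base32_seed: str) -> bytes:
    """Virtual MFA seeds are shown as base32 (often grouped and lower-case); normalise them."""
    seed = base32_seed.replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)                # restore padding stripped for display
    return base64.b32decode(seed)


class TotpVerifier:
    """Server side: accept a code for the current step or `window` steps either side
    (clock drift), and never accept a step at or before the last accepted one (replay)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_step = -1

    def verify(self, code: str, at_time: int) -> bool:
        now_step = int(at_time) // self.step
        for candidate in range(now_step - self.window, now_step + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue                           # replayed or stale code
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    import time
    seed = decode_seed("jbsw y3dp ehpk 3pxp")      # constructed demo seed, not a real MFA secret
    now = int(time.time())
    code = totp(seed, now)
    verifier = TotpVerifier(seed)
    print("code:", code, "first use:", verifier.verify(code, now), "replay:", verifier.verify(code, now))
```

The `window` of one step is the usual compromise between tolerating a phone whose clock is a few seconds off and keeping the code's validity short; the replay check is what stops an attacker who watched you type a code from reusing it within that window.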
2. Monitor your cloud for suspicious activity
Making it hard for attackers to get in is only half the job; you also want to know whether anyone unauthorized has already gotten in. There are a variety of options for monitoring AWS usage, including some free AWS tools and many third-party services sold in the AWS Marketplace.
One AWS tool is CloudTrail, which the company announced at its re:Invent conference last year (the offering was still in beta at the time of writing). It records the API calls made in an account: which principal called which operation, from which IP address and when. The logs are delivered to an S3 bucket, from where they can be pulled into a monitoring or SIEM product and analyzed.
The idea is to look for abnormal behavior: logins by unknown users, at unusual times or from unusual IP addresses, use of the root account, or a sudden run of delete and terminate calls, which is the pattern of the Code Spaces attack seen from inside the account. There are a variety of tools on the market that do this. One, called Skyfence, is a proxy-based system that monitors AWS activity and alerts when something out of the ordinary is happening.
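As an added illustration (not an AWS tool, not Skyfence's product, and not code from the article), the checks just described run over a handful of constructed CloudTrail-style records. The office IP address, business hours and list of destructive API names are assumptions you would replace with your own; the records are made up to show a login from an unknown address outside business hours, followed by a run of delete calls.

```python
"""Anomaly checks over CloudTrail-style records. Added example, not an AWS tool;
the records below are constructed for illustration, not real logs. Assumed:
office egress IP 203.0.113.10 and business hours 07:00-19:59 UTC."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON record per line, in the field layout CloudTrail uses.
SAMPLE_RECORDS = """
{"eventTime": "2014-06-17T14:02:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}}
{"eventTime": "2014-06-17T23:41:05Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "userName": "ops-admin"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2014-06-17T23:44:30Z", "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "userName": "ops-admin", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}
{"eventTime": "2014-06-17T23:45:02Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteVolume", "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "userName": "ops-admin", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}
{"eventTime": "2014-06-17T23:46:40Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "Root"}}
{"eventTime": "2014-06-17T10:15:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "ops-admin"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
"""

KNOWN_IPS = {"203.0.113.10"}          # assumed office egress address
BUSINESS_HOURS_UTC = range(7, 20)     # assumed 07:00-19:59 UTC
DESTRUCTIVE = {"TerminateInstances", "DeleteVolume", "DeleteSnapshot", "DeleteBucket",
               "DeleteObject", "DeleteDBInstance", "DeleteTable"}


def parse_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def event_time(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def flag_record(rec):
    """Per-record checks; returns a list of human-readable findings (empty if clean)."""
    findings = []
    ident = rec.get("userIdentity", {})
    ip = rec.get("sourceIPAddress", "")
    name = rec["eventName"]
    if ident.get("type") == "Root":
        findings.append("root credentials used")
    if name == "ConsoleLogin" and rec.get("responseElements", {}).get("ConsoleLogin") == "Success":
        if ip not in KNOWN_IPS:
            findings.append(f"console login from unknown IP {ip}")
        if event_time(rec).hour not in BUSINESS_HOURS_UTC:
            findings.append("console login outside business hours")
        if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append("console login without MFA")
    if name in DESTRUCTIVE:
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        findings.append(f"destructive call {name}" + ("" if mfa == "true" else " without MFA"))
    return findings


def deletion_bursts(records, threshold=2, window=timedelta(minutes=5)):
    """Principals that issued at least `threshold` destructive calls within `window`:
    the signature of someone tearing an account down."""
    stamps_by_principal = defaultdict(list)
    for rec in records:
        if rec["eventName"] in DESTRUCTIVE:
            stamps_by_principal[principal(rec)].append(event_time(rec))
    bursty = set()
    for who, stamps in stamps_by_principal.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                bursty.add(who)
                break
    return bursty


def scan(text):
    """Returns (alerts, bursty_principals) for a blob of newline-delimited records."""
    records = parse_records(text)
    alerts = [(rec["eventTime"], principal(rec), f) for rec in records for f in flag_record(rec)]
    return alerts, deletion_bursts(records)


if __name__ == "__main__":
    alerts, bursty = scan(SAMPLE_RECORDS)
    for when, who, finding in alerts:
        print(f"{when} {who}: {finding}")
    print("burst of destructive calls from:", ", ".join(sorted(bursty)) or "none")
```

The per-record checks are cheap and catch the obvious (root usage, a login with no MFA from an address you have never seen); the burst check is the one that matters for the Code Spaces pattern, because each individual TerminateInstances call is something an administrator legitimately does.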
3. Prevent unauthorized users from wreaking havoc
If you have monitoring in place to identify unwanted activity, the next step is to make sure the unauthorized guest cannot cause damage. Skyfence's proxy can shut down access to AWS accounts, put an extra authentication layer in front of the management console and require that changes to the AWS environment be approved by authorized users. In the Code Spaces case, controls of that kind might have stopped the attacker from deleting data. Even without a third-party proxy, IAM gives you the building blocks: separate users with least-privilege policies instead of shared root credentials, and explicit Deny statements that refuse destructive actions (terminating instances, deleting volumes, snapshots and buckets) unless the caller authenticated with MFA.
There are a variety of other ways to limit the damage an attacker can do with your AWS account. One is to encrypt the data stored in AWS's cloud. The AWS Marketplace lists many encryption vendors, such as SafeNet and Vormetric, that provide various encryption services. Note that AWS provides base-level server-side encryption for its Simple Storage Service (S3) and some other services, but that protects data at rest against compromise of the underlying storage, not against someone holding your credentials: the service decrypts transparently for any caller the account authorizes, so if an attacker gains access to the account this encryption does nothing to stop them reading, modifying or deleting the data. Client-side encryption with keys kept outside the account protects confidentiality in that scenario, but no encryption prevents deletion; for that you need the access controls above and backups.
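An added example (not from the article, and not AWS's own code) of the IAM guardrail mentioned above: a policy whose explicit Deny refuses the listed destructive actions unless the request came from an MFA-authenticated session, alongside a deliberately simplified evaluator for the two condition operators the policy uses. The point it demonstrates is why `BoolIfExists` rather than `Bool` is the right operator: the `aws:MultiFactorAuthPresent` context key is absent, not false, for requests signed with long-term access keys, so a plain `Bool` test never matches them and the Deny silently does not apply. The evaluator ignores resources, principals and the other policy types IAM consults; the IAM Policy Simulator is the authoritative check.

```python
"""A guardrail policy (explicit Deny on destructive actions unless the caller
authenticated with MFA) plus a toy evaluator for the two condition operators it
uses. Added example; the evaluator is a deliberate simplification of IAM (no
resource matching, NotAction, principals or policy-type precedence), not AWS's
engine. Check real policies with the IAM Policy Simulator."""
from fnmatch import fnmatchcase

DESTRUCTIVE_ACTIONS = ["ec2:TerminateInstances", "ec2:DeleteVolume", "ec2:DeleteSnapshot",
                       "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion",
                       "rds:DeleteDBInstance"]


def guardrail_policy(operator="BoolIfExists"):
    """Allow day-to-day EC2/S3 work, but deny the destructive subset whenever the
    request was not made from an MFA-authenticated session. `operator` is a
    parameter only so the Bool vs BoolIfExists difference can be demonstrated."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OperatorWork", "Effect": "Allow",
             "Action": ["ec2:*", "s3:*", "rds:Describe*"], "Resource": "*"},
            {"Sid": "DenyDestructiveWithoutMFA", "Effect": "Deny",
             "Action": DESTRUCTIVE_ACTIONS, "Resource": "*",
             "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and allow '*' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _condition_matches(condition, context):
    """Bool: the key must be present and equal. BoolIfExists: an absent key also
    matches. aws:MultiFactorAuthPresent is absent for requests signed with
    long-term access keys, which is why BoolIfExists is the right choice here."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                if operator == "Bool":
                    return False          # key missing: Bool never matches
                continue                  # BoolIfExists: missing key counts as a match
            if str(actual).lower() != str(wanted).lower():
                return False
    return True


def is_allowed(policy, action, context):
    """Simplified IAM decision: default deny; any matching Deny wins over any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Request contexts as the policy engine would see them (constructed):
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}      # console login with MFA, or STS token obtained with MFA
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}  # temporary credentials obtained without MFA
ACCESS_KEY_CALL = {}                                      # long-term access key: the context key is absent

if __name__ == "__main__":
    for op in ("BoolIfExists", "Bool"):
        policy = guardrail_policy(op)
        for label, ctx in (("MFA session", MFA_SESSION), ("no-MFA session", NO_MFA_SESSION),
                           ("access key", ACCESS_KEY_CALL)):
            print(f"{op:13} {label:15} ec2:TerminateInstances -> {is_allowed(policy, 'ec2:TerminateInstances', ctx)}")
```

Attach a policy like this to the group every operator belongs to; because IAM's Deny is explicit and wins over any Allow, it holds even if another policy grants the user `ec2:*`.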
5. Web application firewalls
The Code Spaces incident started as a DDoS attack and spiraled into a larger breach. One layer of defense is a Web Application Firewall (WAF); offerings from companies like Barracuda and Alert Logic are available in the AWS Marketplace. These products inspect incoming HTTP traffic, recognize abusive patterns such as one source hammering a login page or a handful of addresses generating most of the request volume, and block or rate-limit them. Be clear about what that buys you: a WAF on your instances cannot absorb a volumetric flood that saturates the network in front of it. Against that kind of attack you are relying on the scale of the cloud itself (Elastic Load Balancing, Auto Scaling, a CDN such as CloudFront) and on a response plan worked out before the attack starts.
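Added example (not the article's, and not any vendor's product) of the simplest form of that behavioral blocking: a per-client sliding window over request timestamps, replayed against constructed traffic in which one address floods a login page while a normal user browses. The limit of 100 requests per 10 seconds is an assumption for the demonstration.

```python
"""Application-layer flood detection as a WAF does it: a per-client sliding window
over request timestamps; anything past the limit is blocked. Added example, not a
vendor's product; the traffic below is constructed."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)   # client -> timestamps of accepted requests

    def allow(self, client, now):
        """True if the request is within budget; blocked requests do not consume budget."""
        q = self.history[client]
        while q and now - q[0] >= self.window:
            q.popleft()                     # drop timestamps that have aged out of the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def constructed_traffic():
    """A real user browsing slowly plus a single source hammering the login page
    (300 requests in nine seconds). Constructed, not captured."""
    normal = [(t, "203.0.113.5", "/") for t in (1.0, 15.0, 30.0, 45.0, 59.0)]
    flood = [(i * 0.03, "198.51.100.9", "/login") for i in range(300)]
    return sorted(normal + flood)


def replay(requests, limiter):
    """Feed requests in time order; return per-client (allowed, blocked) counts."""
    counts = defaultdict(lambda: [0, 0])
    for ts, client, _path in requests:
        counts[client][0 if limiter.allow(client, ts) else 1] += 1
    return {client: tuple(v) for client, v in counts.items()}


if __name__ == "__main__":
    result = replay(constructed_traffic(), SlidingWindowLimiter(max_requests=100, window_seconds=10))
    for client, (allowed, blocked) in sorted(result.items()):
        print(f"{client:15} allowed={allowed:3} blocked={blocked:3}")
```

A real WAF keys the window on more than the source address (session, user agent, URL class) and escalates from rate-limiting to a temporary block list, but the mechanism is this one; note also that it does nothing for a flood that never reaches the application, which is the caveat above.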
6. Back up your data
A basic security best practice is to back data up, says Rob Ayoub of NSS Labs, who recently wrote a paper on AWS security best practices. Backing up data won't prevent an attack, but it can help you recover quickly from one.
Many people have the misconception that data stored in the cloud is automatically backed up. That is true for some services, but not all. AWS Elastic Block Store (EBS) and S3, for example, are designed for high durability: AWS replicates the data within the service so that a hardware failure is very unlikely to lose it. Replication is not a backup, though. Anyone who gains access to the management console can modify or delete the data, and the replicas follow, which makes the built-in redundancy useless against exactly the Code Spaces scenario. EC2 instances are not backed up automatically at all unless you schedule EBS snapshots or build AMIs yourself. Know which services come with which guarantees by researching them before you use them.
The idea is that if an attacker gains access to an account and causes damage, you have a copy of the data to revert to. Each organization has to decide what to back up: some back up everything, others only mission-critical data. Some backups are live, meaning data is copied in near real time; others run daily, weekly, monthly or on whatever interval the customer wants. Whatever the schedule, at least one copy should live where the compromised credentials cannot reach it, in a separate AWS account with separate credentials or outside AWS altogether, and you should rehearse a restore so you know the copy is usable.
AWS has a variety of backup options, including its various storage and database offerings, such as S3, EBS snapshots and DynamoDB. It also has Glacier, a "cold storage" service that provides very low-cost, highly durable storage, with the trade-off that retrieving data takes hours rather than seconds. Other customers may be more comfortable backing up data to their own on-premises environment rather than to the cloud.
7. Updating apps
Another misconception, Ayoub says, is that applications in the cloud are always up to date. That may be true in a SaaS environment, but not in IaaS. AWS provides the base infrastructure to host applications; it is up to the customer to manage the operating systems and applications that run on those virtual machines. Vendors update their software frequently to patch bugs and add security features, and all of those advances are useless if you are not running the current version. Treat patching as a scheduled process, and keep the machine images you launch from current as well, or every new instance starts out behind.
Would these tips have prevented the Code Spaces situation? There is no way to know for sure. Ayoub says the reality is that many organizations are not taking appropriate security precautions. Using the cloud can bring economic benefits such as lower hardware costs, easier management and ubiquitous access, but you shouldn't just throw workloads into the cloud without thinking hard about security.