Imagine hosting your application without securing it in any aspect; how long do you think your application would survive without any illegitimate access to it? It is vital to increase Security Cloud, Privacy, and Control Network Access when using any Cloud or increase AWS security while using AWS Cloud for hosting your applications. With specific sectors like banking and finance having more strict rules about data storage, data residency, and data sovereignty, everybody is concerned about their information and worried about its safety and security. At the same time, it is of the utmost importance to a public cloud provider like AWS to protect the confidentiality, integrity, and availability of your systems and data.
Table of contents
- Common Challenges in AWS security
- Security risks for Financial Institutions
- Top 10 AWS Security Best Practices
- AWS security Case Studies for top FSI customer
- Conclusion of AWS Security Best Practices
Common Challenges in AWS security
Security is the most critical aspect of the Cloud, which applies to AWS. It is also essential to understand that Security Cloud is a shared responsibility.
AWS takes a lot more security accountability. However, users have to take responsibility for access control, audit logging, monitoring, etc. This can ensure that the company can pinpoint the exact problem by analyzing the logs if something goes wrong within the AWS environment.
Even if AWS provides a certain level of protection, it simply cannot cover every aspect of security compliance. It is essential to research yourself to make sure you don’t leave yourself exposed to attackers.
If you have plaintext credentials in environmental variables, AWS can do nothing for you. You have to make sure that you are not using credentials in your applications in plaintext format.
The following are some of the challenges that Financial Service Industries face while using Cloud for application deployment.
- DDOS and DOS Attacks
Distributed Denial of Service(DDOS) or Denial of Service(DOS) attacks affect the functioning of applications by overwhelming the website servers so that they can not respond to legitimate or valid user requests. This can result in loss of reputation, brand, and revenue too.
- Data Breaches
While storing critical or business data on Cloud, there is a risk of data theft. A data breach can be intentional or unintentional and is attributed to hacking or malware attacks.
- Data Privacy or Data Confidentiality
It is one of the major concerns for Financial Service Industries while using Cloud to store their data. On the one hand, it has its advantages. On the other hand, there are concerns related to data breaches, data privacy violations, penalties by data protection regulations for data security failures.
- Sharing of Resources
Cloud is designed so that hardware resources like Memory, Storage, CPU can be shared. While this looks pretty easy, it also has its security issues. This makes it difficult for organizations to ensure that the data is accessed by authorized people only and is not available to others.
Security risks for Financial Institutions
Financial Institutions are usually targeted by Cyber Criminals and are at greater risk as compared to other businesses. Bank’s sensitive data could be at risk if the security is compromised and can cause heavy financial and reputational damage, leading to heavy losses and data theft.
In successful attacks, the unencrypted data stolen by attackers can be misused and can drag financial institutions into serious problems. This is not always the case; data may not be stolen but changed sometimes by attackers. This altered data can be challenging to identify and cause financial institutions to incur millions of dollars in damages.
In some cases, compromised end-user devices like Mobiles or Computers used to connect to Banks can transfer Malwares that could attack bank’s networks.
To safeguard Financial Institutions or any other organizations from such risks, Intrusion Detection or Intrusion Prevention systems are commonly used. Intrusion Detection systems play a vital role in identifying potential attacks on the systems. Intrusion Detection is a strategy that organizations must consider to protect network environments from hackers. It is an ability to monitor and react to application or system misuse.
Organizations must also have an automated process like Vulnerability scanning of proactively identifying networks. It is an essential step for Financial Organizations or any other organizations towards hardening security defenses.
Top 10 AWS Security Best Practices
In a Cloud Platform like AWS, there are services used for multiple purposes like storing data, accessing productivity tools, and deploying IT infrastructure. In all these use-cases, cloud services allow organizations to move faster. However, the use of any cloud service or AWS comes with challenges and risks of data security.
Cloud Security practices consist of some general best practices that organizations should follow to secure the application environment. These guidelines also show you how to successfully lift, shift and operate your business on the cloud.
A new term, “DevSecOps” has been coined to build a secure foundation for DevOps initiatives. DevSecOps is about built-in security. It integrates security at every phase of the software development lifecycle.
In the following steps, we’ve outlined a set of AWS security best practices to guide Financial Service Industries toward a secure AWS Cloud and address AWS Cloud Security issues.
AWS Security Best Practice 1: DevSecOps Adoption
DevSecOps is a relatively new term. It introduces security in the Software Development Life Cycle (SDLC). DevSecOps is a collaboration between Development and Operations teams in DevOps, including security teams. In short, DevSecOps is a shared responsibility, and everyone involved in Software Development has a role to play in building security into the DevOps workflow. To do Continuous Integration and Continuous Deployment securely, there are three basic steps in DevSecOps.
- Insert codified and automated security checks in the software development and operations.
- Implementing policy and practice to ensure code freshness as a fix for a vulnerability is available in the most recent software version.
- Identify flaws, and mitigate them as early or fast as possible.
Veracode helps to secure software development and testing before moving to production and provides dynamic and static code analysis to detect vulnerabilities and reduce risks. It is used to review the source code and carry out quick checks before a release.
Veracode covers web applications, mobile apps, and microservices, ensures the software applications are secure and can test thousands of applications simultaneously, and get accurate, reliable security feedback in the pipeline.
Veracode Static Analysis provides automated security feedback to developers in the IDE. The CI/CD pipeline conducts a Scan before deployment and gives clear guidance on finding, prioritizing, and fixing issues.
AWS Security Best Practice 2: Amazon Web application Firewall
AWS WAF is a Web Application Firewall that helps to protect applications hosted on AWS Cloud against the common web threats that can affect the applications’ availability, security, and can also consume infrastructure resources and lead to slowness and increased resource usage. WAF provides AWS security and protects applications or websites hosted on AWS and is one of the AWS security services provided by AWS Cloud.
One can also use WAF to automate security using AWS Lambda to analyze weblogs, identify malicious requests, and automatically update security rules. AWS WAF can protect against the attacks like Cross-site scripting attacks, SQL injection attacks, and Attacks from known wrong IP addresses.
In the above diagram, you can see that the valid requests are forwarded to your application deployed in the VPC, whereas requests from the Hacker that match the WAF rules are blocked. These rules can be a pre-configured template to quickly start with AWS WAF, a set of IPs that exceed request limits and can cause HTTP floods and IPs that can generate bad requests.
AWS Security Best Practice 3: Amazon Security Groups
Security Group acts as a virtual firewall for EC2 instances on AWS Cloud to control inbound and outbound traffic flow and provides Cloud Security. Security Groups operate at the instance level, and each instance can have up to five AWS security group attached to it. You can not block incoming traffic but only allow it on a particular port or a range of ports. Security Groups are stateful and you do not need to add rules for return i.e. a rule that allows traffic into EC2 Instance will automatically allow responses to pass back out from the EC2 instance. Using AWS security groups is considered one of the AWS security best practices.
If you allow connection on port 22 from a particular IP, that IP will be able to connect to the EC2 instance on port 22. The connection will also be automatically allowed to flow out from the EC2 instance via port 22 on that allowed IP.
AWS Security Best Practice 4: Threat detection systems like Amazon Guard Duty
This does not provide security but continuously monitors malicious activity and unauthorized behavior to detect threats and protect accounts, workloads, and data stored in Amazon S3 buckets. Guard Duty is an intelligent and cost-effective option for continuous threat detection on AWS Cloud. Guard Duty uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.
With a few clicks, one can enable Guard Duty in the AWS account to continuously analyze network, account, and data activity. Guard Duty analyzes DNS Logs, VPC Flow Logs, Cloudtrail S3 Data Events, Cloudtrail Management Events.
If you have your Banking Application deployed in AWS and S3, EC2, RDS and, a few of the services that you are using, then unusual Amazon S3 discovery API calls, unauthorized creation of new IAM users, roles, or access keys, resource hijacking of Amazon EC2 instances, generating Amazon RDS snapshots are a few of suspicious behavior the machine learning model of Guard Duty can now help you detect in your account.
AWS Security Best Practice 5: Amazon Inspector
AWS Inspector is an automated security assessment service. It helps to improve the compliance and security of the applications deployed on the AWS Cloud and achieve Cloud Security. It automatically assesses applications for vulnerabilities, exposure, and deviations and produces a detailed report of security findings prioritized by severity level. Amazon Inspector checks for unexpected network accessibility of EC2 instances and vulnerabilities on those EC2 instances.
Governments enact several regulations at a local and national level when it comes to the financial sector, which can be challenging to identify. In this case, Amazon Inspector can come to the rescue to enable scheduled vulnerability scan audits periodically. This can give confidence to the organization to say that they are adhering to the best practices and regulatory requirements.
AWS Security Best Practice 6: CloudTrail and CloudWatch to monitor AWS resources
CloudTrail simplifies compliance audits by automatically recording and storing event logs for actions made within the AWS account and increasing visibility into your resource and user activity. Cloud trail enables compliance, governance, operational auditing, and risk auditing of the AWS account. It simplifies functional analysis and troubleshooting.
If you have enabled Cloudtrail in your account, you can track account activity within an average of about 15 minutes of an API call. If you are not sure of the owner of the resources created in your account, you can check the trail, get to know about it, and take the appropriate action on the help.
The Cloudwatch service provided by AWS can achieve monitoring and observability. It provides data to monitor applications deployed in the AWS account. The same monitoring data can optimize resource utilization and get an insight into the application’s health. You can use Cloudwatch to set alarms, get alerted, visualize logs and metrics, take automated actions, and discover insights to keep your applications running smoothly.
You can get alerted when there are changes in your security Group, i.e., you can create an alarm triggered when configuration changes in AWS security groups. You can also monitor Console sign-in failures and get alerted when unsuccessful AWS Management Console sign-in attempts.
AWS Security Best Practice 7: Key management system for accessing API, Database, Application, Compute, etc. (Amazon KMS)
To perform any kind of encryption, a cryptographic key is needed. Managing this key is again a challenging task. AWS KMS(Key Management Service) makes it easy to create and manage these cryptographic keys. It also controls its use across various AWS security services and applications. AWS KMS is a fully managed, Centralized Key Management AWS Service. It is a single control point to manage cryptographic keys. One can easily create, import, delete, rotate, and execute permissions on keys using KMS. KMS helps to boost AWS Security.
AWS Security Best Practice 8: Cloud Security Frameworks
Till now, we have seen challenges, risks, and a few of the AWS Security Best Practices. However, there are specific policies, tools, rules, configurations needed to manage the security of a cloud platform. Cloud Security Frameworks outline these security standards and organizational guidelines. Cloud Security Frameworks list functions important to manage cybersecurity-related risks in a cloud-based environment. Cloud Security Frameworks provide a structure and methodology to help avoid damaging security incidents.
Speaking about AWS, AWS Cloud infrastructure and services have been validated against the NIST 800-53 Revision 4 controls, PCI DSS Level 1 Service Provider and have been awarded CIS Security Software Certification for CIS Benchmark(s).
Now, let’s see these frameworks one by one in short.
PCI-DSS(Payment Card Industry Data Security Standard)
PCI-DSS(Payment Card Industry Data Security Standard) aims to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and practical implementation by stakeholders. It promotes standards to the Payment Card Industry for the safety of cardholder data across the globe. PCI-DSS guides maintaining payment security and set technical and operational requirements for organizations accepting or processing payment transactions.
NIST(National Institute of Standards and Technology)
NIST (National Institute of Standards and Technology)is part of the U.S. Department of Commerce and is committed to safeguarding personal privacy. It provides the set of standards and guidelines for security controls for information systems at federal agencies. NIST also provides a framework for Improving Critical Infrastructure Cybersecurity. To ensure sufficient protection of integrity, confidentiality, and availability of information, the Federal Information Systems typically must go through a formal assessment.
The NIST Cybersecurity Framework (CSF) is supported by governments and industries worldwide as a recommended baseline for any organization.
CIS(Center for Internet Security)
CIS (Center for Internet Security) is a non-profit organization working independently with a mission to make the cyber world a safer place for people, businesses, and governments. It provides best practices for securing IT systems and data on the Internet. It works on developing, validating, and promoting the best method to protect people, businesses, and governments against cyber threats on the Internet.
To secure organizations, CIS offers various programs, tools, memberships, and services. MS-ISAC, CIS Controls, CIS Benchmarks, and CIS CyberMarket are a few of the offerings that CIS provides.
AWS Security Best Practice 9: End-to-end encryption (TDE) 256-bit encryption
End-to-End encryption is a method to encrypt the communication and secure it from third parties. TDE, Transparent Data Encryption, encrypts stored data on DB instances and is supported by AWS RDS for SQL Server (SQL Server Enterprise Edition) and Oracle (Oracle Advanced Security option in Oracle Enterprise Edition). TDE encrypts data automatically before it is written to database or storage and decrypts when it is read from the database or storage. This kind of encryption is used in cases where it is very vital to encrypt sensitive data. TDE improves Cloud Security and helps store sensitive data in an encrypted form on AWS Cloud and is also one of the best practices to strengthen AWS Security.
AWS Security Best Practice 10: Penetration Testing on AWS
AWS permits its users to carry out Penetration Tests on certain services(8 Services as of June 21, 2021) in their accounts. The user must abide by the policies set by AWS for such tests. You can carry out pen-tests on your AWS account by following the policies and guidelines at Penetration Testing. You don’t need any approval from AWS to carry out pen-tests against your account. Also, contracted third parties can perform security assessments that do not violate the policy defined by AWS.
Permitted services for Penetration Testing:
- EC2 instances, NAT Gateways, and Elastic Load Balancers
- RDS, Aurora
- API Gateways
- Lambda and Lambda Edge functions
- Lightsail resources
- Elastic Beanstalk environments
Prohibited activities for Penetration Testing:
- Route 53
- Denial of Service
- Port flooding, Request flooding Protocol flooding
Customers can not perform Denial Of Services(DOS), and if they want to perform DDOS(Distributed Denial Of Services), they should review the DDoS Simulation Testing policy of AWS.
You can also take a look at our slideshow about top AWS services to learn more about AWS security.
AWS security Case Studies for top FSI customer
Coinbase is a secured platform used to buy and sell cryptocurrencies. It supports cryptocurrencies like Bitcoin, Ethereum, Bitcoin Cash, Litecoin, etc. It is headquartered in San Francisco and is the first regulated bitcoin exchange in the United States. The company’s core tenets are security, scalability, and availability.
According to Witoff, Director at Coinbase, Security is the most important of these tenets. Coinbase wanted to have their platform on something that will work for them with uncompromising security. After evaluating multiple cloud vendors, Coinbase was confident in Amazon Web Services (AWS) and started designing the new Coinbase Exchange using AWS IAM(Identity and Access Management ) and RDS, EC2, Lambda, S3, and a few other services.
The result is, Coinbase is now able to store its customers’ funds securely using AWS.
AWS Services used by Coinbase are:
- Amazon Elastic Compute Cloud (Amazon EC2)
- Amazon Simple Storage Service (Amazon S3)
- Amazon Relational Database Service (Amazon RDS)
- Amazon Kinesis
- Amazon Elastic MapReduce (Amazon EMR)
- AWS Lambda
- AWS Identity and Access Management (IAM)
- AWS CloudTrail
Starling Bank is a digital bank based in the United Kingdom. It is a regulated and fully licensed bank built to give people a fairer, more competent, secure, and strict humane alternative to the traditional banks. Making sure that customers’ data stays free from cyber-attacks and fraud was one of the goals of Starling for providing the best banking service in the world. Starling also had to remain compliant. AWS was an obvious choice for Starling as it was clear to the UK and EU industry regulators that all of the technology would be secure and compliant as standard.
The result is, Starling Bank has built a successful Mobile-Only Retail Bank on AWS.
AWS Services used by Starling Bank are:
- Amazon Elastic Kubernetes Service (Amazon EKS)
- AWS Lambda
- Amazon Relational Database Service (Amazon RDS)
- Amazon Simple Storage Service (Amazon S3)
Conclusion of AWS Security Best Practices
As per Gartner, “Through 2025, 99% of cloud security failures will be the customer’s fault.” Security is a shared responsibility between AWS and its customers. You can trust AWS as it has proven itself to be a strong Cloud partner. However, you should verify. Financial organizations can take advantage of AWS Services that maximize their agility by using the existing compliance measures and security standards. Also, by following AWS Security Best Practices and Cloud Security Standards, you can build a more secure environment to host your applications. Most of the time, misconfiguration and improper access practices are responsible for data breaches and illegitimate access.
Cloud Security is the practice of protecting the Cloud Environment, applications deployed, and data stored on the Cloud by following the set of best practices. It involves the procedure and services that secure the Cloud Environment from internal and external cyber-attacks on the Cloud Environment and its applications.
While making the transition to the Cloud, it is imperative to ensure that the data and applications deployed on the Cloud are not compromised. Cloud Environment provides excellent services, flexibility through remote working, scalability, fast data sharing, etc. Moreover, securing the data and applications, i.e., Cloud Security, is of utmost importance as sensitive business information and intellectual property may be exposed through accidental leaks.
Security Groups, Cloudtrail, WAF, GuardDuty, are a few of the top AWS Security features.
You can improve AWS Security in the following ways.
1.Enable limited and required network access using Security Groups.
2.Take action on actionable findings in your AWS accounts by GuardDuty.
3.Maintain Cloudtrail and Cloudwatch logs as logging and monitoring are essential parts of the security plan.
4.Additionally, enable Multi-factor Authentication(MFA) to protect accounts from illegitimate access.