Cloud platforms are popular, but they aren’t yet ubiquitous. Six out of ten businesses have conducted a cloud migration, but that implies four out of ten haven’t. If your business hasn’t made the leap to cloud infrastructure, you may be wondering what all the fuss is about. In this article, we explore five reasons you may want to reconsider moving some of your workloads to a cloud platform like AWS or Microsoft Azure.

What is Cloud Migration?

Cloud migration is the process of moving data, applications, and computational workloads into the cloud. Because the cloud takes many forms, cloud migration takes many forms too. The classic cloud migration involves moving an application hosted on a physical server to a virtual server hosted in the cloud. But cloud migration may also involve breaking an application into components distributed across multiple cloud services, including database services, storage services, and Platform-as-a-Service (PaaS).

A business may also choose to migrate only part of an application or workload. For example, they may migrate data storage to a cloud platform while hosting the application’s code in their data center. Or they may use on-premises infrastructure as a primary site while leveraging the cloud as a disaster recovery or “cloudburst” location. The combination of on-premises hosting with cloud hosting is often called a hybrid cloud environment. 

Three Cloud Migration Strategies

As we’ve seen, cloud migration isn’t a simple matter, but application cloud migration strategies can be broken down into three broad categories. 

Lift and Shift

Lift-and-shift, also known as rehosting, is the simplest cloud migration strategy. An application is transferred in its current form from on-premises servers to virtual servers running in the cloud. Lift-and-shift migrations involve minimal changes to the application because Infrastructure-as-a-Service platforms such as AWS EC2 or Azure Virtual Machines provide server environments that are essentially identical to physical servers from the application’s perspective. 

Lift-and-shift migrations are faster, simpler, and less expensive than other types of migration. However, they may not take full advantage of the cloud platform’s capabilities. Additionally, businesses should consider the security and compliance implications of even a simple rehosting project. Virtual servers appear similar to physical servers, but moving to an unfamiliar cloud environment may introduce security and privacy risks that a business is not well-equipped to predict or mitigate. 

Rearchitect

Rearchitecting transforms an application’s design to take advantage of cloud platform features. A monolithic application might be rearchitected as microservices hosted on containers. Or the application might be modified to work with a managed database platform instead of a self-hosted database. 

The extent and complexity of rearchitecting projects depend on the business’s objectives and often on cost considerations, but all rearchitecting projects must pay careful attention to the security and privacy implications of any changes. 

Rebuild/Replace

In the most radical cloud migrations, an application is rebuilt or replaced in its entirety. Instead of moving code and data to the cloud, similar functionality tailored for the cloud is built from the ground up. Businesses may take this route to leave behind a legacy application judged unsuitable for the cloud or to embrace new technologies and platforms. Rebuilding provides a cloud-native application, but it is the most complex and expensive cloud migration option. 

5 Benefits of Cloud Migration

We’ve looked at what cloud migration is and the migration strategies businesses use to achieve their objectives, but why do they choose to migrate to the cloud in the first place? 

Improved Infrastructure Security and Compliance

Cloud migration alleviates businesses’ need to manage some aspects of infrastructure security. For example, the cloud provider manages physical and some network security. It also provides tooling that helps businesses to monitor and secure their infrastructure. 

However, it’s important to emphasize that cloud security is a shared concern. Although the provider is responsible for some aspects of infrastructure security, the user must ensure they configure and manage cloud services according to cloud security best practices. A significant percentage of cloud security incidents result from improper configuration, as we’ve discussed in previous articles.

Reduced Infrastructure Cost

Cloud platforms can be less expensive than on-premises or colocated infrastructure if managed correctly. Cloud environments grow and shrink in line with the user’s requirements. For example, AWS EC2 instances scale up and down, and businesses can choose from many different configurations depending on their need. Additionally, cloud infrastructure does not require significant up-front investment; users pay only for the infrastructure they use, as they use it. 

As with the security benefits of cloud migration, businesses must follow cloud best practices to realize potential cost savings. Cloud users may spend more than they expect if they do not monitor and control their environment to avoid wasted resources. 

Enhanced Scalability

Scaling on-premises infrastructure is often complex and expensive. Scaling in the cloud is more straightforward. As we have already mentioned, most cloud services grow and shrink in line with the users’ needs. For example, cloud block storage services provide an almost infinite amount of data storage, and businesses don’t have to manage physical storage devices. 

Scalability is one reason businesses opt to rearchitect applications when migrating. Breaking an app into smaller services allows each component to be scaled and replicated independently, which may not be possible with a monolithic application. 

Increase Business Agility

The flexibility of cloud platforms allows businesses to respond to evolving customer and market demands. They can deploy and scale infrastructure quickly. Larger cloud platforms provide an array of managed services that make it easier to deploy new features. Furthermore, cloud platforms encourage a DevOps approach to application development, allowing businesses to quickly develop and deploy new features. 

Simplified IT Management

Cloud infrastructure can be managed in a web interface or scripted via an API. Modern cloud management interfaces provide a vast array of features that allow businesses to monitor, configure, and adapt every aspect of their environment. 

As with the other benefits we’ve looked at here, there are potential drawbacks where cloud management is concerned. Cloud management is simpler if your business is familiar with the platform and its intricacies. If not, cloud management can be confusing, and, in the worst cases, a lack of expertise leads to cost, security, and compliance issues. 

Verify Your Cloud Migration Security with KirkpatrickPrice

Cloud migration may create significant new security and compliance risks, especially for businesses unfamiliar with the platform. A cloud security audit verifies and tests the controls your company has in place on AWS, Azure, or GCP. Visit the KirkpatrickPrice AWS Security Scanner or contact a cloud security specialist to learn more about cloud security audits.

NorthStar Education Services, a student financial aid and payment company, today announced that it has completed its SOC 2 Type II audit, performed by KirkpatrickPrice. This attestation provides evidence that NorthStar Education Services has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of NorthStar Education Services’s controls to meet the standards for these criteria.

Taige Thornton, President of NorthStar Education Services, said, “All organizations should ask for SOC reporting from their outsourced service vendors. Whether a vendor can provide a SOC report is a serious risk component that companies need to consider during any vendor due diligence analysis.”

“The SOC 2 audit is based on the Trust Services Criteria,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “NorthStar Education Services delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on NorthStar Education Services’s controls.”

About NorthStar Education Services

NorthStar Education Services is an affiliate of Ascendium Education Group. For 50 years, our focus has been to deliver industry-leading tools to support educational accessibility and success through student loan repayment, employee benefit/payment assistance, next-generation financial wellness and education loan refinancing programs.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit https://kirkpatrickprice.com, follow KirkpatrickPrice on LinkedIn, or subscribe to our YouTube channel.

Independent Audit Verifies AdvicePay’s Internal Controls and Processes

Bozeman, MT – AdvicePay, the leading fee-payment-processing platform designed exclusively for financial advisors, today announced that it has completed its SOC 2 Type II audit, performed by KirkpatrickPrice. This attestation provides evidence that AdvicePay has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of AdvicePay’s controls to meet the standards for these criteria.

“We are proud to have completed the SOC 2 Type II examination and audit for the second time. Tens of thousands of clients place their trust in our system to deliver best-in-class solutions and safeguards to protect and secure their data,” said Alan Moore, CEO & Co-Founder of AdvicePay. “The successful completion of the SOC 2 Type II examination and audit further proves our commitment to providing the most stringent safety measures to deliver enterprise-grade solutions.”

“The SOC 2 audit is based on the Trust Services Criteria,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “AdvicePay delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on AdvicePay’s controls.” 

About AdvicePay

Established by well-known financial advisors Michael Kitces and Alan Moore, AdvicePay is the only billing and payment processing platform created specifically for fee-for-service financial planning. Financial advisors benefit from efficient invoicing and payment workflows designed exclusively to support their businesses, including up-to-date compliance and data security management. Users can issue agreements for client e-signature, accept ACH and credit cards, bill hourly or one-time fees, or establish recurring retainer or subscription billing compliantly – all through the AdvicePay system. To learn more about the AdvicePay platform, visit http://www.AdvicePay.com.


Businesses have many infrastructure hosting solutions to choose from, from physical servers hosted in owned data centers, to colocated servers in managed data centers, to many different cloud platforms. However, in 2021, Amazon Web Services (AWS) is by far the largest infrastructure hosting platform in the world. 

Businesses choose AWS because it offers a diverse array of cloud services backed by the technical expertise of one of the most valuable companies in the world. AWS lowers infrastructure management costs while providing the reliability, scalability, and availability businesses expect. 

Other cloud providers offer roughly equivalent services, including Microsoft Azure and Google Cloud Platform, but AWS had the first-mover advantage, and its growth has outpaced its competition. 

Cloud security is another reason businesses adopt AWS. In the early days of the cloud, business leaders were skeptical that virtualized infrastructure platforms could offer adequate security and privacy. Today, the days of the cloud security naysayers are long past. No infrastructure platform is guaranteed free of vulnerabilities, but cloud platforms like AWS are trusted by businesses, governments, and even national security services.

This article looks at some of the ways AWS enhances cloud security and makes it easier for businesses to maintain secure and compliant infrastructure hosting. We’ll also explore cloud security limitations and how companies can ensure their cloud infrastructure complies with industry best practices and regulatory standards. 

What is Cloud Security?

Cloud security is the resources, tools, and practices that allow businesses to store data and run code securely in the cloud. Cloud security’s primary concern is to limit data and infrastructure access to authorized users, whether that’s a business’s customers or internal users of the cloud platform. 

If a business fails to secure its cloud infrastructure, it risks exposing sensitive data, having its resources hijacked by bad actors, and subjecting its users to malware and other threats. 

Cloud infrastructure faces many different security threats, including:

  • Human error. The majority of cloud security vulnerabilities are caused by configuration errors and poor understanding of cloud security best practices. 
  • Social engineering. Bad actors use social engineering techniques such as phishing attacks and executive impersonation to gain access to sensitive cloud resources such as authentication credentials. 
  • Endpoint security vulnerabilities. These include software vulnerabilities and poor security practices around the devices end-users use to access cloud resources. 
  • Software vulnerabilities. Attackers target code hosted on cloud platforms. According to the Open Web Application Security Project (OWASP) Top Ten, the most common web application vulnerabilities include broken access controls, cryptographic failures, vulnerable and outdated components, and security logging and monitoring failures. 

Cloud platforms such as AWS provide tools and services to help businesses overcome these risks. However, cloud security is only effective if businesses understand the risks and how to use the resources their platform provides to combat them. 

Let’s explore five ways AWS helps its users maximize cloud security to protect their data and infrastructure assets. 

1. Amazon-Managed Data Centers, Servers, and Networks

Building and maintaining secure IT infrastructure requires knowledge and experience many businesses lack. Infrastructure security is a specialized field, and without a deep understanding of the risks, it’s all too easy to deploy infrastructure that is vulnerable to attack. 

AWS provides a secure baseline for infrastructure deployment. Its employees include some of the most experienced and knowledgeable cloud security professionals in the industry. They work to implement secure data centers, networks, and servers on which users can deploy their code. 

Furthermore, AWS provides high-level PaaS and managed hosting solutions so users don’t have to worry about securing operating systems, library code, services such as web servers, and other aspects of server security. AWS doesn’t guarantee security, but it does provide a secure foundation. 

2. Powerful Access Management Tools

The OWASP Top Ten includes two security risks related to access management: broken access controls and identification and authentication failures. Identity and access management are among the most challenging security and privacy management features to get right. Infrastructure is useless if the right people can’t use it, but opening the door to them often creates vulnerabilities that bad actors can exploit. 

AWS integrates a range of powerful tools for verifying identity and controlling access. The Identity and Access Management (IAM) service provides tools for managing access to AWS services and resources. It allows businesses to attach fine-grained permissions to users, groups, and roles. It also offers extra security with multi-factor authentication, and it provides federated access for systems such as Microsoft Active Directory. 

IAM is the centerpiece of AWS’s access management, but the platform incorporates several additional access management tools, including AWS Single Sign-On, AWS Resource Access Manager, and Amazon Cognito.

3. Vulnerability and Breach Protection

How does a business know when its cloud resources have been compromised? Sometimes it’s obvious: data becomes unavailable, and a ransom demand is delivered—there were over 300 million ransomware attacks in 2020. But businesses would ideally be aware of breaches before the worst happens. 

AWS offers several tools for monitoring cloud resources for potential breaches. Amazon GuardDuty continuously analyzes logs, using machine learning and threat intelligence to identify breaches. Amazon Inspector assesses applications for vulnerabilities. AWS CloudTrail tracks user activity and API usage, helping businesses to identify and mitigate security breaches. 

4. Encryption and Data Protection

Cryptographic failures are in second place on the OWASP Top Ten. Data should be encrypted in transit and at rest, and encryption keys should be managed to limit the risk of exposure. AWS has many data protection tools that help businesses to encrypt their data. 

Data storage services such as Amazon S3 and Amazon EBS can encrypt data transparently. Data is automatically encrypted as it moves between components of an AWS environment. Amazon Macie helps businesses to identify and protect sensitive data. In addition to integrated encryption services, AWS also offers a range of key and certificate management services, including AWS Certificate Manager and AWS Key Management Service.

5. AWS Firewalls 

Firewalls allow AWS users to analyze and filter incoming and outgoing network traffic. AWS incorporates a multitude of firewalls, including the stateful Security Groups and stateless Network Access Control Lists. We wrote more about both in Cloud Security: What are AWS Security Groups? 

In addition to network firewalls, AWS also provides more specialized firewall services, such as the AWS Web Application Firewall (WAF), which analyzes web traffic to identify malicious requests. AWS WAF filters attacks before they reach web applications, including SQL injection and cross-site scripting, which appear on the OWASP Top Ten. 

How AWS Audits Improve Cloud Security

We’ve looked at five ways AWS empowers businesses to enhance cloud security, but the existence of these tools and services is no guarantee they are used correctly. Misconfiguration is the most common cause of cloud security breaches and data leaks. 

KirkpatrickPrice is a CPA firm specializing in information security, including cloud security. Our services help businesses to verify their AWS cloud environments are secure and compliant. They include:

  • Remote Cloud Security Assessments, which analyze AWS, Azure, and GCP configurations for misconfigurations and vulnerabilities.
  • Cloud Security Audits, which test your cloud controls against a framework based on the CIS Benchmarks for AWS and other cloud platforms. 
  • Pen Testing Services, which leverage the expertise of skilled penetration testers to verify your network, web application, API, and wireless security. 

To learn more, contact an AWS security auditor today or visit the KirkpatrickPrice AWS Cybersecurity Services, where you’ll find a wealth of actionable information focused on AWS security and our AWS Security Scanner.  

AWS provides dozens of cloud services ranging from storage and compute to machine learning and security services. AWS is by far the biggest cloud platform, and thousands of businesses entrust it with their most sensitive data and critical workloads. Ensuring only authorized users can access these assets is the job of AWS Identity and Access Management (AWS IAM). 

As you might imagine, improper use of AWS IAM can create serious security vulnerabilities. This article introduces AWS IAM and discusses five of the most critical AWS IAM security best practices. 

What is AWS IAM?

AWS IAM is a cloud service for managing access to resources in the AWS cloud. As the name suggests, IAM has two main roles:

  • Identity management — verifying that a user is who they claim to be with authentication mechanisms such as passwords, multi-factor authentication, and federated identity management solutions such as Microsoft Active Directory. 
  • Access management — controlling which resources users can access. Each user has a set of permissions that determine the actions they can take within a business’s AWS account. 

These roles mean that IAM is the gatekeeper for AWS resources. If businesses fail to follow IAM best practices, they risk giving unauthorized users access to their data and infrastructure. 

What Are Users, Groups, and Roles in AWS IAM?

When an AWS account is first created, it has a single user. This is the root user, which has complete access to all resources. As we’ll discuss in the next section, the root user should not be used for day-to-day operations. It should, however, be used to create other IAM identities with varying permissions.

IAM provides three primary types of identity: users, groups, and roles. Each has an associated set of permissions, but they serve different purposes. 

  • Users — users represent people, and they are used to give individuals the ability to log in and manage AWS resources. Users are granted permissions, either by attaching a permissions policy or by adding them to a group. IAM users can also generate access keys, which can be used for programmatic access to AWS APIs. 
  • Groups — a group is a collection of users. Groups also have configurable permissions, which all members inherit. Groups make it easy to grant permissions to a class of users. For example, a business might create a DevOps group with permissions to manage EC2 instances. 
  • Roles — roles have many of the same properties as users. However, roles are not linked to a single individual, and they do not have log-in credentials. Instead, roles are temporarily assumed by users who need a specific set of permissions to complete a task. 

5 Steps to Secure Your AWS IAM Account

1. Create IAM Users with Appropriate Permissions 

We recommend using the root account to create users, groups, and roles with suitable permissions. Once that’s done, use those identities to manage day-to-day operations. To further improve IAM security, activate multi-factor authentication on user accounts. With MFA turned on, user accounts remain protected even if their password is exposed, because the password alone is not enough to sign in.  

2. Enforce AWS Least-Privilege Permissions

Create permissions policies that provide the lowest possible access. IAM identities cannot control resources unless they are given permission. Determine the minimum set of permissions to grant when creating users, groups, and roles. You can always add more later if they’re needed. 

It may be tempting to give users broad permissions in case they need to carry out a particular task. But it is more secure to be restrictive at first, only granting additional privileges when a user finds they are required. 

As your business and its AWS environment evolve, the permissions needed by IAM identities will change. Perhaps a user needed broad permissions to manage resources at one time, but no longer. In that case, their permissions should be restricted and unnecessary access removed. For the same reason, ensure that unused users, roles, and groups are deleted. 

You may also want to use IAM Access Analyzer to refine permissions policies. IAM Access Analyzer helps businesses to maintain least-privilege access by generating permissions policies based on access activity. IAM Access Analyzer also provides last-accessed and last-used timestamps that can help you to identify unneeded permissions and unused identities.  
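As an added illustration of the least-privilege guidance above (this is example code, not KirkpatrickPrice’s tooling or an AWS API), the following Python flags over-broad Allow statements in an IAM policy document and answers whether a policy permits a given action on a resource. The two policies, the account id and the tag condition are constructed samples, and the evaluator is deliberately simplified: it treats Condition blocks as satisfied and does not model NotAction or NotResource.

```python
"""Least-privilege checks for IAM policy documents (added example).

Constructed samples: an over-broad "just in case" policy and a scoped
DevOps policy for the task the article describes (managing EC2 instances).
"""
import json
from fnmatch import fnmatch

# Constructed sample: broad permissions granted "in case they are needed".
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
})

# Constructed sample: the same need scoped to the minimum the task requires
# (the account id and tag value are placeholders).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:StartInstances",
                   "ec2:StopInstances"],
        "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/Team": "devops"}},
    }],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad(policy_json):
    """Return (statement_index, finding) pairs for Allow statements that grant
    more than a least-privilege policy should: wildcard actions, whole-service
    wildcards, NotAction, and unconditioned access to every resource."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append((idx, "uses NotAction (allows everything not listed)"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((idx, "allows every action on every service"))
            elif action.endswith(":*"):
                service = action.split(":", 1)[0]
                findings.append((idx, f"allows every action in {service}"))
        if "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition"):
            findings.append((idx, "applies to every resource with no Condition"))
    return findings


def _matches(patterns, value):
    """IAM wildcard match ('*' and '?'); action names are case-insensitive."""
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)


def is_allowed(policy_json, action, resource):
    """Simplified evaluation of one identity policy: an explicit Deny always
    wins, otherwise access needs a matching Allow. Condition blocks are
    treated as satisfied and NotAction/NotResource are not modeled, so True
    means "now check the conditions", not "definitely permitted"."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not (_matches(_as_list(stmt.get("Action")), action)
                and _matches(_as_list(stmt.get("Resource")), resource)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, find_overbroad(policy) or "no findings")
    print(is_allowed(RESTRICTED_POLICY, "ec2:TerminateInstances",
                     "arn:aws:ec2:us-east-1:111122223333:instance/i-0example"))
```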

3. Secure the AWS IAM Root Account

As we mentioned above, the root account has universal permissions. It can access and control all resources owned by an AWS account. With its access keys, developers can control those resources via AWS APIs. The root account is uniquely useful, but it is also uniquely dangerous. Attackers may gain complete control of your AWS account if its credentials or access keys are exposed.

Therefore, the AWS root account and its access keys should not be used to manage AWS resources. If your business is already using the root account in day-to-day operations, consider creating new user accounts with limited permissions. Use these instead of the root account. Change the root account’s password and delete its access keys. Use AWS CloudTrail and CloudWatch to monitor API calls to ensure that you haven’t missed any use of the root account. 
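Following the CloudTrail advice above, here is an added Python example (not KirkpatrickPrice’s tooling or an AWS service) that scans CloudTrail records for root-user activity using the same selector the CIS AWS Foundations Benchmark uses for its root-usage metric filter, and rates root access-key use and non-MFA root console logins as the findings that step 3 says should no longer occur. The four events, the account id, the IP addresses and the access key id are constructed samples.

```python
"""Find root-account activity in CloudTrail records (added example).

CloudTrail marks the root user with userIdentity.type == "Root". The filter
mirrors the CIS AWS Foundations Benchmark root-usage metric filter:
  $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
  && $.eventType != "AwsServiceEvent"
"""
import json

# Constructed sample records, trimmed to the fields used here. The account
# id, IP addresses and access key id are placeholders, not real values.
SAMPLE_EVENTS = [
    {"eventTime": "2021-06-01T08:15:02Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "eventType": "AwsConsoleSignIn",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2021-06-01T09:02:44Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "eventType": "AwsApiCall",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "devops-alice",
                      "arn": "arn:aws:iam::111122223333:user/devops-alice"}},
    {"eventTime": "2021-06-01T09:30:10Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com", "eventType": "AwsApiCall",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "accessKeyId": "AKIAEXAMPLEPLACEHOLDER"}},
    {"eventTime": "2021-06-01T10:11:00Z", "eventName": "CreateSnapshot",
     "eventSource": "ec2.amazonaws.com", "eventType": "AwsServiceEvent",
     "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "invokedBy": "ec2.amazonaws.com"}},
]


def parse_records(text):
    """CloudTrail log files wrap events as {"Records": [...]}; a bare list of
    events (for example from a CloudWatch Logs export) is accepted too."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def is_root_activity(event):
    """True for direct root-user actions. Activity an AWS service performed on
    the account's behalf (invokedBy / AwsServiceEvent) is excluded, as in the
    CIS metric filter, so routine service events do not drown out a real
    root login."""
    identity = event.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent")


def classify_root_activity(events):
    """One finding per root action. Root access-key use and console logins
    without MFA are HIGH because the article's step 3 says root keys should
    be deleted and the root account kept out of daily use."""
    findings = []
    for event in events:
        if not is_root_activity(event):
            continue
        identity = event["userIdentity"]
        mfa_used = event.get("additionalEventData", {}).get("MFAUsed")
        if identity.get("accessKeyId"):
            severity, reason = "HIGH", "root access key still in use"
        elif event.get("eventName") == "ConsoleLogin" and mfa_used != "Yes":
            severity, reason = "HIGH", "root console login without MFA"
        else:
            severity, reason = "MEDIUM", "root account used for an action"
        findings.append({
            "severity": severity, "time": event.get("eventTime"),
            "action": event.get("eventName"),
            "source_ip": event.get("sourceIPAddress"), "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in classify_root_activity(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['action']} from "
              f"{f['source_ip']}: {f['reason']}")
```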

4. Ensure Account Information Is Accurate

AWS may send you security notifications, and it’s imperative they go to the correct email addresses. It’s not unusual for businesses to create AWS accounts with email addresses that aren’t monitored. We recommend designating one or several individuals responsible for checking and responding to notifications. Ensure that their contact details are correctly recorded in AWS and that they regularly check the email inboxes for notifications. 

In addition to the primary email address associated with an account, AWS provides alternate contacts for billing, operations, and security notifications. Businesses can use these addresses to ensure notifications are sent to the right people. 

5. Use AWS Security Hub, Amazon GuardDuty, and other AWS Security Tools

AWS provides several services to help businesses to monitor and improve security. Perhaps the most important is the AWS Security Hub. The Security Hub centralizes alerts from several other services, allowing companies to access high-priority security alerts quickly. 

The services that send alerts to AWS Security Hub include:

  • Amazon GuardDuty, a threat detection service that monitors AWS accounts for malicious activity. 
  • Amazon Inspector, an automated security assessment service. 
  • AWS Firewall Manager, a centralized firewall management service.
  • Amazon Macie, a data security and privacy service that uses machine learning to help businesses to identify and protect sensitive information. 

KirkpatrickPrice’s AWS Cybersecurity Services provide AWS audits and a wealth of actionable information to help businesses identify AWS security and compliance threats and protect their infrastructure and data. Contact a cloud information security specialist today for assistance with your AWS security and compliance challenges.