Businesses have many infrastructure hosting solutions to choose from, from physical servers hosted in owned data centers, to colocated servers in managed data centers, to many different cloud platforms. However, in 2021, Amazon Web Services (AWS) is by far the largest infrastructure hosting platform in the world. 

Businesses choose AWS because it offers a diverse array of cloud services backed by the technical expertise of one of the most valuable companies in the world. AWS lowers infrastructure management costs while providing the reliability, scalability, and availability businesses expect. 

Other cloud providers offer roughly equivalent services, including Microsoft Azure and Google Cloud Platform, but AWS had the first-mover advantage, and its growth has outpaced its competition. 

Cloud security is another reason businesses adopt AWS. In the early days of the cloud, business leaders were skeptical that virtualized infrastructure platforms could offer adequate security and privacy. Today, the days of the cloud security naysayers are long past. No infrastructure platform is guaranteed free of vulnerabilities, but cloud platforms like AWS are trusted by businesses, governments, and even national security services.

This article looks at some of the ways AWS enhances cloud security and makes it easier for businesses to maintain secure and compliant infrastructure hosting. We’ll also explore cloud security limitations and how companies can ensure their cloud infrastructure complies with industry best practices and regulatory standards. 

What is Cloud Security?

Cloud security is the resources, tools, and practices that allow businesses to store data and run code securely in the cloud. Cloud security’s primary concern is to limit data and infrastructure access to authorized users, whether that’s a business’s customers or internal users of the cloud platform. 

If a business fails to secure its cloud infrastructure, it risks exposing sensitive data, having its resources hijacked by bad actors, and subjecting its users to malware and other threats. 

Cloud infrastructure faces many different security threats, including:

  • Human error. The majority of cloud security vulnerabilities are caused by configuration errors and poor understanding of cloud security best practices. 
  • Social engineering. Bad actors use social engineering techniques such as phishing attacks and executive impersonation to gain access to sensitive cloud resources such as authentication credentials. 
  • Endpoint security vulnerabilities. These include software vulnerabilities and poor security practices around the devices end-users use to access cloud resources. 
  • Software vulnerabilities. Attackers target code hosted on cloud platforms. According to the Open Web Application Security Project (OWASP) Top Ten, the most common web application vulnerabilities include broken access controls, cryptographic failures, vulnerable and outdated components, and security logging and monitoring failures. 

Cloud platforms such as AWS provide tools and services to help businesses overcome these risks. However, cloud security is only effective if businesses understand the risks and how to use the resources their platform provides to combat them. 

Let’s explore five ways AWS helps its users maximize cloud security to protect their data and infrastructure assets. 

1. Amazon-Managed Data Centers, Servers, and Networks

Building and maintaining secure IT infrastructure requires knowledge and experience many businesses lack. Infrastructure security is a specialized field, and without a deep understanding of the risks, it’s all too easy to deploy infrastructure that is vulnerable to attack. 

AWS provides a secure baseline for infrastructure deployment. Its employees include some of the most experienced and knowledgeable cloud security professionals in the industry. They work to implement secure data centers, networks, and servers on which users can deploy their code. 

Furthermore, AWS provides high-level PaaS and managed hosting solutions so users don’t have to worry about securing operating systems, library code, services such as web servers, and other aspects of server security. AWS doesn’t guarantee security, but it does provide a secure foundation. 

2. Powerful Access Management Tools

The OWASP Top Ten includes two security risks related to access management: broken access controls and identification and authentication failures. Identity and access management are among the most challenging security and privacy management features to get right. Infrastructure is useless if the right people can’t use it, but opening the door to them often creates vulnerabilities that bad actors can exploit. 

AWS integrates a range of powerful tools for verifying identity and controlling access.  The Identity and Access Management (IAM) service provides tools for managing access to AWS services and resources. It allows businesses to attach fine-grained permissions to users, groups, and roles. It also offers extra security with multi-factor authentication, and it provides federated access for systems such as Microsoft Active Directory. 

IAM is the centerpiece of AWS’s access management, but the platform incorporates several additional access management tools, including AWS Single Sign-On, AWS Resource Access Manager, and Amazon Cognito.

3. Vulnerability and Breach Protection

How does a business know when its cloud resources have been compromised? Sometimes it’s obvious: data becomes unavailable, and a ransom demand is delivered—there were over 300 million ransomware attacks in 2020. But businesses would ideally be aware of breaches before the worst happens. 

AWS offers several tools for monitoring cloud resources for potential breaches. Amazon GuardDuty continuously analyzes logs, using machine learning and threat intelligence to identify breaches. Amazon Inspector assesses applications for vulnerabilities. AWS CloudTrail tracks user activity and API usage, helping businesses to identify and mitigate security breaches. 

4. Encryption and Data Protection

Cryptographic failures are in second place on the OWASP Top Ten. Data should be encrypted in transit and at rest, and encryption keys should be managed to limit the risk of exposure. AWS has many data protection tools that help businesses to encrypt their data. 

Data storage services such as Amazon S3 and Amazon EBS can encrypt data transparently. Data is automatically encrypted as it moves between components of an AWS environment. Amazon Macie helps businesses to identify and protect sensitive data. In addition to integrated encryption services, AWS also offers a range of key and certificate management services, including AWS Certificate Manager and AWS Key Management Service (KMS).

5. AWS Firewalls 

Firewalls allow AWS users to analyze and filter incoming and outgoing network traffic. AWS incorporates a multitude of firewalls, including the stateful Security Groups and stateless Network Access Control Lists. We wrote more about both in Cloud Security: What are AWS Security Groups? 

In addition to network firewalls, AWS also provides more specialized firewall services, such as the AWS Web Application Firewall (WAF), which analyzes web traffic to identify malicious requests. AWS WAF filters attacks such as SQL injection and cross-site scripting, both of which appear on the OWASP Top Ten, before they reach web applications. 

How AWS Audits Improve Cloud Security

We’ve looked at five ways AWS empowers businesses to enhance cloud security, but the existence of these tools and services is no guarantee they are used correctly. Misconfiguration is the most common cause of cloud security breaches and data leaks. 

KirkpatrickPrice is a CPA firm specializing in information security, including cloud security. Our services help businesses to verify their AWS cloud environments are secure and compliant. They include:

  • Remote Cloud Security Assessments, which analyze AWS, Azure, and GCP configurations for misconfigurations and vulnerabilities.
  • Cloud Security Audits, which test your cloud controls against a framework based on the CIS Benchmarks for AWS and other cloud platforms. 
  • Pen Testing Services, which leverage the expertise of skilled penetration testers to verify your network, web application, API, and wireless security. 

To learn more, contact an AWS security auditor today or visit the KirkpatrickPrice AWS Cybersecurity Services, where you’ll find a wealth of actionable information focused on AWS security and our AWS Security Scanner.  

Cloud platforms make it easier for businesses to leverage complex technologies. Instead of buying, configuring, and managing a physical server, you deploy an instance of a server in the cloud. Instead of licensing, installing, and updating enterprise software, you deploy software for the time and purpose that you need through your provider. Cloud platforms provide many technical intricacies through a user interface, but sometimes how and what you should configure securely is not obvious. You may not be responsible for physical servers and networks, but you are responsible for the security configuration and privacy of business and customer data in the cloud.

That’s why it’s vital your company chooses the right cloud security provider or managed cloud security service to support you in your objectives. In this article, we will explore what a cloud security provider is and help you choose the right provider for your business. We’ll also take a look at some of the limitations of cloud security providers and what they can’t do. 

What is a Cloud Security Provider?

Cloud security providers offer services that help businesses to use cloud environments securely. Companies in this space range from managed security service providers (MSSPs) who offer outsourced cloud monitoring and management to SaaS and cloud software vendors with products that help businesses to avoid common cloud security issues. Cloud security software typically leverages platform APIs, adding enhanced security functionality that is not available on the platform itself. 

Among the services a cloud security provider may offer are:

  • Security hardening, including configuration analysis to identify and mitigate vulnerable security and privacy configurations. 
  • Log analysis to identify security events and threats.
  • Exploit prevention through patching or firewall configuration. 
  • Network intrusion and threat detection. 
  • Malware scanning and ransomware protection. 

Cloud security providers typically have expertise in a specific cloud platform, although some offer solutions targeting multiple cloud platforms or hybrid clouds with cloud and on-premises infrastructure. 

Does Your Business Need a Cloud Security Service?

Cloud platforms, including Amazon Web Services (AWS), operate a shared responsibility model for security. The vendor takes care of some aspects of security, leaving others to the customer. Where exactly the line is drawn depends on the service: IaaS leaves more to the user than SaaS, but the user always retains some responsibility. 

For example, AWS provides secure data storage, but if the user uploads unencrypted data to an S3 bucket with misconfigured access permissions, the platform will do nothing to stop them. 
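As an added illustration of the S3 mistake just described (example code written for this page, not AWS or KirkpatrickPrice tooling), the check below reads a bucket policy, public-access-block settings and default-encryption configuration shaped like the corresponding S3 API responses and lists the misconfigurations a reviewer would flag. The bucket name, account ID and policy documents are constructed, and treating a missing default-encryption rule as a finding follows this article's framing.

```python
import json

# Real names of the four S3 public-access-block settings; all four should be true.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_anyone(principal):
    """True for the wildcard forms '*' and {'AWS': '*'}, which include anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def find_public_statements(policy):
    """Return identifiers of Allow statements granted to any principal with no Condition."""
    hits = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. on aws:SourceVpce) narrows the grant; leave it for manual review.
            continue
        hits.append(stmt.get("Sid") or f"Statement[{index}]")
    return hits

def audit_bucket(name, policy_json, public_access_block, encryption):
    """Return finding strings for one bucket (policy JSON string, PublicAccessBlock dict,
    ServerSideEncryptionConfiguration-shaped dict; each may be None). Empty list = clean."""
    findings = []
    policy = json.loads(policy_json) if policy_json else {}
    for sid in find_public_statements(policy):
        findings.append(f"{name}: policy statement {sid} allows any principal")
    pab = public_access_block or {}
    disabled = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not pab.get(k, False)]
    if disabled:
        findings.append(f"{name}: public access block not fully enabled ({', '.join(disabled)})")
    rules = (encryption or {}).get("Rules", [])
    algorithms = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if not any(algorithms):
        findings.append(f"{name}: no bucket-level default encryption rule configured")
    return findings

# Constructed sample: a bucket left readable by everyone, with no access block or encryption rule.
OPEN_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})

# Constructed sample: the same bucket limited to one (placeholder) account, fully blocked
# from public access and encrypting with SSE-KMS by default.
RESTRICTED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AccountRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
FULL_BLOCK = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}
KMS_DEFAULT = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}

if __name__ == "__main__":
    for finding in audit_bucket("example-bucket", OPEN_BUCKET_POLICY, None, None):
        print(finding)
    print(audit_bucket("example-bucket", RESTRICTED_BUCKET_POLICY, FULL_BLOCK, KMS_DEFAULT))
```

Against live data the same three inputs come from the GetBucketPolicy, GetPublicAccessBlock and GetBucketEncryption API calls; the logic is unchanged.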

That’s where cloud security providers come in. Cloud security providers help cloud users with their share of the cloud security and privacy burden. They offer services that enable businesses to avoid the type of mistake just described. However, the ultimate responsibility for information security and privacy always rests with your company. If private customer data leaks or your business fails to comply with HIPAA or PCI DSS, you will suffer the consequences, not the cloud security provider. 

5 Questions to Ask Cloud Security Service Providers

Businesses should assess cloud security providers before engaging them, but information asymmetry can make this difficult. You may need help precisely because your organization lacks internal cloud security expertise. But without that expertise, how can you adequately assess the services on offer? A vendor compliance assessment can help, and in the initial stages of vendor research, asking the following questions will give you an idea of a prospective vendor’s capabilities. Ultimately, communication and clear expectations are key.

Is Cloud Security Your Core Competency?

Many MSSPs and cloud outsourcing service providers offer security-related services. However, “cloud security” is a broad area. A service provider may advertise their ability to make your cloud environment more secure. But their security efforts may be limited to deploying an off-the-shelf monitoring solution that will bombard your internal team with alerts. Also, the default services may not be as comprehensive as you need. For example, they may monitor Windows systems but not Linux. 

That may be all you’re looking for, but an expert cloud security provider can go much further. They will employ a technical team with expertise in IT and cloud security. Their technicians will have hands-on experience with real-world cloud environments and understand how to mitigate potential security issues. Just as important, they will understand the regulatory environment your company operates in and how to leverage cloud technologies to maintain compliance. 

Before engaging a cloud security vendor, ask about their experience, qualifications, certifications, and tools. 

What Will You Do to Keep Our Data Secure?

This question elicits information about the vendor’s products and processes. As we said earlier, businesses need to know what cloud vendors mean by “cloud security.” You may want to ask the following questions:

  • Will you assess our cloud environment’s configuration for mistakes that may cause security vulnerabilities?
  • Will you monitor our environment for potential intrusions and malware?
  • When you find a problem, will you help mitigate the risk, and what form will that help take?
  • Do your services include asset discovery, threat intelligence, and behavioral monitoring?
  • How do you document actions taken and assigned tasks? 

If possible, you should have a clear idea of your cloud security issues before beginning the vendor selection process. If you know what you are trying to achieve, you can ask focused questions about how the vendor can help you meet those objectives. Businesses lacking internal cloud security expertise should consider hiring an independent third party to assess cloud security risks and develop a mitigation plan. 

Does Your Infrastructure Comply with Information Security Standards?

Consider the following scenario. A company contracts with a cloud security provider to reduce risk and ensure sensitive data storage and processing complies with information security and privacy standards. The company gives the provider access to its cloud environment. Later, the provider’s network is hacked, and bad actors gain access to the data the company hired the vendor to protect. 

This is not an unusual outcome, so it’s essential to verify prospective cloud security vendors follow best practices for their own infrastructure and software. Third-party security audits are helpful here. Ask prospective vendors to demonstrate they are compliant with relevant industry standards, such as SOC 2 and ISO 27001. Also, be sure to inspect their penetration testing results.

Do You Understand the Security and Privacy Concerns of My Industry?

Ensure that cloud security vendors understand your industry’s legal and regulatory requirements. The specifics vary, and a vendor focused on general cloud security concerns may not have the experience or expertise to help you comply with HIPAA, PCI DSS, FISMA, and other standards. 

Do You Offer Security Awareness Training?

Cloud security concerns more than just technology. Many data breaches result from human error and inadequate awareness of security risks. Security awareness training tailored to your company’s security and compliance needs can reduce security risk while improving compliance. 

The Limitations of Cloud Security Providers

A cloud security provider or managed security service provider can reduce security risks, but they can’t objectively verify that your cloud environment is secure or compliant. The optimal approach combines cloud security best practices with cloud security assessments and audits by a qualified independent auditor with cloud and information security expertise. 

KirkpatrickPrice is a licensed CPA firm specializing in information security compliance. Contact a cloud security expert to learn how we can help your business improve cloud security and comply with relevant regulations and industry standards.

Security compliance is a primary concern for data-driven, technology-empowered businesses. On the one hand, they face internal and external security threats ranging from ransomware and phishing attacks to malicious insiders and human error. On the other hand, regulatory frameworks such as HIPAA and the GDPR impose stringent security and privacy standards with legal and financial penalties for non-compliance. 

A security compliance program helps a business to own its compliance risks. However, there are numerous challenges along the path to a security compliance program that supports long-term compliance goals. This article explores security compliance programs and suggests strategies to help businesses manage security compliance risks.

What Is a Security Compliance Management Program?

A security compliance program is the policies, procedures, and processes an organization creates to maintain security standards, typically based on regulatory frameworks such as HIPAA or recognized industry standards such as SOC 2. 

Security compliance programs also encompass the mechanisms by which the organization reviews and assesses information management practices. Without ongoing monitoring and auditing, it’s impossible to verify the organization is complying with its own policies.

Perhaps most important, security compliance programs are people-focused; they aim to create a management framework with resources and incentives that encourage employees to follow security best practices. 

An organization without a security compliance program may follow security best practices in an ad-hoc manner, but then again, they may not. Information security and privacy concerns are often deprioritized relative to other business goals. A security management program supported by an organization’s leadership helps align business practices with security compliance objectives. 

A security compliance management program enables organizations to:

  • Comply with regulations such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS), among many others. 
  • Protect data assets and reduce the legal, financial, and reputational risk of regulatory compliance failures. 
  • Design policies and implement processes that allow executives to exercise control over the organization’s security posture.
  • Monitor and verify security compliance. 

Those interested in building a security compliance program may find it instructive to read the U.S. Department of Justice Criminal Division’s Evaluation of Corporate Compliance Programs. Although broader in scope than information security, it explains the factors that prosecutors look for when evaluating compliance. These include the presence of risk assessments and risk management processes, well-designed and comprehensive policies, risk-based training, properly scoped investigations by qualified personnel, internal and external audits, and more. 

The Components of Effective Security Compliance Management 

A security compliance management plan is tailored to the business’s needs and the environment in which it operates, but effective security compliance programs are built on the following components. 

Security Compliance Policies

Policies are the key documents in a security compliance management program. Security compliance policies describe the minimum security standards with which the organization intends to comply. Policies should be informed by a variety of factors, including:

  • The organization’s business objectives,
  • The regulatory environment in which the business operates, and
  • The specific risks the organization faces. 

Policies are long-lasting, high-level documents, but they are not permanent. A company must be prepared to evolve policies in response to changes in the organization, its operating environment, and the technology on which it relies. 

Structures to Implement Security Compliance Policies

Policies are only useful insofar as they are implemented, but this is often the biggest challenge. Security compliance impacts almost all aspects of modern business: data is a key asset, and information technology is ubiquitous. 

There are two possible approaches. The first is to “bolt” security compliance onto existing business processes. However, as Gartner’s research makes clear, this is unsustainable and unscalable. It makes security a potential hindrance to normal operations, creating the risk that compliance processes are bypassed as managers and employees prioritize efficiency. 

The second approach is to make security compliance an integral part of business processes. As workflows are designed, compliance is “baked in,” informing organizational structures, processes, relationships with business partners, and technology choices. 

Learn more about building compliant business processes in Auditor Insights: Compliance from the Start.

Whichever approach is chosen, security compliance management requires leadership and clear communication with stakeholders throughout the organization. A typical security compliance management structure includes:

  • A leader with authority to sponsor security compliance projects. This may be an executive or a security compliance steering team with executive support. 
  • Participation from relevant stakeholders within the organization. This might include stakeholders from IT, information security, sales, finance, and other business units. The IT department plays a critical role in security compliance. Still, other stakeholders should also be involved to reduce the risk of security compliance procedures failing to align with broader business objectives. 
  • A compliance manager or managers with information security expertise. The compliance manager is responsible for overseeing compliance projects that integrate security compliance throughout the business. For example, the compliance manager may work with IT to implement encryption policies for sensitive data. The compliance manager also gathers evidence to assess compliance efforts’ effectiveness and inform future policy and process changes. 

Additionally, it is usually necessary to offer information security training. Any employee who has access to potentially sensitive data should receive security awareness training that prepares them to comply with information security policies. 

Security Compliance Evaluation and Auditing

Compliance monitoring and internal audits are essential. Security compliance is a continuous process of implementation and evaluation. Policies evolve as regulatory standards change, and procedures and outcomes must be re-evaluated to ensure they meet security compliance objectives. Internal monitoring and evaluation should be augmented by external audits conducted by experienced auditors with information security expertise.

Implementing a Security Compliance Management Program for Your Business

There is no universally applicable template for building a compliance management program. Every company is different, and so are its compliance requirements. However, most businesses benefit from a plan which follows these steps. 

  • Conduct a risk assessment to establish which risks the company faces, including compliance risks. 
  • Develop policies and standards to mitigate those risks. 
  • Appoint a compliance leader to oversee implementation and communication with stakeholders. 
  • Implement processes, procedures, and tools that support compliance policies. 
  • Train and educate employees to understand your compliance objectives and the role they play in achieving them. 
  • Monitor compliance and conduct internal and external audits to measure how effective your compliance efforts are. 
  • Act to correct risks and compliance failings identified by monitoring and audits. 

As we mentioned earlier, security compliance management is an ongoing process. The steps outlined above should be thought of as a cycle rather than a linear process that will be complete at a point in the future. 

To learn more about how audits can help your business achieve its security compliance objectives, visit KirkpatrickPrice’s Compliance Audit Services or contact a security and compliance expert today.