Information Technology

Cloud Computing Security 

<p style="text-align: justify;">As many organizations are leveraging cloud-based technologies and migrating their critical data onto the cloud, it becomes even more imperative to have a holistic view of data security on the cloud. Though the major cloud providers offer multiple ways of securing data, using them to your advantage is a big challenge.</p><p style="text-align: justify;">Cloud security is the set of policies, strategies, controls, procedures, and practices designed to safeguard the data, resources, and applications hosted on the cloud.</p><p style="text-align: justify;">Looking at security from the perspective of Amazon Web Services, below are the best practices to be followed in securing a VPC in AWS:</p><ul style="text-align: justify;"><li>Create subnets in multiple Availability Zones</li></ul><p style="text-align: justify;">An Availability Zone is one or more discrete data centres with redundant power, networking, and connectivity in an AWS region. Using multiple Availability Zones makes applications highly available, fault-tolerant, and scalable.</p><ul style="text-align: justify;"><li>Use security groups to control the traffic to the EC2 instances in your subnets</li></ul><p style="text-align: justify;">A security group controls the traffic that is allowed to reach and leave the resources it is associated with. Every VPC comes with a default security group, and additional ones can be created, but keeping their number to a minimum helps reduce the risk of error.</p><ul style="text-align: justify;"><li>Restrict inbound access rules to specific IP address ranges and protocols<br />Do not open large port ranges.</li><li>Consider creating network ACLs with rules similar to your security groups to add an additional layer of security to your VPC.</li></ul><p style="text-align: justify;">A network ACL operates at the subnet level, whereas a security group operates at the instance level.</p><ul style="text-align: justify;"><li>Administrators can securely control access to AWS resources by using the AWS Identity and Access Management (IAM) service.</li><li>Creating policies and attaching them to AWS identities or resources provides further control over access.</li><li>Use VPC flow logs to monitor the IP traffic going to and from a VPC, subnet, or network interface. They give insight for tasks such as diagnosing overly restrictive security group rules, identifying the traffic reaching your instance, and determining the direction of that traffic on the network interface.</li><li>Identify unintended network access to resources in your VPCs using Network Access Analyzer, and use it to understand, verify, and improve your network security posture and compliance.</li><li>Verify that your production environment VPCs and development environment VPCs are isolated from one another, and maintain logical separation for systems that handle and process credit card information.</li><li>Internet accessibility &ndash; Identify resources in your environment that can be reached from internet gateways and verify that they are limited to only those with a legitimate need to be accessible from the internet.</li><li>Use AWS Network Firewall to monitor and perform deep packet inspection on traffic entering or leaving your VPC, and protect the VPC by filtering inbound and outbound traffic at the perimeter, including the Internet Gateway, NAT Gateway, VPN, and AWS Direct Connect.</li></ul><p style="text-align: justify;"><span style="font-size: 10pt;"><em>This article was contributed by our expert <a href="https://www.linkedin.com/in/ninad-manapure-534285a/" target="_blank" rel="noopener">Ninad Manapure</a></em></span></p><h3 style="text-align: justify;"><span style="font-size: 18pt;">Frequently Asked Questions Answered by Ninad Manapure</span></h3><h2 style="text-align: justify;"><span style="font-size: 12pt;">1. How do you secure data for cloud transport?</span></h2><p style="text-align: justify;"><span style="font-size: 12pt;">Following are the ways in which data can be secured.</span></p><p style="text-align: justify;"><span style="font-size: 12pt;">Data Encryption: Encryption protects your sensitive data from hackers; only the computer you send it to should have the key to decode the data. On the internet, the primary protection mechanism is encryption. Cloud providers use encryption such as the Advanced Encryption Standard (AES) and the Triple Data Encryption Standard (3DES) to ensure a standard of security in their environments. 
</span></p><ul style="text-align: justify;"><li><span style="font-size: 12pt;">Remote access encryption - SSH provides a secure communications channel for remote access to your Linux instances</span></li><li><span style="font-size: 12pt;">Encryption at the physical layer - All data flowing across AWS regions over the AWS global network is automatically encrypted at the physical layer before it leaves AWS-secured facilities. All traffic between AZs is encrypted</span></li><li><span style="font-size: 12pt;">Encryption provided by Amazon VPC and Transit Gateway cross-Region peering - All cross-Region traffic that uses Amazon VPC and transit gateway peering is automatically bulk-encrypted when it exits a region</span></li><li><span style="font-size: 12pt;">Encryption between instances - AWS provides secure and private connectivity between EC2 instances of all types</span></li><li><span style="font-size: 12pt;">VPN (Virtual Private Network) - A virtual private network is one way to secure data while it is being transported to the cloud</span></li><li><span style="font-size: 12pt;">Firewall - A firewall acts as a barrier between the public and private networks</span></li></ul><h2 style="text-align: justify;"><span style="font-size: 12pt;">2. What are the technologies for data security in cloud computing?</span></h2><p style="text-align: justify;"><span style="font-size: 12pt;">Protecting data in the cloud is similar to safeguarding data within a traditional data center. Authentication and identity, access control, encryption, secure deletion, integrity checking, and data masking are all data protection methods applicable in cloud computing.</span></p><ul style="text-align: justify;"><li><span style="font-size: 12pt;">Data access</span></li></ul><p style="text-align: justify;"><span style="font-size: 12pt;">Security teams control data access through identity and access management (IAM), which safeguards data assets through authentication and authorization processes.</span></p><ul style="text-align: justify;"><li><span style="font-size: 12pt;">Firewalls</span></li></ul><p style="text-align: justify;"><span style="font-size: 12pt;">A firewall is the initial security layer in a system. It is designed to keep unauthorized sources from accessing enterprise data, and serves as an intermediary between a personal or enterprise network and the public internet.</span></p><ul style="text-align: justify;"><li><span style="font-size: 12pt;">Data encryption</span></li></ul><p style="text-align: justify;"><span style="font-size: 12pt;">A standard security feature offered by cloud service providers, data encryption uses mathematical encoding to prevent unauthorized access to information. While data encryption is ubiquitous, not all providers offer the same level of encryption services.</span></p><ul style="text-align: justify;"><li><span style="font-size: 12pt;">Data deletion</span></li></ul><p style="text-align: justify;"><span style="font-size: 12pt;">An integral part of data security is properly disposing of sensitive but no longer essential data. Data of this nature can pose a substantial organizational risk if allowed to persist indefinitely within cloud data stores, creating unnecessary liability.</span></p><ul style="text-align: justify;"><li><span style="font-size: 12pt;">Data recovery</span></li></ul><p style="text-align: justify;"><span style="font-size: 12pt;">Robust data recovery processes are yet another pillar of data security in the cloud. Data loss can occur for any number of unforeseen reasons, making it essential to continuously back up every system that relies on cloud-based applications.</span></p><h2 style="text-align: justify;"><span style="font-size: 12pt;">3. What is the security associated with VPC?</span></h2><p style="text-align: justify;"><span style="font-size: 12pt;">Infrastructure security in VPC</span></p><ul style="text-align: justify;"><li><span style="font-size: 12pt;">Use separate VPCs to isolate infrastructure by workload or organizational entity</span></li><li><span style="font-size: 12pt;">A subnet is a range of IP addresses in a VPC. Use subnets to isolate the tiers of an application (for example, web, application, and database) within a single VPC. Use private subnets for instances that should not be accessed directly from the internet</span></li><li><span style="font-size: 12pt;">Restrict access to subnets and control traffic to resources using security groups</span></li><li><span style="font-size: 12pt;">Configure VPC subnet route tables with the minimal required network routes</span></li><li><span style="font-size: 12pt;">Use a Virtual Private Network or AWS Direct Connect to establish private connections from your remote networks to your VPCs</span></li></ul><p style="text-align: justify;"><span style="font-size: 12pt;">Identity and access management for Amazon VPC</span></p><ul style="text-align: justify;"><li><span style="font-size: 12pt;">AWS Identity and Access Management (IAM) is an AWS service that helps administrators securely control access to AWS resources</span></li><li><span style="font-size: 12pt;">Control traffic to resources using security groups</span></li><li><span style="font-size: 12pt;">A security group controls the traffic that is allowed to reach and leave the resources it is associated with in the VPC</span></li></ul><p style="text-align: justify;"><span style="font-size: 12pt;">Resilience in Amazon Virtual Private Cloud</span></p><ul style="text-align: justify;"><li><span style="font-size: 12pt;">AWS Regions provide multiple physically separated and isolated Availability Zones connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption.</span></li></ul><p style="text-align: justify;"><span style="font-size: 12pt;">Compliance validation for Amazon Virtual Private Cloud</span></p><ul style="text-align: justify;"><li><span style="font-size: 12pt;">Third-party auditors assess the security and compliance of AWS services as part of multiple compliance programs, such as SOC, PCI, FedRAMP, and HIPAA.</span></li></ul><p style="text-align: justify;"><span style="font-size: 12pt;">Configuration and vulnerability analysis in Virtual Private Cloud</span></p><ul style="text-align: justify;"><li><span style="font-size: 12pt;">Patching client applications with the relevant client-side dependencies</span></li><li><span style="font-size: 12pt;">Conducting penetration testing for NAT gateways and EC2 instances</span></li></ul>
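<p style="text-align: justify;">The security group guidance above (specific source IP ranges, specific protocols, no large port ranges) can be checked mechanically against exported rules. The following is an added Python example, not code from the article or from AWS; it assumes ingress rules in the shape returned by the describe-security-groups API, and the thresholds for what counts as a "broad" source or a "large" port range are assumptions, not values from the article.</p>

```python
import ipaddress

# Assumed thresholds (not from the article): "large" port range, and minimum source prefix per IP version.
MAX_PORT_SPAN = 16
MIN_SOURCE_PREFIX = {4: 16, 6: 32}

def port_span(perm):
    """Ports covered by one IpPermissions entry; all-protocol (-1) rules cover every port."""
    if perm.get("IpProtocol") == "-1":
        return 65536
    if perm.get("FromPort", 0) == -1:  # ICMP type/code wildcard, not a port range
        return 1
    return perm.get("ToPort", 65535) - perm.get("FromPort", 0) + 1

def audit_security_groups(groups):
    """Return (group_id, issue, detail) for each ingress rule that breaks the guidance."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            ports = f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}/{proto}"
            if proto == "-1":  # rule is not limited to a specific protocol
                findings.append((gid, "all-protocols", ports))
            elif port_span(perm) > MAX_PORT_SPAN:
                findings.append((gid, "large-port-range", ports))
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: reachable from the whole internet
                    findings.append((gid, "open-to-internet", f"{cidr} -> {ports}"))
                elif net.prefixlen < MIN_SOURCE_PREFIX[net.version]:
                    findings.append((gid, "broad-source-range", f"{cidr} -> {ports}"))
    return findings

# Constructed sample in the describe-security-groups shape, not real account data.
SAMPLE_GROUPS = [
    {"GroupId": "sg-weak0001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-tight001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "198.51.100.5/32"}]},
    ]},
]

if __name__ == "__main__":
    for gid, issue, detail in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {issue} ({detail})")
```

Running it on the sample reports only the weak group: a full TCP port range open to the internet, and an all-protocols rule from a broad private range; the tight group with single ports from specific prefixes produces no findings.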
KR Expert - Ninad Manapure