As enterprises look for greater operational efficiency in order to secure a competitive advantage, they turn to cloud service providers like Amazon Web Services to manage their IT infrastructure.
This move can be perceived as risky – the value-add of AWS is that users give up some control over the underlying infrastructure. But cloud services providers such as AWS continue to invest significantly in the security of their services, with the goal of making cloud services more secure than an on-premises infrastructure.
Amazon offers a complex array of services to ensure the security of specific deployments. To help users understand these services conceptually, the AWS Shared Security Model dictates which security controls are AWS’s responsibility, and which are the customers.
AWS Security Responsibilities
In general, AWS considers itself responsible for the security of the cloud as a whole, while customers should maintain responsibility for the security of their specific instances.
- AWS Hardware/Global Infrastructure: this includes regional, available, and edge zones of Amazon's cloud infrastructure. This is done through physical security protections, and constant IT maintenance.
- AWS Software (Computation, Storage, Database, Networking): Amazon guarantees a secure software platform across all of its services. This aspect of Amazon’s responsibility also refers to AWS security services built by Amazon for use by customers. This can include encryption keys, network monitoring tools, database protection, and more.
Customer Security Responsibilities
Security control responsibility on the customer side is determined by the AWS Cloud service they select. When a customer chooses any of Amazon's ‘Infrastructure as a Service’ (EC2, VPC, S3), the customer has perform all of the necessary security configuration and management tasks. This includes:
- Customer Data: protection of the businesses data on the network side, as it enters and exits the cloud service.
- Platform, Applications, Identity and Access Management: the customer is responsible for the maintenance and protection of the platform running on the cloud, and all aspects under that. For example, a customer running a clothing store online will have to ensure protection of its shoppers identities and accounts.
- Client Side Data Encryption: either through an AWS managed encryption key, or through a personal key not provided by AWS.
- File System Encryption: When protecting their data at rest, the customer can use an independent protection system, or by utilizing a file system protection provided by AWS.
- Network Traffic Protections: customers need to guarantee the security of all traffic going in and out of the server.
- Service and Communications Protection: a customer is responsible for routing and zoning data within specific security environments.
Shared Security Responsibilities
AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services:
- IT Controls: Not only are IT operations shared between AWS and its customers, so are the management and operations of said controls. AWS can help with moderating the customer burden of security methods like firewall maintenance, network level encryption, while also overseeing IT controls deployment to ensure proper adherence to AWS security regulations.
- Patch Management: AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
- Configuration Management: AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
- Awareness & Training: AWS trains AWS employees, but a customer must train their own employees.
- Customer Specific: Controls which are solely the responsibility of the customer based on the application they are deploying within AWS services.
- Service and Communications Protection: or Zone Security which may require a customer to route or zone data within specific security environments.
The AWS shared responsibility model is designed to increase the total security level of Amazon’s cloud infrastructure. By educating its customers on how they can manage and maintain strong operational protections, both Amazon and Web Services customers can feel better protected. The mutual benefit of shared security gives assurances to Amazon that they don’t have to directly maintain every aspect of their security, and helps customers feel like Amazon can adjust to their specific security needs. To assure a successful security model when responsibility is shared, customer awareness is key, along with a strong understanding of the risks associated with trusting a 3rd party.
The freedom from total responsibility can be a huge asset for lowering costs, and increasing quality of security.
- Blog: Barracuda Achieves AWS Security Competency
- Datasheet: Barracuda Email Security Gateway for AWS
- Datasheet: Barracuda Firewall Control Center for AWS
How Barracuda Can Help
Barracuda offers two products to secure your AWS environment:
The Barracuda CloudGen Firewall for AWS provides native network protection to AWS and hybrid networks. It helps ensure reliable access to applications and data running in AWS with full support for auto-scaling and metered billing.
The Barracuda CloudGen WAF for AWS protects AWS-hosted websites and web-facing applications from thousands of types of cyber-attacks, automatically integrates security into your application deployments, and accelerates application delivery.
Do you have more questions about the AWS Shared Responsibility Security Model? Contact us today.