In this article, we’ll look at the full suite of AWS cloud compliance tools and talk about how you can leverage them to be fully compliant with your desired certification.
The bigger and older an enterprise is, the less able it is to change when new business trends demand it. This particularly holds true for IT. Over the past decade, we’ve seen smaller startups or new companies become industry leaders (such as Netflix or Airbnb) by fully embracing the power of the cloud from the start.
Meanwhile, various banks, financial institutions, healthcare, and insurance conglomerates haven’t gotten there. So what has gotten in their way?
We could argue that costs are an obstacle. But since such companies spend millions or billions of dollars on their data center presence, this is hardly the case.
Could it be security concerns? Yes and no. The cloud is unknown territory for most enterprises, but financial, banking, healthcare and insurance institutions have a highly skilled engineering force that could tackle cloud security challenges in a reasonable time.
So what was the ultimate hurdle preventing these sensitive business verticals from migrating their on-premises workloads to the cloud?
Compliance standards, such as PCI-DSS, HIPAA and, as of 2018, the notorious GDPR.
Major public cloud providers have worked around the clock to offer top-notch security, obtain all possible compliance certifications and tailor them around their shared responsibility model. But the issue is that many enterprises whose business goals are completely shaped by compliance certification still prefer to keep their important data on premises and to deploy and administer their systems and applications themselves.
The number of such enterprises is getting smaller by the day, and the options that cloud providers offer to enterprises to achieve and maintain various compliance standards are getting more advanced with each new “compliance-helping” service introduced.
On-premise vs. cloud compliance: are there any real differences?
When you’re working towards a certain compliance certification as a company, and your IT presence relies on a data center, most of the work required to obtain such a compliance standard is up to your IT engineers. The only “outsourced” part is the physical security of the data center. This security is the task of the company leasing you the rack space, that is, unless you’re managing your own data centers.
Everything else should be covered by a clear plan, designed by your security team and implemented by several different IT divisions, such as network, systems, storage, databases, applications and so on.
Each compliance standard has specifications for its respective area. And for your company to be compliant as a whole, you need to have efficient collaboration between different teams, supervised by a security company.
Let’s explain this with a specific example.
On-premise compliance
For years, your company has been providing physical retail services, but now it has decided that it is time to implement online purchasing.
To enable the processing of credit cards online, the company would like to be PCI-DSS certified. The web application that will offer a catalog of products to online users will be maintained locally, in the company’s data centers. Meanwhile, the IT security team has been tasked to design a strategy on how to achieve PCI-DSS certification. So, what are the components that need to be included and secured in this case?
First, there’s physical security and physical access to the servers, network and storage devices that will process, store and route customer data through the internal network and out to the Internet.
Then, the application should be hosted on fully redundant and highly available hardware, meaning you will need a disaster recovery (DR) location and sufficient hardware on both sites.
As for the software layer, we would need to secure the OS hosting the application, the application itself and all its components (web server, application server, database, and the specific versions of client- and server-side scripting languages).
And finally, we would need to have specific controls in place on how to monitor the application when in production, as well as to continuously analyze and inspect all traffic and user behavior on the site.
And this is just a brief overview of what’s needed. The full list of controls required by a specific compliance standard can run to several hundred pages, which your IT engineers then have to read, fully understand and implement.
Cloud compliance
When it comes to deploying a similar application to the cloud, the work related to achieving the compliance status is somewhat easier.
There are no requirements in terms of physical security or maintaining and securing servers, network or storage devices. This is all up to the public cloud provider based on the shared responsibility model.
The cloud user or the enterprise deploying a compliant application into the cloud should take care of network segmentation and security, securing the OS running in each provisioned VM (instance), and securing the application itself, just as you would in an on-premises environment.
When it comes to the database and other accompanying services (database caching tools such as Redis or Memcached, message queuing or storing static files), there are a number of SaaS tools in the cloud, managed by public cloud providers, which are compliant with specific standards by default.
The company’s only remaining responsibility is authentication and authorization, which is handled by the corresponding IAM services.
Most cloud vendors provide customers with significant security and compliance information where they can see how the security and compliance programs operate in relation to customers’ services. To understand where risk responsibility is transferred to the vendor (and where it is not), check out the following sources: Amazon: security, compliance; Google Cloud Platform: security, best practices; Microsoft Azure: security, compliance.
So, it follows that it’s easier to achieve and maintain compliance in the cloud, especially nowadays.
But the cloud didn’t arrive in this state, where most of the services offered come pre-compliant with the required security standards, all at once. That’s why companies were unsure whether they could migrate and stay compliant: migrating and then failing to get the green light from independent auditors would put their business at great risk, so it’s quite normal that it took some time for companies bound by compliance requirements to consider cloud workloads.
AWS compliance enablers
We’ve already mentioned that a lot of the SaaS services offered by cloud providers are already compliant with the most popular compliance standards. In some cases Amazon even went one step further. Just a couple of months after the GDPR took effect, Amazon announced that all AWS services are GDPR compliant.
On the other hand, if we look at the HIPAA standard, Amazon maintains a list of compliant services, updated weekly, but not every AWS service is on it, so you shouldn’t use services that aren’t considered compliant if your business depends on this certification.
Also, requirements change, so companies should also follow best practices and guidelines.
For example, before May 2017, if you were HIPAA compliant, your only way of using EC2 instances was to host your application on dedicated hardware. Today, this requirement is no longer active, so AWS customers with HIPAA certification can launch regular, inexpensive EC2 instances not running on dedicated hardware.
Besides following the requirements and lists of compliant services tied to a specific certification program, AWS offers several services whose sole goal is to help you achieve and maintain certification status. You should leverage these services, as they can simplify the compliance-related effort required to maintain your cloud environment.
Amazon GuardDuty
Amazon GuardDuty is a managed threat detection service that monitors your AWS CloudTrail, VPC flow logs and DNS logs and notifies you of any anomalies.
It lets you monitor multiple AWS accounts at the enterprise level and it’s easy to set up. You first need to enable CloudTrail and logs for AWS VPC / Route53, and then you should enable GuardDuty and set up notifications with SNS.
Pricing is calculated based on the amount of data analyzed (the more events CloudTrail logs and the more VPC / Route53 traffic you have, the more data is gathered), multiplied by the number of accounts you monitor.
Also, with GuardDuty you can automate remediation for specific detections by using AWS Lambda to launch other AWS services or actions inside your environment. For example, if you get an alert that a port on an EC2 instance has been hit with an unusual number of requests, a Lambda function can remove that port from the security group attached to the instance.
Threat detection and continuous reporting and analysis of network traffic is a common requirement of most compliance standards, so it’s highly recommended that you enable GuardDuty if you haven’t already.
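As an added example (not code from the original article), here is what that GuardDuty-to-Lambda remediation can look like in Python with boto3: the function is triggered by an EventBridge rule for GuardDuty findings, works out which world-open ingress rules match the probed ports, and revokes them. The finding field paths, the protected-port policy and the sample event are assumptions to verify against a real finding before wiring this up.

```python
from typing import Dict, List

# Ports never closed automatically, even if GuardDuty reports probes on them.
# Hypothetical policy value: adjust to your environment.
PROTECTED_PORTS = {443}

def plan_revocations(finding: dict) -> List[Dict]:
    """Pure planning step: from a GuardDuty finding, derive the
    revoke_security_group_ingress() calls for every probed port on every
    security group attached to the instance. Assumes TCP and a world-open
    (0.0.0.0/0) rule, which is what a PortProbeUnprotectedPort finding implies."""
    action = finding.get("service", {}).get("action", {})
    if action.get("actionType") != "PORT_PROBE":
        return []  # DNS/network findings need a different playbook
    nics = finding["resource"]["instanceDetails"].get("networkInterfaces", [])
    group_ids = sorted({sg["groupId"] for nic in nics for sg in nic.get("securityGroups", [])})
    ports = sorted({p["localPortDetails"]["port"]
                    for p in action["portProbeAction"]["portProbeDetails"]})
    return [
        {"GroupId": gid,
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
        for gid in group_ids for port in ports if port not in PROTECTED_PORTS
    ]

def lambda_handler(event, context):
    """Entry point for an EventBridge rule matching GuardDuty findings."""
    import boto3  # imported here so the planner above stays testable offline
    from botocore.exceptions import ClientError
    ec2 = boto3.client("ec2")
    revoked = []
    for kwargs in plan_revocations(event["detail"]):
        try:
            ec2.revoke_security_group_ingress(**kwargs)
            revoked.append((kwargs["GroupId"], kwargs["IpPermissions"][0]["FromPort"]))
        except ClientError as exc:
            # Typically InvalidPermission.NotFound: the group had no world-open
            # rule for that port, so there is nothing to close. Log and move on.
            print(f"skip {kwargs['GroupId']}: {exc}")
    return {"revoked": revoked}

# Constructed sample event, shaped like an EventBridge-delivered GuardDuty finding.
SAMPLE_EVENT = {"detail": {
    "type": "Recon:EC2/PortProbeUnprotectedPort",
    "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0",
        "networkInterfaces": [{"securityGroups": [{"groupId": "sg-0abc"}]}]}},
    "service": {"action": {"actionType": "PORT_PROBE", "portProbeAction": {
        "portProbeDetails": [{"localPortDetails": {"port": 22, "portName": "SSH"}},
                             {"localPortDetails": {"port": 443, "portName": "HTTPS"}}]}}}}}
```

Every revocation also lands in CloudTrail as a RevokeSecurityGroupIngress event, which is the audit trail auditors will ask for.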
Amazon Inspector
Amazon Inspector is an agent-based service that scans your EC2 instances for vulnerabilities and threats. It also monitors traffic coming in and out of your EC2 instances. Plus, it comes with a set of pre-built templates, which let you scan instances to see whether they’re compliant with specific compliance standards or security benchmarks, such as CIS or NIST.
Installation of the agents can be automated with AWS Systems Manager if you have a large fleet of EC2 instances. Amazon Inspector leverages the tags you place on your EC2 instances, so you can have different groups of instances scanned by different templates (based on OS, application, required certification standard, etc.).
Templates are developed and maintained regularly, and pricing is done based on the number of scanned instances.
But the true power of this service lies in its audit and reporting.
Whenever a scan is run, it generates a report for the scanned instances, stored both in CloudTrail and S3, so you can show your auditors that you scan instances against specific requirements regularly, and later use the CloudTrail logs to show them what happened when a vulnerability was discovered and remediated.
Amazon Detective
Amazon Detective is a new service, just announced at re:Invent 2019, and while still in preview, it’s already interesting to enterprises bound by specific compliance standards.
Amazon Detective relies on machine learning, statistical analysis and graph theory to build a linked set of data from your AWS logs to create an entire picture of your environment for future investigations. In a nutshell, it’s a service that combines and analyzes data from most of your AWS services together, and so cuts the time your security teams would spend investigating root causes.
As the service is free in preview, we recommend trying it out to see whether it makes an impact in your environment. A good starting point to learn about the service is the re:Invent presentation.
Amazon Macie
Amazon Macie is a machine learning scanning service that continuously scans and analyzes your data stored in S3 buckets (additional AWS data stores should be announced soon).
This service can recognize sensitive data and provides you with dashboards and notifications to track how the data is stored (by also inspecting your IAM or S3 bucket policies).
The tricky part about this service is the pricing model, so be sure to study it before you enable Amazon Macie in your AWS accounts.
AWS Artifact
AWS Artifact gives you access to AWS security and compliance reports, as well as agreements with local authorities from various countries, required for Amazon to conduct business in these locations.
This service is free of charge and you can use it when auditors require documentation about AWS and your organization. All available documentation (or, as Amazon calls it, “artifacts”) is updated regularly, and older versions of the artifacts are also available to AWS customers.
AWS Config
In a nutshell, AWS Config is a service that records a “state” of your entire AWS environment and reports changes against that recorded state. Once enabled, AWS Config creates an initial desired configuration of the AWS services you use and continues to monitor the entire environment for changes.
With Config, you can also view the relationship between different AWS resources, check the history of your configurations and cross-compare your configurations to configurations tied with specific compliance standards.
AWS Config takes some time to configure and master but can prove quite helpful in environments that shouldn’t change often and where changes are made in a controlled, audited way (with change management processes).
AWS Security Hub
AWS Security Hub is a one-stop place that integrates different AWS services to perform compliance checks and create compliance reports.
When enabled, AWS Security Hub creates Service Linked Roles (SLRs) used for compliance scanning in AWS CloudWatch, SNS, Config and CloudTrail. It also creates integrations with Amazon Macie, GuardDuty, Inspector and IAM Access Analyzer to group findings from all of these services together, creating unified reports and alerts.
With Security Hub, you can also create automated compliance checks so that your environment is scanned at specific times and reports are produced for auditors’ use. Security Hub is quite easy to set up, since it has a wizard that guides you through enabling services and creates all the necessary IAM roles for you.
Pricing is per check completed, so if you use automated scans, be sure not to run them too often.
Jatheon Cloud is a fourth-generation, cloud-based email archiving platform that runs entirely on AWS. To learn more about how your organization can meet email compliance, improve ediscovery and transform its data request processes using Jatheon’s cloud archive, contact us or get a personal demo.