Digging through my cupboards recently, I came across my old collection of 3½ floppy disks. It’s been quite some time since I’ve had a need to plug in my trusty USB floppy drive, so upon making this great archaeological discovery, I was left simply to ponder their content and whether I’d really intended to break the write-protect notch to prevent writing to the disks.
A younger version of me no doubt would’ve thought this was the height of protecting my data – that and making sure I’d copied the data to at least two disks (the latter habit remains to this day and has often worked out to my benefit!). Arguably, these poor disks now represent an oddly extra hardened state of being – security through obscurity of access methods.
Fortunately, this method of securing media isn’t practical for the internet era. We may typically think of our cloud services’ high uptime only as a benefit, but availability is also a measure of how long a misconfigured or unhardened system can be exposed. Thus, it’s even more important that we take the time to apply hardening measures from the start.
The good news is that, along with increased stability, the standards that help us secure our systems are always improving. From PCI to CIS controls, and through various other standards, security hardening is a well-documented field, and ensuring that you are compliant with a hardening policy is a sensible first step when configuring both your traditional on-premises and cloud-hosted solutions.
Take, for example, CIS.
CIS published guidance (version 1.2.0) around Amazon Web Services Foundations back in May of this year; these recommendations offer an excellent starting place for securing your Amazon Web Services. Broken down into two separate profiles (Level 1 and (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Chris Hudson. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/cloud/security-compliance-cloud/