James,
Apologies for the length of this post – this area is completely new to me.
I don't know to what extent the security provided by Amazon Web Services (AWS), as standard or in the form of their various additional security measures, will give you what you're looking for as regards
security hardened servers that are set up so that the software running on it can't be changed without some elaborate process (your 6 March post refers) or whether you'll also have to deploy a third party security tool as well.
Here's a list, from the Amazon Web Services (AWS) Marketplace (
https://aws.amazon.com/marketplace) of 137 third party security tools for use with AWS (including Trend Micro's Deep Security – see previous posts):
https://aws.amazon.com/marketplace/b/2649363011/ref=gtw_navlft_node_2649363011?page=1&category=2649363011I'll be referring to this product list and my further research to date re 3rd party security tools in a separate post.
However before deciding which third party security tool(s) may be suitable, you would first have to decide which AWS product(s) to get.
Here's the link to the official AWS product list
http://aws.amazon.com/products/However a seemingly more comprehensive AWS product list and certainly a more accessible one is here:
http://en.wikipedia.org/wiki/Amazon_Web_ServicesTwo AWS products which I'd hazard a guess you might be interested in are:
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizable compute capacity in the cloud. It is designed to make web-scale computing easier for developers.
http://aws.amazon.com/ec2/ 'You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage.'
For more info:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.htmlHowever please note performance problems:
http://www.datadoghq.com/wp-content/uploads/2013/07/top_5_aws_ec2_performance_problems_ebook.pdf
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet....
http://aws.amazon.com/vpc/So far I've only looked at AWS Amazon Web Services and their security infrastructure, as they call it.
Though AWS is currently the clear leader in the cloud computing field of Infrastructure-as-a-Service (IaaS) there are two competitors: Google and Microsoft, which it seems may also be worth looking at:
' [AWSA] clearly leads the IaaS market and by some distance. But whether developers should follow AWS largely depends on where they want to go, according to new research from Forrester. Not only does this require a choice between Platform-as-a-Service (PaaS) offerings and IaaS, but there's also real IaaS competition brewing for AWS from Microsoft and Google. '
11 September 2013
http://readwrite.com/2013/09/11/amazon-about-to-get-serious-competition-in-the-cloud#awesm=~oycf6gcV8YSZIObtw since in your original post you referred to amazon [web services], I'm assuming you've decided, at least provisionally, that you want an IaaS rather than a Platform-as-a-Service (PaaS) .
A schematic showing the different elements of the 'cloud layer' for which the cloud service provider and the customer are respectively responsible depending on what service model is being used (IaaS; PaaS or Security-as-a-Service) is set out on p 4 of Trend Micro's White Paper:
http://deepsecurity.trendmicro.com/wp-system/uploads/2013/04/Trend-Micro-Best-Practices-for-Security-and-Compliance-with-Amazon-Web-Services.pdfThe 14pp Trend Micro White Paper contains:
an overview of the virtualisation security market,
describes the respective responsibilities of the cloud service provider and the customer depending on the service model (IaaS; PaaS; SaaS) and the cloud type (Public; Private or Hybrid)
simply put, there are numerous security characteristics specific to each cloud model and cloud customer, and provider security duties differ greatly between the cloud models.
pp 6/7
on p. 8 a set of 6 questions to ask when choosing logical [i.e. technical] controls to protect instances,
and
on pp 9 to14: 12 Steps for Secure Cloud Adoption.
A very useful summary of AWS Security can be found here:
https://aws.amazon.com/security/especially the section called: Built-in Security Features
And the following page has links to much more detailed info about the security features that AWS provides and how to stay safe in the cloud:
https://aws.amazon.com/security/security-resources/Including links to various AWS White Papers, including these two:
56pp AWS Security Best Practices
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdfThis whitepaper is intended for existing and potential customers who are designing the security infrastructure and configuration for applications running in Amazon Web Services (AWS)
.
It provides security best practices that will help you define your Information Security Management
System (ISMS) and build a set of security policies and processes for your organization so you can protect your data and assets in the AWS Cloud.
The whitepaper also provides an overview of different security topics such as identifying, categorizing and protecting your assets on AWS, managing access to AWS resources using accounts, users and groups and suggesting ways you can secure your data, your operating systems and applications and overall infrastructure in the cloud.
60pp AWS White Paper: Overview of Security Processes
http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdfpp 9-13 Network Security
pp 15-17 AWS Account Security Features
pp17-51 AWS Service Specific Security
This white paper contains a complete list of all the security measures built into the core AWS cloud infrastructure, platforms, and services. These are provided on the basis of the Shared Responsibility Model under which the customer has the
responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall. You should carefully consider the services you choose as your responsibilities vary depending on the services you use, the integration of those services into your IT environment and applicable laws and regulations.
It is possible for you to enhance security and/or meet more stringent compliance requirements by leveraging technology such as host-based firewalls, host-based intrusion detection/prevention, and encryption.'
Here's an extract of the security credentials page that appears when you open an AWS account –
Access to applications and services within AWS cloud is secure and protected in multiple ways. Accessing those applications and services requires the use of special credentials that are associated with your account. There are three types of credentials currently offered by AWS. If you know which security credentials you need, simply select one of the links below:
Access Credentials: Your Access Keys, X.509 Certificates, and Key Pairs
Sign-In Credentials: Your E-mail Address, Password, and AWS Multi-Factor Authentication Device
Account Identifiers: Your AWS Account ID and Canonical User ID
There's more info included on this (password protected) page but rather than set it all out here, I'll include in a separate post, unless of course you don't think that's necessary at this stage or you're already aware of it. Please let me know.
However please note that according to page 9 of the Trend Micro White Paper:
Step 1 - Put away your AWS “root” account and use IAM to enable access
An AWS account is the first entity that is created when initiating a relationship with AWS. This account is considered a “root” account and provides access to all AWS resources including billing information. it is recommended to not use this account and instead leverage the AWS IAM service to create users, groups and roles to interact with AWS.
http://deepsecurity.trendmicro.com/wp-system/uploads/2013/04/Trend-Micro-Best-Practices-for-Security-and-Compliance-with-Amazon-Web-Services.pdfAs I see it, once you've decided (at least provisionally) what AWS services you want and what additional AWS-provided security layers you want, you will then need to consider:
1. whether you want to use a 3rd party product, e.g. Trend Micro's Deep Security as-a-service, to configure 'the AWS-provided security group firewall' (as it's described on p 6 of the AWS security white paper) which I assume is the same thing which Trend Micro describe as AWS' 'host-based security capabilities such as intrusion detection and prevention, anti-malware, and integrity monitoring '
Or whether you want to do the above configuration yourself
2. the nature and extent of the security you want for those areas of the cloud layer for which you as the customer would be responsible – under the IaaS Service Model these include: the virtual network infrastructure; the virtual machines; guest operating system (including updates and security patches) and other associated application software; Solution Stack (Programming languages); Interfaces (APIs; GUIs) and Data
Post to follow shortly re my further research to date re 3rd party security tools.
Robert
