AWS provides a wide range of services, from compute and storage to network infrastructure and security management. The comprehensive set of services gives users the ability to quickly, efficiently and consistently scale web services on a reliable platform, without the maintenance and costs associated with managing the underlying hardware.
The services offered can typically be categorised as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).
Software as a Service (SaaS) leverages shared cloud resources to deliver scalable applications to the user base. SaaS applications typically require no client-side installation or desktop software, with most services delivering applications that communicate through HTTPS requests and run directly in a user’s web browser. With a SaaS offering you do not have to think about how the service is maintained or how the underlying infrastructure is managed; you only need to think about how you will use that particular piece of software. The time and money spent on tasks like installing and patching software can be redirected to other more creative tasks.
Using software as a service can introduce new concerns, so it is important to exercise due diligence when choosing a service offering. Large amounts of data may have to be accessed, exchanged and analysed for SaaS apps to perform their desired functionality. Transferring sensitive information to cloud-based SaaS services may result in compromised security and compliance if not properly addressed. All data transfers and communication between the user and application should be over secure channels, and sensitive data should be encrypted in transit. In addition, proper user account hygiene should be enforced to ensure that SaaS user identities are secure, credentials are rotated, and Multi-Factor Authentication (MFA) is used when available. The regulatory requirements and laws around data tenancy and sovereignty may impact the ability to use certain SaaS offerings. It is important to understand how the data is stored on the shared servers and where it is stored. Planned and unplanned maintenance, cyber-attacks, or genuine network issues may impact the application's availability.
If the SaaS provider is compromised, encryption may limit the damage, but it will not protect against phishing and malware attacks designed to steal individual user credentials. The solution to SaaS security concerns is employee awareness and training, together with internal policies, procedures and processes.
Platform as a Service (PaaS) is similar to SaaS, except instead of delivering the software over the internet, PaaS provides a platform for simple, cost-effective development and deployment of apps. This platform is delivered via the web, giving developers the freedom to concentrate on building the software without having to worry about operating systems, software updates, storage, or infrastructure.
Since PaaS is based on the principle of shared resources (such as hardware, network, and security provisions), the main security concerns are unauthorised data access, data loss or data leak. Encryption, backup, disaster recovery and business continuity policies are the typical approaches to solving the majority of PaaS concerns.
Infrastructure as a Service (IaaS) is the most flexible cloud computing model, providing the highest level of management control over an organization's IT resources, which are typically available as dynamic services where the cost depends on consumption. IaaS delivers cloud computing infrastructure, including all the basic building blocks for complex, scalable solutions, providing access to networking features, compute providers, and data storage space. IaaS provides the same technologies and capabilities as a traditional data center, allowing clients to retain complete control of their infrastructure, accessible via a cloud interface, without having to physically maintain or manage all of it.
The security concerns of IaaS are similar to on-premises concerns. Strategies and policies need to be in place to protect sensitive data. Relevant compliance standards need to be met. Auditing and monitoring solutions need to be meticulous and continuous, because using a virtualized environment and managed services means any weakness in the vendor’s security can affect your organization.
Regardless of the cloud computing model you adopt, the associated security concerns must be acknowledged and addressed. Use the AWS Well-Architected Framework and work with knowledgeable and trusted experts to design intuitive policies and controls and ensure you can deploy your solutions safely and efficiently.