Security | Cloud Academy Blog, https://cloudacademy.com/blog/category/security/ (feed last updated Wed, 12 Jul 2023)

Staying on Top of AWS Security Recommendations
Published Wed, 12 Jul 2023 at https://cloudacademy.com/blog/staying-on-top-of-aws-security-recommendations/

Security always has been, and always will be, at the top of the list of priorities when migrating to, managing and running operations within the cloud; whether the focus is identity and access management, infrastructure protection, data protection, detection, or incident response, it's always an important factor! So what is the best way to stay on top of AWS security recommendations when technology changes so fast and new threats are uncovered and developed at the same rapid pace? In this post I hope to provide you with a list of options to help you stay in the know when it comes to security.

AWS Security Blog

The AWS Security Blog is a great way to keep ahead of new challenges, changes and developments relating to AWS security. It is updated regularly with new posts covering news, best practices, service features and announcements, technical how-to's, events and much more. It provides a vast library of content that you can sift through to keep on top of your security needs. You can comment on a post if you have questions or queries, and share a link to it via social media channels such as Facebook, LinkedIn, Twitter, or email.

Some examples of the most recent posts include:

If you want to be notified every time a new security post has been published you can subscribe to the RSS feed using any feed reader. 

You can also check out the Cloud Academy Blog for the latest on recent AWS content updates, exam and certification updates and more. For more on how to stay in the know on all things AWS, read our latest post, Top 5 Ways to Get Certified on AWS Releases.

AWS Security Bulletins

AWS Security Bulletins focus solely on security and privacy notifications; as a result, there are far fewer bulletins than AWS Security Blog posts. Any security bulletin that is posted should be read and understood, as it could have a significant impact on the security of your AWS environment. You can filter the bulletins by the year they were published and by whether the content is listed as 'important' or 'informational'.

Some examples of the most recent bulletins include:

As you can see, these bulletins focus more directly on security issues that could impact your environment.  

The Security Bulletin also has an RSS feed that you can follow to stay up to date.

As a tech leader, you know that security is one of the most significant issues holding back cloud adoption. Cloud Academy’s training library focuses deeply on IT Security, allowing your team to stay up to date on new security breaches and ways to resolve them.

To learn more about how we can help you to secure your cloud environment, or for help on choosing the right AWS security certifications for you and your team, contact us and request a free demo!

AWS Service Documentation

The rate of change to AWS services, features and toolsets can be difficult to stay on top of: last year alone there were over 2000 updates to AWS services. If you subscribe to the AWS Security Blog, you might want to dive deeper into an announcement about a new security service. The Service Documentation provides a high-level overview of the service in question. As expected there is a section for every AWS service, but the area you'll likely be most interested in is under the heading Security, Identity & Compliance, which covers all the security services offered by AWS.

Selecting one of these services will give you a single page high-level overview of the service selected, giving you enough information to understand what it does, the benefit it provides, and how it can fit into your architecture to enhance your security posture.

As an example of the kind of document you’ll see, the following extract has been taken from the AWS Key Management Service documentation.  

AWS re:Inforce

Every year AWS hosts a conference specifically aimed at all things security: AWS re:Inforce! This year (2023) it was held in Anaheim, California as a two-day event. It is a fantastic opportunity to connect with industry leaders in this field and attend breakout sessions that deepen your knowledge in different areas; there are sessions for beginners and experts alike. By visiting the Expo you can interact with AWS experts and see demonstrations of the latest services and technology.

It all starts with the keynote session, which is highly recommended, as it is normally where you first hear about new security services and technologies that AWS is launching and making generally available. To find out more about this year's announcements, made during the keynote delivered by CJ Moses, Chief Information Security Officer (CISO) for AWS, read this post.

The great thing about these AWS conferences is that some of the sessions are recorded, which you can view at a later date via the AWS events YouTube Channel.  This playlist is specifically related to AWS re:Inforce 2023, so feel free to go and take a look!

Other Industry News

Of course, you shouldn't rely only on AWS blogs and bulletins to build your knowledge of the world of security; there are also numerous industry news feeds that cover security as a whole, and these should be visited and reviewed regularly. A few of them, in no particular order:

As these sites cover a wide scope of security news, you’ll uncover information on topics such as vulnerabilities, data breaches, cyber attacks, threats, risk management, CISO strategies, events and conferences, podcasts, and more! 

Common Vulnerabilities and Exposures List

The Common Vulnerabilities and Exposures (CVE) List was set up as a program to help everyone identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. When a vulnerability is first discovered by one of the partner organizations across the globe, it is given a unique CVE record and published. Security professionals can use this extensive list as a source of information to help them mitigate and protect against known threats, and the great thing is that it's free to use and search!
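Consuming the list in practice means matching published records against what you actually run. The following is an added example, not code from the Cloud Academy post and not the CVE Program's own tooling: it reads one record in the CVE JSON 5.0 record shape (`cveMetadata.cveId`, `containers.cna.affected[].versions[]` with `status`, `version`, `lessThan`/`lessThanOrEqual`) and checks a small product inventory against the affected version ranges. Everything in `SAMPLE_RECORD` and `SAMPLE_INVENTORY` is constructed for the example: the CVE id is a placeholder, and the vendor, product, versions and description are fictitious.

```python
"""Added example, not from the Cloud Academy post and not the CVE Program's own
tooling. It reads a CVE record in the CVE JSON 5.0 record shape and checks an
inventory of installed products against the record's affected version ranges.

Everything in SAMPLE_RECORD is constructed: the CVE id is a placeholder, and the
vendor, product, versions and description are fictitious.
"""
import json
import re
from typing import Dict, List, Tuple

# CVE ids are "CVE-" + four-digit year + at least four digits.
CVE_ID_PATTERN = re.compile(r"^CVE-\d{4}-\d{4,}$")

SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED"},  # placeholder id
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "Constructed description for this example."}],
        "affected": [{
            "vendor": "ExampleVendor",
            "product": "ExampleGateway",
            "versions": [
                # 2.0.0 up to, but not including, the fictitious fixed release 2.4.1
                {"version": "2.0.0", "status": "affected", "lessThan": "2.4.1", "versionType": "semver"},
                {"version": "2.4.1", "status": "unaffected", "versionType": "semver"},
                # a single older release listed on its own
                {"version": "1.8.0", "status": "affected", "versionType": "semver"},
            ],
        }],
    }},
})

# Constructed inventory: (vendor, product, installed version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ExampleVendor", "ExampleGateway", "2.3.0"),
    ("ExampleVendor", "ExampleGateway", "2.4.1"),
    ("ExampleVendor", "ExampleGateway", "1.8.0"),
    ("OtherVendor", "ExampleGateway", "2.3.0"),
]


def valid_cve_id(cve_id: str) -> bool:
    return CVE_ID_PATTERN.match(cve_id) is not None


def parse_version(text: str) -> Tuple[int, ...]:
    # Dotted numeric versions only; other versionType values need their own comparator.
    return tuple(int(part) for part in text.split("."))


def version_matches(entry: Dict, candidate: str) -> bool:
    """True if `candidate` falls inside one `versions` entry marked affected."""
    if entry.get("status") != "affected":
        return False
    cand = parse_version(candidate)
    start = parse_version(entry["version"])
    if "lessThan" in entry:
        # "*" in the schema means there is no upper bound
        return start <= cand and (entry["lessThan"] == "*" or cand < parse_version(entry["lessThan"]))
    if "lessThanOrEqual" in entry:
        return start <= cand and (entry["lessThanOrEqual"] == "*" or cand <= parse_version(entry["lessThanOrEqual"]))
    return cand == start  # no range given: the entry names exactly one version


def load_record(raw: str) -> Dict:
    """Parse a record and reject it if the id does not have the CVE id shape."""
    record = json.loads(raw)
    cve_id = record["cveMetadata"]["cveId"]
    if not valid_cve_id(cve_id):
        raise ValueError(f"malformed CVE id: {cve_id}")
    return record


def is_affected(record: Dict, vendor: str, product: str, version: str) -> bool:
    for item in record["containers"]["cna"].get("affected", []):
        if item.get("vendor", "").lower() != vendor.lower():
            continue
        if item.get("product", "").lower() != product.lower():
            continue
        if any(version_matches(v, version) for v in item.get("versions", [])):
            return True
    return False


def affected_inventory(record: Dict, inventory) -> List[Tuple[str, str, str]]:
    """Return the inventory entries the record says are affected, in inventory order."""
    return [(v, p, ver) for (v, p, ver) in inventory if is_affected(record, v, p, ver)]


if __name__ == "__main__":
    rec = load_record(SAMPLE_RECORD)
    print(rec["cveMetadata"]["cveId"], rec["containers"]["cna"]["descriptions"][0]["value"])
    for hit in affected_inventory(rec, SAMPLE_INVENTORY):
        print("affected:", hit)
```

The version comparison is the part that catches people: `lessThan` is exclusive, so the fixed release itself (2.4.1 in the constructed data) is not flagged, while anything from the start version up to it is. Real records can use non-numeric `versionType` values, so a production matcher needs a comparator per type rather than the dotted-integer parser used here.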

Social Media

Most people use one form of social media or another, and it's a very easy way to keep in the loop on topics of interest. Many companies and individuals are leaders in the field of AWS and security; here are just 10 Twitter accounts to get you started! Follow and connect with these people and organizations so that their posts appear directly in your daily feed.

Twitter Accounts

  • @awscloud – The official account for Amazon Web Services
  • @AWSSecurityInfo – The official Twitter profile for AWS Security. Infrastructure and services to elevate your security in the cloud
  • @AWS_Security – This is the official Twitter account for the AWS Security Team. If you have a pressing security issue, please contact us.
  • @AWSIdentity – The AWS Cloud allows customers to scale & innovate, while securely managing identities, resources & permissions. Follow us for the latest about AWS Identity.
  • @ISC2  – An international nonprofit membership association focused on inspiring a safe and secure cyber world.
  • @CVEnew – Official account maintained by the CVE Program to notify the community of new CVE IDs. cve.org
  • @Werner – CTO @ Amazon
  • @jeffbarr – Chief Evangelist @Amazon Web Services: follow me for AWS updates & chatter
  • @mosescj58 – AWS CISO
  • @TeriRadichel – CEO @2ndSightLab | Cybersecurity Author Instructor Pentester | GSE 240 | IANS Faculty

To learn more about Cloud Academy and how we can assist you on your journey to the cloud, contact us and request a free demo!

AWS Shield Overview: Tiers, features, pricing, and more
Published Tue, 21 Feb 2023 at https://cloudacademy.com/blog/aws-shield-overview/

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service. We'll go through it in this fully dedicated blog post.

In this blog post, we’ll quickly go through the concept of AWS Shield, its options, features, and more.

Here’s everything we’ll cover:

What is AWS Shield?

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so you can continue to operate during attacks.

AWS Shield Standard

AWS Shield Standard is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield Standard protects against both known and emerging DDoS attacks, and provides always-on detection and automatic inline mitigations to help ensure that your applications are always available.

AWS Shield Advanced

AWS Shield Advanced is a paid subscription service that provides additional protection against DDoS attacks for your AWS resources. Advanced features include increased resources for attack mitigation, support from the AWS Professional Services team, and access to detailed attack reports.

How does AWS Shield work?

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service for applications running on Amazon Web Services (AWS). During a DDoS attack, AWS Shield provides always-on monitoring and automatic inline mitigations to reduce application disruption and speed up recovery.

AWS Shield defends against the most common, frequently occurring network and transport layer DDoS attacks, such as SYN/ACK floods, reflection attacks, and DNS and HTTP floods. AWS Shield provides comprehensive DDoS protection for AWS resources, such as Elastic Load Balancing, Amazon CloudFront, Amazon Route 53, and Amazon Elastic Compute Cloud (Amazon EC2).

AWS Shield Advanced is a paid service that provides enhanced protection against larger and more sophisticated DDoS attacks. AWS Shield offers two tiers of protection, Standard and Advanced, so you can cost-effectively scale your DDoS protection as your AWS usage and traffic patterns change. Standard protection is always included with AWS Shield and is provided at no additional charge.

To start with AWS Shield, sign up for an AWS account and enable the AWS Shield service. AWS Shield is easy to set up and requires no additional hardware or software. There are no upfront costs or long-term contracts, and you pay only for the resources you use.

AWS Shield Features

Let’s have a look at the main features of both the standard and the advanced tiers.

AWS Shield Standard Features

  • AWS WAF (Web Application Firewall): AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect availability, compromise security, or consume excessive resources.
  • Managed Rules for AWS WAF: AWS WAF includes a set of managed rules that are maintained and updated by AWS. These rules cover many common web attack vectors and can be used to immediately start protecting your web applications.
  • 24/7 Monitoring and DDoS Protection: AWS Shield Standard provides 24/7 monitoring of your Amazon CloudFront distributions, Route 53 health checks, and Elastic Load Balancing resources. It also includes automatic detection and mitigation of DDoS attacks.

AWS Shield Advanced Features

  • AWS WAF: This feature allows you to create security rules that can help mitigate DDoS attacks by filtering out malicious traffic before it reaches your resources.
  • DDoS Event Notifications: This feature allows you to receive real-time notifications of DDoS events so you can take appropriate action.
  • DDoS Protection for Amazon CloudFront: This feature automatically applies DDoS protection rules to your Amazon CloudFront distributions, protecting your content from malicious traffic.
  • DDoS Protection for Amazon Route 53: This feature automatically applies DDoS protection rules to your Amazon Route 53 resources, protecting your DNS from malicious traffic.
  • Unlimited DDoS Protection: This feature provides unlimited DDoS protection for your AWS resources, without any additional charges.

Benefits of AWS Shield

Let’s have a look at the main benefits and advantages of both the standard and the advanced tiers.

Benefits of AWS Shield Standard

  • It is a managed service, so you don’t have to worry about configuring and managing your own DDoS protection infrastructure.
  • It integrates with other AWS services to provide protection at multiple layers (e.g. from network attacks and application-layer attacks).
  • It provides always-on protection against common DDoS attacks, with no need to manually enable protection or configure rules.
  • It automatically scales up to meet sudden and large increases in traffic volume, without any action required from you.
  • It provides detailed visibility into attack trends and patterns, so you can better understand the types of attacks you are facing and take steps to mitigate them.

Benefits of AWS Shield Advanced

The benefits of using AWS Shield Advanced include all of the features of AWS Shield Standard, plus additional features that can help protect your applications from more sophisticated attacks. Advanced features include:

  • AWS WAF: This allows you to create custom rules to block or allow specific traffic based on conditions that you define.
  • DDoS Protection by AWS CloudFront: This provides automatic DDoS protection for your Amazon CloudFront distributions.
  • Real-time monitoring and reporting: This provides you with data and reports on the status of your AWS Shield protection, including information on attacks that have been blocked.

Do I need AWS Shield Standard or Advanced?

This depends on your needs. If you require protection from large-scale attacks, such as distributed denial of service (DDoS) attacks, then you will need AWS Shield Advanced. If you only require protection from more common attacks, then AWS Shield Standard will likely suffice.

There is no “one size fits all” answer to this question, as the appropriate level of protection will vary depending on the specific needs of your business. However, in general, AWS Shield Standard is recommended for most users, as it provides protection against common attacks such as DDoS attacks. AWS Shield Advanced offers additional protection against more sophisticated attacks and is recommended for businesses that require the highest level of security.

AWS Shield Pricing

Let's distinguish the two tiers.

AWS Shield Standard Pricing

There is no additional charge for AWS Shield Standard. You pay only for the resources that you use.

AWS Shield Advanced Pricing

Using AWS Shield Advanced will require a 1-year minimum commitment, with a monthly fee of 3000 USD.

AWS Shield vs WAF: what’s the difference?

AWS Shield is a managed DDoS protection service that protects your web applications and resources from DDoS attacks. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.

Learn AWS Shield on Cloud Academy

Here are two courses on Cloud Academy that introduce you to AWS Shield:

I hope this blog post helped you understand AWS Shield’s aspects and features. If you have thoughts or questions, feel free to leave a comment or contact Cloud Academy.

Thanks and Happy Learning!

Microsoft Sentinel: AI-Powered Intelligent Security Analytics
Published Fri, 23 Sep 2022 at https://cloudacademy.com/blog/microsoft-sentinel-ai-powered-intelligent-security-analytics/

Microsoft Sentinel offers a unified approach to threat awareness, proactive hunting, alert detection, and threat response.

What Is Microsoft Sentinel?

Microsoft Sentinel (formerly Azure Sentinel) is a SIEM (Security Information and Event Management) and SOAR (Security Orchestration and Automated Response) solution that runs in Microsoft Azure, a public cloud platform, and offers a unified approach to threat awareness, proactive hunting, alert detection, and threat response. Microsoft Sentinel gathers data from several data sources, correlates it, and visualizes the processed data in a single dashboard. It also assists in collecting, identifying, investigating, and responding to security risks and incidents.

Consequently, it delivers threat intelligence and intelligent security analytics on Microsoft Azure cloud infrastructure. Microsoft Sentinel also incorporates Azure Logic Apps and Log Analytics, expanding its functionality. Additionally, it features strong built-in machine learning capabilities that can identify both suspicious users and suspicious activities, greatly assisting security analysts in the analysis of their environment.

Cloud security engineers can use Microsoft Sentinel for analyzing security events in on-premises as well as cloud environments. Typical usage scenarios comprise:

  • Data visualization for logs
  • Finding anomalies and notifying
  • Examination of security-related occurrences
  • Active threat detection and response by automation to security events

How Does Microsoft Sentinel Work?

Microsoft Sentinel allows you to centrally manage the collection, detection, response, and investigation of security threats in the environment and provides tools for threat intelligence and intelligent security analysis that improves the visibility of threats, detection of alerts, threat response, and proactive hunting.

Microsoft Sentinel operates following a cycle that begins with log management and includes automated alert responses before moving on to schema normalization, data validation, detection, and investigation. 

How does Sentinel provide this end-to-end functionality?

Collection: Microsoft Sentinel gathers information on all hardware, users, software, and infrastructure, including elements that are housed on-site and in various cloud environments. What detections can be applied to data depends on how it is gathered.

Detection: Microsoft Sentinel offers analytics and threat intelligence capabilities to help identify security threats that have already been discovered and minimize false positives. KQL-written detections can be stored as code.

Investigation: Microsoft Sentinel offers Artificial Intelligence technology to assist you in investigating suspicious activity on a large scale. Successful SOC (Security Operation Center) operations are aided by automation in both enrichment and containment.

Response: Teams employing Microsoft technology can respond quickly to incidents using Sentinel's built-in orchestration and automation of routine security operations and business integration tasks.

[Image: Sentinel malicious traffic]

Components of Microsoft Sentinel

Below are the notable Microsoft Sentinel components:

Workbooks: After you connect data sources to Microsoft Sentinel, you can monitor the data using Microsoft Sentinel's integration with Azure Monitor Workbooks. You can create customized workbooks based on your data using Microsoft Sentinel's pre-built workbook templates and adaptable solutions.

Workspace: A Log Analytics workspace is where data and configuration settings are kept. Microsoft Sentinel stores the data gathered from its various sources there.

Dashboard: With this Microsoft Sentinel component, you can define rules in real time and visualize data from several sources in a straightforward standalone dashboard. It gives the security administrator more insight into the events those services produce.

Hunting: Before an incident is reported, hunting lets you carry out independent and creative investigations to identify and evaluate security threats across the data sources used by your organization. The MITRE ATT&CK framework serves as the foundation for the powerful hunting and query tools included in Microsoft Sentinel. Microsoft Sentinel's search functionality is built on KQL (Kusto Query Language).

Playbooks: Playbooks are tools to automate and streamline security tasks that integrate with Microsoft services. Playbooks are built on Azure Logic Apps and consist of a collection of procedures to execute in response to an alert. For security admins, playbooks are intended to automate and streamline activities including data ingestion, enrichment, and investigation.

Notebooks: This Microsoft Sentinel component supports Azure Machine Learning workspaces that use Jupyter notebooks, which are pre-built collections of resources and modules for machine learning, visualization, and data analysis. By providing security views and training material, a notebook can review anomalies and look for dangerous behavior. Using the notebook component, you can run real-time visualizations and forensic analysis online.

Data Connectors: In Microsoft Sentinel, connectors are provided to ingest data from Microsoft products and services. Non-Microsoft products also benefit from out-of-the-box access to the wider security ecosystem.

Analytics: Microsoft Sentinel uses analytics rules to correlate alerts into potentially serious security incidents and to alert security investigators early. Users can create custom criteria that trigger alerts in Analytics using Kusto Query Language (KQL). There are a variety of built-in rules and connectors to Microsoft sources including Azure ATP and Cloud App Security.

Community: Community is a Microsoft Sentinel page, powered by GitHub, that hosts several data sources for orchestration and troubleshooting. Users can use it to raise alerts and react to risks and threats in their environment.

Investigation: Microsoft Sentinel's investigation capabilities help you pinpoint the scope of a potential security issue and identify its root cause.
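To make the Analytics component above concrete, here is an added example that is not from the original post and not Microsoft's code: the logic of a scheduled analytics rule (many failed sign-ins from one IP address inside a time window, hitting several accounts) reimplemented in plain Python and run over a handful of constructed sign-in events, so it executes offline. The column names (`TimeGenerated`, `UserPrincipalName`, `IPAddress`, `ResultType`) follow the Sentinel `SigninLogs` table; the threshold, window length, severity mapping and the sample IP addresses are assumptions chosen for the example.

```python
"""Added example, not code from the Cloud Academy post or from Microsoft.

It reproduces the logic of a Microsoft Sentinel scheduled analytics rule in
plain Python so it can run offline over constructed events. In Sentinel the
same detection would be written in KQL, roughly:

    SigninLogs
    | where ResultType != "0"
    | summarize Failures = count(), Targets = dcount(UserPrincipalName)
        by IPAddress, bin(TimeGenerated, 1h)
    | where Failures >= 10
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample events using a few SigninLogs column names. ResultType "0"
# is a successful sign-in; any other code is a failure. The IP addresses come
# from the RFC 5737 documentation ranges and are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"TimeGenerated": "2023-09-23T01:00:05", "UserPrincipalName": "bob@example.com",   "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2023-09-23T01:00:09", "UserPrincipalName": "carol@example.com", "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2023-09-23T01:00:14", "UserPrincipalName": "dave@example.com",  "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2023-09-23T01:00:20", "UserPrincipalName": "erin@example.com",  "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2023-09-23T01:31:02", "UserPrincipalName": "bob@example.com",   "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2023-09-23T01:31:07", "UserPrincipalName": "carol@example.com", "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2023-09-23T01:40:00", "UserPrincipalName": "bob@example.com",   "IPAddress": "203.0.113.10", "ResultType": "0"},
    {"TimeGenerated": "2023-09-23T02:05:00", "UserPrincipalName": "erin@example.com",  "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2023-09-23T01:15:00", "UserPrincipalName": "alice@example.com", "IPAddress": "198.51.100.7", "ResultType": "50126"},
    {"TimeGenerated": "2023-09-23T01:16:00", "UserPrincipalName": "alice@example.com", "IPAddress": "198.51.100.7", "ResultType": "0"},
]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def bin_start(ts: datetime, window_minutes: int) -> datetime:
    """Floor a timestamp to the start of its window, like KQL bin(TimeGenerated, 1h).
    Assumes window_minutes divides a day evenly."""
    minutes = (ts.hour * 60 + ts.minute) // window_minutes * window_minutes
    return ts.replace(hour=minutes // 60, minute=minutes % 60, second=0, microsecond=0)


def detect_failed_signin_bursts(events: List[Dict[str, str]], window_minutes: int = 60,
                                threshold: int = 10) -> List[Dict]:
    """Group failed sign-ins by (source IP, time window) and raise one alert per
    group that reaches the threshold. Returns alerts ordered by window start."""
    failures = defaultdict(lambda: {"count": 0, "users": set()})
    for ev in events:
        if ev["ResultType"] == "0":
            continue  # successful sign-in: excluded, as ResultType != "0" does in KQL
        key = (ev["IPAddress"], bin_start(parse_ts(ev["TimeGenerated"]), window_minutes))
        failures[key]["count"] += 1
        failures[key]["users"].add(ev["UserPrincipalName"])

    alerts = []
    for (ip, start), agg in sorted(failures.items(), key=lambda kv: kv[0][1]):
        if agg["count"] < threshold:
            continue
        targets = len(agg["users"])
        alerts.append({
            "IPAddress": ip,                     # would be mapped to an IP entity in Sentinel
            "WindowStart": start.isoformat(),
            "Failures": agg["count"],
            "Targets": targets,
            # Assumed severity mapping: one IP failing against several accounts is worse
            "Severity": "High" if targets >= 3 else "Medium",
            "Tactic": "CredentialAccess",        # MITRE ATT&CK tactic the rule would be tagged with
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_signin_bursts(SAMPLE_EVENTS, threshold=5):
        print(alert)
```

Run stand-alone it reports a single alert for 203.0.113.10 in the 01:00 window (six failures against four accounts); the one failure at 02:05 lands in a different bin and the benign typo from 198.51.100.7 stays under the threshold, which is the same behaviour the KQL `summarize ... by bin()` gives in Sentinel. Tuning `threshold` and `window_minutes` is where most of the false-positive work in a real rule happens.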

How do you deploy Microsoft Sentinel?

Microsoft Sentinel monitors linked sources for data incidents and notifies you when action is required. Microsoft Sentinel overviews, dashboards, and custom queries can be used to get a better understanding of unprocessed data and potentially harmful events.

Install Microsoft Sentinel connectors on the services whose data your organization needs to keep track of. Once it has obtained the log data from the services, Microsoft Sentinel performs cross-data-source correlation. You manage that data in the Azure Monitor Log Analytics workspace.

Artificial Intelligence and Machine Learning are used by Microsoft Sentinel to perform:

  • Threat assessment
  • Alert recognition
  • Quick action after an incident

To deploy Microsoft Sentinel in your environment, you can perform the following steps:

1.    Log in to the Azure portal.

2.    Choose the subscription in which Microsoft Sentinel will be created. Your account needs:

a.    Contributor permissions on the subscription where the Microsoft Sentinel workspace will be created.

b.    Contributor or Reader permissions on the resource group to which the Microsoft Sentinel workspace will belong.

3.    Search for and select Microsoft Sentinel, then select Add. A pane with the message "No Microsoft Sentinel workspace to display" appears.

4.    Select Create Microsoft Sentinel. The page for adding Microsoft Sentinel to a workspace loads.

5.    Select the option to create a new workspace. The Create Log Analytics workspace pane appears.

6.    On the Basics tab, use the dropdown menus to choose the settings listed below:

a. Select the Pricing tier tab to proceed.

b. Choose a pricing tier.

c. Select Review + Create, let Azure validate your Log Analytics workspace configuration, and then select Create.

d. Creating your workspace can take some time. You will be notified, and your workspace's name will show up in the Workspace list, once it has been deployed to your resource group. Select the Notification icon in the upper right of the Azure toolbar and choose Pin to dashboard.

e. Select Create new on the Pin to dashboard pane, give your dashboard a name, and then click Add at the bottom of the pane. Your workspace's Microsoft Sentinel dashboard appears.

f. Select Overview from the left menu.

Microsoft Sentinel Roles

With the help of the Role-Based Access Control (RBAC) authorization model, security admins can set up granular levels of permission based on various criteria while using Microsoft Sentinel. There are three pre-built roles for Microsoft Sentinel.

  • Reader: Users with this role can only view incidents and data.
  • Responder: Users granted this role can view incidents and data and also perform actions on incidents, such as assigning an incident to another user or changing its severity.
  • Contributor: Users with this role can view incidents and data, interact with incidents, and add or remove analytics rules.

To deploy Microsoft Sentinel, you need Contributor permissions on the subscription where the workspace is located. Use the Microsoft Sentinel roles to give specific rights to distinct groups so that different teams have access based on how they use Microsoft Sentinel.

Connect Data Sources to Microsoft Sentinel

Connecting Microsoft Sentinel to the services you want to use is the next step after enabling it.

The following Azure and non-Azure services are compatible with Microsoft Sentinel natively:

  • Azure AD (Active Directory)
  • Azure Activity log
  • Microsoft Defender for Cloud
  • Azure Web Application Firewall
  • Azure AD Identity Protection
  • Windows Defender Firewall
  • AWS (Amazon Web Services) CloudTrail
  • DNS
  • Cloud ATP
  • Defender for Cloud Apps
  • Microsoft 365
  • Microsoft Defender ATP
  • Windows security events

Microsoft Sentinel Pricing

Microsoft Sentinel's billing is determined by how much data it analyzes and stores in the Azure Monitor Log Analytics workspace. Data can be ingested as one of two log types, Analytics Logs and Basic Logs.

For Analytics Logs, Microsoft Sentinel can be purchased in two different ways:

Pay-as-you-Go

In this pricing model, you are charged per GB for the amount of data saved in the Azure Monitor Log Analytics workspace and ingested by Microsoft Sentinel for security analysis. The amount of data that will be stored in GB is used as a measure of data volume, and $2.45 is charged for each GB that is consumed.

Commitment Tiers

Commitment tiers enable a predictable overall cost for Microsoft Sentinel by billing you a fixed price based on the chosen tier. In comparison to Pay-as-you-Go pricing, the commitment tier offers you a reduction on the price based on your choice. After the initial 31 days of commitment, you have the choice to withdraw from the commitment tier at any time.

For 100 GB of data each day, it costs $123; for 200 GB, it costs $222; and for 300 GB, it costs $320. Visit Microsoft Sentinel Pricing for the complete details on pricing.

Microsoft Sentinel vs Splunk

The product portfolios of Microsoft Sentinel and Splunk are comparable. But some significant variations might affect how you decide:

  • In general, Microsoft Sentinel is thought to be simpler to use, configure, and administer.
  • Splunk consistently receives higher marks for customer service excellence and ease of use.
  • Microsoft’s products, such as Network Management, Incident Management, and Security Intelligence, enjoy greater consumer trust.
  • Only incident reporting and event management seem to be areas where Splunk truly shines.
  • Splunk takes more time to learn as compared to Microsoft Sentinel due to its query language.

Cost is one area that could raise some red flags for your business. Depending on your company's size and usage, Microsoft Sentinel and Splunk have different prices. Until you have quotations from both, it might not be possible for your company to determine which will be less expensive for it. Microsoft Sentinel and Splunk don't offer free trials; however, you can ask for walkthroughs and samples.

Overall, Microsoft Sentinel has better technology, but Splunk is a smaller company and offers advantages unique to small businesses, such as customer support. Microsoft Sentinel will probably be successful for businesses that depend on its security and dependability services. Splunk does receive higher grades for support quality, but most of its technology receives lower marks. Regardless, an MSP will likely serve as the interface between your business and your solution.

Microsoft Sentinel training on Cloud Academy

Microsoft Sentinel is a powerful, SOAR-capable, cloud-native SIEM platform. If you just want to know the basics of Sentinel, we recommend our Introduction to Microsoft Sentinel course. But if you want to master it, you can enroll in Cloud Academy's Becoming a Microsoft Sentinel Expert learning path.

Learn how to leverage Data Connectors in the Sentinel workspace, construct and apply Analytics Rules to investigate risks, create Playbooks to automate threat response, and use the Threat Hunting dashboard to proactively search for threats with the aid of this course.

If you want to become an Azure Security Engineer, these courses will help you to achieve your career goal.

Information Security Analyst: Skills You Need to Become One
Published Tue, 28 Jun 2022 at https://cloudacademy.com/blog/information-security-analyst-how-to-become-one/

An information security analyst combines their resourcefulness and excellent analytical abilities to protect a company’s most valuable asset: its electronic data. This person’s work enables their company to operate safely and efficiently. IT professionals who want to work as information security analysts are embarking on a career that’ll undoubtedly be tough — but lucrative and ever-evolving. As a result, the occupation of information security analyst has become one of the most appealing in the IT industry.

What is an information security analyst?

Information security analysts are responsible for analyzing security risks and vulnerabilities in a company’s network, computer systems, and software. They design and implement security measures to help protect company data.

They’re also responsible for identifying sources of information leaks. They use tools like firewalls, anti-virus software, encryption, and intrusion detection systems to monitor networks. An information security analyst’s job is incredibly important; the person in this role needs to be aware of all potential information security threats and prevent them from happening. In general, they also need to be familiar with computer systems, networks, and malicious software.

Cyber Crime

Technology evolves, fast. That means hardware and software required for data transmission, processing, encryption, and storage has to evolve fast, too. Information security analysts are only as good as their knowledge of existing and emerging security systems and cyber-attack techniques. Though these methods change, the overarching goal of keeping a company’s important information safe stays constant.

Steps to become an information security analyst

This occupation tends to be particularly appealing to curious people who enjoy learning how things work and disassembling and reassembling systems. It’s rare to become an information security analyst by chance, as this path does require a combination of concentrated education and experience.

Step 1: Earn a bachelor’s degree

A bachelor’s degree in cybersecurity is offered by many colleges and universities. This degree can prepare students for entry-level positions in the field of cybersecurity.

To complete a Bachelor’s degree in cybersecurity, students need to take courses focusing on computer security, cryptography, and network security. These courses are designed to prepare students for professional careers in the field of cybersecurity.

A Bachelor of Science in Management Information Systems is a good option for those who want to dive deeper into computer-based security as an undergraduate. Students can use their growing computer security skills in a business management environment, which is a function that goes beyond finding bugs and understanding the latest computer security strategies.

Students with a Bachelor of Science in Management Information Systems are expected to be able to plan, develop, implement, and supervise a company’s computer security system, all while working within the limits of a normal modern organization. The program provides students with an up-to-date understanding of various IT-related systems and trends, showing expertise that industry professionals employ.

The information gained from a Bachelor of Science in Management Information Systems degree allows students to handle various key computer-related concerns. The degree program, for example, teaches the fundamentals of developing, assessing, and implementing a data disaster recovery plan. In the aftermath of a disaster, tasks may include relocating data to an off-site location, restarting a whole IT system, and restoring its integrity.

Step 2: Gain on-the-job experience

While a degree can help students stand out in the job market, skilled applicants have a better chance of landing a great position if their resume includes work experience. A mid-level security analyst is usually someone with several years of experience in information security, so this kind of on-the-job experience shows potential employers that an applicant knows how to apply their knowledge in real-world settings, making the candidate more likely to be hired.

As with most jobs in the technology business, staying up to date on new technologies and techniques in cybersecurity is an important aspect of on-the-job experience. These advancements range from cutting-edge firewall systems to new approaches to incident response. By keeping up with them, information security analysts gain real experience in staying one step ahead of cyber intrusions.

Step 3: Get certifications and training

In addition to being up-to-date on cyber security challenges, it’s also critical to stay current with state-of-the-art trends on the other side of the equation — namely the cyber assault side. Malevolent attempts to access computer networks and systems, as well as virus deployment and denial of service (DoS) attacks, are always evolving. Information security analysts must be capable of dealing with new versions and variants.

Security certifications are the best way for an information security analyst to keep up with the ever-changing world of cybersecurity. Some organizations demand that job hopefuls — and even current workers — hold specific technology certifications, which serve as additional proof of a candidate’s aptitude and core capabilities.

Some credentials, such as the Certified Information Systems Security Professional (CISSP), reflect general information security expertise. Many other specialist certifications, on the other hand, attest to a deeper understanding of one component of cybersecurity. A CREA (Certified Reverse Engineering Analyst) certification focuses on malware analysis, whereas a Certified Ethical Hacker is certified to conduct authorized tests of a network’s security to uncover weaknesses.

A candidate for CISSP certification must have at least five years of experience in two or more of the eight CISSP domains, which include asset security, communication and network security, and identity and access management (IAM). To apply for the initial Certified Ethical Hacker certification, candidates must have at least two years of experience in the information security domain or have completed an officially sanctioned training course.

Step 4: Pursue a master’s degree in cybersecurity

Although it takes years of on-the-job experience to become an information security analyst, an advanced degree such as an MS in Cybersecurity will help you get there faster. This type of curriculum usually combines academic study with practical work experience in a corporate setting. This component of experience not only helps to enhance cybersecurity abilities but also helps to acquire insight into the commercial side of the industry. Real-life case studies and a look at the legal aspects of the profession may be part of this exposure.

An advanced cybersecurity curriculum usually aids in the development of skills in related fields such as computer engineering and business. This can give graduates a more well-rounded and comprehensive view of the information security analyst profession, which, when combined with relevant work experience, can help them be considered for higher-level positions or advancement.

Potential job titles and responsibilities

Once you’ve completed the steps above, it’s time to apply for information security analyst jobs. These positions can be found in a range of industries, including computer systems design, finance, insurance, company management, administrative services, and more. People in this position could work for government agencies, banks, retailers, healthcare services providers, and in many other industries.

Possible job titles:

  • Security Analyst
  • Senior Security Analyst
  • Senior Consulting Engineer – Information Security
  • Information Technology Security Analyst
  • Senior IT Security Analyst
  • Senior Information Security Compliance Analyst
  • Information Security Engineer

Day-to-day responsibilities:

  • Monitor the company’s networks for security weaknesses.
  • Install and update security software to keep sensitive data safe.
  • Run simulated attacks to identify areas of possible vulnerability.
  • Develop a plan for the company’s recovery following an attack, as well as security standards and best practices.
  • Prioritize, analyze, and document security incidents, threats, and critical metrics.
  • Review data on a daily and quarterly basis to uncover vulnerabilities and generate reports.
  • Analyze and set up security tools and software.
  • Collaborate with IT and end-users to reduce issues and preserve assets.

Skills needed to become an information security analyst

A good information security analyst is detail-oriented and can see subtle changes in a system’s performance that may signal a security breach, unauthorized software, or malware. The information security analyst detects and diagnoses the system’s “hiccups” accurately, preventing something much larger and more serious from occurring down the road.

A successful information security analyst should master these skills:

Project management: Overseeing teams that collect data and monitor systems for security threats is among the project management skills an information security analyst needs. They’ll also need to communicate effectively.

Security risk management: An information security analyst keeps an eye on things and strives to keep a system as risk-free as possible. They use security risk management to detect high and low-level threats and develop ways to counteract them.

Tableau or other business intelligence tools: Information security experts use Tableau, a business intelligence and analytics program, to make sense of the data they collect.

Cybersecurity: An information security analyst must have a general understanding of cybersecurity, as every firm requires an expert who knows risk management and mitigation. They should also have a basic understanding of IT and coding.

Network security management: An information security analyst must be able to apply methods that improve the security of a company’s computer systems. This includes testing new security technologies, responding quickly to threats, and managing a team of IT specialists and analysts.

IT security: An information security analyst needs to know how to configure firewalls and routers. With them, they can monitor the computer system’s infrastructure and traffic, looking for any potential security or data breaches.

Incident response and handling: Not all security analysts are involved in incident response, but most are to some extent. The ability to work within a formal incident detection and response procedure increases the value of a security analyst to a firm.

Protecting a company’s digital assets also means preserving evidence. When responding to an incident, treat it like a crime scene: you need a broad understanding of the situation before acting. If you remove or change data that was meant to serve as digital evidence, you may lose the ability to take legal action against the attackers.

Communicating and documenting incidents: Communication skills are critical in security crises; they are soft skills rather than the technical skills listed above. You will almost always work as part of a larger group. As incidents escalate and must be handed off quickly, strong communication is essential.

To drive this point home, consider discovering a new zero-day vulnerability. You may need to escalate it to Tier 3 SOC members, vendors, or system users. Every activity or action must also be properly documented, as it may be used in a court proceeding.

Salary and job outlook

Information security analysts will see a 32 percent increase in employment over the next ten years, which points to substantially more growth than the average for all occupations. To provide novel solutions to prevent hackers from obtaining sensitive data, information security analysts will be in high demand in the future.

According to the Bureau of Labor Statistics (BLS), the median annual salary for information security analysts was $102,600 in 2021 or $49.33 per hour. According to ZipRecruiter, the average annual salary for an Information Security Analyst in the United States is $99,944 per year as of May 28, 2022.

Certifications for an information security analyst

Information security certifications are credentials that build foundational knowledge across a variety of disciplines and validate to industry professionals that the holder has reached a defined standard.

CompTIA Security+

The CompTIA Security+ certification is a foundational requirement for an information security analyst. It’s a basic, vendor-neutral certification that teaches network security and risk management fundamentals. The certification is only the first step, but it opens a lot of doors on its own. Our online training course covers all six categories of knowledge required for certification and includes a test voucher.

Certified Ethical Hacker

The CEH (Certified Ethical Hacker) certification teaches advanced topics, such as how malicious code is developed and reverse engineered, to uncover the strategies attackers use to commit data breaches. This certification helps professionals understand how an attacker thinks — including learning the adversary’s techniques — and create effective protective measures.

Certified Information Systems Security Professional

The Certified Information Systems Security Professional (CISSP) is the gold standard in information security analyst certification. It prepares students to work as professionals in the information security industry. The CISSP covers a wide range of topics:

  • IT security
  • Architecture
  • Design
  • Management
  • Controls

The most sought-after information security certification in the IT business is the CISSP.

Figure: CISSP Domains

Certified Information Systems Auditor

The Certified Information Systems Auditor (CISA) certification covers a variety of topics related to enterprise IT governance and control and prepares students to design and perform effective security audits. The CISA curriculum spans the complete lifecycle of information systems: acquisition, development, testing, and implementation.

Start your career as an information security analyst

Companies hire information security analysts to supply security solutions. An information security analyst’s responsibilities include conducting research, gathering data, devising secure tactics, and maximizing productivity. They adhere to rigorous privacy policies while implementing security concepts. Information security analysts are proficient at detecting security threats and other weaknesses. They inspect corporate environments regularly and keep a close eye on logs and computer traffic.

To reduce downtime and avert security incidents, information security experts recommend updates to the technology running in their companies. They document security breaches and follow company procedures. They understand how to operate the firm’s infrastructure, such as routers, firewalls, and other physical devices, and they work together with other IT specialists to achieve the company’s objectives.

Information security analysts are in high demand, and technical security experts with the right training and qualifications can work in one of the world’s most diverse job marketplaces. The demand for IT and cybersecurity is only going to grow. In a complicated and extremely volatile security environment, Cloud Academy’s security courses and training can help you achieve job security. 

Amazon GuardDuty: Introduction to Intelligent Threat Detection for AWS https://cloudacademy.com/blog/amazon-guardduty-introduction-to-intelligent-threat-detection-for-aws/ Thu, 26 May 2022 16:52:08 +0000

How do businesses collect and monitor large amounts of log data across their cloud accounts and workloads? How can they harden their cloud environment against cyber threats? For AWS users, Amazon GuardDuty is one easy, intelligent, and cost-effective solution. Let’s learn more about threat detection, continuous monitoring, and how GuardDuty enhances security. 

What is Threat Detection?

No matter the industry, employee count, or security posture, every business that holds sensitive information faces cyber threats. As threat actors become more sophisticated, ransomware threats rise, and attack vectors evolve, businesses must put continuous monitoring and intelligent threat detection measures into place. Threat detection tools provide alerts to potential or active malicious behavior. Without the proactive capabilities of threat detection tools, businesses lose the ability to identify and respond to threats before compromise. Early detection of anomalous behavior is the key to stopping threats and initiating incident response or remediation processes.

Threat detection among AWS log data is a tough task. There is an immense amount of data to review – it’s like finding a needle in a haystack. That’s where threat detection tools prove their value. Instead of manual work done by an IT team, security services like Amazon GuardDuty can provide continuous monitoring for log data. 

Why use Amazon GuardDuty? 

When AWS environments require a scalable way to monitor and protect all accounts and workloads, Amazon GuardDuty is a native solution.

What is Amazon GuardDuty?

GuardDuty, a feature of AWS Security Hub, is an AWS threat detection service that collects and analyzes data from three sources to detect unexpected or unwanted behavior and then delivers findings. When businesses need to harden their environment and respond faster to instance, account, or bucket compromise, GuardDuty supports this at scale.

GuardDuty correlates log data from AWS CloudTrail event logs, VPC Flow Logs, and DNS logs with security and threat detection feeds to find anomalies and known suspicious sources. This lets GuardDuty detect attacker reconnaissance, compromised resources, or compromised accounts through behavior such as unauthorized escalation of privileges or communication with malicious IP addresses.

Understanding Findings from Amazon GuardDuty 

GuardDuty uses machine learning, anomaly detection, and integrated threat intelligence to discover potential security issues among log data and deliver findings in the Management Console. This information provides the context that businesses need to mitigate risk and take action on remediation. 

The finding summary provides the most basic information about each finding, including:

  • Finding type – The type of activity that triggered the finding
  • Finding ID – A unique identifier for the finding; repeated similar activity is aggregated under the same ID
  • Severity – Categorizes findings into low, medium, or high severity issues
  • Region – The AWS Region where the finding was generated
  • Count – The number of times the activity has been aggregated into this finding
  • Account ID – The AWS account where the activity took place
  • Resource ID – The AWS resource that the activity was taken against
  • Created at – The time and date when this finding was created
  • Updated at – The time the finding was last updated; a changing value indicates an ongoing issue that recurs

In addition to the summary, the Management Console also provides details like: 

  • The role (TARGET or ACTOR) and type (AccessKey, S3 bucket, KubernetesCluster, or Instance) of the affected resource
  • The IP address, location, organization, port, and domain of the target or actor
  • The type of action taken (NETWORK_CONNECTION, PORT_PROBE, DNS_REQUEST, or AWS_API_CALL)
  • Additional information, such as the name of the threat list the finding came from or an unusual protocol

Once an AWS user has GuardDuty findings, remediation can begin. HTTPS APIs, CLI tools, and Amazon CloudWatch Events support remediation by enabling automated security responses to GuardDuty findings. For example, AWS users can use GuardDuty findings to trigger AWS Lambda functions and automate remediation tasks. When AppsFlyer leveraged GuardDuty and Lambda together, their Security Operations Team Leader said, “Amazon GuardDuty reduces the noise. We can fine-tune the alerts so that we only get the most precise detections. Then we can react to each alert with great confidence.”

Integrating Amazon GuardDuty 

Is GuardDuty comparable to other AWS services? How can it be paired with services within AWS Security Hub? Using the right services and understanding their purpose is incredibly important for developing a robust security posture. Let’s look at the differences between Amazon GuardDuty vs. AWS WAF, as well as how Amazon Inspector and Macie differ from GuardDuty. 

Amazon GuardDuty vs. AWS WAF 

As part of your security posture, AWS Web Application Firewall (WAF) provides infrastructure protection by sitting in front of your Application Load Balancer and applying a web ACL to block malicious traffic. By controlling HTTP and HTTPS requests, it protects web applications and APIs.

Figure: AWS Web Application Firewall

Users can leverage Amazon GuardDuty and AWS WAF together to automate responses to GuardDuty findings. When GuardDuty detects suspicious activity, the automated response updates WAF web ACLs and VPC NACLs to block communication from that host. From there, you can focus on further investigation and remediation.
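As an added example (not part of the original post or AWS's own code), the Lambda-style triage below parses the finding summary and detail fields listed earlier from an EventBridge event and queues the WAF/NACL block, instance isolation, or access-key deactivation described in these two sections; the two events are constructed samples, and the `_ACTION_DETAIL_KEY` mapping and the action names it queues are this example's own.

```python
"""Triage Amazon GuardDuty findings delivered through EventBridge and decide on
an automated response. Illustrative code, not AWS's own; the field names follow
the finding summary and detail attributes described above."""
from typing import Any, Dict, List


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to its Low/Medium/High bands."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


# Each action type keeps its details (including the remote IP) under its own key.
_ACTION_DETAIL_KEY = {"NETWORK_CONNECTION": "networkConnectionAction",
                      "PORT_PROBE": "portProbeAction",
                      "AWS_API_CALL": "awsApiCallAction",
                      "DNS_REQUEST": "dnsRequestAction"}


def parse_finding(event: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten the EventBridge envelope and the finding into the fields we act on."""
    d = event["detail"]
    res = d.get("resource", {})
    rtype = res.get("resourceType", "Unknown")   # Instance, AccessKey, S3Bucket, ...
    rid = None
    if rtype == "Instance":
        rid = res.get("instanceDetails", {}).get("instanceId")
    elif rtype == "AccessKey":
        rid = res.get("accessKeyDetails", {}).get("accessKeyId")
    action = d.get("service", {}).get("action", {})
    atype = action.get("actionType", "UNKNOWN")  # NETWORK_CONNECTION, PORT_PROBE, ...
    details = action.get(_ACTION_DETAIL_KEY.get(atype, ""), {})
    if atype == "PORT_PROBE":  # probes carry a list of entries, each with a remote IP
        details = (details.get("portProbeDetails") or [{}])[0]
    return {"id": d["id"], "type": d["type"], "severity": float(d["severity"]),
            "account_id": d["accountId"], "resource_type": rtype, "resource_id": rid,
            "action_type": atype, "count": int(d.get("service", {}).get("count", 1)),
            "remote_ip": details.get("remoteIpDetails", {}).get("ipAddressV4")}


def plan_response(fd: Dict[str, Any]) -> Dict[str, Any]:
    """Decide which remediation steps to queue. Every finding is recorded; the
    blocking and isolation steps are queued only for Medium and High severity."""
    label = severity_label(fd["severity"])
    actions: List[str] = ["record_finding"]
    if label != "LOW":
        if fd["action_type"] in ("NETWORK_CONNECTION", "PORT_PROBE") and fd["remote_ip"]:
            # Add the remote host to a WAF IP set and a VPC NACL deny rule.
            actions.append(f"block_ip:{fd['remote_ip']}")
        if label == "HIGH" and fd["resource_type"] == "Instance" and fd["resource_id"]:
            # Move the instance into a quarantine security group for forensics.
            actions.append(f"isolate_instance:{fd['resource_id']}")
        if fd["resource_type"] == "AccessKey" and fd["resource_id"]:
            actions.append(f"deactivate_access_key:{fd['resource_id']}")
    return {"finding": fd["id"], "severity": label, "actions": actions}


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda entry point. The AWS SDK calls that carry out each queued action
    are deliberately omitted so the module runs offline."""
    return plan_response(parse_finding(event))


# Constructed sample events shaped like EventBridge "GuardDuty Finding" events.
SAMPLE_SSH_BRUTE_FORCE = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "detail": {"id": "example-finding-0001", "accountId": "111122223333",
               "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
               "service": {"count": 12, "action": {
                   "actionType": "NETWORK_CONNECTION",
                   "networkConnectionAction": {
                       "connectionDirection": "INBOUND",
                       "localPortDetails": {"port": 22},
                       "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}}}}

SAMPLE_KEY_EXFIL = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "detail": {"id": "example-finding-0002", "accountId": "111122223333",
               "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
               "severity": 8,
               "resource": {"resourceType": "AccessKey",
                            "accessKeyDetails": {"accessKeyId": "AKIAEXAMPLE"}},
               "service": {"count": 1, "action": {
                   "actionType": "AWS_API_CALL",
                   "awsApiCallAction": {"api": "DescribeInstances",
                                        "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}}}}}
```

Calling `handler(SAMPLE_SSH_BRUTE_FORCE)` queues a block for the remote IP at Medium severity, while the High-severity access-key sample queues a key deactivation instead.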

Amazon GuardDuty vs. Amazon Inspector

Like GuardDuty, Amazon Inspector is a part of AWS Security Hub and provides detection services. But Inspector is more of a security assessment tool that scans your EC2 instances to find areas of exposure. Inspector measures and compares your EC2 instances and their configurations against industry standards like CIS Benchmarks or CVE information. This testing will determine how accessible your network and applications are to malicious actors. 

Although both GuardDuty and Inspector provide detection services, Inspector focuses on vulnerability management for EC2, while GuardDuty provides intelligent threat detection for AWS accounts. AWS users should use both services for an enhanced security posture.

Amazon GuardDuty vs. Amazon Macie 

Also a part of AWS Security Hub, Amazon Macie provides data protection and privacy services through machine learning and pattern matching. Macie gives businesses visibility into where sensitive data is stored – specifically, if sensitive data is stored in unencrypted, publicly accessible, or shared S3 buckets.

GuardDuty and Macie both use machine learning, but in different ways. GuardDuty identifies anomalous behavior with machine learning, but Macie utilizes it to classify objects and data. For an improved data protection strategy, AWS users should utilize both services.

Getting Started with Amazon GuardDuty

Because Amazon GuardDuty is a part of the AWS Security Hub, getting started is actually a fairly simple process that only requires a few clicks in the Management Console or an API call. The first step is signing up for the free 30-day trial, which gives users access to all its features. After the trial, pricing is based on the amount of log data that is analyzed. Once you’ve deployed GuardDuty, it immediately begins threat detection and continuous monitoring. 

It’s 10:00 AM: Do You Know Where Your Team’s Tech Skills Are? https://cloudacademy.com/blog/do-you-know-where-your-teams-tech-skills-are/ Mon, 17 May 2021 05:00:28 +0000

One of the most challenging parts of managing a team in today’s digital world is that technology advances faster than people’s skills can — leaving you guessing if you have the resources to complete projects on time and on budget.

It’s that sinking feeling in your gut of fear and worry about another missed deadline. But what if the project is mission critical? You must find a way to achieve your goals even if you don’t know if you have the talent on your team right now. And you need to use your budget wisely to generate results, fast.

So, you consider your options. Hiring cycles for specialty tech talent are both slow and expensive, and that’s before onboarding even begins. You can start looking for the right people with the right mix of interpersonal and technical expertise, but that timeline is really out of your control — and the clock is ticking.

Taking a step back… could your team execute if they were given the proper tools to upskill quickly?

Putting a stop to the guesswork

The first step in forecasting your skill requirements is to fully understand where your team sits versus where it needs to be to execute against current and future business objectives. This knowledge will give you the confidence to make the right decisions with regard to investing internally or looking for talent on the open market. But where to begin?

Cloud Academy provides the answer to the question, “What are my team’s current tech skills?” with our accurate and objective tech skill assessment tool. Use our out-of-the-box assessments or create a custom version to test and validate on topics including:

Sounds good. What next?

In addition to assessing your team, Cloud Academy for Business helps you recommend and assign the training plans you need to take individuals’ skills to the next level. We are nothing like other e-learning platforms that outsource their content, don’t curate it properly, and leave skills development to the whim of employees’ motivation.

Cloud Academy is a software company built on the premise that an investment in the skills growth of your workforce should have a direct, positive, and measurable effect on operational goals. And that without accountability via regular evaluation, training programs are bound to fail.

With our platform, managers and administrators can set expectations around timelines that promote programmatic upskilling, establishing defined job roles with career progression tracks, and better execution on business objectives — all in a predictable and scalable way — whether you have two employees or tens of thousands. This method of shared accountability promotes team growth, improved retention, and a culture of success.

Our in-house content team consists of tech experts around the globe who continually create new and refresh existing educational assets. This means the learning paths, hands-on labs in live environments, quizzes, exams, and certifications that you assign your team are always up to date. Not to mention, our dedicated customer success team works with you to help you identify the right priorities and the best path forward for getting your squad to where it needs to be.

Try Cloud Academy’s Enterprise Plan for 2 weeks free

For registrations from May 17 until May 31, 2021, we’re offering your business unlimited access to the Cloud Academy platform for 14 days at no cost. Start by assessing your team’s skills, and explore the upskilling potential enabled by our library of content. We’ll be there to help you every step of the way.

Don’t miss out! Click here to get started.


Where Should You Be Focusing Your AWS Security Efforts? https://cloudacademy.com/blog/where-should-you-be-focusing-your-aws-security-efforts/ Thu, 17 Dec 2020 17:21:02 +0000

Another day, another re:Invent session! This time I listened to Stephen Schmidt’s session, “AWS Security: Where we’ve been, where we’re going.” Amongst covering the highlights of AWS security during 2020, a number of newly added AWS features/services were discussed, including: AWS Audit Manager, Cloud Audit Academy and AWS Network Firewall. Stephen also highlighted the 10 places your security group should focus its resources.

Figure: 10 places your security group should focus (screenshot from Stephen’s session)

In this post, I want to talk about the tactical areas (points 1-7 of the above screenshot taken from Stephen’s session) in a little more detail and the resources where you can learn more about them.

1. Use AWS Organizations

As organizations begin to expand with multiple accounts, it will become increasingly difficult to manage them as separate entities. The more accounts you have, the more distributed your environment becomes, and the associated security risks and exposures increase and multiply.

However, AWS Organizations can provide a means of centrally managing and categorizing multiple AWS accounts that you own, bringing them together into a single organization, which helps to maintain your AWS environment from a security, compliance, and account management perspective.

The primary benefit of AWS Organizations is its ability to centrally manage multiple accounts from a single AWS account, known as the master account. You can start by inviting your existing accounts to an organization and then create new accounts directly from the master account.

Using service control policies (SCPs), you can secure your AWS Organization. SCPs differ from identity-based and resource-based policies, which grant permissions to users, groups, and roles: an SCP does not grant permissions itself. Instead, the restrictions in an SCP set a boundary on the permissions available to the AWS accounts it applies to.

For example, say a user within an AWS account has full access to S3, RDS, and EC2 via an identity-based policy. If the SCP attached to that AWS account denies access to the S3 service, the user can only use RDS and EC2, even though the identity-based policy grants full access to S3. The SCP prevents that service from being used anywhere within the account: it takes precedence and determines the maximum level of permissions allowed.

So, to be clear, an SCP does not grant access. It adds a guardrail that defines what is allowed. You will still need to attach identity-based or resource-based policies to identities, granting them permission to carry out actions within your accounts.
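To make the S3, RDS, and EC2 example concrete, here is an added Python model of the evaluation (not AWS's policy engine and not code from the course): the two policies are constructed to match the scenario above, and the evaluator is a deliberate simplification that looks only at `Effect` and `Action` patterns.

```python
"""Model how a service control policy (SCP) bounds what an identity-based
policy grants. Illustrative evaluator, not AWS's policy engine: it handles
Allow/Deny on Action patterns only and ignores Resource and Condition."""
from fnmatch import fnmatch
from typing import Dict, Iterable, List

# Identity-based policy attached to the user: full S3, RDS and EC2 access.
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "rds:*", "ec2:*"], "Resource": "*"}]}

# SCP attached to the account: keep the default FullAWSAccess allow-all
# statement, then carve S3 out entirely.
ACCOUNT_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}


def _actions(stmt: Dict) -> List[str]:
    """Action may be a single string or a list; normalise to a list."""
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)


def _matches(policy: Dict, effect: str, action: str) -> bool:
    """True if any statement with the given Effect names this action
    (IAM action matching is case-insensitive and supports '*' wildcards)."""
    return any(stmt.get("Effect") == effect
               and any(fnmatch(action.lower(), pat.lower()) for pat in _actions(stmt))
               for stmt in policy.get("Statement", []))


def is_allowed(action: str, identity_policy: Dict, scps: Iterable[Dict]) -> bool:
    """Simplified evaluation: an explicit Deny anywhere wins; otherwise every SCP
    must Allow the action AND the identity policy must Allow it. An SCP Allow
    on its own never grants access."""
    scps = list(scps)
    if any(_matches(p, "Deny", action) for p in [identity_policy, *scps]):
        return False
    if not all(_matches(scp, "Allow", action) for scp in scps):
        return False
    return _matches(identity_policy, "Allow", action)


def effective_services(identity_policy: Dict, scps: Iterable[Dict],
                       actions: Iterable[str]) -> List[str]:
    """Which service prefixes the principal can actually use for these actions."""
    scps = list(scps)
    return sorted({a.split(":")[0] for a in actions
                   if is_allowed(a, identity_policy, scps)})


# Constructed sample of actions the user might attempt.
SAMPLE_ACTIONS = ["s3:GetObject", "s3:PutObject", "rds:DescribeDBInstances",
                  "ec2:RunInstances", "iam:CreateUser"]
```

With both policies in place, `effective_services(USER_POLICY, [ACCOUNT_SCP], SAMPLE_ACTIONS)` returns only `ec2` and `rds`, and removing the identity-based Allow leaves nothing permitted even though the SCP still says Allow `*`.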

Cloud Academy resources:

Course – Securing AWS Organizations with Service Control Policies (SCPs)

AWS resources: 

https://aws.amazon.com/organizations/

2. Understand your usage

Here I want to touch on a couple of the services that Stephen highlighted: AWS Config and AWS Security Hub.

AWS Config

One of the biggest headaches in any organization when it comes to resource management of IT infrastructure is finding the answers to some of these questions:

  • What resources do we have? 
  • What devices are out there within our infrastructure performing functions?
  • Do we have resources that are no longer needed, and therefore, can we be saving money by switching them off?
  • What is the status of their configuration? 
  • Are there any security vulnerabilities we need to worry about?
  • How are our resources linked within the environment? 
  • What relationships are there, and are there any dependencies? 
  • If we make a change to one resource, will this affect another?
  • What changes have occurred on the resources, and by whom? 
  • Do we have a history of changes for this resource that shows us how the resource changed over time?
  • Is the infrastructure compliant with specific governance controls, and how can we check to ensure that this configuration is meeting specific internal and external requirements?
  • Do we have accurate auditing information that can be passed to external auditors for compliance checks?

Depending on the size of your deployment with AWS, trying to answer some of these questions can be very time consuming and laborious. AWS is aware that due to the very nature of the cloud, the resources within an AWS environment are likely to fluctuate frequently, along with the configurations of the resources. The cloud, by its very nature, is designed to do so, and so trying to keep up with the resource management can be a struggle. AWS Config fixes this problem.

AWS Config has been designed to record and capture resource changes within your environment, allowing you to perform a number of actions against the data that help to find answers to the questions that we highlighted previously. 

AWS Config can:

  • Capture resource changes, so any change to a resource supported by Config can be recorded within a configuration item (CI).
  • Act as resource inventory, discovering supported resources running within your environment, allowing you to see data about that resource type.
  • Store configuration history for individual resources. 
  • Provide a snapshot in time of current resource configurations.
  • Notify you of any changes, using SNS.
  • Integrate with AWS CloudTrail to help you identify who made the change and when, and with which API.
  • Enforce rules that check the compliance of your resource against specific controls.
  • Perform security analyses within your AWS environment.
  • Identify relationships between resources.

This makes AWS Config very useful when it comes to carrying out security analysis and understanding your resource usage and the changes that have been made.  

Cloud Academy resources:

Course – AWS Config: An Introduction

Lab – Compliance check using AWS Config Rules (Managed and Custom)

AWS resources

https://aws.amazon.com/config/

AWS Security Hub

AWS Security Hub can be used to help you detect and remediate security incidents within your environment. It is designed to help you centralize security findings, alerts, and compliance reports, and is fully integrated with:

  • AWS Identity & Access Management
  • Amazon Macie
  • Amazon GuardDuty
  • Amazon Inspector
  • AWS Firewall Manager

The findings gathered from these services are presented via a series of interactive graphs, tables, and statistics. In addition to these native AWS services, it can also be incorporated into third-party partner solutions, such as Sumo Logic, Splunk and many more, which you might already be using within your own organization. This enables you to use Security Hub to receive and present data from not only the AWS security services mentioned, but also the security data gathered by tools and services offered by AWS partners that you may already be using as a part of your infrastructure.

AWS Security Hub can be deployed across multiple accounts to centralize your findings. When findings are generated and found, Security Hub will prioritize each one allowing you to focus on the key security threats and weaknesses detected across your multi-account configuration.  

The service itself is continually running and provides automatic assessment of compliance and security best practice checks based on the information being ingested from the different feeds.  Based on the results of these automatic checks, Security Hub is able to define and present which AWS accounts and resources are most affected by potential security issues, allowing you to rectify and remediate them as soon as possible.  

From the Security Hub console, you are able to carry out a number of immediate actions on the findings, such as being able to send the details of the findings to your engineers via email, chat, or even to a ticketing system. As the service is supported by Amazon CloudWatch, you can also configure automated responses based on metric information.  

It also integrates with Amazon Detective, and this helps to simplify the effort in analyzing and investigating the root cause of security incidents and suspicious activity, through machine learning and log data received by multiple AWS services.  

In summary, AWS Security Hub saves you time by centralizing security findings from multiple accounts, from multiple security services and partner tools, enabling you to quickly identify and spot security threats, weaknesses, and trends. This allows you to provide a more efficient way of maintaining a safe, secure, and protected environment.  
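As an added example (not Security Hub’s or Cloud Academy’s code) of the triage described above: a handful of constructed findings in the AWS Security Finding Format (ASFF) are filtered down to what still needs action, ranked by severity, and summarised by account and resource. Account IDs and resource names are placeholders.

```python
"""Triage Security Hub findings (ASFF): drop resolved/suppressed ones,
rank the rest by severity, and show the most affected accounts/resources."""
from collections import Counter, defaultdict

# Security Hub's severity labels, weighted so CRITICAL outranks everything.
SEVERITY_WEIGHT = {"INFORMATIONAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}


def _finding(fid, account, label, title, resource, workflow="NEW", record="ACTIVE"):
    """Minimal constructed ASFF record (real findings carry many more fields)."""
    return {
        "SchemaVersion": "2018-10-08",
        "Id": fid,
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "AwsAccountId": account,
        "Title": title,
        "Severity": {"Label": label},
        "Resources": [{"Type": "AwsS3Bucket", "Id": resource}],
        "Compliance": {"Status": "FAILED"},
        "Workflow": {"Status": workflow},
        "RecordState": record,
    }


# Constructed findings across three placeholder accounts.
SAMPLE_FINDINGS = [
    _finding("f1", "111111111111", "CRITICAL", "S3 bucket allows public read",
             "arn:aws:s3:::acct1-public-data"),
    _finding("f2", "111111111111", "HIGH", "S3 bucket has no default encryption",
             "arn:aws:s3:::acct1-public-data"),
    _finding("f3", "222222222222", "MEDIUM", "S3 bucket access logging disabled",
             "arn:aws:s3:::acct2-logs"),
    # Already resolved: must not count towards the account's score.
    _finding("f4", "222222222222", "CRITICAL", "Root account without MFA",
             "AWS::::Account:222222222222", workflow="RESOLVED"),
    # Archived by the producing service: no longer actionable.
    _finding("f5", "333333333333", "LOW", "Unused IAM access key",
             "arn:aws:iam::333333333333:user/ci", record="ARCHIVED"),
]


def actionable(findings):
    """Keep findings that still need work: ACTIVE and in workflow NEW or NOTIFIED."""
    return [f for f in findings
            if f.get("RecordState") == "ACTIVE"
            and f.get("Workflow", {}).get("Status") in ("NEW", "NOTIFIED")]


def prioritised(findings):
    """Highest severity first, as the Security Hub findings view orders them."""
    return sorted(actionable(findings),
                  key=lambda f: SEVERITY_WEIGHT.get(f["Severity"]["Label"], 0),
                  reverse=True)


def most_affected_accounts(findings):
    """Weighted severity score per account -> [(account_id, score), ...], worst first."""
    score = Counter()
    for f in actionable(findings):
        score[f["AwsAccountId"]] += SEVERITY_WEIGHT.get(f["Severity"]["Label"], 0)
    return score.most_common()


def most_affected_resources(findings):
    """Resource -> list of finding ids, resources with the most open findings first."""
    hits = defaultdict(list)
    for f in actionable(findings):
        for res in f.get("Resources", []):
            hits[res["Id"]].append(f["Id"])
    return sorted(hits.items(), key=lambda kv: len(kv[1]), reverse=True)


if __name__ == "__main__":
    for f in prioritised(SAMPLE_FINDINGS):
        print(f["Severity"]["Label"], f["AwsAccountId"], f["Title"])
    print(most_affected_accounts(SAMPLE_FINDINGS))
    print(most_affected_resources(SAMPLE_FINDINGS))
```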

AWS resources:

https://aws.amazon.com/security-hub/

3. Use Cryptography Services

In this section, I want to focus on both the AWS Key Management Service and AWS CloudHSM.  

AWS Key Management Service

Basically, the Key Management Service is used to store and generate encryption keys that can be used by other integrated AWS services and applications to encrypt your data at rest. So it’s a fundamental security service offered by AWS to help you manage your cryptographic operations. 

There are different types of keys used within KMS which perform different roles and functions, such as the CMK, the Customer Master Key, and Data Encryption Keys.  

The CMK is the main key type within KMS, and contains the key material that is used to encrypt your data. There are three different types of CMK:

  • Customer Managed: These keys offer the greatest level of flexibility and control of the three types. You are able to create, disable or delete the key, configure the key policies associated with your key, configure Grants, and also alter and adjust the key rotation periods and view full usage history of the key. 
  • AWS Managed: As the name suggests, AWS Managed Keys are managed by AWS. However, you are still able to view these keys within the Management Console, and also audit and track their usage and view their key policies. Because they are managed by AWS, you are not able to modify them (for example, it’s not possible to edit the key policy or control their rotation frequency). They can only be used by the service that creates them and can be identified by their alias (for example, aws/s3 is an AWS managed key used for S3 encryption).
  • AWS Owned:  These are not visible within the KMS console or anywhere within your account; neither do you have the ability to audit and track their usage. They are essentially abstracted from your AWS account. But of course, some services use this key type to encrypt your data within your account (for example, the S3 Master key used for SSE-S3 encryption).

The CMK NEVER leaves KMS. It is created within KMS and remains within KMS at all times, but it can generate Data Encryption Keys and bucket keys, and these keys can leave KMS and are used by other AWS services to implement encryption, such as S3.

Next we have Data Encryption Keys:

Data keys are created by CMKs; however, they are used outside of KMS to perform encryption against your data, either in your own applications or by other AWS services.  

When a request to generate a data key is received by KMS, the associated CMK in the request will create two identical data encryption keys — one will be a plaintext key, and the other will be an encrypted key.

During the encryption process, it’s the plaintext data key that will be used to perform the encryption of your data using an encryption algorithm. Once the encryption has taken place, this plaintext data key will then be deleted and the encrypted data key will be stored and associated with the newly encrypted data.  
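The data-key flow just described, as an added example that is not AWS or Cloud Academy code: a simulated KMS keeps the CMK material private and only ever hands out plaintext or wrapped data keys; the client encrypts with the plaintext key, discards it, and stores the wrapped copy beside the ciphertext. The cipher is a toy HMAC-SHA256 keystream with an encrypt-then-MAC tag, standing in for AES-GCM so the example runs on the standard library alone; key IDs are constructed.

```python
"""Envelope encryption with a simulated KMS: the CMK never leaves the service,
only data keys do. Toy HMAC-SHA256 keystream cipher stands in for AES-GCM."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy construction, not for production)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # tampered ciphertext or wrong key
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class SimulatedKMS:
    """Stand-in for KMS: CMK material lives only inside this object."""

    def __init__(self):
        self._cmks = {}

    def create_key(self) -> str:
        key_id = "sim-cmk-" + secrets.token_hex(8)  # constructed id, not a real key ARN
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str):
        """Like GenerateDataKey: returns (plaintext data key, copy encrypted under the CMK)."""
        data_key = secrets.token_bytes(32)
        return data_key, toy_encrypt(self._cmks[key_id], data_key)

    def decrypt(self, key_id: str, wrapped: bytes) -> bytes:
        """Like Decrypt on a wrapped data key (real KMS reads the key id from the blob)."""
        return toy_decrypt(self._cmks[key_id], wrapped)


@dataclass
class EnvelopeRecord:
    key_id: str
    wrapped_data_key: bytes  # stored beside the ciphertext; useless without KMS
    ciphertext: bytes


def envelope_encrypt(kms: SimulatedKMS, key_id: str, plaintext: bytes) -> EnvelopeRecord:
    plaintext_key, wrapped = kms.generate_data_key(key_id)
    ct = toy_encrypt(plaintext_key, plaintext)
    del plaintext_key  # the plaintext data key is discarded; only the wrapped copy is kept
    return EnvelopeRecord(key_id, wrapped, ct)


def envelope_decrypt(kms: SimulatedKMS, rec: EnvelopeRecord) -> bytes:
    data_key = kms.decrypt(rec.key_id, rec.wrapped_data_key)  # KMS unwraps, client decrypts
    return toy_decrypt(data_key, rec.ciphertext)


def roundtrip(plaintext: bytes) -> bytes:
    kms = SimulatedKMS()
    return envelope_decrypt(kms, envelope_encrypt(kms, kms.create_key(), plaintext))


def tamper_detected(plaintext: bytes) -> bool:
    """Flipping one ciphertext byte must fail the integrity check."""
    kms = SimulatedKMS()
    rec = envelope_encrypt(kms, kms.create_key(), plaintext)
    body = bytearray(rec.ciphertext)
    body[NONCE_LEN] ^= 0x01
    rec.ciphertext = bytes(body)
    try:
        envelope_decrypt(kms, rec)
    except ValueError:
        return True
    return False


def wrapped_key_hides_plaintext() -> bool:
    """The stored (wrapped) data key reveals nothing without KMS, but KMS can recover it."""
    kms = SimulatedKMS()
    key_id = kms.create_key()
    plaintext_key, wrapped = kms.generate_data_key(key_id)
    return plaintext_key not in wrapped and kms.decrypt(key_id, wrapped) == plaintext_key
```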

Cloud Academy resources:

Course – How to use KMS key encryption to protect your data 

Lab – Using Amazon Key Management Service to encrypt S3 and EBS data

Lab – Encrypting objects using SSE-KMS

AWS resources:

https://aws.amazon.com/kms/

AWS CloudHSM

Firstly, what does the HSM stand for? Well HSM stands for Hardware Security Module, but what is a hardware security module? It’s a physical tamper-resistant hardware appliance that is used to protect and safeguard cryptographic material and encryption keys.

The AWS CloudHSM service provides HSMs that are validated to Federal Information Processing Standards (FIPS) 140-2 Level 3, which is often required if you are going to be using your CloudHSM for document signing or if you intend to operate a public certificate authority for SSL certificates.

As I mentioned, CloudHSM is a physical device, and it’s important to note that this device is not shared with any other customer, so it’s NOT a multi-tenant device. It is a dedicated single-tenant appliance exclusively made available to you, for your own workloads.  The fact that the HSM is based upon single tenancy should not be surprising bearing in mind how sensitive the information is that it contains.

CloudHSM is an enterprise-class service used for secure encryption key management and storage which can be used as a root of trust for an enterprise when it comes to data protection, allowing you to deploy secure and compliant workloads within AWS.

There are a number of different operations that CloudHSM can help you provide. These include:

  • The creation, storage, and management of cryptographic keys, allowing you to import and export both asymmetric and symmetric keys
  • The ability to use cryptographic hash functions to enable you to compute message digests and hash-based message authentication codes, otherwise known as HMACs
  • Cryptographic data signing and signature verification
  • Using both asymmetric and symmetric encryption algorithms
  • Ability to generate cryptographically secure random data

Cloud Academy resources:

Course – Getting started with CloudHSM 

AWS resources:

https://aws.amazon.com/cloudhsm/

4. Federation for human access

Sometimes it’s not feasible, or even possible, to create IAM users for everyone who needs to access your AWS resources, as you might have hundreds or even thousands of users needing different access. As a result, you could implement federated access to simplify access management for your users within a big organization. In this section, I want to highlight AWS federated access, which allows you to create a single sign-on (SSO) approach, and Amazon Cognito, a service enabling you to configure and grant access through mobile devices.

Federated access is a great way to centralize account management and use your AWS resources without requiring IAM user credentials. Instead, access credentials are issued based on authentication by an identity provider (IdP). This could be your own enterprise federation using your MS Active Directory accounts, or alternatively, a social identity provider such as Amazon, Google, or Facebook, which are all well-known social IdPs.

Using your own enterprise MS-AD accounts, you could create an SSO approach using SAML (Security Assertion Markup Language), allowing users to gain access to your AWS Management Console. SAML provides an effective and secure way to exchange authentication between an IdP, such as MS-AD, and a SAML consumer (your AWS account, specifically its IAM roles), with the help of the Security Token Service (STS). This enables authenticated MS-AD users to assume IAM roles, which provide temporary credentials and permissions to access the AWS Management Console.

Using a social IdP (Amazon, Facebook, Google, etc.) allows you to authenticate users without your own corporate MS-AD. Perhaps you don’t know which users will need access. You might have a mobile game that requires access to your resources to log high scores and team data, but you need the users to authenticate first. In this scenario, social federation can help. 

Social federation enables you to create your applications, allowing them to request temporary credentials. These temporary credentials are associated with an IAM role which provides the relevant permissions to access any resources required.

Cloud Academy resources:

Course – AWS Identity Federation

Course – AWS: Overview of Identity & Access Management (IAM)

AWS resources:

https://aws.amazon.com/identity/federation/

Amazon Cognito

This service allows users to log in directly with their user credentials that are maintained in Amazon Cognito on behalf of your web and mobile applications. It also allows sign-in through third-party social networking applications such as Facebook, Amazon, Google, or Apple, and other Identity providers.

Amazon Cognito provides important features to achieve different use cases in user management and authentication in web applications and mobile applications.

Let us have a quick look at Amazon Cognito features:

  • Managing a user directory – Amazon Cognito user pools function as user directories that store users’ personal data such as login ID, password, etc. This information is used for validation during sign-in. As this is a cloud service from AWS, we need not worry about managing infrastructure, setup, or scaling the service. It can store millions of user records if required.
  • Integrate with social network logins and federated identity providers – Amazon Cognito accepts and allows sign-in for users who have an account in social networking sites such as Facebook, Google, or PayPal without the need to create a new account in Amazon Cognito. This feature is also available if a user signs in through an external identity provider (IdP) that is compatible with OpenID Connect and SAML 2.0.
  • Standards-based authentication – OpenID Connect, OAuth 2.0, and SAML 2.0.
  • Security for your apps and users – HIPAA eligible and PCI DSS, SOC, and ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant.
  • Simple integration with your app – Amazon Cognito provides a software development kit (SDK) for Android, iOS, and JavaScript to call APIs that implement user sign-up and sign-in functionality. In addition to providing simple APIs, Amazon Cognito also comes with a default and customizable UI page for user sign-up and sign-in.
  • Role-based access control for AWS resources – An AWS IAM role has specific permissions to access AWS resources. You could use identity pools to map users to specific roles and authorize their access to AWS resources.

Cloud Academy resources:

Blog – What is Cognito in AWS? 

Lab – Manage Authentication with Amazon Cognito 

AWS resources:

https://aws.amazon.com/cognito/

5. Block public access on accounts

One of the biggest pitfalls I have seen in some organizations has been the lack of basic security controls, specifically those placed around Amazon S3 buckets.

Over the years, we have all seen news articles of instances where organizations have left themselves exposed by leaving customer and confidential information within unprotected AWS buckets allowing access to the general public. This has resulted in huge security breaches and has left those organizations answering difficult questions in addition to financial penalties.  

As a response to the mistakes made by these organizations and the resulting repercussions, AWS has continually worked to improve the security around Amazon S3 to prevent instances such as these from happening again. 

When creating a new bucket in S3, there is an option that’s dedicated to helping you protect your bucket from public access, and by default there is a checkbox that’s ticked which blocks ALL public access.  

If you do need some public access to this bucket, then you can turn off this setting and it allows you to select four additional options that can be used to filter public access.

So you can:

  • Block public access to buckets and objects granted through NEW access control lists 
  • Block public access to buckets and objects granted through ANY access control lists 
  • Block public access to buckets and objects granted through NEW public bucket or access point policies 
  • Block public and cross-account access to buckets and objects through any public bucket or access point policies


This lets you permit some kinds of public access while blocking others, based on specific controls. You don’t have to select any of the four options, or you can select any combination of them.

While ALL public access to the bucket is blocked, you will not be able to configure any kind of public or cross-account access via the bucket policy or ACL.
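The four Block Public Access options above, checked the way a custom AWS Config rule (section 2) would evaluate them, as an added example that is not AWS or Cloud Academy code. The setting names are the real PublicAccessBlockConfiguration fields of the S3 API and also apply account-wide through S3 Control; the Config event is constructed, and the lowerCamelCase casing of the settings inside the configuration item is an assumption.

```python
"""Evaluate an S3 bucket's Block Public Access settings as a Config custom rule would."""
import json

# Real PutPublicAccessBlock fields, paired with the console option each one implements.
SETTINGS = {
    "BlockPublicAcls": "public access granted through NEW access control lists",
    "IgnorePublicAcls": "public access granted through ANY access control list",
    "BlockPublicPolicy": "public access granted through NEW public bucket or access point policies",
    "RestrictPublicBuckets": "public and cross-account access through ANY public bucket or access point policy",
}


def open_avenues(cfg: dict) -> list:
    """Return the avenues this configuration still leaves open (a missing key counts as off)."""
    return [desc for name, desc in SETTINGS.items() if not cfg.get(name, False)]


def evaluate_bucket(cfg: dict, required=frozenset(SETTINGS)) -> str:
    """Config-style verdict: every required setting must be switched on."""
    missing = [name for name in required if not cfg.get(name, False)]
    return "COMPLIANT" if not missing else "NON_COMPLIANT"


def lambda_handler(event, context=None) -> dict:
    """Custom Config rule entry point; the put_evaluations call is omitted so it runs offline."""
    invoking = json.loads(event["invokingEvent"])
    ci = invoking["configurationItem"]
    # Assumption: Config exposes the settings under supplementaryConfiguration in
    # lowerCamelCase; normalise them to the API field names used in SETTINGS.
    raw = ci.get("supplementaryConfiguration", {}).get("PublicAccessBlockConfiguration", {})
    cfg = {k[0].upper() + k[1:]: v for k, v in raw.items()}
    still_open = open_avenues(cfg)
    return {  # the fields a Config rule returns in its Evaluation
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_bucket(cfg),
        "Annotation": "; ".join(still_open) if still_open
                      else "all four Block Public Access settings are on",
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


# Constructed event: a bucket whose owner unticked the two policy-related options.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::S3::Bucket",
            "resourceId": "example-reports-bucket",
            "configurationItemCaptureTime": "2021-01-05T10:00:00.000Z",
            "supplementaryConfiguration": {
                "PublicAccessBlockConfiguration": {
                    "blockPublicAcls": True,
                    "ignorePublicAcls": True,
                    "blockPublicPolicy": False,
                    "restrictPublicBuckets": False,
                }
            },
        },
    }),
    "ruleParameters": "{}",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```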

Cloud Academy resources:

Course – Increasing your security posture when using Amazon S3 (Coming Jan 2021)

Course – Introduction to Amazon S3

Course – Using Amazon S3 bucket properties and management features to maintain your data

AWS resources: 

https://aws.amazon.com/s3/

6. Edge protection on external resources 

Amazon CloudFront

Amazon CloudFront is AWS’s fault-tolerant and globally scalable content delivery network service. It provides seamless integration with other AWS services to provide an easy way to distribute content.

Amazon CloudFront speeds up distribution of your static and dynamic content through its worldwide network of edge locations. Normally when a user requests content that you’re hosting without a CDN, the request is routed back to the source web server, which could reside in a different continent than the user initiating the request. However, if you’re using CloudFront, the request is instead routed to the closest edge to the user’s location which provides the lowest latency to deliver the best performance through cached data.

So Amazon CloudFront provides a means of distributing the source data of your web traffic closer to the end user requesting the content via AWS edge locations as cached data. 

AWS edge locations are sites deployed in major cities and highly populated areas across the globe. While edge locations are not used to deploy your main infrastructure, such as EC2 instances or EBS storage, they are used by AWS services such as Amazon CloudFront to cache data and reduce latency for end-user access. For example, you may have your website hosted on EC2 instances or S3 within the Ohio region, with an associated CloudFront distribution. When a user accesses your website from Europe, they would be directed to their closest edge location in Europe, where cached data from your website could be served. This significantly reduces latency.

CloudFront uses distributions to control which source data it needs to redistribute and to where. When configuring your distributions, you will be required to enter your origin information. This is essentially where the distribution is going to get the data to distribute across edge locations.

You can also select a host of different caching behavior options, defining how you want the data at the edge location to be cached via various methods and policies, and which edge locations you want your data to be distributed to.

You can also define if you want your distribution to be associated with a web application firewall (WAF) access control list for additional security and web application protection. 

Cloud Academy resources:

Course – Introduction to DNS and Content Delivery on AWS

Lab – Serve your files using the CloudFront CDN 

Lab – Configuring a Static Website with S3 and CloudFront 

AWS resources:

https://aws.amazon.com/cloudfront/

AWS Web Application Firewall (WAF)

The AWS Web Application Firewall is a service that helps protect websites and web applications from common web attack patterns such as SQL injection and cross-site scripting. It integrates with Amazon CloudFront distributions, the Application Load Balancer, and API Gateway to analyse requests over HTTP or HTTPS. Together, these services filter HTTP and HTTPS traffic by distinguishing legitimate from harmful inbound requests, which are then either allowed or blocked.

AWS WAF is comprised of a number of different components, including:

  • Web Access Control Lists (Web ACLs): This is the element within WAF that is used to help you protect your resources. Each Web ACL contains another component, rules, which inspect the incoming requests.
  • Rules: Each rule contains specific statements that are used to filter incoming requests, and these rules are added to a Web ACL. WAF inspects the traffic and determines whether it matches the rule; if a match is found, the rule indicates whether the traffic should be “Allowed” or “Blocked.”
  • Rule Groups: These allow you to group your rules together to form a defined set of security standards or best practices, allowing you to quickly and easily assign them to different Web ACLs.

Cloud Academy resources:

Course – Protecting Web Apps with AWS WAF, Shield and Firewall Manager

AWS resources:

https://aws.amazon.com/waf/

7. Patch and Measure

AWS Systems Manager is a great service, providing a method of easily performing operational actions against your instances without having to remotely connect to them first – and this can be achieved at scale. Its single dashboard helps your operational teams gain insight into your EC2 resources, widening the visibility of your fleet: you can view the configurations and patch levels of your instances, in addition to the specific software installed on them. Using patch baselines, Systems Manager can scan your instances to ensure they remain compliant.

The Patch Manager within Systems Manager provides a method of automating and managing any patch updates that are required across your whole fleet of EC2 instances within your environment. As a result, it enables you to quickly deploy newly released patches that could protect your resources from any new vulnerabilities that have been detected. Maintaining the best level of patch protection is so important, and to help you stay on top of this, Patch Manager has the ability to scan your instances to see which key patches are missing that could be exposing your resources unnecessarily. If instances are discovered to have missing patches, Patch Manager can be configured to automatically update any missing patches for you.

Patch Manager follows a four-stage process:

  1. Use default patch baselines, or create your own
  2. Organize instances into patch groups (optional)
  3. Automate the patching schedule by using maintenance windows
  4. Monitor patch status to ensure compliance

AWS resources: 

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html

Summary

Ultimately, when working with AWS, security still remains a priority, and with the huge range of AWS services that are available today, there is no reason to overlook security at any stage throughout your deployment. There are services to help you protect your environment at every step of your cloud journey, and it’s critical that you take time to learn about these services and how they can help architect your environment, allowing you to implement and build a robust security posture.

For more information on AWS security services, see our existing learning paths: 

AWS Security Services 

AWS Access & Key Management Security

Security – Specialty Certification preparation for AWS

The post Where Should You Be Focusing Your AWS Security Efforts? appeared first on Cloud Academy.

VPN Encryption: How to Find the Best Solution
https://cloudacademy.com/blog/vpn-encryption-how-to-find-the-best-solution/
Fri, 17 Jul 2020 08:31:13 +0000

Each day there are 2.5 quintillion bytes of data created. People in all corners of the earth use the internet all day, every day. When we browse social media, conduct transactions, and search the web, we’re leaving behind a digital footprint. 

Encryption helps you protect the data you send, receive, and store using your device. This process scrambles readable text to protect sensitive information. This digital security measure ensures that personal data stored on servers is kept private. 

Individuals and organizations also may use a Virtual Private Network (VPN) for added privacy. This allows you to create a secure connection over the internet. It’s helpful if you want to access regionally restricted sites and shield browsing activity when you’re connected to public Wi-Fi. 

These concepts can be challenging to wrap your head around. That said, they’re essential to understanding your level of internet security. In this guide, we’ll go over each term and provide an overview of the two primary encryption techniques used by VPN services. If you enjoy understanding the nitty-gritty details, you can learn about connecting VPNs in a live cloud environment with the Understanding the VPN Connection Scenario Hands-on Lab. This lab introduces several AWS networking concepts in the context of migrating an on-premises application to the cloud. 


What is VPN Encryption?

VPN encryption is a process by which the VPN hides your data. The data is translated into a coded format that’s unreadable by any snooping parties. When you’re using a VPN, your information is encrypted when it enters and then passes through its tunnel. 

Tunneling is the process by which data is sent privately over the internet through the VPN. All data is split into packets when it’s transmitted on the web. With a tunneled connection, each data packet is placed inside another packet before it’s sent. This is called encapsulation. 

The VPN then decrypts the data at the other end of the tunnel before it reaches your chosen website. All of your information is secured and hidden by encryption during the transfer. A VPN uses different encryption techniques and combinations. 

Types of VPNs

Site-to-Site VPNs

A site-to-site VPN, also called a router-to-router VPN, is generally used by companies that need to connect one office to another remotely. A site-to-site VPN builds an encrypted tunnel and allows the business to maintain privacy and secrecy. 

A site-to-site VPN secures all connections when it works in combination with IPsec. The traffic is encrypted as it moves through the tunnel from one site to another—which blocks out hackers, potential viruses, and any malicious content. 

This approach is scalable, and you can add a new site or another branch to your network. It’s simple to install this network at the new location. 

Remote Access VPN 

Another option is the remote access VPN. This gives individual users a connection to a private network over the internet. It is mostly useful for people working away from the office or for home users. 

Today, many people are working from home or on the go. Remote working is one of the perks of modern-day technology. With remote access, you or your employees will have a connection through a secure virtual tunnel. This service is used to get around geo-restrictions and access any blocked websites. 

A remote-access VPN is a solution for many businesses. To gain access, you’ll log in using valid credentials that are authenticated by a series of encryption protocols. This is the first level of security. Then your computer uses client software to maintain your connection. 

This client software sets up the tunnel connection and manages the encryption of data.

VPN Encryption Techniques

When you use a VPN, typically, you use two different encryption algorithms: symmetric and asymmetric. Each technique serves a unique purpose in protecting your data. 

Symmetric

With symmetric encryption, you use the same key to encrypt and decrypt data. This means that you and your VPN server use the same shared key. Once a connection is established, all data is encrypted and transmitted through the protocols. 

This encryption is efficient and fast, and it doesn’t require much computer processing power. It transmits a large amount of data quickly. The one weakness is that you have to share the key between the two parties that are exchanging data.

The most common way to share is to use a password that serves as the key. The problem is if anyone discovers the password, they could decrypt 100% of the data that has been shared. This is where asymmetric encryption comes in handy. 

Asymmetric Encryption

To add further protection, VPN services use a combination of techniques. Asymmetric encryption is a type of public-key cryptography where each user involved has two keys — one private and one public. 

Each person has one key that everyone can see, and one that no one else can access. These are different from each other. The public key is to encrypt the message, and the private is used to decrypt the data. 

Asymmetric encryption isn’t fast or very efficient, so it is only used for the “handshake,” as they say. This generally happens at the start of the VPN session. 

How to Find The Best VPN Solution

A VPN is a secure solution for home users and businesses alike. Without using a VPN, there’s an array of sensitive information that’s exposed to potentially malicious users. This technology offers you enhanced security and remote control. This can lead to an increase in productivity all around. 


According to VPN Watch – VPN reviews, there are a few questions that you should consider before installing a VPN for your business. It’s important to ask yourself how and why you plan on using the service. Many available remote access VPNs offer different levels of speed and encryption. 

No matter your reason for installing a VPN, the service should offer:

  • A free trial to test out the service before you invest any money
  • Speed
  • Connectivity and stability
  • A large number of servers
  • Cross-platform apps
  • Privacy policy
  • Outstanding customer support

This service will also allow you to share files securely within a group. A good VPN network is relatively low-cost to maintain. You may even notice gains in bandwidth and efficiency with a VPN solution. 

The Verdict

Now that you know how VPN encryption works, you can ensure that your data is safe from sneaky eyes. These services offer a range of benefits and solutions, which come in handy for remote working and managing employees around the globe.

The post VPN Encryption: How to Find the Best Solution appeared first on Cloud Academy.

Can the Cloud be Trusted with Your Business Data?
https://cloudacademy.com/blog/can-the-cloud-be-trusted-with-your-business-data/
Tue, 30 Jun 2020 12:39:36 +0000

There are so many benefits to storing your data in the cloud – but a lot of businesses are against using the cloud due to concerns over security. In fact, 63% of small and medium-sized businesses believe that the cloud should be doing more to protect the data of businesses. So, can you trust the cloud with your business data?

Ultimately ‘the cloud’ is just another business handling your data. So, the question of whether or not you can trust the cloud is really whether or not you can trust that business. It is absolutely essential that you research the provider you are thinking of using thoroughly, to ensure that they put your data security first.

If you’re still learning the basics of cloud migration, you can check out Cloud Academy’s Cloud Migration Learning Paths. You can quickly learn best practices, test your skills using live cloud environments, and build the skills you need to help migrate your business. Or if you’re more interested in security, Cloud Academy has an entire Security Training Library designed to get you up to speed with the latest concepts and practices in cybersecurity.

In this article, we’ll take a look at whether cloud data storage could be right for you, and how to establish whether you can trust cloud providers with your data. However, it is important first to understand why you might choose the cloud in the first place. Let’s take a look at some of the advantages.

The advantages of storing data in the cloud

The alternative to storing data in the cloud is keeping all of your business information on in-house servers. However, building your own data center comes with a number of drawbacks – it is expensive, energy-hungry, and extremely time-inefficient. Managing a server can take up a great deal of time for your IT department. 

When you use the cloud, you are essentially outsourcing your in-house data center to specialists who do all of the maintenance for you. It also means you avoid the costs of running energy-sapping servers around the clock, and you save physical space on your premises.

Better yet, cloud storage is far more flexible and scalable. If you need more space in your data center, you’ll need to add an expensive server, potentially with far greater capacity than you actually require. With cloud storage you only pay for what you use – this means you’ll be reducing your costs and making things easier for your company to run. 

The risks of cloud storage

While you might be well aware of all of the benefits of cloud storage, you may not yet be convinced by the security measures in place. Some businesses are against the idea of using cloud storage because they either don’t understand the security measures in place, or they aren’t sure whether their data will remain secure.

In some ways, this is warranted. No matter what security features are put in place, cybersecurity can never be 100% guaranteed. Cybercriminals are becoming more and more sophisticated, and whether through phishing, DDoS attacks, or any of myriad other methods, attackers can compromise a business.

But another serious issue for businesses is the concept of data privacy. Ultimately, your data stored on the cloud is in the hands of another organization, and governments are in a position to put pressure on these organizations and request information. While many cloud providers stake their reputation on their privacy, companies will nevertheless hand over some data to government agencies.

Reasons to trust the cloud with your data

Security benefits

Of course, it is also important to remember that while these issues should be in your mind, storing data in the cloud can actually have a number of positives from a security perspective too. It is in the interest of cloud storage providers to ensure that their premises are highly secure. Not only are servers typically a long way away from employees, but they also benefit from a huge amount of physical and cybersecurity measures.

Service providers will encrypt their data, as well as putting in extremely powerful cybersecurity software and processes – the kind of cybersecurity that is simply not practical or cost-effective for standard businesses. This makes hacking into cloud storage providers an extremely arduous task, and it is enough to put many off even trying.

With in-house servers, your data could potentially be vulnerable to malware infections and ransomware attacks, while the chances of these being deployed effectively against cloud service providers are extremely slim. 

Better still, cloud services will comprehensively back up their own servers and have multiple copies of the data available. This means that they are not at risk of possibilities such as a fire in the building or a critical error, which could be an issue should your business use an in-house data center. 

How cloud vendors protect data

In order for your business to feel that it can trust the cloud services provider, you need to understand the kind of defenses that they have put in place. When you start evaluating your cloud storage provider, you should assess them based on whether they have key security measures. 

Here we provide a list of some of the most important security features that a cloud services provider should have:

Physical measures

The first thing to establish is whether the cloud services provider has physical security measures in place. If cybercriminals are able to gain physical access to the premises of a cloud storage provider, this can be just as damaging as a cyberattack. 

One issue here is the physical location of the servers – does the provider offer data centers in a number of different locations? Spreading your data over multiple data centers is an excellent way to minimize the risk of data loss or theft. 

At the cloud provider’s premises, there are also many physical security measures that the company should have in place, such as CCTV for round-the-clock surveillance and concrete barriers to prevent vehicular access and ram-raiding.

“Whether it’s keeping travelers off a site permanently or for use as part of an ongoing construction or maintenance project, or even to block off disused vehicle entrances, concrete blocks and barriers offer security on a permanent basis.” (Maltaward)

Encryption 

One of the major lines of defense for any cloud security provider is encryption. Cloud providers use encryption algorithms to conceal the data they store. Encrypted data is useless, and functionally impossible to decode, without the encryption key, because recovering it by brute force would take so much time and computing power that the operation would be pointless.

Data encryption is regarded as one of the most important measures of cybersecurity, as it means that even if your data is able to be taken by criminals, they will not have access to it, and will not be able to use it in any way. 

Look for cloud services providers who provide local encryption and decryption of your files, as well as offering backup and storage. This means that your data remains encrypted at every step in the process.

Cloud security controls

Your cloud services provider should also put a number of cloud security controls in place so that data is secure at all times. There are many different types of controls, so you need the provider to give you an understanding of which key measures they use. Some of the most important include:

  • Preventative controls – while these cannot eliminate vulnerabilities in the system, preventative controls strengthen the system as a whole. They could include things such as authentication for cloud users, making it impossible for unauthorized users to access the system.
  • Deterrent controls – these are effective in reducing attacks against the system, informing potential attackers of the powerful protections in place.
  • Detection controls – these controls detect and respond to any incidents that occur against a system. They can include system, network, and endpoint monitoring.
  • Reactive controls – these controls attempt to limit the damage of an attack against the system. For example, they might restore a system backup in order to rebuild the system.

Final thoughts

No system is perfect, and this is the same for cloud service providers too. However, if you choose a provider with powerful defenses, your business can benefit from the many security advantages of using the cloud to store your data. You can additionally mitigate any risks by putting strong cybersecurity procedures in place in your own system, and ensuring that you have a backup of all data in the event of a worst-case scenario. 

The post Can the Cloud be Trusted with Your Business Data? appeared first on Cloud Academy.
