How secure is AWS for ecommerce businesses? As an IT leader of an ecommerce company, responsibility to conduct a thorough risk assessment of AWS is always on your onus. To this end, this question of how secure is AWS for your business might keep echoing in your mind time and again. Right. So, do you see security of your ecommerce business as a knife incessantly hanging on top of your head?
Just so you may know, AWS is not completely responsible for the security of any system built in AWS, however, it provides many tools that help reinforce security best practices, including audit tools, compliance checkers and more. The AWS’ Shared Responsibility Model explains it how.
The backdrop for how secure is AWS for ecommerce?
Gartner says that “Through 2020, 95 percent of cloud security failures will be the customer’s fault.” The reportclearly indicated that cloud security failures until 2020 will be caused by the users rather than cloud service providers. So, as a user of AWS and as a IT leader of an ecommerce company, you should be able to differentiate between the security ‘of’ the cloud and security ‘in’ the cloud.
When we say security of the cloud, it refers to the security of the physical and staff resources of AWS. However, when we say security in the cloud, it refers to the security of systems built on top of AWS. Even though AWS provides a simplified system for administrators to both implement and audit standard security measures, it by no means replaces these traditional measures nor promises the security of your systems. Ultimately, the security of your system is your responsibility.
And one of the stepping stones towards securing your system is to ensure that your online business is complaint with industry security standards like Payment Card Industry — Data Security Standard (PCI-DSS).
AWS and the PCI-DSS Standard
The good news is that AWS Security helps ecommerce comply with PCI DSS Level 1 standard for physical security. This means that the underlying physical infrastructure has been audited and approved by an authorized independent Qualified Security Assessor. It’s interesting to note that, AWS was the first cloud platform to earn PCI DSS Level 1 compliance. AWS also provides all other building blocks necessary for PCI DSS Level 2 as part of its ecosystem.
Security Measures of PCI-DSS Compliance Level 2 & Other Standards
AWS, in collaboration with Anitian — a leading PCI Compliance Assessor, has published a whitepaper on the best practices. These practices have to be followed by ecommerce sites hosted on AWS. In order to ensure that the PCI-DSS, ISO270001, and other recommendations are implemented effectively, the following security measures need to be deployed along with the AWS apps.
- Implement Web Application Firewalls (either AWS WAF or 3rd party solutions such as ModSecurity) and ensure that sufficient rules are configured to protect against OWASP top 10 attacks.
- Ensure that all system defaults like port numbers protocols like SSH, username/passwords, etc. are modified periodically.
- Encrypt the entire data lifecycle, including “Data in Transit”, “Data in Use” and “Data at Rest”. For “Data in Transit”, AWS ELB (Elastic Load Balancing) should be deployed to enable SSL/TLS, which encrypts all data in transit. All the AWS resources holding critical data should in placed in appropriate security groups and NACLs, so that only secured protocols are used for data communication between them. For ‘Data at Rest’ in EBS and S3, AES256 encryption mechanisms should be used. The Private Keys can be stored in Key Management Systems (KMS) such as AWS KMS.
- Scan for Bots and other malware periodically using vulnerability scanners like OpenVAS, OWASP ZAP, and Nexpose, etc. By doing so, it will ensure that there are no ports opened due to negligence. Logging mechanisms like AWS CloudTrail should be enabled. Tools like AWS Cloud Watch can be used to monitor and detect anomalies in system behavior and performance.
- Proper management of identification and authentication of the people who can access the network resources is very critical. Because, this avoids hackers gain access to the network through identity theft methods. The System administration should be limited to very few set of people to reduce the probability of identity theft. AWS IAM (Identity and Access Management) tool should be linked Active Directory services using AWS Directory Services for securing Identity Management. Constant monitoring of access of protocols like SSH will also help detecting any malicious intrusions into the Network.
Even if an ecommerce website has obtained compliance for PCI DSS Level 2, it does not mean it is secure from cyber-attacks like DDOS. Security is not a destination like one time configuration setup. It is a continually ongoing journey. Hence, constant monitoring of the security posture is essential. Moreover, leading organizations today advocate security testing to be integrated with the DevOps process such that security tests like vulnerability scanning is performed every time a software update is made.
Checkout Botmetric’s Security and Compliance application, which can help DevOps to reinforce, manage, monitor, and govern AWS cloud Security measures mentioned above. Sign-up for a 14-day trial to get a hands-on experience of what Botmetric offers.
As an IT leader of an ecommerce company, if you want to know other AWS security facts and tips, do read the Botmetric blog, 5 Surefire AWS Security Best Practices (Not Just) For Dummies. And to know about 21 AWS Cloud Security Best Practices, read the Botmetric blog here. Also, get in touch with us on Twitter,LinkedIn, Facebook to know other facts about AWS and AWS security management.