Cloud Computing escalates the security risks of an organization. This happens because of the extended trust boundary associated with deploying IT assets beyond the data centers of the asset owners. The trust boundary exposes organizations to such risks as internal malicious actors, man-in-the-middle attacks, ransomware attacks, and more. In order to mitigate these risks, cybersecurity experts have come up with frameworks to address cloud security - risks related to unauthorized access and risks related to the data breach.
In this article, we shall discuss a three data-oriented security mechanisms developed by cloud service providers and give examples of how AWS implements mechanisms to mitigate the risk of data breaches.
The following terms are used in this article and thus need to be clarified. These definitions are sourced from resources available from Arcitura and other experts on cloud security.
Malicious intermediary - This refers to a security threat that arises when messages are intercepted and altered by a malicious service agent. The confidentiality and/or integrity of the message are hereby compromised. The malicious agent may also insert harmful data into the message before forwarding it to its destination.
Trust Boundary - A trust boundary is a logical perimeter that typically spans beyond an organization's physical boundaries. It represents the extent to which IT resources are trusted. If physical IT resources within a cloud are shared by different cloud service consumers, these cloud service consumers have overlapping trust boundaries. Malicious cloud service consumers can target shared IT resources with the intention of compromising cloud consumers or other IT resources that share the same trust boundary.
Authentication - This is the process of verifying the identity of a user or device requesting access to a resource. Authentication is typically achieved using a variety of techniques, such as challenging the requester to supply something they know, something they have, something they are, or any combination of these elements. These are referred to as the three factors of authentication.
Authorization - The process of granting or denying access to resources based on the identity of the user or machine. Authorization is achieved through a variety of mechanisms, such as access control lists (ACLs), role-based access control (RBAC), and attribute-based access control (ABAC).
Authentication and authorization are two of three common combined processes for controlling access to computing resources. The third "A" in this "AAA" trinity is accounting. One can think of these three processes as asking basic questions:
- Authentication - Who are you?
- Authorization - What can we let you do?
- Accounting - What have you done?
Cloud Security Mechanisms
This section does not discuss all security mechanisms. We focus on three data-oriented security mechanisms specifically: encryption, hashing, and digital signatures. We consider these mechanisms data-oriented because these mechanisms focus on protecting data at rest, in motion, or in use rather than just controlling access to the systems where such data is stored.
Encryption is the process of converting data into a code or cipher that can be securely transmitted or stored without being accessed by unauthorized users. It is critical to the protection of sensitive or confidential information from interception or theft.
Encryption mechanisms are mathematical algorithms that transform the original plaintext into ciphertext - the encrypted form of the data. These algorithms apply keys to plaintext to produce ciphertext. The same key must be used to decrypt the ciphertext back into plaintext. An encryption algorithm could be symmetric or asymmetric. Symmetric key encryption algorithms use the same key for both encryption and decryption, while asymmetric key encryption algorithms use a public key for encryption and a private key for decryption.
The encryption mechanism mitigates the following security threats:
- Malicious intermediary - confidentiality of message data received is protected
- Insufficient Authorization - Will protect the confidentiality of the message data is protected if the intention of the intermediary is to steal message data
- Overlapping trust boundaries - Encryption can be applied to data exchanged or residing within overlapping trust boundaries preventing access by attackers that exploit these trust boundaries.
Hashing is a process of converting data into a fixed-size key that represents the original data in a unique and irreversible manner using a mathematical algorithm. The output of this process is a hash value or digest.
Hashing is commonly used in computer science and information security to validate data integrity, store passwords securely or create digital signatures. Common hashing algorithms include MD5, SHA-1, SHA-2, and SHA-3.
A digital signature is created by applying an algorithm to a document or message, which produces a hash. The hash value is then encrypted using the sender's private key, which creates a digital signature that can be attached to the data being sent. The recipient can then use the sender's public key to verify the digital signature and confirm that the data was not altered during transmission. In other words, Digital Signatures combine encryption and hashing to secure data.
Digital signatures provide several benefits, including:
- Authenticity: Digital signatures verify that the sender of the message or document is who they claim to be.
- Integrity: Digital signatures ensure that the document or message has not been tampered with or altered during transmission.
- Non-repudiation: Digital signatures provide proof that the sender cannot deny sending the document or message.
Digital signatures use encryption and hashing. If the contents of a message are altered, the digital signature is invalid.
- Malicious intermediary - the integrity of message data received by intermediaries is protected
- Insufficient Authorization - The use of DS provides a means to detect alterations if an attacker modifies the message
- Overlapping trust boundaries - Digital Signatures can be applied to data exchange within overlapping trust boundaries and between IT resources.
Cloud Security Mechanisms in AWS
Amazon Web Services (AWS) provides data-oriented cybersecurity capabilities through their wide range of services. Some services are designed to deliver these security mechanisms, while others have the mechanisms built in as part of the service to ensure data is secure.
Providing AWS Data-Oriented Security Mechanisms.
Here are some AWS Services that provide data-oriented security mechanisms to protect your data.
Amazon KMS (Key Management Service)
KMS is a managed service that provides a centralized key management system for encrypting data in various AWS services. It offers a secure and scalable way to create, manage, and use encryption keys.
AWS Secrets Manager
Secrets Manager helps you protect secrets, such as database credentials and API keys, by storing and managing them securely. It provides encryption of secrets at rest and in transit, as well as automatic rotation of secrets for better security.
AWS CloudHSM (Cloud Hardware Security Module)
CloudHSM provides dedicated hardware security modules to protect sensitive data by providing secure key storage and cryptographic operations. It is a fully managed service that helps you meet regulatory and compliance requirements.
AWS Services that Leverage Data-Oriented Security Mechanism
The following services leverage the security mechanisms to improve data security.
Amazon S3 (Simple Storage Service)
S3 provides multiple security features for data protection, including server-side encryption with Amazon S3-managed keys, client-side encryption, bucket policies for access control, and access logs for audit trails.
Amazon RDS (Relational Database Service)
RDS offers security features such as encryption at rest, SSL/TLS encryption for data in transit, IAM database authentication, and VPC security group for network access control.
Redshift provides multiple security features, including encryption at rest, SSL/TLS encryption for data in transit, IAM authentication for user access control, and VPC security groups for network access control.
Encryption Options in Amazon S3
When you create a bucket in Amazon S3, you are given the option of Amazon S3 managed Keys or AWS Key Management Service. Both of these options are sub-sets of Server-Side Encryption which is the default for Amazon S3 (See Figure 1). According to AWS, starting January 2023, all new object uploads to Amazon S3 are "automatically encrypted at no additional cost and with no impact on performance".