In our last article, we took a look at some of the most common compliance regulations that affect IT organizations and their cloud strategy. Understanding the requirements around compliance can help to inform your cloud infrastructure plans, but it is only part of the equation. Today, I want to talk about how the recently announced (AWS re:Invent 2016) AWS Shield can help organizations put some of these complex issues into perspective within a more comprehensive security policy.
We talked about the following compliance regulations in our previous blog post:
- Sarbanes-Oxley Act (SOX)
- Dodd-Frank Act
- Health Insurance Portability and Accountability Act (HIPAA)
- Federal Information Security Management Act (FISMA)
- Payment Card Industry Data Security Standard (PCI DSS)
Each of these has regulations or standards surrounding networks, encryption, data security, access and transmission. Although some of these are more demanding than others, we will limit our conversation today to the larger requirements contained in the PCI standard. Each of the federal regulations listed above shares pieces or parts of the standards created by the credit card companies during the definition of PCI DSS, so by discussing those requirements we cover our bases on the others, either directly or indirectly.
What is AWS Shield?
We have an excellent blog post right here that will give you a detailed breakdown of all of the features. But in short:
AWS Shield is a managed service, meaning they do the lifting for you while you offload the responsibility of Denial of Service attacks onto Amazon Web Services… AWS’s intention at launch is to have the service active for users at the outset, then offer an advanced level that works in conjunction as an add-on to Elastic Load Balancing, CloudFront, and Route 53. These are the primary services dealing with the OSI model that AWS is concerned with when it comes to advanced security.
Why AWS Shield is Important for Cloud Compliance
One of the most common threats to online applications is the DDoS attack (Distributed Denial of Service). These attacks overwhelm the server or services that an application relies on with more requests than it could possibly handle, resulting in sporadic connectivity, errors or full-blown outages. Most IT organizations (even government and financial institutions) struggle to mitigate and then recover from these types of attacks. They can come in several forms, and each one needs to be identified and then mitigated in a different way. The three types of DDoS threats that AWS Shield is focused on are:
- Volumetric Attacks – This type of attack bombards a network with more traffic than it can handle.
- State-Exhaustion Attacks – Here, stateful protocols (those whose connection state needs to be maintained by hardware or software) are used to exhaust the resources available to track those connection states.
- Application Layer Attacks – Generally considered the most complicated attacks, these are “fuller” attacks designed to consume vast resources (for example, floods of HTTP or HTTPS GET requests, or opening many connections to a service) and will reserve and consume memory until the application is unresponsive.
By taking on the burden of detecting, responding to and mitigating these types of threats at various layers, AWS Shield helps to produce the documentation necessary to develop a comprehensive security profile that can withstand an audit.
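To make the three categories above concrete from a detection standpoint, here is an added example (not AWS Shield code, and not from the original post) that classifies constructed per-source traffic summaries into volumetric, state-exhaustion and application-layer findings. The counters, thresholds and sample addresses are all assumptions chosen to illustrate the distinction, not values AWS publishes.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class WindowStats:
    """Per-source counters summarised over one short window (constructed)."""
    src: str
    bits_per_sec: float       # inbound bandwidth attributed to this source
    syn_half_open: int        # SYNs seen with no completed handshake
    established: int          # fully established TCP connections
    http_get_per_sec: float   # HTTP/HTTPS GET requests per second
    avg_conn_hold_sec: float  # how long connections stay open on average

# Thresholds are assumptions for a small web tier, not AWS Shield values.
VOLUMETRIC_BPS = 500_000_000   # 500 Mbit/s from a single source
HALF_OPEN_MIN = 1000           # enough half-open sockets to matter
HALF_OPEN_RATIO = 0.8          # half-open entries dominate the state table
APP_GET_RATE = 200.0           # GET requests per second from one source
APP_HOLD_SEC = 30.0            # long-held connections tying up memory
APP_HOLD_MIN_CONNS = 500       # ...and enough of them to hurt

def classify(w: WindowStats) -> List[str]:
    """Return every category the window matches (a source may hit several)."""
    findings = []
    if w.bits_per_sec >= VOLUMETRIC_BPS:
        findings.append("volumetric")
    total = w.syn_half_open + w.established
    # The first test guarantees total > 0 before the division runs.
    if w.syn_half_open >= HALF_OPEN_MIN and w.syn_half_open / total >= HALF_OPEN_RATIO:
        findings.append("state-exhaustion")
    if w.http_get_per_sec >= APP_GET_RATE or (
        w.established >= APP_HOLD_MIN_CONNS and w.avg_conn_hold_sec >= APP_HOLD_SEC
    ):
        findings.append("application-layer")
    return findings

def triage(windows: List[WindowStats]) -> Dict[str, List[str]]:
    """Keep only sources with at least one finding, keyed by source address."""
    return {w.src: f for w in windows if (f := classify(w))}

# Constructed sample: one benign client and one source per attack category.
SAMPLE = [
    WindowStats("198.51.100.10", 2_000_000, 3, 40, 4.0, 1.5),        # normal browsing
    WindowStats("203.0.113.5", 900_000_000, 0, 1, 0.0, 0.0),         # bandwidth flood
    WindowStats("203.0.113.77", 30_000_000, 5000, 20, 0.0, 0.0),     # SYN flood
    WindowStats("203.0.113.99", 8_000_000, 10, 800, 350.0, 45.0),    # GET flood
]

if __name__ == "__main__":
    for src, findings in triage(SAMPLE).items():
        print(src, ", ".join(findings))
```

In practice these counters would come from flow logs or load balancer metrics rather than a hand-built list; the point is that each category needs its own signal, which is why the post stresses layer-specific monitoring.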
Security Profile and Audit Requirements
Generally the most onerous and specific requirement in PCI DSS (and thus in most of the other regulations) is documenting your process: detailing your environment and who has access to it, and then defining your mitigation and reporting strategy. Most IT organizations are not significantly challenged by the first two items in the development of their Security Profile (which is what this documentation defines in terms of an audit), but are less confident about the definition of their notification, mitigation and reporting strategy.
AWS Shield offers two “models,” AWS Shield Standard (free, available to everyone by default) and AWS Shield Advanced (with associated monthly fees). Organizations that have light needs for monitoring and mitigation can stay with AWS Shield Standard and receive:
- Active Monitoring – AWS will monitor the incoming network for your environment and make basic reporting on it available in CloudWatch.
- DDoS Mitigations – AWS will help protect against the most common DDoS attacks (SYN flood, UDP reflection, etc.).
Note that anyone experiencing an issue can upgrade to AWS Shield Advanced at any time and begin realizing its benefits, which include (in addition to everything in AWS Shield Standard):
- Automated Application Traffic Monitoring (Layer 7 of the OSI Model)
- DDoS Mitigation Capacity (allowing you to quickly provision additional capacity to help temporarily absorb the effects of a suspected DDoS attack until it ends or can be resolved)
- Attack Notification and Forensic Reporting (Layers 3/4 of the OSI Model)
- Historical Attack Reports (Layers 3/4/7 of the OSI Model)
- Incident Management (during high severity events, the AWS team will manage the incident communication as well as reporting on ongoing mitigation efforts)
- Custom Mitigations (the AWS team will help to develop mitigations that are specific to the needs of your application and customers)
- Post Attack Analysis (a post mortem to discuss everything related to the attack and planning around future preventions or additional needed mitigation plans)
- Cost Protections (can be EXTREMELY important, as you avoid the additional charges for the extra capacity consumed in Route 53 DNS, CloudFront and Load Balancing during an attack, which could be significant depending on the size and duration of the event)
With this information, this level of reporting and a clearly defined process, IT organizations can now fully develop a defensible security profile in order to assess their risk in the cloud. With the AWS Shield offering in place, defining a detection and mitigation process no longer stands in the way of wholesale infrastructure, data and application moves to the AWS cloud.