Well-Architected Framework: A quick look
The Well-Architected (WA) framework is a set of best practices, distilled from implementations across organizations and industries, for building effective cloud solutions. Its optimized, automated, and orderly approach enables organizations to build highly reliable and secure workloads, plan efficient cloud deployments, and run cost-effective applications and infrastructure on the cloud.
In essence, these architecture frameworks as a whole provide direction, design concepts, and additional tools to build and operate applications on the cloud.
The five pillars of the Well-Architected framework of dominant cloud providers like AWS and Azure are Security, Operational Excellence, Cost Optimization, Performance Efficiency, and Reliability. While GCP folds performance into the cost pillar, the crux remains the same: each pillar provides strategies, best practices, design questions, recommendations, and remediation.
This article is the first in a 5-part series on the pillars of the Well-Architected audit, and we begin with an in-depth look at the security pillar.
Security design standards: Expert Say
As per the 2020 Cloud Security Report sponsored by (ISC)², 93% of organizations are concerned about cloud security, and one in four organizations confirmed a cloud security incident in the past 12 months.
Security is one of the prime pillars of the WA framework and encompasses data, infrastructure, and asset protection. It facilitates integrity, confidentiality, and backup of information while enabling risk assessments and mitigation plans. Before workloads are architected on the cloud, organizations need to assign experts and devise security practices so that end-to-end security and compliance strategies are in place right from the inception stage.
Moreover, conducting periodic structured audits enables traceability and enhances the enterprise’s security posture, making it better prepared for security incidents. Regulating identification and authorization, and utilizing cloud technology tools across all layers of the cloud setup, are assessment techniques adopted to determine a defined security approach on the cloud.
For example, AWS uses its shared responsibility model: infrastructure, the physical network, and virtualization are overseen by AWS alone, whereas customers are solely responsible for securing data, applications, and identity management in the cloud.
The Key elements of the Security pillar
The AWS- and Azure-recommended security approaches address identity and access management, detection controls, infrastructure protection and network security, data protection, and incident response.
Similarly, Google’s infrastructure security design covers the same areas of security solutions under different names. GCP’s trust and security model consists of Service Identity, Integrity, and Isolation; Inter-Service Access Management; Encryption of Inter-Service Communication; and Access Management of End User Data.
- Identity and access management (IAM):
Establishing authorized user accounts with designated permissions that adhere to security and regulatory compliance requirements is the first step in securing resources on the cloud.
GCP and AWS privilege management is supported by the IAM service, which enforces multi-factor authentication together with least-privilege roles, password policies, and controlled credentials.
Azure emphasizes categorizing access permissions into groups, sub-groups, and roles via Azure Active Directory (AD), enabling secure access to VMs, app services, and storage accounts on the cloud with its single sign-on, multi-factor verification, and role-based access control.
- Detection controls
Potential threats and incidents are identified via detection controls such as log analysis and log management, which also define where data can be securely stored, archived, or deleted.
Audits are conducted to check whether cloud practices abide by the defined policy standards; they help examine the specified IT controls and set the right automated alerting notifications. These controls help diagnose the extent of a breach or peculiar activity, making data handling easy and cost-effective.
On AWS, CloudTrail logs AWS API calls, CloudWatch provides metric monitoring, AWS Config records configuration history, Amazon GuardDuty handles threat detection, and Amazon S3 server access logging records log access requests. Likewise, Azure offers built-in services such as Azure AD, Azure Monitor logs, Azure Security Center, Azure AD Anomalous Activity Reports, and the Azure Application Gateway Web Application Firewall, and GCP’s Security Command Center provides APIs, Security Health Analytics, and Cloud Audit Logs.
- Infrastructure and network security:
Infrastructure protection includes inspecting packets via AWS native tools or AWS Marketplace products, and using Amazon Virtual Private Cloud (VPC) to create a private, secured, and scalable environment. It monitors and controls networks, gateways, subnets, logging, and alerting on multiple levels to form a robust system.
AWS users can customize and tighten the configuration of Amazon Elastic Compute Cloud (EC2), Amazon EC2 Container Service (ECS), or AWS Elastic Beanstalk instances so that all newly launched virtual instances are proactively guarded. To avoid an instance being accidentally terminated, users can enable termination protection for that instance in the Amazon EC2 service. Similar protection is available for Azure VMs.
Azure’s network-as-a-service offering encompasses Azure Bastion, Azure Firewall Manager, DDoS Protection, Azure Network Watcher, and Azure Front Door.
GCP’s Cloud4C service is a network and endpoint monitoring tool comprising 40+ security controls and 26 security tools, covering next-generation firewalls, encryption, 24x7 proactive security investigation and monitoring, and integrated threat intelligence detection, to name a few.
- Data protection:
Securing sensitive data and retaining its integrity and availability are the most vital aspects of protecting data on the cloud. This can be achieved by classifying organizational data by level of sensitivity, applying encryption, maintaining file access logs, and managing keys automatically to prevent unauthorized data access.
AWS storage services like Amazon S3 Standard and Amazon Glacier provide exceptional elasticity and durability. Enabling versioning helps recover from accidental overwrites or deletes.
Similar to Azure Storage Service Encryption, AWS server-side encryption (SSE) for Amazon S3 makes it easy to store encrypted data, whereas Elastic Load Balancing (ELB) can handle HTTPS encryption and decryption (TLS termination) on behalf of the application.
Azure Key Vault controls the keys used by cloud applications and services to encrypt data, whereas Azure Disk Encryption encrypts VM disks.
- Incident Response (IR):
Teams can function productively if the cloud architecture is well designed, mature, and has preventive and detective controls in place. This helps organizations respond to and mitigate potential security events and restore operations to working condition.
Putting preventive tools and access in place before a security incident arises, and rehearsing incident response on a regular basis, further validates the capability of the cloud security architecture.
AWS incident response tooling, Azure Security Center alerts and recommendations, and GCP Security Command Center facilitate detailed file access and change logging. Incidents can be automatically processed and responded to using AWS APIs, and the tools needed can be provisioned beforehand via AWS CloudFormation.
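The detection-controls section above lists CloudTrail as the AWS service that logs API calls but does not show what a detection built on those logs looks like. The following is an added example, not code from the original article: it runs three security-pillar checks (root console login without MFA, tampering with the CloudTrail trail, and a security group opened to the whole internet) over constructed records shaped like CloudTrail event JSON. The account id, ARNs, IP address and group id are made-up sample values.

```python
"""Detection-control checks over CloudTrail-style records (added example).

The records below are constructed to mimic CloudTrail's JSON event shape;
they are not taken from any real account."""
import json
from typing import Dict, List, Optional

# Constructed sample events (assumed field layout follows CloudTrail records).
SAMPLE_RECORDS = [
    {   # root user signing in to the console without MFA
        "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7",
    },
    {   # someone switching the audit trail off
        "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"},
        "requestParameters": {"name": "org-trail"},
    },
    {   # SSH opened to 0.0.0.0/0 on a security group
        "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
        },
    },
    {   # benign read-only call, should produce no finding
        "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/audit"},
    },
]

TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def root_without_mfa(rec: Dict) -> Optional[str]:
    """Root account used interactively without a second factor."""
    if rec.get("eventName") == "ConsoleLogin" and rec["userIdentity"].get("type") == "Root":
        if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            return f"root console login without MFA from {rec.get('sourceIPAddress')}"
    return None


def trail_tampering(rec: Dict) -> Optional[str]:
    """Changes that weaken or disable the audit log itself."""
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and \
            rec.get("eventName") in TRAIL_TAMPERING_EVENTS:
        return f"{rec['eventName']} on trail {rec.get('requestParameters', {}).get('name')}"
    return None


def world_open_ingress(rec: Dict) -> Optional[str]:
    """Security group rule that admits traffic from any address."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = rec.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr in WORLD_CIDRS:
                return (f"{params.get('groupId')} allows {perm.get('ipProtocol')} "
                        f"{perm.get('fromPort')}-{perm.get('toPort')} from {cidr}")
    return None


CHECKS = (root_without_mfa, trail_tampering, world_open_ingress)


def analyze(records: List[Dict]) -> List[Dict[str, str]]:
    """Run every check over every record; one finding dict per hit."""
    findings = []
    for rec in records:
        for check in CHECKS:
            detail = check(rec)
            if detail:
                findings.append({"rule": check.__name__, "event": rec["eventName"],
                                 "actor": rec["userIdentity"]["arn"], "detail": detail})
    return findings


def analyze_jsonl(text: str) -> List[Dict[str, str]]:
    """Same checks over newline-delimited JSON, as exported log files are."""
    return analyze([json.loads(line) for line in text.splitlines() if line.strip()])


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"[{f['rule']}] {f['actor']}: {f['detail']}")
```

Each check returns a short explanation string so findings can be routed to an alerting channel; in a real deployment the records would arrive from CloudTrail delivery to S3 or from CloudWatch Logs rather than from the inline list.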
How to enhance security on the cloud?
We have often heard about the shared responsibility model, but here we want to talk only about the user’s side of it. Enterprise cloud-based systems can be developed and made more secure by:
- Ensuring effective compliance measures are implemented, assessed at periodic intervals, and tweaked as and when necessary to keep abreast of industry standards,
- Continuously protecting and evaluating data, networks, and architecture on the cloud using automation tools, as well as provisioning for data backup and recovery,
- Streamlining access credentials to systems through sound people, role, and identity management, and maintaining privacy policies,
- Deploying multi-factor authentication to shield user accounts and systems from attackers, and strengthening firewalls and encryption,
- Conducting audits of business operations and processes,
- Overseeing the security terms in the cloud service agreement, including during the exit process, and
- Establishing a constructive governance, risk, and compliance framework across the organization’s cloud estate.
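The list above asks for continuous evaluation of the cloud estate with automation tools and for periodic audits, and the key-elements section earlier names the concrete settings an auditor would look at: least-privilege IAM policies with MFA, S3 versioning and server-side encryption, and EC2 termination protection. The following is an added example, not code from the article or from CloudEnsure: a small audit that applies those security-pillar rules to a constructed inventory whose entries are shaped like the responses of the AWS IAM, S3 and EC2 describe calls. The policy, bucket and instance names are made up.

```python
"""Security-pillar configuration audit over a resource inventory (added example).

INVENTORY is constructed to resemble what IAM GetPolicyVersion, S3
GetBucketVersioning/GetBucketEncryption and EC2 DescribeInstanceAttribute
return; it is not pulled from a real account."""
from typing import Dict, List

INVENTORY = {
    "iam_policies": {
        # wildcard allow on everything: the classic least-privilege violation
        "AdminEverything": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        # scoped actions, scoped resource, and MFA required
        "S3ReadReports": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
             "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
    },
    "s3_buckets": {
        "example-reports": {"Versioning": "Enabled", "SSEAlgorithm": "aws:kms"},
        "example-scratch": {"Versioning": "Suspended", "SSEAlgorithm": None},
    },
    "ec2_instances": {
        "i-0aaaaaaaaaaaaaaaa": {"DisableApiTermination": True, "Tags": {"Role": "db"}},
        "i-0bbbbbbbbbbbbbbbb": {"DisableApiTermination": False, "Tags": {"Role": "db"}},
    },
}

# Actions that can change who has access; require MFA in the statement.
PRIVILEGED_PREFIXES = ("iam:", "sts:", "organizations:")


def _as_list(value) -> List[str]:
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _has_mfa_condition(stmt: Dict) -> bool:
    cond = stmt.get("Condition", {})
    return any("aws:MultiFactorAuthPresent" in cond.get(op, {}) for op in ("Bool", "BoolIfExists"))


def audit_iam_policy(name: str, doc: Dict) -> List[str]:
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard and "*" in resources:
            findings.append(f"IAM policy {name}: wildcard action on all resources (least privilege)")
        privileged = wildcard or any(a.startswith(PRIVILEGED_PREFIXES) for a in actions)
        if privileged and not _has_mfa_condition(stmt):
            findings.append(f"IAM policy {name}: privileged statement without MFA condition")
    return findings


def audit_s3_bucket(name: str, cfg: Dict) -> List[str]:
    findings = []
    if cfg.get("Versioning") != "Enabled":
        findings.append(f"S3 bucket {name}: versioning not enabled (no recovery from overwrite/delete)")
    if not cfg.get("SSEAlgorithm"):
        findings.append(f"S3 bucket {name}: no default server-side encryption")
    return findings


def audit_ec2_instance(instance_id: str, attrs: Dict) -> List[str]:
    if not attrs.get("DisableApiTermination"):
        return [f"EC2 instance {instance_id}: termination protection disabled"]
    return []


def audit_inventory(inv: Dict) -> List[str]:
    """Apply every rule to every resource and return the combined findings."""
    findings: List[str] = []
    for name, doc in inv.get("iam_policies", {}).items():
        findings += audit_iam_policy(name, doc)
    for name, cfg in inv.get("s3_buckets", {}).items():
        findings += audit_s3_bucket(name, cfg)
    for iid, attrs in inv.get("ec2_instances", {}).items():
        findings += audit_ec2_instance(iid, attrs)
    return findings


if __name__ == "__main__":
    for line in audit_inventory(INVENTORY):
        print("FAIL", line)
```

Rules are kept as separate functions so each maps to one line of the audit checklist; pointing the same functions at live describe-call output, or at AWS Config snapshots, turns the script into the periodic check the list above calls for.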
This is where tools like CloudEnsure come in handy, helping organizations lay down, adopt, and continuously adhere to the security pillar. In today’s technology-led, digitized world, it is even more vital for businesses to focus on safety, security, and privacy.
Modernizing compliance policies for banks, financial institutions, and insurance companies is essential to ensure they function within regulation. In 2020 alone, several banks globally received major fines amounting to $11.39 billion due to non-compliance. Employing SaaS tools to manage financial data or design investment strategies is another major area of development in the banking sector.
Healthcare organizations focus on upgrading their compliance policies to ensure data confidentiality and safe storage of patient information, and to enable ML-based predictive analysis for better medical diagnosis and treatment.
OTT platforms like Netflix and Hotstar implement cloud security measures to keep a check on credential compromises that may lead to infrastructure and data tampering or theft. Optimizing server capacity to enhance streaming, and scheduling application workloads on shared environments to increase performance, are additional drivers of cloud adoption.
The security pillar prioritizes the design and implementation of security governance in order to provision comprehensive, layered, and protected cloud-based applications.
However, to optimize and manage the use of cloud services, it is vital that all pillars of the cloud governance framework are given equal emphasis. Governance can be achieved only by ensuring all the pillars influence each other and function collaboratively.
Thus, for an optimal and well-governed cloud setup, it is vital that all the pillars of the governance framework work together on effective cost controls, operational excellence, reliability, and performance efficiency while adhering to security measures.
In the next article of this 5-part series, we will look at the performance efficiency pillar of the Well-Architected framework.