Mitigating Unauthorized Access to Data - Logical Separation on AWS

Mitigating Unauthorized Access to Data

Preventing unauthorized access requires practicing proper security hygiene and implementing robust preventive and detective capabilities. For example, systems should be designed to limit the “scope of impact” of security events so that one node with unauthorized access has minimal impact on any other node in the enterprise. Hyperscale CSPs, such as AWS, provide a full security tooling environment to enable customers to maintain encrypted communications and implement tampering protections to mitigate the risk of unauthorized access. AWS does not have visibility into, or knowledge of, the content or data inside a customer account, including whether or not that content includes any personal information. AWS customers are empowered to use various techniques such as encryption, tokenization, data decomposition, and cyber deception to render content unintelligible to AWS or other parties seeking access to its content.

  • Encryption – Appropriately encrypting data can make the data unreadable. This means storing encrypted data in the cloud, regardless of location, can provide adequate protection against the vast majority of exfiltration attempts. It is crucial that the encryption keys for the data are carefully managed to ensure strong protections are maintained against any intercepting party. AWS provides services that can deliver these capabilities at an enterprise level with AWS CloudHSM or AWS KMS.[8] How much control customers retain over the encryption method and over the storage and management of the cryptographic keys used with their data is up to the customer.

  • Tokenization – Tokenization is a process that allows you to define a sequence of data to represent an otherwise sensitive piece of information (e.g., a token to represent a customer’s credit card number). A token is meaningless on its own and cannot be mapped back to the data it represents without the tokenization system. Token vaults can be constructed in VPCs to store sensitive information in an encrypted form while sharing tokens out to approved services, so that only obfuscated data is transmitted. In addition, AWS has a number of partners that specialize in providing tokenization services that integrate with popular databases and other storage services.

  • Data Decomposition – This is a process that reduces data sets into unrecognizable elements that have no significance on their own.[10] These elements or fragments are then stored in a distributed fashion so that any unauthorized access to one node would yield only an insignificant data fragment. A particular advantage of this technique is that it requires an unauthorized user to access all nodes, obtain all fragments, and know the algorithm (or fragmentation scheme) to piece the data together in a coherent way.

  • Cyber Deception Defense – Cyber deception architectures and solutions can be a key component for mitigating advanced security events. Deception solutions can use highly sophisticated traps and decoys to present an unauthorized party with the perception that they have infiltrated the system while in reality diverting them to a highly controlled environment. Intelligence about the unauthorized party is gathered to mitigate future attempts, and the issue is neutralized.
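The tokenization and data decomposition bullets above describe two techniques that compose naturally: a token vault that hands out meaningless tokens, with the sensitive value behind each token held only as fragments spread across separate storage nodes. The following Python is an added example written for this page, not AWS code or any partner product; the `TokenVault` class, its in-memory `nodes` list (standing in for separate datastores in a VPC) and the card number are all constructed for illustration. Decomposition uses XOR splitting: every fragment but the last is uniformly random, so any single node, and indeed any n-1 nodes, reveal nothing about the value.

```python
import secrets
from typing import Dict, List

# --- Data decomposition: XOR splitting into n fragments ----------------------
# All fragments except the last are random bytes; the last is the data XORed
# with all of them. Any n-1 fragments are statistically independent of the
# data, so an intruder on one node obtains only noise.

def decompose(data: bytes, n_fragments: int) -> List[bytes]:
    """Split data into n_fragments pieces; every one of them is needed to rebuild it."""
    if n_fragments < 2:
        raise ValueError("need at least two fragments")
    fragments = [secrets.token_bytes(len(data)) for _ in range(n_fragments - 1)]
    last = bytes(data)
    for frag in fragments:
        last = bytes(a ^ b for a, b in zip(last, frag))
    fragments.append(last)
    return fragments


def recompose(fragments: List[bytes]) -> bytes:
    """XOR all fragments together; with any fragment missing the result is noise."""
    if not fragments:
        raise ValueError("no fragments supplied")
    length = len(fragments[0])
    out = bytes(length)
    for frag in fragments:
        if len(frag) != length:
            raise ValueError("fragment length mismatch")
        out = bytes(a ^ b for a, b in zip(out, frag))
    return out


# --- Tokenization: a toy vault that stores the real value only as fragments --

class TokenVault:
    """Constructed token vault (hypothetical, not an AWS service).

    `nodes` stands in for n separate datastores. The vault issues random
    tokens; the sensitive value behind a token exists only as one fragment per
    node, so neither the token, the vault index, nor a single node reveals it.
    """

    def __init__(self, n_nodes: int = 3):
        self.nodes: List[Dict[str, bytes]] = [{} for _ in range(n_nodes)]
        self._issued = set()

    def tokenize(self, sensitive: str) -> str:
        token = secrets.token_hex(16)  # 128 random bits, unrelated to the value
        fragments = decompose(sensitive.encode("utf-8"), len(self.nodes))
        for node, frag in zip(self.nodes, fragments):
            node[token] = frag
        self._issued.add(token)
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, which can reach every node, maps a token back."""
        if token not in self._issued:
            raise KeyError("unknown token")
        return recompose([node[token] for node in self.nodes]).decode("utf-8")

    def fragment_on_node(self, token: str, node_index: int) -> bytes:
        """What an intruder who reached a single node would see for this token."""
        return self.nodes[node_index][token]


if __name__ == "__main__":
    vault = TokenVault(n_nodes=3)
    card = "4111111111111111"  # constructed sample number
    tok = vault.tokenize(card)
    print("token:", tok)
    print("one node sees:", vault.fragment_on_node(tok, 0).hex())
    print("vault recovers:", vault.detokenize(tok))
```

Because the fragments are the same length as the data, an intruder learns the length of the protected value but nothing else; a production vault would pad values to a fixed size and encrypt each node's store with a separately managed key (for example under AWS KMS) so that key compromise and node compromise are independent events.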

AWS also monitors for unauthorized remote management and expeditiously disconnects or disables unauthorized remote access once it is detected. All remote administrative access attempts are logged, and the logs are reviewed, not just by humans for suspicious activity, but also by automated machine-learning systems built by the AWS Security team to detect unusual access patterns that may indicate unauthorized attempts to access data. If suspicious activity is detected, the incident response procedures are initiated. Further, AWS has established formal policies and procedures to delineate standards for logical access to the AWS infrastructure and hosts. The policies also identify functional responsibilities for the administration of logical access and security. Unless prohibited by law, AWS requires that all employees undergo a background investigation commensurate with their position and level of access. Finally, customer virtual instances are solely controlled by the customer who has full root access or administrative control over accounts, services, and applications. AWS personnel do not have the ability to log into customer EC2 instances or ECS/EKS containers.

Duties and areas of responsibility (for example, access request and approval, change management request and approval) must be segregated across different individuals to reduce opportunities for an unauthorized or unintentional modification or misuse of AWS systems. AWS personnel with a business need to access the management plane are required to first use multi-factor authentication, distinct from their normal corporate Amazon credentials, to gain access to purpose-built administrative hosts. These administrative hosts are systems that are specifically designed, built, configured, and hardened to protect the management plane. All access is logged and audited. When an employee no longer has a business need to access the management plane, the privileges and access to these hosts and relevant systems are revoked. AWS has implemented a session lockout policy that is systematically enforced. The session lock is retained until established identification and authentication procedures are performed.

AWS enables organizations to retain audit records that support after-the-fact investigations of security events and the ability to meet regulatory and organizational information retention requirements. Customers can retrieve cloud audit logs and reports by leveraging CloudTrail and CloudWatch Logs, which they can then provide to the appropriate authorities. These solutions enable AWS customers to respond directly to law enforcement requests for information, enabling government officials to get the information that they require without accessing underlying customer content. For additional information on “compelled disclosure” or law enforcement access to data, see the AWS Data Residency whitepaper.
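The paragraph above notes that customers retrieve CloudTrail records to support after-the-fact investigations. The following Python is an added example, not AWS code: it takes a CloudTrail delivery file (the `{"Records": [...]}` layout CloudTrail writes to S3) and extracts the access-denied and failed console sign-in events an investigator would hand over, grouped per principal. The records, account ID, user names and addresses are constructed for illustration; the field names used (`eventTime`, `eventName`, `eventSource`, `userIdentity`, `sourceIPAddress`, `errorCode`, `responseElements`) are standard CloudTrail record fields.

```python
import json
from collections import Counter
from typing import Dict, List

# Error codes CloudTrail records when an API call is refused by authorization.
DENIED_ERROR_CODES = {
    "AccessDenied", "AccessDeniedException",
    "Client.UnauthorizedOperation", "UnauthorizedOperation",
}

# Constructed sample delivery file (not real log data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:12Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:01:05Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventTime": "2024-05-01T10:01:09Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventTime": "2024-05-01T10:01:14Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventTime": "2024-05-01T10:02:30Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
]})


def load_records(raw: str) -> List[dict]:
    """CloudTrail delivers files as {"Records": [...]}; return the record list."""
    return json.loads(raw)["Records"]


def principal(record: dict) -> str:
    """Identify who made the call: the ARN when present, else type/userName."""
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or f"{ident.get('type', 'Unknown')}/{ident.get('userName', '?')}"


def is_failed_access(record: dict) -> bool:
    """Refused API call, or a console sign-in that CloudTrail marked as a failure."""
    if record.get("errorCode") in DENIED_ERROR_CODES:
        return True
    resp = record.get("responseElements") or {}   # may be null in real records
    return record.get("eventName") == "ConsoleLogin" and resp.get("ConsoleLogin") == "Failure"


def failed_access_events(records: List[dict]) -> List[dict]:
    return [r for r in records if is_failed_access(r)]


def denied_by_principal(records: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Principals with at least `threshold` refused attempts: candidates for follow-up."""
    counts = Counter(principal(r) for r in failed_access_events(records))
    return {p: n for p, n in counts.items() if n >= threshold}


def evidence_lines(records: List[dict]) -> List[str]:
    """One chronological line per failed attempt, suitable for an investigation report."""
    rows = sorted(failed_access_events(records), key=lambda r: r["eventTime"])
    return [
        f"{r['eventTime']} {principal(r)} {r['eventSource']}:{r['eventName']} "
        f"from {r['sourceIPAddress']} -> {r.get('errorCode') or 'ConsoleLogin failure'}"
        for r in rows
    ]


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for line in evidence_lines(recs):
        print(line)
    print("repeat offenders:", denied_by_principal(recs))
```

Counting refusals per principal is what makes the output useful for a response: a single AccessDenied is usually a misconfigured policy, whereas a burst of refusals across several services from one identity and source address is the pattern worth escalating. The same functions apply unchanged to records fetched from S3 or from CloudWatch Logs, since both carry the CloudTrail record schema.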