Top 3 Security Tips for Storing Your Digital Content & Media Workloads on AWS

Last year, the world saw a sharp increase in Distributed Denial of Service (DDoS) attacks aimed specifically at the world’s largest media and entertainment companies. DDoS attacks are used to flood a network, system, or application with more traffic, connections, or requests than it can handle. Think back to October 2016, when the Dyn attack occurred, causing the world’s largest social media sites to come to a screeching halt.

Despite these widespread attacks, AWS is continually making strong efforts to improve security standards and protocols to improve resiliency. However, security is still a top concern for companies migrating their digital media assets to the cloud. How can you be sure that your cloud service or access is not disrupted? In this blog, we share the top AWS security tips for storing your digital content and media assets in the cloud.

Leveraging AWS Shield (Managed DDoS Protection)

With the recent DDoS attacks in Q4 2017, Amazon quickly announced a managed protection service called AWS Shield , which safeguards web applications running on AWS. These services provide always-on detection and protect against the most common DDoS attacks, including SYN/ACK floodsUDP floodsapplication layer and reflection attacks (See figure 1 below). The great news is that this basic service is provided at no cost to AWS customers you because it comes standard with all AWS accounts. Customers  will also be notified when a DDoS attack occurs through CloudWatch.

DDoS attach trends

If you want even higher levels of protection, AWS offers a paid service called AWS Shield Advanced. This service offers additional detection and mitigation options against large and sophisticated DDoS attacks. This could be particularly important for large media or entertainment companies that are running their web applications on Amazon CloudFront or Amazon Route 53. AWS Shield Advanced also comes with the added comfort of a 24x7 AWS DDoS Response Team.

Data Encryption: Who Controls the Keys?

When it comes to cloud security concerns, the most common apprehension relates to data. Who owns the data, who controls it, and who can access it are important questions from cloud consumers. Fortunately, AWS offers over 1800+ security controls to ensure data is secure and compliant.

Data encryption in AWS focuses on two common areas; data at rest and data in motion. You can encrypt data at the client-side (data in flight). At the client-side, you can supply encryption keys or use keys in your AWS account to ensure data is protected. It’s available in Amazon S3Amazon EMR File System, and Amazon DynamoDB.

You can also encrypt at the server-side, encrypting data after it is received by an AWS service and is at rest. In this way, encrypting data at rest can be done in the file or database level. Server-side encryption integrates with Amazon S3Amazon EBSAmazon RDSAmazon RedshiftAmazon WorkspacesAWS CloudTrailAmazon Simple Email Service (SES)Amazon Elastic TrasnscoderAWS Import/Export Snowball, and Amazon Kinesis Firehose. AWS provides controls to encrypt everything automatically or as each piece of data is stored. (See figure 2 below)

DDoS-2

When you want to encrypt your data, you have some options using AWS Key Management Service (AWS KMS). AWS KMS is a managed service that enables a user to use encryption keys in your applications to control, rotate, and delete them as necessary. It’s used in both server-side and client-side encryption. You can also integrate them into CloudTrail which  provides auditable logs of key usage for compliance and regulation requirements. Many customers use a two-tiered key hierarchy, where AWS KMS encrypts data keys as a master and then uses the keys to encrypt your data at the server-side. (See figure 3 below)

KMS

Leveraging CloudTrail for Auditing

A third of companies in the US suffered a data breach in 2016, according to a study from BitdefenderJuniper Research found that cybercrime will cost businesses $2.1 trillion globally by 2019. When it comes to cloud security, businesses need to have controls and self-auditing in place to mitigate against increasing cyber security risks. AWS offers CloudTrail to help IT leaders get a history of APIs calls on your AWS account.

CloudTrail continuously records API calls made in your AWS account. It then delivers and stores log files and you can view a seven-day log of any recorded activity through the AWS Management Console. You can also monitor and receive alarms through CloudWatch and receive SNS notifications when specific activity occurs. CloudTrail is perfect for performing a security analysis of your AWS cloud environment, troubleshooting operational issues, and aids in compliance and regulation audits.

What Benefits Does CloudTrail Provide?

CloudTrail shows you who made an API call, when the API call was made, what the API call was, and which resources were used to make the call. All helpful features for performing security analysis and detecting user behavior patterns during a security analysis of your cloud environment. If you want to take your security analysis to the next level, you can even implement a log analytics stack using CloudTrail, Amazon S3, and Elastisearch, AWS Lambda, Amazon Machine Learning (ML), and Amazon SNS to create a real-time security analysis.

DDoS-4

Is your organization using these security best practices for AWS? Are there additional areas you recommend? Share your experience in the comments below!

Always be in the Know, Subscribe to the Relus Cloud Blog!