Why the AWS Cloud Is More Secure than On-Premises
Security as a Consisting Foundation
Complex infrastructures need to be configured, operated and maintained for the secure operation of on-premise applications. These include, for example, firewalls, RAID systems, encryption and backups. When it comes to redundancy, the complexity increases, especially with geographically redundant systems.
A major advantage of cloud solutions with Amazon Web Services (AWS) is the high level of IT security and encryption that is a fundamental part of all AWS services. In addition, with AWS, redundancies can be configured with just a few clicks, which would require geographically separate locations and enormous costs with on-premise architectures.
The expenses for the procurement and secure operation of the IT infrastructure are associated with high fixed costs. With AWS, employees no longer have to worry about RAID systems, hard disk encryption, etc. and can, for example, create an S3 bucket in a few minutes, in which the data is encrypted, redundant, versioned and secured with access logs. For the storage of a few gigabytes, the solution usually costs only a few cents per month.
Transparency With Monitoring, Logging and Audits
Another advantage is that monitoring and logging is an integral part of the AWS services. Via CloudWatch it is possible to evaluate and visualize metrics and logs. Among other things, dashboards can show how much the company applications are used or how busy they are.
Alarms can be triggered at threshold values, which, for example, automatically start up or shut down new containers or servers. Applications can be regularly checked via status checks, e.g. in order to inform and repair failures.
User activity and API usage can be logged and evaluated using CloudTrail. For example, access to customer data or resource changes within the entire AWS environment or defined areas could be monitored. The accesses can be evaluated in audits or, in the case of defined security incidents, automatically trigger workflows that react to the threats.
Secure Connections
The connections to all AWS services are encrypted via TLS so that data can be transmitted and retrieved securely. In addition, VPCs can be used to configure separate networks and demilitarised zones that are not accessible from the outside world. Access from the corporate network could be allowed via firewalls or a VPN.
Detailed Access Control
Identity and Access Management (IAM) enables detailed access control that is hardly feasible in on-premise environments. In small and medium-sized enterprises, we often observe that employees are given full access to machines on which the services are operated. This access can be used, for example, to update services, make backups or maintain the operating system. In the event of misuse, data could therefore also be stolen and services blocked.
In contrast, detailed privileges can be created with AWS IAM, in which the permitted operations for individual resources or areas are defined and can be tightened with further conditions. As an example, it is possible to create maintenance access for employees, with which no customer or company data can be read or stolen. Nevertheless, the employees are fully able to work and can, for example, update services and configure resources (e.g. servers).
Multi-Account Environments
Systems can be divided into several separate environments. We like to work with a development, test and production environment. The development environment always contains the latest status of the software project. Updating is done automatically several times a day. As soon as the software increment is ready for publication, a deployment to the test environment is triggered. The test environment is then intensively tested. As soon as testing is complete, the new version is rolled out to the users with the help of the productive environment. Upgrading and publishing is an automated process where AWS resources are created via Infrastructure as Code.
The advantage of AWS is that these environments can be set up as separate organizational accounts. For example, developers have extensive privileges in the development environment. There they actively develop, test and check their changes. In the test environment, developers have read-only privileges. After the new beta release, they can use the test environment from the customer’s point of view and have read access to e.g. protocols and databases in the backend. Write permissions are not allowed because publishing is an automatic process and developers are not supposed to get the systems running via Monkey Patching. Finally, developers generally have no rights to the production environment. The release in the test environment was the dress rehearsal for the new release.
Due to the lack of authorizations in the production environment, it is not possible to steal customer data. On- and offboarding is simplified and it is easier and safer to work with external service providers and freelancers.
Compliance Programmes
In conclusion, AWS is certified to a wide range of IT standards, building additional confidence. The compliance programs can be viewed here. Examples include numerous ISO certifications (27001, 27017, 27018, 9001) and the C5 Standard of the German Federal Office for Information Security.
Known Companies in AWS
As a comprehensive ERP system, SAP is used by large corporations worldwide to process all kinds of enterprise data. A study from 2019 shows that more than 5,000 companies use AWS to run their critical SAP systems. The companies include well-known German corporations such as Bayer, Siemens, E.ON and Deutsche Bahn.
Companies with SAP solutions in AWS (Quelle: SAP AWS Case Study)
As a strong partner, Volkswagen relies on AWS to transform the production and logistics of the automotive group in the Industrial Cloud. In the future, all machines, plants and systems of all plants and supply chains of the 30,000 locations will collect and intelligently process data via AWS as an Industry 4.0 solution (status 2019).
The Siemens Cyber Defense Center (CDC) uses AWS to protect its customers. Using AWS Machine Learning services, the CDC processes 60,000 threats per second (source).
Conclusion
The security of cloud services remains a highly debated topic. Nevertheless, we are convinced that AWS solutions are significantly more secure than on-premise architectures for our customers.
The high level of enterprise security is an integral part of the cloud provider and does not involve any additional (fixed) costs. AWS solutions can be monitored transparently to track activities on company data and by employees. In the event of incidents or system failures, alarms can be defined to inform or initiate automatic countermeasures. The connections to AWS are always secured and can be embedded in the corporate network in a variety of ways, e.g. via VPNs. Privileges on data, systems and the cloud environment can be configured and tightened in detail. Instead of root access data, employees can, for example, be given maintenance access with which the systems can be maintained but no data can be stolen. Finally, AWS is certified in many ways and is used by large (German) companies to process critical data.
Do you use the AWS Cloud and how do you rate the security of cloud environments?