Benefits of AWS security

【Table of contents】

  1. Benefits of AWS security
  2. Security services for AWS
  3. Conclusion
  • 1. Benefits of AWS security

    In this blog post, we discuss the benefits of AWS security and explain in detail where security measures in AWS have advantages over on-premises.

    • a) Limited liability

      Unlike on-premises, AWS has a shared responsibility model※, which clearly defines the scope of responsibility of AWS and of the users who use AWS. For example, on-premises you also need to consider data center and machine security, but with AWS you don't have to think about data center security because AWS is responsible for it. Moreover, AWS has acquired global standard security certifications※, such as ISO 27001 and PCI DSS, so there is no need for users to acquire these certifications. Therefore, users can focus on things like secure application design.

       ※The AWS shared responsibility model is described in detail at the following URL.
       https://aws.amazon.com/jp/compliance/shared-responsibility-model/
        
       ※You can check the security certification that AWS has obtained at the following URL.
       https://aws.amazon.com/jp/compliance/programs/

    • b) Overwhelmingly low cost

      With AWS, you can deploy various security measures inexpensively as managed services. As an example, the table below compares on-premises and AWS for a WAF implementation.
       

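      |            | Initial cost                                   | Operation cost | Implementation period        |
      |------------|------------------------------------------------|----------------|------------------------------|
      | On-premise | Thousands to hundreds of thousands of dollars  | Paid by user   | Immediately to several weeks |
      | AWS        | $0                                             | Paid by AWS    | Immediately                  |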

       

      WAF is used as the example here, but the same can be said for DDoS countermeasures and other measures. As you can see, the time and cost of implementing security measures in AWS can be significantly reduced compared to on-premises. This is a big advantage of AWS security.
       

    • c) Automatic scaling

      Have you ever worked hard to implement a security product on-premises, only to find that traffic to the service has grown since the product was introduced, so that additional products were required and the number of required licenses increased? There is also a risk that the service will be temporarily unavailable while products or licenses are being added. The security measures introduced in AWS, on the other hand, scale automatically. They expand as traffic grows and do not require any additional licenses (although usage fees do apply). Therefore, unlike on-premises, AWS allows for smoother expansion.
       

    • d) Easy adoption of the latest technology

      The security measures available in AWS make heavy use of the latest technology and the latest security practices. For example, a service called GuardDuty utilizes machine learning, and AWS WAF provides the latest signatures to defend against attacks on vulnerabilities. Deploying these technologies on-premises means combining multiple products and incurring significant initial and operational costs. With AWS, they are available with a few clicks and for a fraction of the price.
       

    • e) Monitoring by specialized units

      AWS has a dedicated security team that monitors for security incidents 365 days a year, and even if you are not aware of a security incident yourself, you will be notified by email or other means. For example, if you accidentally upload a root user's access key or secret key to Git or a similar service, AWS will detect it and notify you at a later date. The advantage of AWS security is that, just by using AWS, you are monitored by some of the world's best security experts.
       

  • 2. Security services for AWS

    When you open the security-related services in the AWS Management Console, you can select and use the items below.
    This section lists a selection of the services that are used most often as security measures on AWS, and those that offer great advantages when used.

    • a) AWS GuardDuty

      GuardDuty is a service that detects security threats and notifies you of them. It can be enabled with one click and costs less than $10. It detects threats by automatically retrieving the various logs in your AWS account and analyzing them with machine learning. That sounds like an elaborate feature when written out, and it is great to have a service like this available for less than $10 a month. If you haven't enabled it, we recommend that you do so by all means.
       

    • b) AWS WAF, AWS Shield

      These services prevent application attacks and DDoS attacks in AWS. WAF and DDoS countermeasures can be introduced at an initial cost of 0 yen. Cloud resources are exposed to the Internet, which makes them vulnerable to outside attacks, but you can easily put up a defense with these services.
       

    • c) AWS Inspector

      Inspector performs vulnerability assessments of servers built on AWS. You need to deploy an agent (software) on your server, and it will investigate and report whether the server has any problem with respect to all the vulnerabilities currently published. On-premises, you may create a software management ledger and check for vulnerabilities by eye, which carries a risk of omissions, but with AWS, vulnerability assessment can be done automatically and easily, and there is no risk of omissions.
       

    • d) KMS, CloudHSM

      These are encryption key management services in AWS. Managing encryption keys on-premises costs a lot of money, because you need to purchase a dedicated device and manage its installation location and access rights. With AWS, you don't have to do that. AWS automatically performs operations such as key rotation and management. CloudHSM has a high initial cost, but it provides more stringent key management than KMS. Please use them according to your requirements.
       

  • 3. Conclusion

    The benefits of AWS security can be summarized as follows:
    ・Compared to on-premises, the scope of responsibility on the user side is narrower, so users can focus on other measures.
    ・The operation and scaling of security measures are often handled on the AWS side.
    ・There is support from a professional security team.
    ・You can introduce the latest technology at low cost.
    In this way, you can enjoy various advantages over on-premises. AWS has also made security a top priority (https://aws.amazon.com/security/), and it designs its various services so that users can use them safely. Understanding and using these services is a great advantage for users.