AWS and the Quest for Identity-Centric Security
Everyone using Amazon Web Services (AWS) quickly becomes familiar with the Shared Responsibility Model for security, depicted below. It is a necessary and well-thought-out part of the AWS design, clearly delineating what AWS is responsible for (security "of" the cloud: facilities, hardware, hypervisor and the managed service layers) and what customers are responsible for (security "in" the cloud: guest operating systems, data, identity and access, and network access control to their own resources).
While some of these aspects are very straightforward to integrate into an enterprise’s standard tools and processes – like OS patching – others, in particular network security, are not so simple.
Let’s dive into this. AWS takes a straightforward, network-centric approach to network security. AWS Security Groups are stateful allow-lists attached to an instance’s network interface: there is no inbound access by default, and each inbound rule permits a protocol and port range from a source. That source can be another security group (useful for tier-to-tier traffic inside a VPC), but for anything reaching in from outside, the source is an IP address or CIDR block. Access for people, in other words, is still expressed as a list of IP addresses.
However, this IP address-based approach is at odds with how enterprises are now approaching security: moving away from IP addresses and perimeters, and toward architectures centered on users and identities. An IP address says where a connection comes from, not who is making it, and per-user /32 entries go stale the moment someone moves networks.
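To make the per-IP problem concrete, the following audit script is an added example (not code from the original post or from the AppGate product). It walks a `describe-security-groups` response, which is the JSON shape the AWS CLI and boto3 return, and reports three things a reviewer cares about: management ports open to the world, rules that are really a per-person list of single-host (/32 or /128) addresses, and rules that reference another security group instead of an IP. The group IDs, descriptions and addresses are constructed sample data so the script runs offline without an AWS account.

```python
"""Audit inbound security-group rules for IP-based user allow-lists.

Added example, not code from the original post or from AppGate/Cryptzone.
Input follows the JSON shape of `aws ec2 describe-security-groups`
(boto3 `describe_security_groups`), but the data below is constructed.
"""
import ipaddress
import json

# Constructed sample: a bastion group with a hand-maintained list of user
# IPs (plus a "temporary" world-open entry), and an app tier that admits
# traffic by security-group reference rather than by address.
SAMPLE_RESPONSE = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0a1b2c3d4e5f60001",
      "GroupName": "bastion-ssh",
      "IpPermissions": [
        {
          "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [
            {"CidrIp": "203.0.113.10/32", "Description": "alice home"},
            {"CidrIp": "203.0.113.11/32", "Description": "bob home"},
            {"CidrIp": "198.51.100.0/24", "Description": "HQ office"},
            {"CidrIp": "0.0.0.0/0", "Description": "temporary - contractor"}
          ],
          "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []
        }
      ]
    },
    {
      "GroupId": "sg-0a1b2c3d4e5f60002",
      "GroupName": "app-tier",
      "IpPermissions": [
        {
          "IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
          "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
          "UserIdGroupPairs": [
            {"GroupId": "sg-0a1b2c3d4e5f60001", "UserId": "111122223333"}
          ]
        }
      ]
    }
  ]
}
""")

MANAGEMENT_PORTS = {22, 3389}  # SSH and RDP


def _port_in_rule(rule, port):
    """True if the rule's protocol/port range covers `port`."""
    if rule["IpProtocol"] == "-1":  # "-1" means all protocols, all ports
        return True
    if rule["IpProtocol"] not in ("tcp", "udp"):
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def classify_cidr(cidr):
    """'world' for /0, 'single-host' for /32 or /128, otherwise 'range'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "world"
    if net.prefixlen == net.max_prefixlen:
        return "single-host"
    return "range"


def audit_security_groups(response):
    """Return (group_id, finding, detail) tuples for the inbound rules."""
    findings = []
    for sg in response["SecurityGroups"]:
        single_hosts = 0
        for rule in sg.get("IpPermissions", []):
            mgmt = any(_port_in_rule(rule, p) for p in MANAGEMENT_PORTS)
            for r in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                kind = classify_cidr(cidr)
                if kind == "world" and mgmt:
                    findings.append((sg["GroupId"], "management-port-open-to-world", cidr))
                elif kind == "single-host":
                    single_hosts += 1
            # Source is another security group: membership, not an address.
            for pair in rule.get("UserIdGroupPairs", []):
                findings.append((sg["GroupId"], "sg-reference", pair["GroupId"]))
        if single_hosts:
            findings.append((sg["GroupId"], "per-host-allow-list",
                             f"{single_hosts} /32 or /128 entries"))
    return findings


if __name__ == "__main__":
    for group_id, finding, detail in audit_security_groups(SAMPLE_RESPONSE):
        print(f"{group_id}  {finding:32s} {detail}")
```

Against a real account, replace `SAMPLE_RESPONSE` with the parsed output of `aws ec2 describe-security-groups`. The `per-host-allow-list` finding is the one this post is about: every /32 is a person’s current address, and nothing in the rule records who that person is or revokes it when they leave. The `sg-reference` finding is the closest thing security groups have to identity, but it only works for sources that are themselves AWS network interfaces, not for users.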
“Identity is the new perimeter” – while this is a cliché, it’s a cliché that we fundamentally believe in. The Software-Defined Perimeter (SDP) model (read a quick backgrounder) authenticates the user and evaluates their context first, and only then opens a network path to the specific resources that user is entitled to, creating an individualized network perimeter for each user – a network ‘segment of one’.
This approach allows enterprises to control user access to AWS resources, in a very fine-grained way, without having to manually create and maintain burdensome lists of IP addresses across security groups. And, because each user’s access is individually managed via simple policies, security teams’ workloads are lightened and compliance reporting becomes a snap.
With this approach, organizations can leverage their existing identity management and authentication systems, and create meaningful policies that control user access to AWS resources. Our solution, AppGate XDP, automatically detects new AWS instances so user access is automatically adjusted without requiring any manual changes.
Interested in trying this out? Our AppGate solution is now available in the AWS Marketplace. Check it out and sign up for a free trial. We’ve created step-by-step instructions so you can get started easily. Enjoy!
Technically, Security Groups attach to elastic network interfaces, so they protect EC2 instances and VPC-based services built on them, such as RDS. Services reached only through their public API endpoints, such as S3, are controlled by IAM policies rather than security groups. We’re using “AWS” here as shorthand for EC2 and RDS.