AWS and the Quest for Identity-Centric Security

September 13, 2016
Control user access to AWS resources, in a very fine-grained way, without having to manually create and maintain burdensome lists of IP addresses across security groups

Everyone using Amazon Web Services (AWS) quickly becomes familiar with the Shared Responsibility model for security, depicted below. This is a necessary, and well-thought-out part of the AWS design, clearly delineating what customers and AWS are responsible for from a security perspective.

While some of these aspects are very straightforward to integrate into an enterprise’s standard tools and processes – like OS patching – others, in particular network security, are not so simple.

AWS Shared Responsibility Model

Let’s dive into this. AWS takes a straightforward, network-centric approach to network security: AWS Security Groups define firewall rules that allow traffic from specified source IP addresses or ranges to reach AWS resources.[1]

However, this IP address-based approach is to some degree at odds with how enterprises are now approaching security — moving away from IP addresses and perimeters, and toward architectures centered on users and identities.

“Identity is the new perimeter” – while this is a cliché, it’s a cliché that we fundamentally believe in. The Software-Defined Perimeter (SDP) model (read a quick backgrounder) leverages identity and user context and automatically creates an individualized network perimeter for each user – a network ‘segment of one’.

This approach allows enterprises to control user access to AWS resources, in a very fine-grained way, without having to manually create and maintain burdensome lists of IP addresses across security groups. And, because each user’s access is individually managed via simple policies, security teams’ workloads are lightened and compliance reporting becomes a snap.
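To make the contrast concrete, here is an added example (not code from the original post, and not AppGate’s own policy format): it first audits a constructed Security Group, in the shape boto3’s ec2.describe_security_groups() returns, to count the source-IP entries that must be maintained and flag any world-open rule, and then evaluates a hypothetical identity-centric policy keyed on user roles and instance tags rather than on addresses.

```python
"""Added example (not from the original post or from AppGate): contrast the
IP-list burden of Security Groups with an identity-centric policy check.
The group below is a constructed sample in the shape returned by boto3's
ec2.describe_security_groups(); no AWS call is made."""
import ipaddress

# Constructed sample: one group, two ingress rules, boto3 response shape.
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "GroupName": "app-servers",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"},
                      {"CidrIp": "198.51.100.0/24"},
                      {"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}

def audit_ingress(group):
    """Return (number of CIDR entries to maintain, list of world-open port ranges)."""
    entries = 0
    world_open = []
    for perm in group.get("IpPermissions", []):
        for rng in perm.get("IpRanges", []):
            entries += 1
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net.prefixlen == 0:  # 0.0.0.0/0 admits any source address
                world_open.append((perm.get("FromPort"), perm.get("ToPort")))
    return entries, world_open

# Identity-centric alternative: policy keyed on user attributes and instance
# tags, not on source addresses. Hypothetical format, not AppGate's.
POLICIES = [
    {"role": "dba", "tag": {"tier": "db"}, "ports": {5432}},
    {"role": "developer", "tag": {"env": "dev"}, "ports": {22, 443}},
]

def user_may_reach(user, instance, port):
    """A 'segment of one': access depends on who the user is and what the instance is."""
    for pol in POLICIES:
        if (pol["role"] in user["roles"] and port in pol["ports"]
                and all(instance["tags"].get(k) == v for k, v in pol["tag"].items())):
            return True
    return False
```

A newly launched instance only needs the right tags for the identity policy to cover it, whereas the address-based group would need another CIDR entry per permitted source.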

With this approach, organizations can leverage their existing identity management and authentication systems, and create meaningful policies that control user access to AWS resources. Our solution, AppGate XDP, automatically detects new AWS instances so user access is automatically adjusted without requiring any manual changes.

Interested in trying this out? Our AppGate solution is now available in the AWS Marketplace. Check it out and sign up for a free trial. We’ve created step-by-step instructions so you can get started easily. Enjoy!

[1] Technically, Security Groups are used to protect EC2 and RDS resources. Other AWS resources don’t leverage security groups for network access control, so we’re using “AWS” here as shorthand for EC2 and RDS.

Jason Garbis

Vice President of Products, Cryptzone
Jason Garbis is Vice President of Products for Cryptzone, where he's responsible for the company's product strategy and product management. Garbis has over 25 years of experience with technology vendors, including roles in engineering, professional services, product management, and marketing. Jason joined Cryptzone from RSA, and holds a CISSP certification.
