Data in Transit
As technology evolves day by day, companies too need to evolve to stay up to date with new technologies, gain the benefits of these technologies and provide a better user experience. One of the latest technologies is "Cloud Computing", which provides better scalability, business continuity, reduced cost, etc.
The movement to the cloud has led to hybrid environments, whether on-prem with cloud or multiple cloud platforms. One of the major concerns that comes with the hybrid model is "data in transit", i.e. how to secure data while it is in transit between two different platforms, between regions within a cloud, or between on-prem and a cloud platform.
Amazon Web Services (AWS) is one of the leading cloud vendors today. AWS has various methods not only to secure data while in transit but also enough services to detect any unwanted activity that may compromise the data.
Here are a few best practices to reduce the risk of unauthorized access to, or loss of, data while in transit:
- Encryption in transit: Applying the required encryption, based on the appropriate security standards, to the data in transit.
- Network: Using the appropriate AWS services together with 3rd-party tools like firewalls to secure the communication channel is a must.
- Key management and certificate management: Using AWS services to store the keys and certificates used for encryption, and applying access controls to restrict unwanted access.
Before we start sending data, we need to create a secure communication channel, using various AWS services like CloudFront and WAF along with 3rd-party tools like firewalls. Let's see a few options we can deploy to achieve secure communication:
- AWS Direct Connect
AWS Direct Connect allows you to connect your AWS environment and your datacenter, office, or colocation environment. Along with providing a secure communication channel, AWS Direct Connect also provides high bandwidth with low cost, consistent network performance and it is compatible with all AWS services.
- Firewall IPSec tunnels
Firewall VPN / IPsec tunnels can be used to connect your AWS environment with your datacenter, office, or colocation environment. An IPsec VPN secures point-to-point or network-to-network connections to provide both data privacy and integrity. The VPN tunnel also encrypts data before sending it to the other site. The firewall's native services can be used to protect the data from various attacks.
Both of the above technologies use an up-to-date Transport Layer Security (TLS) protocol and follow certain compliance standards.
Data security between different sites/platforms is very crucial, but we also need to secure the data being received from or sent to the customer over the internet, i.e. the customer accessing the website.
Various AWS services like CloudFront add another layer of protection to the data to/from customers over the internet. Let's look at what and how these AWS services contribute to the security of the data:
- Using HTTPS with CloudFront
We can deploy CloudFront in front of our web servers to secure the communication via HTTPS and encrypt the request/response.
CloudFront uses a certificate (self-signed/external/internal) to encrypt the response, which ensures that attacks like man-in-the-middle can be eliminated to a large extent.
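To make the CloudFront settings behind the above concrete, here is an added audit routine (not from the original post) that checks a distribution configuration for viewer behaviours that still accept plain HTTP, a viewer certificate/TLS policy below TLS 1.2, and origins that CloudFront is allowed to reach without HTTPS. It assumes the dict shape that boto3's get_distribution_config() returns under "DistributionConfig"; the two sample configs and the certificate ARN are constructed placeholders.

```python
# Audit a CloudFront DistributionConfig (the dict shape boto3 returns from
# get_distribution_config()["DistributionConfig"]) for weak data-in-transit
# settings. Pure function, so it also runs offline on the constructed samples.

# Assumption: any MinimumProtocolVersion below the TLSv1.2_* policies is weak.
WEAK_MIN_VERSIONS = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}
WEAK_ORIGIN_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def audit_distribution(cfg: dict) -> list:
    """Return human-readable findings; an empty list means the config is clean."""
    findings = []
    behaviors = [("default", cfg["DefaultCacheBehavior"])] + [
        (b.get("PathPattern", "?"), b) for b in cfg.get("CacheBehaviors", {}).get("Items", [])]
    for name, b in behaviors:
        # allow-all keeps plain HTTP open; redirect-to-https or https-only is wanted
        if b.get("ViewerProtocolPolicy") == "allow-all":
            findings.append(f"behavior {name}: ViewerProtocolPolicy allow-all")
    cert = cfg.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        findings.append("viewer certificate: default *.cloudfront.net certificate, no ACM certificate")
    if cert.get("MinimumProtocolVersion") in WEAK_MIN_VERSIONS:
        findings.append(f"viewer TLS: MinimumProtocolVersion {cert['MinimumProtocolVersion']}")
    for origin in cfg.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if not custom:
            continue  # S3 origins: CloudFront fetches from S3 over HTTPS itself
        if custom.get("OriginProtocolPolicy") != "https-only":
            findings.append(f"origin {origin['Id']}: OriginProtocolPolicy "
                            f"{custom.get('OriginProtocolPolicy')} (want https-only)")
        weak = WEAK_ORIGIN_PROTOCOLS & set(custom.get("OriginSslProtocols", {}).get("Items", []))
        if weak:
            findings.append(f"origin {origin['Id']}: weak OriginSslProtocols {sorted(weak)}")
    return findings

# Constructed sample: plain HTTP still accepted from viewer to origin.
WEAK_CONFIG = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True, "MinimumProtocolVersion": "TLSv1"},
    "Origins": {"Items": [{"Id": "web-origin", "CustomOriginConfig": {
        "OriginProtocolPolicy": "match-viewer",
        "OriginSslProtocols": {"Items": ["TLSv1", "TLSv1.1", "TLSv1.2"]}}}]},
}
# Constructed sample: same distribution with HTTPS enforced end to end (ARN is a placeholder).
HARDENED_CONFIG = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER",
                          "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021"},
    "Origins": {"Items": [{"Id": "web-origin", "CustomOriginConfig": {
        "OriginProtocolPolicy": "https-only", "OriginSslProtocols": {"Items": ["TLSv1.2"]}}}]},
}
```

Against a live account, feed each distribution's "DistributionConfig" from boto3 into audit_distribution and treat any non-empty result as a finding to fix.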
Keys and certificates used in firewalls, CloudFront, etc. should always be stored in a centralized manner. AWS Certificate Manager, Parameter Store and AWS HSM are ideal for storing certificates and keys respectively. These services not only help you manage your certificates/keys efficiently but also add a protection layer so that only the required and essential people/applications have access to them.
- AWS Parameter Store
  - Control and audit access at granular levels.
  - Use a secure, scalable, hosted secrets management service with no servers to manage.
- AWS Certificate Manager
  - Lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
- AWS Hardware Security Module
  - Helps you generate, manage and use your encryption keys.
  - FIPS 140-2 compliant.