About the Client
A leading provider of digital content protection for the film, entertainment, and broadcast industries was looking to mature its cloud management strategy. Security was a top priority. Sourced Group (Sourced), an Amdocs company, identified security vulnerabilities and made practical recommendations for their improvement.
Outcomes included:
- Identification of high- and medium-risk items that could compromise security in the cloud.
- Explanation of cloud best practice for the items presenting security risk.
- Practical guidance on how to resolve security vulnerabilities.
Challenge: Cloud Security is a Moving Target
Cloud security was a priority concern for this digital content protection specialist. Its cloud estate is hosted on AWS which, like most hyperscale cloud providers, operates a shared responsibility model. This means that while AWS is responsible for security of the cloud, the customer is responsible for security in the cloud.
Users must take proactive measures to protect cloud-based assets and ensure security problems don’t arise. To this end, our customer wanted to understand its current cloud security status. As the company’s cloud managed services provider, Sourced set out to identify shortfalls and vulnerabilities, also suggesting how they could be resolved.
Solution: In-depth Security Assessment Pinpoints Risk Factors
Sourced ran the CloudCheckr CMx service against the client’s AWS account to determine where the business was exposed to security vulnerabilities. Outputs from the CloudCheckr report were analysed by our engineers and presented to the client with practical guidance on how to respond. The following high-risk scenarios were identified, with recommendations also put forward:
Elastic Block Store (EBS) Volumes Without a Snapshot
Snapshots of EBS volumes should be taken regularly for use in the event of disaster recovery. Our assessment revealed that several EBS volumes did not have snapshots captured. We advised the client to investigate why this was the case, suggesting that they create a lifecycle manager policy to ensure snapshots are taken regularly.
Relational Database Service (RDS) Instances with Insufficient Backups
RDS backups are essential for the initiation of point-in-time recovery, and they are stored for one day by default. However, user-specified retention can extend to as much as 35 days. We discovered that backups were only being kept for seven days. The client was alerted to the fact that this could be extended to further reduce risk.
Security Groups with Dangerous Ports Exposed
Security groups act as a virtual firewall for instances within a VPC. Each instance can be assigned up to five security groups, with rules established to control inbound and outbound traffic. Any change to a security group can inadvertently leave resources and services exposed in the event of a cyberattack. We identified multiple instances which could be vulnerable and advised the client to review the situation as an urgent priority.
Instances not Taking Advantage of Termination Protection
Amazon EC2 instances can benefit from termination protection to avoid accidental deletion. Very few instances had this capability enabled, so we recommended a detailed review of the situation. Termination protection can be applied when an instance is launched, or after it is running.
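The four findings above can be re-checked between assessments with a small audit script. The following is an added example, not code from Sourced or CloudCheckr: it runs offline over constructed data shaped like the EC2 and RDS describe-* API responses, and the dangerous-port list, the 14-day retention target and all resource IDs are assumptions.

```python
import ipaddress

# Assumptions (not from the page): which ports count as "dangerous", and the retention target.
DANGEROUS_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}
MIN_RETENTION_DAYS = 14

def volumes_without_snapshots(volumes, snapshots):
    covered = {s["VolumeId"] for s in snapshots}
    return sorted(v["VolumeId"] for v in volumes if v["VolumeId"] not in covered)

def short_retention(db_instances, minimum=MIN_RETENTION_DAYS):
    # A BackupRetentionPeriod of 0 means automated backups are disabled.
    return sorted(d["DBInstanceIdentifier"] for d in db_instances
                  if d.get("BackupRetentionPeriod", 0) < minimum)

def _open_to_world(perm):
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def exposed_dangerous_ports(security_groups):
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            if perm["IpProtocol"] == "-1":    # all protocols: no port fields
                lo, hi = 0, 65535
            elif perm["IpProtocol"] == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue
            findings += [(sg["GroupId"], p) for p in sorted(DANGEROUS_PORTS) if lo <= p <= hi]
    return findings

def unprotected_instances(termination_protection):
    # Maps instance id -> DisableApiTermination value, collected per instance.
    return sorted(i for i, on in termination_protection.items() if not on)

# Constructed sample inventory, shaped like the relevant describe-* responses.
VOLUMES = [{"VolumeId": "vol-0aaa"}, {"VolumeId": "vol-0bbb"}]
SNAPSHOTS = [{"SnapshotId": "snap-0111", "VolumeId": "vol-0aaa"}]
DB_INSTANCES = [{"DBInstanceIdentifier": "orders-db", "BackupRetentionPeriod": 7},
                {"DBInstanceIdentifier": "audit-db", "BackupRetentionPeriod": 35}]
SECURITY_GROUPS = [
    {"GroupId": "sg-0admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0any", "IpPermissions": [{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]
TERMINATION_PROTECTION = {"i-0aaa": True, "i-0bbb": False}
```

The port check catches rules that hide a sensitive port inside a range (20-25 covers SSH) and all-traffic rules, which carry no port fields at all.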
Outcome: Small Changes Make a Big Difference to Cloud Security
Cloud security involves lots of moving parts and it’s not unusual for organisations to underestimate the scale of the challenge. However, many of the remedies are simple – they just need to be handled methodically and consistently. Running regular checks and controls is a vital part of any cloud security strategy to identify emerging issues before they escalate or get exploited. With our focused security review and recommendations, the client was empowered to make proactive changes which underpin a more mature cloud security stance.