Edition 5b: AWS Well-Architected Framework - Security Pillar

Security Pillar

??????????? The Security pillar involves the capacity to safeguard data, systems, and assets in order to use cloud technologies for enhancing security.

Design Principles

??????????? Within the cloud environment, many concepts exist that might enhance the security of your workloads:

·?????? Implement a strong identity foundation: Apply the concept of least privilege and ensure that different tasks are assigned to different individuals with the proper authority for each contact with your AWS services. Implement a centralized system for managing identification and strive to reduce the need for long-term, unchanging credentials.

·?????? Maintain traceability: Observe, notify, and examine activities and changes to your surroundings instantaneously. Automatically incorporate log and metric collecting into systems to facilitate investigation and implementation of actions.

·?????? Apply security at all layers: Implement a strategy that employs numerous layers of security controls to provide comprehensive protection. Apply to all levels, including the edge of the network, virtual private cloud (VPC), load balancing, every instance and compute service, operating system, application, and code.

·?????? Automate security best practices: Implementing automated software-based security methods enhances your capacity to expand safely at a faster pace and with reduced costs. Develop robust architectures by including controls that are written and maintained as code in version-controlled templates to ensure security.

·?????? Protect data in transit and at rest: Categorize your data according on its sensitivity levels and implement suitable measures, such as encryption, tokenization, and access control.

·?????? Keep people away from data: Utilize processes and methods to minimize or eradicate the need for direct access or human manipulation of data. This minimizes the likelihood of misuse or alteration, as well as human mistake, while dealing with sensitive data.

·?????? Prepare for security events: Ensure preparedness for an occurrence by implementing incident management and investigative policies and procedures that are in line with your organization's needs. Conduct incident response simulations and use automated technologies to enhance your efficiency in detecting, investigating, and recovering from incidents.

Best Practices

??????????? The Security pillar encompasses seven domains in which we must establish and identify best practices.

·?????? Security

·?????? Identity and access management

·?????? Detection

·?????? Infrastructure protection

·?????? Data protection

·?????? Incident response

·?????? Application security

Security

??????????? In order to ensure the safe operation of your business, it is essential to implement comprehensive best practices across all aspects of security. Apply the criteria and practices that you have established for operational excellence at both the organizational and workload levels to all areas.

Identity and Access Management

??????????? Identity and access management are crucial components of an information security program. They guarantee that only authorized and authenticated users and components may access your resources, and only in the way you want.

Manage Identities

??????????? When dealing with secure AWS workloads, you must handle two distinct sorts of IDs. Comprehending the specific sort of identity that requires management and authorization helps in ensuring that the appropriate identities are granted access to the correct resources, under the appropriate circumstances.

·?????? Human identities: Administrators, developers, operators, and end users need an identity

part of your business or external users with whom you cooperate. They connect with your AWS resources via a web browser, client application, or interactive command line tools.

·?????? Machine identities: In order for your service applications, operational tools, and workloads to interact with AWS services, they need to have an identity that allows them to make requests, such as reading data. These identities include the computers operating inside your AWS environment, such as Amazon EC2 instances or AWS Lambda functions. You may also manage machine identities for external parties who need access. In addition, you may have machines located outside of the Amazon Web Services (AWS) infrastructure that need access to your AWS environment.

Manage Permissions

??????????? Administer permissions to regulate access for individuals and automated systems that need entry to AWS and your workload. Permissions regulate the access and circumstances under which individuals may get certain privileges.

Detection

??????????? Detective controls may be used to ascertain a possible security danger or occurrence. They are key components of governance frameworks and may be used to bolster a quality process, fulfill legal or compliance requirements, and facilitate danger detection and response initiatives.

Security Events Detection and Investigation

??????????? Collect and analyze data from logs and analytics to enhance visibility. Implement measures to address security incidents and possible risks in order to safeguard your workload.

Infrastructure Protection

??????????? Infrastructure protection involves implementing control methods, such as defense in depth, that are essential to comply with best practices and organizational or regulatory requirements. Employing these approaches is crucial for ensuring the continued success of operations, whether they are conducted in the cloud or on-premises.

??????????? Every task that involves network access, whether it is over the internet or a private network, needs numerous levels of protection to safeguard against both external and internal network-based risks.

Compute Resource Protection

??????????? The compute resources in your workload need the implementation of numerous levels of security to safeguard against both external and internal threats. Compute resources include a wide range of components such as EC2 instances, containers, AWS Lambda functions, database services, IoT devices, and other similar entities.

Data Protection

??????????? Data classification enables the categorization of organizational data according to its sensitivity levels, while encryption safeguards data by making it incomprehensible to unauthorized individuals. The significance of these tools and strategies lies in their ability to facilitate goals such as mitigating financial loss or adhering to regulatory duties.

Data Protection in AWS

·?????? As a client of AWS, you have complete autonomy over your data.

·?????? AWS simplifies the process of encrypting your data and managing encryption keys. This includes the ability to regularly rotate keys, which may be managed by AWS or manually maintained by you.

·?????? Comprehensive logging, which includes significant information like file access and modifications, is accessible.

·?????? AWS has developed storage solutions with extraordinary resilience. Amazon S3 Standard, S3 Standard–IA, S3 One Zone-IA, and Amazon Glacier are specifically created to ensure that items have a durability of 99.999999999% over the course of a year. This durability level corresponds to an average yearly predicted loss rate of 0.000000001% for items.

·?????? Versioning, as a component of a comprehensive data lifecycle management strategy, serves as a safeguard against unintentional overwrites, deletions, and other forms of damage.

·?????? Region will stay there until you specifically use a feature or take advantage of a service that offers that capability.

Data Classification

??????????? Classification is a method of organizing data according to its importance and sensitivity, which helps you decide on the proper measures for protecting and retaining information.

Data at Rest Protection

??????????? Ensure the security of your stored data by employing numerous measures to minimize the chances of illegal access or mistreatment.

Data in Transit Protection

??????????? Ensure the security of your data during transmission by applying several measures to minimize the chances of unwanted access or loss.

Incident Response

??????????? By implementing the necessary tools and access in advance and regularly conducting incident response exercises, you can ensure that your system's architecture is capable of promptly investigating and recovering from security incidents.

AWS Incident Response

·?????? Comprehensive logging is provided, which includes crucial information such as file access and modifications.

·?????? By using AWS APIs, events may be seamlessly handled and trigger automated reaction mechanisms.

·?????? With AWS CloudFormation, it is possible to pre-provision tools and create a "clean room" environment. This enables you to conduct forensic investigations inside a secure and separate environment.

Anticipate, Respond and Recover

??????????? Thorough preparation is crucial for promptly and efficiently investigating, responding to, and recovering from security events in order to minimize interruption to your firm.

Application Security

??????????? Application security, often known as AppSec, refers to the whole process of designing, constructing, and evaluating the security features of the application you create. It is important to have adequately skilled individuals in your business that possess a deep understanding of the security features of your build and release infrastructure. Additionally, using automation to detect security vulnerabilities is highly recommended.

Security Properties Throughout Application Lifecycle

??????????? Conducting training sessions, implementing automated testing, analyzing dependencies, and verifying the security features of tools and apps are effective measures to minimize the occurrence of security problems in operational workloads.

Bibliography

Acceldata. (2022, September 7). How to Architect a Data Platform. Retrieved from acceldata.io: https://www.acceldata.io/article/what-is-a-data-platform-architecture

Amazon Web Services. (n.d.). AWS Well Architected Framework. Retrieved from aws.amazon.com: https://aws.amazon.com/architecture/well-architected/?wa-lens-whitepapers.sort-by=item.additionalFields.sortDate&wa-lens-whitepapers.sort-order=desc&wa-guidance-whitepapers.sort-by=item.additionalFields.sortDate&wa-guidance-whitepapers.sort-order=desc

Amazon Web Services. (n.d.). What is AWS? Retrieved from aws.amazon.com: https://aws.amazon.com/what-is-aws/?nc1=f_cc

DAMA International. (2024). DAMA-DMBOK: Data Management Body of Knowledge: 2nd Edition, Revised. Los Angles: Technics Publications.

en.wikipedia.org. (n.d.). Data Management Association. Retrieved from en.wikipedia.org: https://en.wikipedia.org/wiki/Data_Management_Association

Groover, M. (2021). Speed of Advance. Lion Crest Publications.

Hiltbrand, T. (2024, May 9). From Data-Driven to Data-Centric: The Next Evolution in Business Strategy. Retrieved from tdwi.org: https://tdwi.org/Articles/2024/05/09/PPM-ALL-From-Data-Driven-to-Data-Centric-Next-Evolution-in-Business-Strategy.aspx

Intrepid Tech Ventures. (n.d.). Understand your data asset. Retrieved from theintrepidventures.com: https://theintrepidventures.com/value-proposition/understand-your-data-asset/

Khan, S. M. (2024, May 9). The data product lifecycle: Getting the most out of your data investments. Retrieved from starburst.io: https://www.starburst.io/blog/data-product-lifecycle/

Roberts, S. (2023, April 18). Understand the four Vs of Big Data. Retrieved from theknowledgeacademy.com: https://www.theknowledgeacademy.com/blog/4-vs-of-big-data/

Rowshankish, R. L. (2023, July 31). The evolution of the data-driven enterprise. Retrieved from mckinsey.com: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/tech-forward/the-evolution-of-the-data-driven-enterprise

Simon, B. (2021, July 21). Complete Guide to PPT Framework | Smartsheet. Retrieved from smartsheet.com: https://www.smartsheet.com/content/people-process-technology#:~:text=for%20IT%20%26%20Ops-,What%20Is%20the%20People%2C%20Process%2C%20Technology%20Framework%3F,maintain%20good%20relationships%20among%20them.

Tharran, A. S. (2023, October 22). The Evolution of Data Science: Past, Present, and Future. Retrieved from linkedin.com: https://www.dhirubhai.net/pulse/evolution-data-science-past-present-future-aditya-singh-tharran-bmmre/

?#AWS #OperationalExcellence #WellArchitectedFramework #AWS #DataDrivenCompany #TechnologyPlatform

#DataManagement #DataStrategy #DataLifecycle #DAMA-DMBOK

#DataManagement #DAMA #DMBOK #DataDrivenCompany #DataDriven #BusinessStrategy #PPT #People #Process #Technology #Organization #Data #DataLake #DataWarehouse #Databases #OLTP #OLAP #BigData #Hadoop #AWS #WellArchitectedFramework #DataManagement #DMBOK #DataGovernance #DataIngestion #DataVisualization #DataProcessing #ETL #ELT #MasterData #Metadata #DataSecurity #Security #OperationalExcellence #Relaibility #Sustainability #CostOptimization #PerformanceEfficiency #Kenesis #DynamoDB #Redshift #RedshiftSpectrum #QuickSight?#Trino #Iceberg #Parquet #S3 #Lambda #EC2 #ECS #EKS #VPC #SecurityGroups #Python #PySpark #Spark #SparkSQL #SparkStreaming #DataFrames #RDDs #CoudFormation #AWSConfig #MachineLearning #AI #AI/ML #DataEngineer #MLEngineer #LLMs #DataManagement #DAMA #Newsletter #KnowledgeSharing

#AWS #DataDrivenCompany #TechnologyPlatform #DataManagement #DataStrategy #DAMA-DMBOK #WellArchitectedFramework #DataGovernance #DataIngestion #DataVisualization #DataProcessing #ETL #ELT #DataSecurity #Security #OperationalExcellence #Reliability #Sustainability #CostOptimization #PerformanceEfficiency #MachineLearning #AI #DataEngineer #MLEngineer #KnowledgeSharing #AWS #CloudComputing #WellArchitectedFramework

?