Home page logo
/

basics logo Security Basics mailing list archives

Re: AWS and security
From: Warner Tabor <pneusolematic () me com>
Date: Wed, 11 Jul 2012 12:23:30 -0400

Mikhail,

    You are absolutely correct, PCI is s security standard. What I failed to mention in my previous post is that we 
don't keep sensitive CC data on server in the cloud, which is why I haven't give the subject much thought and can't 
really speak on it. The reason I mentioned HIPPA and the like is that they are for more strict and cover more points of 
data than just billing info. We are talking about just a few data point for PCI, where I would assume there is far more 
to consider when it comes to HIPPA, etc.

On Jul 10, 2012, at 8:35 PM, Sean Simpson wrote:

Again, thanks for the insights!

On Jul 10, 2012, at 5:32 PM, Warner Tabor wrote:

Sean,

 No problem. Glad to be of some help. Seem my responses in-line below;

On Jul 10, 2012, at 8:04 PM, Sean Simpson wrote:

Hi Skip, thanks for your insights.  Some specifics:

On Jul 10, 2012, at 6:41 AM, Warner Tabor wrote:

Sean,

We've been using AWS for 3 years now to host our web and app servers without incident. If you make proper use of 
EC2 Security Groups you can lock things down pretty tightly. I think that as long as you do your due diligence as 
far a security is concerned and make sure you are using known good AMI's (ones that are provided by Amazon, for 
example,) I don't think that you'll be at any higher risk for attack than hosting in a co lo.

My main concern is that the "due diligence" is different, and will require a learning curve.  For instance, we 
don't normally worry about inter-host communications when they only exist on our trusted network.  Better to know 
that kind of stuff in advance...

This is true and there is a bit of a learning curve, but their web UI makes things pretty simple, and most tasks can 
be completed this way. There are certain things that you'll have to refer to the API tools for, but these are few 
and far between (attaching ephemeral storage, etc.) One thing that I can suggest to help with the learning curve and 
your investigation, is that you launch some Amazon Linux micro instances. These instance are free and will allow you 
to play with inter-instance communications, security groups, etc. If you don't want to go the Amazon Linux route, 
micro instances for other Linux distros and windows are so cheap per hour that they might as well be free (I think 
you'll pay $18 to keep one running 24/7 for a month). A quick aside; for all intents and purposes the Security 
groups act as routers/firewalls allowing only specific instances or IPs, subnets, etc access to instances within 
that group.


You have the ability to launch, test, provision and scale your app in a very fluid and dynamic way.

This is the big draw, particularly since we can re-architect (adding a memcached layer, for instance) with 
"practice" servers before changing a live system.

Absolutely. I haven't played with memcachd, but I do know that AWS even offers a service called ElastiCache for 
in-memory caching that I believe utilizes memcachd


Services like ELB with Sticky Sessions allow you to load balance your app very easily without worrying about a 
whole lot of configuration, extra SSL certs, etc. AWS has certainly allowed us to move far more quickly than we 
would have if we were hosting on site or in a co lo.

Have you found that you become "tied" to their services?  I'm a bit worried that management will change it's mind 
again, and then we will be sent scrambling to handle services in yet another way.  With a colo solution, we take 
our service solutions with us wherever we go.

Aside from using ELB, there is nothing that I can't replicate elsewhere. And we could certainly implement similar 
round-robin load balancing witout too much trouble using another solution if we had to. The rest of our architecture 
is all very portable using pretty standard stuff. There are certainly services that they offer that are tempting 
that would "tie" is to their service, but we haven't gone that route yet. Note that you do have the ability to 
export you images as well as import external images. This would allow you to move your machines to another 
virtualization environment, cloud computing service or to baremetal perhaps, but I haven't tried it. If you Google 
AWS VMI Import / Export you should turn up some results.

Sean Simpson
Senior Server/Web Developer
sean () stitcher com
http://stitcher.com



Sean Simpson
Senior Server/Web Developer
sean () stitcher com
http://stitcher.com



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]