Enhancing cloud security for AWS deployments

Sep 13, 2018 | 5 mins
Access Control, Cloud Security, Security

As organizations continue to move their IT infrastructure to AWS or other cloud providers, addressing complex access control use cases with dynamic authorization is essential.


Many organizations are migrating their entire IT infrastructure to the cloud and adopting a “cloud first” approach. With this approach, organizations cut overall IT costs while increasing scalability, modernizing their IT infrastructure and enabling collaboration among development teams to help solve complex challenges.

The most popular cloud computing platform on the market today is Amazon Web Services (AWS). With 33 percent of the market share, AWS is a leader in facilitating this cloud computing migration. Shifting to an AWS deployment offers many benefits, including ease of use, the ability to scale and usage-based pricing. If a developer needs a new server, they can quickly and easily spin one up at low cost without waiting for IT to order and provision a physical server.

The advantages of an AWS deployment do outweigh the risks, but it is important to understand where the limitations are and how to mitigate them. A common challenge is cloud security. AWS provides built-in security features like Identity and Access Management (IAM) to help control access to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) services. However, the security of transactions and data handled in AWS requires a deeper look and, most often, needs additional tools.

In addition, cloud platforms introduce new technology capabilities (such as orchestration) that require IT staff to consider new processes, including security processes. For example, enterprises want to leverage cloud data storage to gather data from various sources. Previously, the data container, or the application that was hard-wired to the data container, handled security. When organizations pool data from multiple sources, they must rethink the security model and how it is applied across the enterprise.

AWS and other cloud platforms require organizations to rethink security principles

Out-of-the-box, AWS doesn’t offer the level of control and security needed to leverage data in the cloud while keeping sensitive data secure. Security products have emerged to protect the cloud, but they fall short because they tend to focus on the security of the infrastructure and containers instead of the protection of the data itself.

AWS does have an IAM strategy, focused on authorizing administrators to spin up/down servers, databases, containers, etc. A limitation of the AWS IAM strategy is that it focuses on the infrastructure rather than the data, and it uses the same legacy identity/role/group-based approach to authorization, which is often not sophisticated enough to secure critical information.

Organizations require more advanced security measures than what’s provided by AWS. Security controls need to address the legal, regulatory, compliance and business requirements for the proper handling and sharing of sensitive digital assets. They must also implement access policies consistently across cloud platforms, rather than incurring the additional risk and cost of cloud platform-specific tools. Finally, security tools must be built and deployed in a cloud-native manner to be managed the same way business application workloads are managed.

Dynamic authorization for AWS hosted data

Organizations can expand access control beyond AWS with externalized dynamic authorization delivered with Attribute Based Access Control (ABAC). Dynamic authorization for AWS works by leveraging access control and business policies to dictate what resources can be accessed. Policies are a direct reflection of business requirements and/or compliance rules and are easy to understand.

With this approach, organizations can define their data access policies once and apply them consistently on-premises and in AWS deployments. Using policies instead of code makes dynamic authorization the system of choice to increase visibility, scalability and efficiency.

The advantage of dynamic authorization for AWS deployments

With the implementation of dynamic authorization for AWS deployments, organizations ensure secure access to applications and data in the cloud while also realizing a wide range of other benefits, from fine-grained access control to centralized digital policy management to faster proof of concepts and deployments.

Other benefits include:

  • Running an access control service in AWS alongside protected applications and data provides maximum system performance and allows organizations to operate the security infrastructure in the same way that applications are managed.
  • Dynamic authorization for AWS saves developers a significant amount of time because application development conforms to the microservice approach of bounded context and calls external services for security functions. Developers are no longer burdened with adding security logic to their APIs/microservices. Instead, they can call another microservice to process access decisions.
  • Application maintenance costs are greatly reduced by separating security logic from the application itself. By moving this exercise to a dedicated service, access policy changes can be implemented independent of the business logic code, resulting in a much simpler/faster access policy change process.
  • A dedicated dynamic authorization system can react faster to policy change requests because code changes are eliminated. Instead, policy changes are made in the authorization service via configuration and distributed to the runtime services.
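The externalized decision described in the two sections above, as an added example that is not the article's or Axiomatics' code: a small attribute-based policy decision point in Python whose policies are data, plus a microservice enforcement point that only calls it. The attribute names, rules, sample values and the deny-overrides combining rule are all assumptions constructed for illustration.

```python
# Added example, not code from the article or from Axiomatics: a minimal
# externalized ABAC policy decision point (PDP). Policies are data evaluated
# against subject, action, resource and environment attributes; all attribute
# names and sample values below are constructed for illustration.
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, "in": lambda a, b: a in b}
# Constructed policy set. A rule applies when the action matches and every
# condition holds. An operand written "<category>.<name>" is looked up in the
# request; any other operand is a literal.
POLICIES = [
    # Any active account may read records classified as public.
    {"effect": "Permit", "action": ["read"],
     "when": [("resource.classification", "==", "public"),
              ("subject.account_status", "==", "active")]},
    # The owning department may read and update its records in business hours.
    {"effect": "Permit", "action": ["read", "update"],
     "when": [("subject.department", "==", "resource.owning_department"),
              ("environment.hour", "in", range(8, 18))]},
    # Confidential records are never accessible from outside the corporate network.
    {"effect": "Deny", "action": "*",
     "when": [("resource.classification", "==", "confidential"),
              ("environment.network", "!=", "corporate")]},
]

def _resolve(request, operand):
    """Attribute references resolve against the request; a missing attribute yields None, so comparisons fail closed."""
    if isinstance(operand, str) and "." in operand and operand.split(".", 1)[0] in ("subject", "resource", "environment"):
        category, name = operand.split(".", 1)
        return request[category].get(name)
    return operand

def _applies(rule, request):
    if rule["action"] != "*" and request["action"] not in rule["action"]:
        return False
    return all(OPS[op](_resolve(request, lhs), _resolve(request, rhs)) for lhs, op, rhs in rule["when"])

def authorize(policies, subject, action, resource, environment):
    """Deny-overrides combining: any matching Deny wins, then any Permit; no applicable rule means Deny."""
    request = {"subject": subject, "resource": resource, "environment": environment, "action": action}
    effects = {rule["effect"] for rule in policies if _applies(rule, request)}
    return "Deny" if "Deny" in effects or "Permit" not in effects else "Permit"

def get_record(subject, record, environment, policies=POLICIES):
    """Enforcement point inside a microservice: it holds no access logic, only the call to the PDP."""
    decision = authorize(policies, subject, "read", record, environment)
    return {"status": 200 if decision == "Permit" else 403, "decision": decision}
# Constructed sample attributes.
ALICE = {"department": "finance", "account_status": "active", "role": "analyst"}
LEDGER = {"id": "rec-42", "owning_department": "finance", "classification": "confidential"}
OFFICE, HOTEL = {"hour": 10, "network": "corporate"}, {"hour": 21, "network": "internet"}
# A policy change without a code change: auditors may read any record (Deny rules still override).
AUDIT_POLICIES = POLICIES + [{"effect": "Permit", "action": ["read"], "when": [("subject.role", "==", "auditor")]}]
```

Appending a rule to the policy list, as `AUDIT_POLICIES` does, is the whole change request; `get_record` and the rest of the service are untouched.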

As more organizations tap the power of the cloud and migrate their infrastructure to platforms like AWS, the need to address complex access control use cases for AWS-based resources is going to continue to grow. By leveraging dynamic authorization delivered with ABAC, organizations enable secure access to the administration of AWS deployments, as well as to the sensitive information assets, such as applications and data, that are now stored within AWS.


Gerry Gebel is the vice president of business development at Axiomatics. He is responsible for sales, customer support, marketing, and business development for the Americas region. In addition, he contributes to product strategy and manages partner relationships.

Before joining Axiomatics, Gerry was vice president and service director for Burton Group’s identity management practice. He covered topics such as authorization, federation, identity and access governance, user provisioning and other identity management (IAM) topics. In 2007, he facilitated the first-ever XACML interoperability demonstration at the Catalyst conference.

In addition, Gerry has nearly 15 years' experience in the financial services industry including architecture development, engineering, integration, and support of Internet, distributed, and mainframe systems.

The opinions expressed in this blog are those of Gerry Gebel and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.