AWS Security Compliance
Sukesh Kumar

What is AWS?

AWS is known as Amazon Web Services, which is a cloud platform by AMAZON. AWS provides Multi-functional resources where we can use the services according to the Project Requirement. AWS responsibility “Security of the Cloud” - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

Earlier we used to have Physical Virtual Machines which are maintained in our on premise environments. Where all the data is stored in the hard drives which are inserted manually and are upgraded according to the need of infrastructure. In this aspect though we have a security risk to our environment, the risk attacks are very high in number. Now-a-days we maintain the infrastructure on different Cloud Platforms where we have less infrastructure cost and also easy to maintain. These services are maintained in two aspects i.e. on premises and Private cloud. This is totally dependent on the Companies which type of services they need. When we use the cloud services, we have a very minimal risk of attacks and also the data can be secured in much peculiar way.

As an organization Security is one of the KEY Aspect which everyone thinks about. How secure the data and the servers are maintained. For every organization we have different types of security measures which are taken care on every Quarter. To Maintain this security measures, Security Manager is responsible to take the challenge and maintain their environment more Secure. These security People are so called as ISG’s or IRT and Security Manager. These are defined according to the organization. Every Organization has different levels of Security Certificates to represent their organization with their clients.

As a security measure every organization should be certified in the security levels. If these are not under security, then it is a non-complaint according to the security. The organization has to renew the certificate yearly.

Security

In Security we have different types of security levels and also different certificates where we can get complied off. For Example we have ISO 20000, SOC, PCI-DSS, SIPA, HIPAA, and CIS. For an ecommerce company where the transactions are involved we need to get certified in any of the aspect as per the rules. As a security measure the customer data should not be saved in the servers. If the information is saved the contract with the customer is void and also it is a breach of contract as per the security norms. As a security measure we use and maintain all the firewalls and also password protections are enabled. And data is also encrypted and restrict access to the certain users as per the norms. We restrict physical access to the servers to the employees, these access may be given as per the project requirements. All the logs are stored to analyze the issues if we get any threats. These all are adhere to the document policies which are transmitted to all the employees.

All the environments should be PCI or ISO compliant. Even the employee’s resources should be complaint as per the policy. Hence, all our data of the employees are scanned yearly by the security team and make them complaint as per the policies.

As we “SYMPHISYS” is an ecommerce organization, we maintain all the security standards as per the defined policies, and we the employees of the organization will adhere as per the policies. As a security standard we are adhere to the GREEN ARMY of our AWS Environment which is so called as “CIS”. CIS is one of the very useful security tool which can be run on the hardened servers to check the vulnerabilities and also security attacks. AWS Security Hub supports the CIS security standards and also has set the certain benchmarks. This AWS security Hub runs the checks for every 2 hours. We also have the periodical check from the last scan which is done.

According to the findings from the report, we also have the security SLA’s which are defined to resolve the issues. We also have the option to scan for vulnerability if any. Symphisys maintain all the servers to be vulnerable.