AWS Security Best Practices: What Enterprises Need to Know About Open Source TLS

By Flux7 Labs
July 6, 2015

On Tuesday, June 30, Amazon Web Services announced a new open source TLS (formerly SSL) security protocol implementation from the Berlin AWS Summit.

Both our enterprise customers and the press were curious to pick our brains on the development: Should this new implementation be put to use? Will it become a cloud security best practice? Or is the verdict still out, and are other AWS security assessment services still the better choice for organizations?

Upon hearing the announcement, Flux7 Labs CEO Aater Suleman said, “We find that AWS has yet again reinforced its position as a customer-focused cloud provider that is trying to simplify and optimize its customers’ operations and their own as well.

“TLS has been a primary mechanism for securing data over the wire for many years. It got further attention in recent years when Google announced that they will be giving higher ranking to pages using HTTPS and encrypted connections rather than non-encrypted connections.”

Security remains a top concern for enterprises developing their cloud strategies and migration solutions. In fact, it is so important that, at Flux7, we devote a special strategy meeting to work with our customer’s security team, thereby ensuring that all of the security and compliance requirements are taken into account.

When it comes to security, AWS has a rare pedigree, scoring 100% in Gartner’s security category. That score reflects the controls built into all of its services: AWS Identity and Access Management (IAM), thorough compliance certifications and reports, customer-controlled firewalls and access control lists (ACLs), and SSL-secured endpoints.

As organizations expand their use of cloud infrastructure, they often encounter challenges in various areas, including security. Security can appear easy to configure, but it is an area where best practices really come into play. While rare, there have been high-profile security breaches when mistakes were made, including the infamous Code Spaces debacle, where the company went out of business due to a reasonably simple misconfiguration within AWS. In the past year, the service has asked users to disable SSLv3 in response to the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability, as well as to Heartbleed, which, at the time of its discovery, was exposing some 17% of the Internet’s certified secure websites.
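The control behind the SSLv3 advice above is a server-side minimum protocol version. As an added example (not code from the post or from AWS), the Go program below builds a TLS server that enforces a version floor and runs a handshake against a client pinned to an older version, over an in-memory pipe so it works offline; `Handshake`, `selfSignedCert` and the throwaway certificate are assumptions made for the demonstration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// selfSignedCert builds a throwaway certificate for the in-memory test server
// (constructed for this demonstration; not a deployment certificate).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}
// Handshake runs one TLS handshake over an in-memory pipe: the server enforces
// serverMin as its floor, the client offers at most clientMax. nil: accepted.
func Handshake(serverMin, clientMax uint16) error {
	cert, err := selfSignedCert()
	if err != nil {
		return err
	}
	cconn, sconn := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		defer sconn.Close()
		// MinVersion is the server-side floor that takes SSLv3 and other legacy versions off the table.
		srv := tls.Server(sconn, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: serverMin})
		srv.Handshake() // a rejection here surfaces as the client's error below
	}()
	// InsecureSkipVerify only because the certificate is self-signed test data.
	cli := tls.Client(cconn, &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10, MaxVersion: clientMax})
	err = cli.Handshake()
	cconn.Close()
	<-done
	return err
}
```

With a TLS 1.2 floor the server refuses a client that cannot go above TLS 1.1 and accepts one that offers TLS 1.2; lowering the floor to `tls.VersionTLS10` shows the weak configuration accepting the legacy client instead.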

Suleman added that these disruptions have AWS constantly seeking to improve itself, often using the idea of addition by subtraction.

“From our recent data, nearly 90% of the customers on AWS use TLS in one form or the other, whether to protect access to a public website or to provide encryption over the wire between internal servers for compliance requirements. In this case, the recently discovered SSL vulnerabilities caused a lot of disruption for AWS customers and resulted in a lot of work for AWS support staff as well,” Suleman said.

“AWS, again holding on to its promise of customer focus, has tried to solve this problem for their customers. Their solution is simple: remove the less frequently used features, providing a simpler TLS library which is easier to audit. The downside of this approach is that not every customer will be able to use it. However, in our experience, it will satisfy the needs of the majority better than the current tools.”

At present, security, compliance, regulation and the control of data are among the most significant inhibitors to cloud adoption and need to be addressed for adoption to occur smoothly.

Cloud computing is perceived as less secure, but this is more of a trust issue than the result of any reasonable analysis of actual security capabilities. To date, the reality is that there have been very few security breaches in the public cloud compared to those occurring in on-premises data centers.

Even though cloud providers continue to invest in security technology, organizations should not assume cloud infrastructure is automatically secure. It is a shared responsibility.
