Amazon AWS is at the heart of many of our customers' workloads. Last year I started a series of tech blogs to discuss how to leverage Centrify's product portfolio to secure your AWS assets.
This year, I've had the opportunity to review the AWS Security Best Practices document and in this new series we'll provide guidance on how to implement controls to meet or exceed the Shared Responsibility Model.
This article discusses how you can use Centrify Privilege Service to meet or exceed the requirements to secure shared database accounts in Amazon RDS.
About the Shared Responsibility Model
The concept is very straightforward. Amazon AWS implements controls that provide assurance for confidentiality (e.g. encryption at rest and in transit), integrity (transaction trust) and availability (redundancy of hardware, power, etc.); however, depending on your business requirements, you may need to add controls to increase your security posture or to provide assurances to your customers beyond what AWS offers.
Amazon AWS defines a "Shared Responsibility" model with the following scope:
- Infrastructure Services: Controls that apply to IaaS services like EC2, VPCs and Block Storage.
- Container Services: Controls that apply to PaaS services like RDS Database, EMR MapReduce or Elastic Beanstalk.
- Abstracted Services: Controls that apply to Services like S3 Storage, SES SMTP, etc.
How are Amazon RDS instances secured?
The AWS Security Best Practices document specifies the following information:
Amazon's best practices provide information about data security, encryption and additional controls for each database; however, it's up to you to secure other areas, such as shared database accounts. This is where Centrify Privilege Service can help you meet or exceed your goals for shared responsibility.
Note that it is still possible to add your instance to an infrastructure like Active Directory; you can still control the shared account and apply least privilege to other users.
The Database Shared Account issue
The problem is straightforward. When you provision an Amazon RDS instance, you are provided with an administrative account that is typically shared amongst administrators.
In an enterprise environment, depending on the data classification, risk profile, regulation or policy, you have to be able to control the shared account lifecycle:
- Governance/Business Process: Request/Approve
- Password operations: Check-out/Check-in, Rotate/Update, Maintain History.
- Policy: length, complexity, expiration, rotation requirements, etc.
- Operations: Provide input for security operations (monitoring, remediation) and compliance.
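As an added example (not Centrify's code or API), the following Python model shows the shared-account lifecycle the list above describes: check-out/check-in, rotation on every check-in and on expiry, password history, a length/complexity policy, and an event trail that can be exported to monitoring. `SharedAccount` and the `apply_password` callback are assumed names; in a real deployment the callback would be the call that sets the RDS master password, and here it is a stand-in so the example runs offline.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Character classes every generated secret must draw from (complexity policy).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#%^*-_=+")

def generate_secret(length):
    """Random secret of the given length with at least one character from every class."""
    chars = [secrets.choice(c) for c in CLASSES]
    chars += [secrets.choice("".join(CLASSES)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

@dataclass
class SharedAccount:
    """One RDS master account under vault control (hypothetical model, not Centrify's API)."""
    name: str
    apply_password: callable  # pushes the new secret to the database (e.g. RDS ModifyDBInstance)
    min_length: int = 24  # policy: length/complexity
    max_age: timedelta = timedelta(days=30)  # policy: rotation requirement
    current: str = ""
    rotated_at: datetime = None
    checked_out_by: str = None
    history: list = field(default_factory=list)  # prior secrets, kept for rollback and forensics
    events: list = field(default_factory=list)  # audit trail to export to monitoring

    def rotate(self, actor, now):
        new = generate_secret(self.min_length)
        self.apply_password(self.name, new)  # must succeed before the vault forgets the old secret
        self.history += [self.current] if self.current else []
        self.current, self.rotated_at = new, now
        self.events.append((now.isoformat(), actor, self.name, "rotate"))

    def checkout(self, user, now):
        if self.checked_out_by:
            raise PermissionError(f"{self.name} already checked out by {self.checked_out_by}")
        if self.rotated_at is None or now - self.rotated_at > self.max_age:
            self.rotate("vault", now)  # lazily enforce the rotation requirement
        self.checked_out_by = user
        self.events.append((now.isoformat(), user, self.name, "checkout"))
        return self.current

    def checkin(self, user, now):
        if self.checked_out_by != user:
            raise PermissionError(f"{user} does not hold {self.name}")
        self.checked_out_by = None
        self.events.append((now.isoformat(), user, self.name, "checkin"))
        self.rotate("vault", now)  # single-use secret: rotate on every check-in
```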
Controlling the Governance Lifecycle
Centrify Privilege Service provides the ability to take control over this process and enhance your capabilities: it can implement an Access Request model (native or with ServiceNow) to control the request and approval flow.
Controlling Password Operations Everywhere
Centrify enhances the SAPM process by providing the ability to control both on-premises and public-cloud database deployments. The Connector infrastructure facilitates the deployment.
Leverage your Enterprise Directory (AD or LDAP) and have the flexibility to use federated identity, Google for Work or the built-in Centrify Directory for added flexibility.
RBAC, Policy Engine and Multi-factor Authentication (MFA)
Role-based access control starts with a solid grasp of identity. With CPS, roles can be constructed leveraging any identity source visible to the platform.
Establish controls such as access only from inside the network or based on geo-location, and use modern multi-factor methods (Smart Card, Yubikey, OATH, Authenticator), step-up methods (e-mail, phone factor, SMS) or your own legacy infrastructure (SecurID, Vasco, Symantec).
Enhance Security Operations
Flexible mechanisms export event information (REST, SQL) for integration with your existing monitoring infrastructure, or you can leverage the provided dashboards and activity feeds.
Demo: Setting up Centrify Privilege Service to Manage a SQL Server-based Amazon RDS Instance