Automating the Protection – Determining Security Requirements and Controls – SAP-C02 Study Guide

Automating the Protection

Finally, automate all security maintenance tasks as much as possible. Repetitive manual tasks are error-prone and should be avoided at all costs. It may take you a bit more time to put the automation in place at first, but it will pay off from the very beginning as your AWS footprint grows. Automate the deployment of compute resources, taking an infrastructure-as-code (IaC) approach and using AWS CloudFormation or equivalent technology. Then, automate configuration management tasks as well, using built-in solutions such as AWS Systems Manager, third-party solutions you are already used to (such as Chef, Ansible, and so on), or any combination of them.

Now that we have covered network and compute protection, we can proceed to discuss data protection aspects.

Protecting your Data

To start with, here are a few questions you should answer before you take any measures to protect your data:

  • Is the classification of the data used by the solution clearly established?
  • Does the solution process any personally identifiable information (PII)?
  • Does part or all of the solution have to comply with a specific regulation (such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS), or the General Data Protection Regulation (GDPR))? If so, which one(s)?

This is by no means an exhaustive list; it only illustrates the kind of questions that should guide you to a clear understanding of your data security and compliance requirements. Do not rush into solutions or start looking at what your options are until you have the answers.

Data Classification

This is the first step in protecting your data. You need to figure out the type and classification of data your solution needs to handle. Data classification consists of categorizing the data to be processed according to its criticality and sensitivity. It is one of the key factors that will help you determine the degree of protection to apply as well as the data life cycle management.

You want to collect as much information as possible regarding the data at stake, such as the following:

  • Who owns the data?
  • Who has access to it, and what are the permissions for each authorized entity (end user, application)?
  • Does it contain any PII or confidential/sensitive information? Or is the data meant to be publicly available?
  • What are the regulatory compliance requirements?
  • Does any of the data require some transformation (such as anonymization)?
  • What is the expected data retention period? Do you need to delete the data, or part of it, beyond that period?

Then, establish and maintain a data classification system documenting these properties for each type of data your solution must process. If needed, you can rely on tooling to automatically extract some of these properties from the data itself. For instance, Amazon Macie can analyze your data and alert you if it detects any PII.

To ease access control management later, it is also recommended that you tag your data accordingly. You want to use any tag that can help you grant or block access to the data using attribute-based access control (ABAC)—for instance, a team’s identifier (ID) or a project’s ID. Please refer to Chapter 1, Determining an Authentication and Access Control Strategy for Complex Organizations, for more details on ABAC.
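As an added illustration of tag-based access (not taken from the study guide), the following IAM identity policy lets a principal read only the S3 objects whose project tag matches the principal's own project tag. The bucket name example-data-bucket and the tag key project are assumptions chosen for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadObjectsTaggedWithOwnProject",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-data-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/project": "${aws:PrincipalTag/project}"
        }
      }
    },
    {
      "Sid": "DenyRetaggingObjects",
      "Effect": "Deny",
      "Action": [
        "s3:PutObjectTagging",
        "s3:DeleteObjectTagging"
      ],
      "Resource": "arn:aws:s3:::example-data-bucket/*"
    }
  ]
}
```

The second statement keeps readers from changing the tag that the first statement relies on. A principal without a project tag gets no access, because the policy variable cannot be resolved and the condition does not match.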

Now that you have a clearer picture of the data to be processed by your solution, it is time to look at how to protect that data.