
Ministry of Justice publishes public cloud security baseline

Guidelines from the Ministry of Justice aim to avoid potential cloud security issues such as S3 ‘leaky buckets’

The Ministry of Justice (MoJ) has set security guidelines for use of public cloud computing services provided by Amazon Web Services (AWS).

The MoJ uses public and private clouds intensively to operate more than 800 different technology systems ranging from device management for laptops to case management, as well as new digital services.

The department mainly uses AWS and Microsoft Azure for commodity public cloud hosting. On AWS in particular, the MoJ noted that it has more than 120 accounts, which can be configured differently.

This has prompted the MoJ to publish its security baseline for AWS accounts, which sets “a ‘lowest common denominator’ for security-related promises, capabilities and configurations of AWS accounts”.

According to the MoJ’s Siddharthan Elangovan, senior security engineer, and Joel Samuel, cyber security consultant, the department wanted to set the guidance “at a good level”, while catering for the various architectures and applications without burdening teams.

The guidelines also aim to ensure best practice to avoid issues such as “leaky S3 buckets”, Elangovan and Samuel said, referring to potential breaches in AWS’s public cloud storage service.

The good practices, according to Elangovan and Samuel, cover areas such as encryption, as well as use of AWS platforms intended to provide security “with minimal effort”. The baseline recommends that AWS Config, CloudTrail and GuardDuty (the company’s configuration auditing, user activity tracking and threat detection services respectively) be enabled on all accounts at all times.

“The baseline is not a holistic list of dos and don’ts, but a minimum line in the sand for what ‘at least’ must be done,” the specialists said in a blog post.

To help its customers handle their increasingly complex cloud portfolios and avoid potential S3 security failures, AWS has introduced tools such as access control lists (ACLs) and bucket policies, which let customers grant access to the public or to other AWS accounts after they create S3 buckets.

In addition, the company has rolled out functionality that gives S3 customers an easy way to see which buckets are marked as publicly accessible. New S3 buckets are also private by default.
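The baseline described above, with Config, CloudTrail and GuardDuty required on every account, together with the account-level S3 public access settings mentioned here, lends itself to an automated compliance check run across many accounts. The following is an added example, not code from the MoJ or from AWS. It evaluates constructed account snapshots offline: the snapshot keys follow the shape of the corresponding AWS API responses (describe_trails, get_trail_status, get_detector, describe_configuration_recorder_status and get_public_access_block), with the trail status merged into each trail record, but the data is invented and nothing in the block calls AWS.

```python
"""Evaluate AWS account snapshots against a minimum security baseline:
CloudTrail, GuardDuty and AWS Config enabled on every account, plus
account-level S3 public access blocking.

The snapshots are constructed sample data. Their keys mirror the shape of
the AWS API responses named in the lead-in, but nothing here calls AWS.
"""

from typing import Dict, List

# Constructed sample: one compliant account and one with several gaps.
ACCOUNTS: Dict[str, dict] = {
    "111111111111": {
        "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True,
                    "LogFileValidationEnabled": True, "IsLogging": True}],
        "guardduty_detectors": [{"Status": "ENABLED"}],
        "config_recorders": [{"recording": True}],
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    },
    "222222222222": {
        "trails": [{"Name": "legacy", "IsMultiRegionTrail": False,
                    "LogFileValidationEnabled": False, "IsLogging": True}],
        "guardduty_detectors": [],
        "config_recorders": [{"recording": False}],
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    },
}

# The four account-level S3 public access block settings.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def check_account(snapshot: dict) -> List[str]:
    """Return the baseline findings for one account (an empty list means compliant)."""
    findings: List[str] = []

    # CloudTrail: at least one active multi-region trail, with log file validation on.
    trails = snapshot.get("trails", [])
    if not any(t.get("IsLogging") and t.get("IsMultiRegionTrail") for t in trails):
        findings.append("cloudtrail: no active multi-region trail")
    if not any(t.get("LogFileValidationEnabled") for t in trails):
        findings.append("cloudtrail: log file validation disabled")

    # GuardDuty: an enabled detector must exist.
    if not any(d.get("Status") == "ENABLED" for d in snapshot.get("guardduty_detectors", [])):
        findings.append("guardduty: no enabled detector")

    # AWS Config: a configuration recorder must actually be recording.
    if not any(r.get("recording") for r in snapshot.get("config_recorders", [])):
        findings.append("config: recorder not recording")

    # S3: every public access block setting must be switched on at account level.
    pab = snapshot.get("public_access_block", {})
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append("s3: public access block incomplete (" + ", ".join(missing) + ")")

    return findings


def evaluate(accounts: Dict[str, dict]) -> Dict[str, List[str]]:
    """Check every account; maps each account id to its list of findings."""
    return {acct: check_account(snap) for acct, snap in accounts.items()}


if __name__ == "__main__":
    for acct, findings in evaluate(ACCOUNTS).items():
        print(f"{acct}: {'OK' if not findings else 'NON-COMPLIANT'}")
        for finding in findings:
            print("  -", finding)
```

In a real deployment the snapshot for each account would be assembled from the API calls named above, typically via a role assumed from a central audit account, and the findings fed into whatever ticketing or alerting the security team already uses; the checks themselves stay the same.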
