- [Seph] While this isn't a security specific course, security should always be considered. Whether you're building a multi-tiered globally accessed application or you're discussing migration of your environments like we are here, security needs to always have a place in the conversation. With the migration discussion, our talking points aren't different from many of the topics that would normally be covered. Our focus is will likely be things you've heard before as we'll be talking about protecting your data in transit, protecting your data at rest, and protecting access to your data for use. And while these may not be new topics, it is important to understand them in the context of a multi-environment communication. When securing data in transit, our goal is to make sure we can communicate easily between environments while protecting the data. This is where you try to reduce the risk of unauthorized exposure by defining and enforcing requirements and implementing controls. You definitely want to make sure you have defined data protection in transit requirements and encryption standards based on data classification to meet your organizational, legal, and compliance requirements. Also enforce your defined encryption standards to ensure that meeting these requirements is not optional. Additionally, ensuring that there are tools and controls in place to help you with enforcement of your standards will go a long way towards helping you stay secure in transit. The first and one of the easiest things you can do is just to use authenticated network communication protocols. Using IPsec tunnels and transport layer security or TLS to encrypt in transit will go a long way to reduce the risk of data tampering or loss. Additionally, setting up automated tools to help identify when other issues or risk become apparent can also be very helpful. Using a tool or detection mechanism to automatically detect attempts to move data outside of defined environment boundaries can be very helpful in identifying any threats to your security and help prevent data exposure. With data at rest, encryption is really the biggest point here. You will really want to make sure you have established and enforced encryption methods in place for everywhere data is held in your environment. In addition to this, your key management solutions will play a big part in your encryption for your data. Depending on the services within AWS and your current environments resources that you're using, there are several options that you can look into for helping you to maintain data security at rest. For instance, many of the data store services with AWS have options that are simple to implement where you essentially turn on encryption for that service. For your current environment, if you are not already using an encryption key management solution, it will be important to evaluate and find a solution as soon as possible. And I know it can reduce the level of desired performance depending on the resources or AWS services you're using when you start to implement encryption mechanisms but that is why it's important to have these conversations early on so that any additional performance overhead encountered by your security measures can be considered for your migration expectations. When it comes to securing your data use while migrating, we're focusing on general data access and permissions. As with other areas of access control and permissions that we usually talk about with AWS, using a least-privilege access model is going to be a great mindset to keep. Users and applications should only have access to the specific data they need should be given access for only when they need it and should only be able to access how you want them to access it. Depending on the datastore options you have available to you, the level of granularity you're able to provide in terms of what each user can access will vary. It's just important to take the extra work to make sure that no one has access to more than they should or at least that they only have access to the appropriately classified data. For limiting when they should have access, using AWS services and automated mechanisms that allow you to limit time users have to access data will become very helpful. Sometimes, this can be done in a policy. Other times, you need to look at automation jobs or workers they can open and close connectivity methods to ensure that data is only accessed when necessary. And for limiting how you want users to access, that's when we go back to enforcement of the methods that you established when looking at protecting your data in transit. Making sure only secured connections and protocols are used helps to avoid the accidents that can occur when those become optional instead of required. Well, that's all that I have for you in terms of multi-environment security. I know this was all very broad and theoretical but a lot of the specifics will depend on what resources, tools, and services you have available to you and what features they provide in terms of security. Make sure you check the course notes for links to provide additional information around securing your environments and keep thinking about how those concepts can be implemented in your multi-environment setup as you're migrating. I'll see you later.
