"I hate cloud security." Part 2 of 3: Compliance for cloud toddlers
May 6, 2020
In a previous post, I talked about why we do hate cloud security.
The cloud, of course, represents an almost perfect democratization of technology, and cloud resources are often not secure by default, nor is it typically easy to understand what needs to be done to secure them.
In Step 1 of this series, I discussed the importance of knowing your entire estate. In Part 2 below, I outline measures for measuring and reporting on your compliance.
Part 2 of 3 - Measuring your Compliance
Congratulations on your cloud estate! You are the master of your see, virtually omniscient. You've "discovered" your wealth of cloud servers and services (at least for today), scanned them with impunity, and it's not even lunchtime. Go reward yourself with a juice box and a couple of atta-boys or atta-girls in the mirror. I'll wait.
Now that you've got a grip on your company's cloud presence, it's time to get down to the serious business of measuring and reporting on compliance.
There are the two traditional paths you can take, buy or build, or of course a hybrid of the two. Regardless of which you choose, you'll find some comfort in the fact that it’s not a whole new world, and no one is going to ask you to sing Disney show tunes. Your cloud compliance regime should feel like a natural extension of on-premise security.
Cloud means many things to many people. I'm going to focus here on IaaS (Infrastructure as a Service) and PaaS (Platform as a Service). SaaS would be the third leg of the stool, but the SaaS vendor is going to manage the security for you, except for identity and privileged access.
Smart toddlers will know that IaaS is the cloud equivalent of a datacenter, and is made up of virtual machines(VMs). Depending on how you count, cloud VMs are maybe the fourth wave in server evolution, right after VMs in data centers, and right before containers in the cloud. Simply, you can think of IaaS as just more servers to be managed, and apply traditional tools as well as their cloud analogues. Vulnerability management, patch management, configuration compliance and privileged access management all apply here.
Some considerations:
- An agent based approach is the right way to go for most tooling, as you will likely not have permanent IPv4 space to scan, as you would in a data center
- You likely won't have the same type of firewall or network segmentation as you might have in an on prem datacenter. There are analogues in the cloud, so take the time to understand them.
PaaS to me is the most exciting part of the cloud.
New capabilities for storage and compute that enable hyperscale service delivery are now on tap for toddlers and experts alike. And of course, looking at news articles about breaches and compromised data, we quickly see that services such as ElasticSearch, S3, and Azure Web Apps all have attributes that need to be locked down, as do most other cloud services. Sometimes it's as simple as limiting public access, and in other cases a little more effort may be required.
Key thoughts:
- Don't become a statistic. Understand the service, its default security posture, and the key attributes required to protect it.
- Take advantage of administrative and security feeds like CloudWatch or Azure Monitor.
- Keep up with changes. It's a fast moving space, and may require security posture changes.
For both areas, it's important, of course, to keep your asset inventory up to date, and scan for compliance regularly, as I mentioned in the last installment. Clever toddlers take care of their toys. This means both scanning with credentials where appropriate, but also playing the role of bad guy and casing your cloud from the outside regularly with a scanning tool. What scales well for you, scales equally well for crooks and hackers. What the bad guys could do, how they could they escalate privileges, and what data is at risk are all good questions to ask yourself as you're choosing tools and designing your approach.
One last point before closing: root level access management is absolutely critical for your cloud account. Consider how you're going to manage and protect access to your cloud. There are many options, and I recommend you treat it with the same care as you would a domain administrator account.
Next up, Part 3 - Cleaning Up to Prevent
