Cloud Controls to Major Tom: A Quick Guide to Configuration as a Security Measure
June 13, 2019
Regardless of the type of cloud service offering you choose, IaaS, PaaS, or SaaS, there remain universal security risks that you must always manage, including risks of over-privileged access, a broad surface area, vulnerable code, or the improper use and storage of secrets. For each of these risks, there will be controls that you must manage and controls that others manage. To gain confidence in these delegated security responsibilities review your cloud service providers’ trust centers that provides insights into their compliance with applicable security standards.
Many traditional security and networking tools do not have the ability to inspect the configurations of cloud deployments. Cloud-aware tools often integrate directly into your cloud subscription and leverage service provider APIs to access and query configuration and activity information about your cloud infrastructure. Multi-cloud support by a single tool can be challenging as well because the APIs differ between the major cloud providers and capabilities available on one may not be available on another. Lacework’s cloud security platform is an example of a product that automates threat defense, intrusion detection and compliance for multi-cloud workloads and containers. Below are examples of areas where cloud misconfigurations could result in vulnerabilities and how cloud-aware tooling like Lacework can help.
Cloud Configuration Management
Cloud misconfigurations can result in severe vulnerabilities that put your entire infrastructure at risk. Cloud-aware tools detect scan your CSP configuration against a security standard or best practice and instruct you with appropriate remediation instructions. For example, Lacework integrates directly into your AWS, Azure, or GCP cloud deployments and audits your cloud configuration against the CIS benchmark standard. Lacework generated reports rank findings by severity and categorize by service (e.g., IAM, EC2, and CloudTrail). To aid with remediation the reports hyperlink directly to the relevant section in your AWS management console. For example, by default AWS security groups permit connections to SSH (TCP port 22) from anywhere which conflicts with CIS Benchmark recommendation. Lacework identifies this as a compliance violation and includes links to both the offending resource as well as the specific CIS Benchmark recommendation.
Host Intrusion Detection
Host intrusion detection system (HIDS) agents provide local security monitoring of an instance and look for abnormal behavior. For example, after you deploy a Lacework agent on your Linux host it will begin profile the machine behavior and record outbound connections, DNS lookups, running processes, filesystem changes, and resource utilization. Using this information Lacework assembles a baseline of expected behavior and then alerts when a variance is detected. This approach differs from other HIDS software that relies on signatures or other static rulesets and is designed to effectively operate in highly dynamic cloud environments (e.g., Kubernetes and containers). The Lacework agent also records file system activity, such as when files change or new applications have been installed on a host or within a container. File integrity monitoring is an important detective control that helps identify attacks that evade other techniques by looking for evidence left on the server left after an attack.
Ensure that your vulnerability scanning tools appropriately recognize your environment. For example, the Lacework compliance audit integrates with your AWS, Azure, or GCP subscription to validate that it meets the CIS benchmark security standards and alerts on instances of non-compliance. Lacework also includes some service-specific security recommendations, like for Amazon S3 storage.
Authentication and Authorization
Enumerate roles and look for over-privileged access not just for your IaaS hosts and devices but for your SaaS and PaaS deployments and cloud management consoles as well. Lacework collects information from its agent and directly from your cloud provider to identify privileged access. For example, the Lacework compliance audit will warn you if your cloud environment permits the use of root, while the Lacework agent will alert when the root account (or sudo) is used. It presents this information in a security graph showing each process and under what identity and privilege it was run which makes it easier to follow the trail of user activity.
Leverage Cloud Configuration Technologies
Cloud configurations consist of complex relationships between virtualized objects that represent computing, network, and storage resources. Tooling that recognizes and interprets specific cloud infrastructures and their configurations can help defenders track incident data across these virtualized environments. For example, Lacework alerts include not only the machine’s IP address but also its external IP address, hostname, and cloud-specific information including the cloud account, virtual cloud computing ID, zone, and more. These additional parameters make it much faster to discover the source of a problem.
Additionally, look for security standards created specifically for AWS, Azure, and GCP that define secure cloud configurations for their specific environments. For example, to appropriately secure Amazon AWS you should enable AWS Config and AWS CloudTrail and on Azure, it is recommended to enroll in Azure Security Center. Look to your cloud service provider as well as third party security standards like the CIS Benchmarks as starting points to ensure that your cloud foundation is configured securely per best practice.
Enable the logging of security events in your cloud subscription. In some cases, this might mean the additional configuration of cloud provider-specific features, like AWS CloudTrail. Cloud-aware security software like Lacework ingests and analyzes the logs from your cloud service provider and alerts on interesting events, for example, when a cloud security policy changes.
Containers provide huge benefits for optimizing resource and load demands. Containers and microservices dynamically spin up new resources or turn off unneeded resources continuously depending on load demand which makes static rules difficult to implement and keep current. Ensure that your security tools recognize these new and evolving technologies and adapt accordingly. For example, Lacework activity graphs dynamically update as your Kubernetes, container and cloud environments change and highlight variance over time which could indicate suspicious or attack behavior.
Automate when you can
In addition to the management consoles, cloud service providers expose their services through unique interfaces and most publish APIs to manage their configurations. Review the software development kits (SDK) and look for security controls that you can leverage and automate. These automated controls will scale better and are less prone to error than manual controls and your risk of misconfiguration will drop.
Cloud service providers constant release new services and features that expand their products and it is important to ensure your organization understands the security implications of these features and configures them correctly to avoid unwanted vulnerabilities. Many of these new features include security improvements that help protect, detect, and respond to threats in your cloud deployment. Complement these features with cloud-aware tools to ensure that your security controls remain effective across your virtualized infrastructures. And lastly, don’t forget to regularly review and update your auditing tools to reflect changes that could put your configuration at risk.