As cloud security breaches due to configuration errors keep hitting the news headlines, the topic of security posture continues to get its fair share of attention in company board meetings. With information security leaders under pressure to report on cloud security, your job as the security architect balancing the needs of information security departments with the flexibility your developers need is not easy.
As you unravel the approach that works best for your security and developer teams, I want to share some novel capabilities and creative techniques that have helped CloudHealth Secure State’s users in managing cloud security and compliance risk more effectively.
5 ways to improve your cloud security posture
1. Real-time visibility into security risks
Last year, our research team ran a honeypot experiment to understand how long it takes an attacker to find vulnerable cloud assets on the internet. The team published their cloud access keys in a GitHub public repository. Within minutes of checking in the code, we saw the account being probed.
This incident and similar studies by other researchers have shown that attackers have become extremely sophisticated in leveraging automation to find vulnerable assets. When attackers can exploit your cloud assets and cost hundreds of thousands of dollars in damage within minutes, you must monitor your clouds on a real-time basis.
Unfortunately for security teams, even the most established cloud security solutions today rely on periodic cloud API scanning techniques to monitor assets. With scanning, your visibility into cloud vulnerabilities is limited to when you ran your last security scan. If you scan too frequently for faster detection, you risk hitting API rate limits and getting into a conflict with your developers who use the same APIs to provision and change resources. Scan less frequently and you give attackers the buffer time they need to find critical assets.
Figure 1: Comparison of API scanning vs. CloudHealth Secure State’s hybrid event-based detection technique
CloudHealth Secure State uses a smart combination of scanning and event detection techniques. By scanning APIs in the beginning, it builds an asset baseline to get an understanding of your cloud environment. Once that is done, the solution intelligently listens to events to detect changes and associated security risks. With a hybrid approach, you get the real-time visibility necessary to quickly respond to risks without bombarding your cloud environments with frequent API scans.
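The hybrid approach above can be sketched in code: one scan seeds a baseline, and change events keep it current. The following is an added illustration written for this article, not CloudHealth Secure State's code; the asset records, the event shapes (loosely modelled on audit-log records) and the sequence numbers are constructed. It also covers the caveat an event-driven design must handle: if an event is lost, the inventory silently drifts, so a gap in the sequence is used to request a fresh scan.

```python
"""Hybrid scan + event inventory (added example; constructed data)."""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Asset:
    asset_id: str
    kind: str
    attrs: Dict[str, object] = field(default_factory=dict)

# Constructed sample: what a one-off API scan might return.
SCAN_RESULT = [
    {"id": "sg-0a1b", "kind": "security_group", "ingress": []},
    {"id": "i-0123", "kind": "instance", "public_ip": None, "sg": "sg-0a1b"},
]

# Constructed sample change events with a monotonic sequence number.
EVENTS = [
    {"seq": 1, "name": "AuthorizeSecurityGroupIngress", "resource": "sg-0a1b",
     "detail": {"port": 22, "cidr": "0.0.0.0/0"}},
    {"seq": 2, "name": "AssociateAddress", "resource": "i-0123",
     "detail": {"public_ip": "203.0.113.10"}},
    {"seq": 3, "name": "TerminateInstances", "resource": "i-0123", "detail": {}},
]

def build_baseline(scan) -> Dict[str, Asset]:
    """Turn scan output into the in-memory baseline (deep-copied so runs are independent)."""
    return {
        a["id"]: Asset(a["id"], a["kind"],
                       copy.deepcopy({k: v for k, v in a.items() if k not in ("id", "kind")}))
        for a in scan
    }

def apply_event(inventory: Dict[str, Asset], event) -> List[str]:
    """Update the inventory for one event and return any findings it raises."""
    findings = []
    asset = inventory.get(event["resource"])
    if asset is None:
        return findings
    if event["name"] == "AuthorizeSecurityGroupIngress":
        rule = event["detail"]
        asset.attrs["ingress"].append(rule)
        if rule["cidr"] == "0.0.0.0/0":
            findings.append(f"{asset.asset_id}: port {rule['port']} opened to the internet")
    elif event["name"] == "AssociateAddress":
        asset.attrs["public_ip"] = event["detail"]["public_ip"]
        sg = inventory.get(asset.attrs.get("sg"))
        if sg and any(r["cidr"] == "0.0.0.0/0" for r in sg.attrs["ingress"]):
            findings.append(f"{asset.asset_id}: now publicly reachable at {asset.attrs['public_ip']}")
    elif event["name"] == "TerminateInstances":
        inventory.pop(asset.asset_id)
    return findings

def run(scan=SCAN_RESULT, events=EVENTS) -> Tuple[Dict[str, Asset], List[str], bool]:
    """Seed from the scan, then replay events; flag a rescan if the sequence has a hole."""
    inventory = build_baseline(scan)
    findings: List[str] = []
    last_seq, rescan_needed = 0, False
    for ev in sorted(events, key=lambda e: e["seq"]):
        if ev["seq"] <= last_seq:          # duplicate delivery: ignore
            continue
        if ev["seq"] > last_seq + 1:       # missed event: the baseline may be stale
            rescan_needed = True
        findings.extend(apply_event(inventory, ev))
        last_seq = ev["seq"]
    return inventory, findings, rescan_needed

if __name__ == "__main__":
    inv, found, rescan = run()
    print(found, "rescan needed:", rescan)
```

The two findings come from events alone, without a second scan; the rescan flag is what keeps the approach honest when the event stream is not reliable.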
Are your public cloud providers' native security tools enough to keep your environment secure? Learn more in our article dedicated to the subject, or by comparing the security services offered by the big three cloud providers in our complete comparison guide.
2. Deployment context for investigating issues
A big challenge for many companies is that security teams and developers work in silos. As a security architect, you’re often unaware of what developers deploy, and developers don't know what security practices to follow. And without context, it’s very difficult for you to act on the alerts you receive. If something is misconfigured, would you modify the asset without consulting the developer? When you get thousands of such alerts, which one do you prioritize? Do you forward all of them to developers? If you do, you risk losing credibility. If you don’t, you pile on technical debt and increase security risk.
Figure 2: Security violation with deployment context reported by CloudHealth Secure State
This is the reason why deployment context is critical for cloud security teams. Imagine a scenario where you just received a notification that a developer has deployed an EC2 instance that’s publicly accessible. Is that a security risk? Potentially, but you don’t know for sure. You need additional details to investigate further.
As you analyze the issue, you find out that the instance has administrative privileges to an S3 bucket with critical data. Now you know for sure that it’s a high-risk violation. An attacker can use brute force techniques to log in to this instance and steal your data. With this context, you may want to either assign this instance to a different role that doesn't have the elevated privilege, or remove the 'AmazonS3FullAccess' policy from the assigned role. If this privilege is indeed required by an instance, you might consider using a different, non-public instance to perform these privileged tasks.
As we can see in this scenario, context is what makes a security alert actionable. CloudHealth Secure State provides deep insight into deployment context to security teams, making it easier for them to prioritize issues, reduce noise, and convince developers to fix security vulnerabilities.
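The prioritization described in this scenario is a join across three records: the instance, its security group and the IAM role attached through its instance profile. The following is an added example written for this article, not the product's rule engine; 'AmazonS3FullAccess' is the managed policy named in the text, while the instance, security-group and role records are constructed samples.

```python
"""Context-enriched evaluation of a public EC2 instance (added example; constructed data)."""
from typing import Dict, List

# Constructed inventory records. Only the policy name AmazonS3FullAccess comes from the text.
INSTANCE = {"id": "i-0123", "public_ip": "203.0.113.10", "sg": "sg-0a1b", "role": "app-role"}
SECURITY_GROUPS = {"sg-0a1b": [{"port": 22, "cidr": "0.0.0.0/0"}]}
ROLES = {
    "app-role": {"policies": ["AmazonS3FullAccess"]},
    "batch-role": {"policies": ["AmazonS3ReadOnlyAccess"]},
}

# Managed policies whose presence on an internet-reachable instance raises severity.
SENSITIVE_POLICIES = {"AmazonS3FullAccess", "AdministratorAccess"}

def is_internet_reachable(instance, sgs) -> bool:
    """Public address plus at least one world-open inbound rule."""
    if not instance.get("public_ip"):
        return False
    return any(r["cidr"] == "0.0.0.0/0" for r in sgs.get(instance["sg"], []))

def evaluate(instance, sgs=SECURITY_GROUPS, roles=ROLES) -> Dict[str, object]:
    """Return severity and the remediation options the text lists, based on context."""
    reachable = is_internet_reachable(instance, sgs)
    attached = set(roles.get(instance.get("role"), {}).get("policies", []))
    risky: List[str] = sorted(attached & SENSITIVE_POLICIES)
    if reachable and risky:
        severity = "high"
        actions = [f"detach {p} from role {instance['role']}" for p in risky] + [
            "or assign the instance a role without these policies",
            "or run the privileged task from a non-public instance",
        ]
    elif reachable:
        severity = "medium"
        actions = ["confirm with the owner that the instance must be public"]
    elif risky:
        severity = "low"
        actions = ["review whether the role's privileges are still needed"]
    else:
        severity = "info"
        actions = []
    return {"severity": severity, "reachable": reachable,
            "risky_policies": risky, "actions": actions}

if __name__ == "__main__":
    print(evaluate(INSTANCE))
```

The same public instance drops to medium when it carries a read-only role and to low when it has no public address, which is exactly the noise reduction the text is after.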
3. “Fix it” button you’re not afraid to use
As your company’s cloud assets continue to grow, so does the risk of security breaches. To minimize risk, you need your teams to fix critical misconfiguration vulnerabilities before attackers can find them. With attackers leaning heavily on automation to scan vulnerabilities, security teams must also use automated remediation methods to manage and scale security.
However, finding the right auto-remediation technique is a significant challenge for security teams. Many have tried to build homegrown solutions based on serverless functions, but as the number of services secured and issues you want to fix increase, maintaining and scaling these solutions can be expensive.
At the same time, security teams are reluctant to try third-party solutions. Most of these solutions require that you grant them write access to make changes in the cloud, a risk that isn’t acceptable to security teams. The inability to scale without automation can result in inaction and increase security risk.
Figure 3: CloudHealth Secure State’s secure remediation approach
This is where CloudHealth Secure State allows you to separate its SaaS monitoring framework from the remediation worker. By isolating the two, you can remediate issues automatically and scale security without granting write privileges to the CloudHealth Secure State SaaS service. In the unfortunate event that the monitoring service is breached, your accounts remain secure.
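One way to build that separation is for the monitoring side to emit only signed remediation requests, while a worker that runs inside your own account holds the write credentials and executes nothing outside a fixed allow-list. The following is an added example written for this article, not CloudHealth Secure State's remediation protocol; the message format, the shared secret and the in-memory dictionary standing in for IAM role attachments are all constructed.

```python
"""Remediation worker isolated from the monitoring service (added example; constructed protocol)."""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

SHARED_SECRET = b"example-secret-rotate-me"   # constructed; in practice comes from a secret store

ALLOWED_ACTIONS = {"detach_role_policy"}        # the worker executes nothing else
ALLOWED_POLICIES = {"AmazonS3FullAccess"}        # and only for policies on this list

# Constructed stand-in for IAM: role name -> attached managed policies.
IAM_ROLES: Dict[str, List[str]] = {"app-role": ["AmazonS3FullAccess", "CloudWatchAgentServerPolicy"]}

def _canonical(body) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_request(action, params, secret=SHARED_SECRET, issued: Optional[int] = None):
    """Monitoring side: describe the fix and sign it; no cloud credentials involved."""
    body = {"action": action, "params": params,
            "issued": int(time.time()) if issued is None else issued}
    mac = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def verify(request, secret=SHARED_SECRET, now: Optional[int] = None, max_age=300) -> Optional[str]:
    """Return None if the request is authentic and fresh, else the reason to reject it."""
    expected = hmac.new(secret, _canonical(request["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request["mac"]):
        return "bad signature"
    now = int(time.time()) if now is None else now
    if now - request["body"]["issued"] > max_age:
        return "stale request"
    return None

def worker_handle(request, roles=IAM_ROLES, secret=SHARED_SECRET, now: Optional[int] = None):
    """Worker side: verify, allow-list, then apply the change with its own write access."""
    err = verify(request, secret, now)
    if err:
        return {"ok": False, "reason": err}
    body = request["body"]
    if body["action"] not in ALLOWED_ACTIONS:
        return {"ok": False, "reason": "action not allowed"}
    role, policy = body["params"].get("role"), body["params"].get("policy")
    if policy not in ALLOWED_POLICIES:
        return {"ok": False, "reason": "policy not in allow-list"}
    if role not in roles or policy not in roles[role]:
        return {"ok": False, "reason": "nothing to do"}
    roles[role].remove(policy)          # the only mutation the worker can perform
    return {"ok": True, "role": role, "remaining": list(roles[role])}

if __name__ == "__main__":
    req = sign_request("detach_role_policy", {"role": "app-role", "policy": "AmazonS3FullAccess"})
    print(worker_handle(req))
```

Even with the signing key compromised, the worker's allow-list bounds what a hostile monitoring service could make it do to detaching one named policy; a request to delete a bucket or attach a broader policy is rejected before any API call.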
4. A method to continuously verify and provide proactive feedback
Usually, by the time developers get feedback about security vulnerabilities, it’s already too late. They’ve moved on to build something new, and going back to review earlier work can be frustrating.
Figure 4: Shift left cloud security
DevSecOps approaches recommend that you should proactively verify security in the CI/CD processes. It’s easier to fix a vulnerability when a developer is just building the stack, while the context is still fresh in their mind, and the changes are less disruptive.
CloudHealth Secure State’s real-time detection system APIs can be integrated with the CI/CD pipelines to verify configurations and compliance policies, while the team is still staging the deployment. Resolving misconfigurations based on proactive feedback can help your developers reduce the number of security risks introduced into production and make your life easier.
5. Search assistant that works for security teams
In May 2020, Salt, a popular framework for configuration management and remote orchestration, identified a critical security vulnerability in servers managed by their solutions. The vulnerability they reported was easily exploitable and could allow full remote code execution as root on servers if exposed. This notification led to a flurry of investigations across security teams as they wanted to find out which cloud environments in their companies were potentially at risk. Besides patching, they wanted to block access to Salt master ports and ensure that those hosts weren’t accessible on the internet.
Running security investigations is a critical part of what vulnerability management, security operations, and other teams do in information security. However, with workloads moving to the cloud and with developers and IT teams controlling access to cloud accounts, it isn’t easy for security to find out which assets exist, what their dependencies are, and how secure the setup is.
As a cloud security architect, CloudHealth Secure State helps you ensure that teams in the security department have deep visibility into cloud accounts and are fully equipped to run investigations. This means giving you a solution to visually search information, build custom rules that notify your teams every time something happens, and finally, take action based on the situation. This is akin to having a personal search assistant that acts on your behalf in an emergency.
Figure 5: Visual search results for SALT ports within CloudHealth Secure State
So, in the Salt vulnerability scenario above, with CloudHealth Secure State’s easy search access, vulnerability management teams were able to quickly find which environments had Salt masters and if any of those servers had Salt ports open to the internet. This ensured that security teams were able to minimize risk in case of an emergency without having to contact individual account owner teams.
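The search that the vulnerability management teams ran can be expressed as a query over the asset inventory: find the Salt masters, then check whether their security groups let the internet reach the master's ports. The following is an added example written for this article, not CloudHealth Secure State's search engine. The default Salt master ports, TCP 4505 and 4506, are Salt's documented defaults; the inventory, with its account ids, tags and security-group rules, is a constructed sample, and identifying masters by a tag is an assumption made for the example.

```python
"""Find Salt masters whose ports are exposed to the internet (added example; constructed inventory)."""
import ipaddress
from typing import Dict, List, Tuple

SALT_PORTS = {4505, 4506}   # Salt master publish/request ports (Salt defaults)

# Constructed inventory: instances across two accounts with their inbound rules.
INVENTORY = [
    {"account": "111111111111", "id": "i-aaaa", "tags": {"role": "salt-master"},
     "ingress": [{"protocol": "tcp", "from_port": 4505, "to_port": 4506, "cidr": "0.0.0.0/0"}]},
    {"account": "222222222222", "id": "i-bbbb", "tags": {"role": "salt-master"},
     "ingress": [{"protocol": "tcp", "from_port": 4505, "to_port": 4506, "cidr": "10.0.0.0/8"}]},
    {"account": "222222222222", "id": "i-cccc", "tags": {"role": "web"},
     "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
    {"account": "333333333333", "id": "i-dddd", "tags": {"role": "salt-master"},
     "ingress": [{"protocol": "-1", "from_port": -1, "to_port": -1, "cidr": "::/0"}]},
]

def rule_is_public(rule) -> bool:
    """True for 0.0.0.0/0 or ::/0 (a zero-length prefix covers every address)."""
    return ipaddress.ip_network(rule["cidr"], strict=False).prefixlen == 0

def rule_covers(rule, port: int) -> bool:
    """Protocol -1 means all traffic; otherwise require TCP and a matching port range."""
    if rule["protocol"] == "-1":
        return True
    return rule["protocol"] == "tcp" and rule["from_port"] <= port <= rule["to_port"]

def find_salt_masters(inventory) -> List[str]:
    return [i["id"] for i in inventory if i["tags"].get("role") == "salt-master"]

def find_exposed_salt_masters(inventory, ports=SALT_PORTS) -> List[Tuple[str, str, List[int]]]:
    """(account, instance, exposed ports) for each master reachable from the internet."""
    hits = []
    for inst in inventory:
        if inst["tags"].get("role") != "salt-master":
            continue
        exposed = sorted(p for p in ports
                         if any(rule_is_public(r) and rule_covers(r, p) for r in inst["ingress"]))
        if exposed:
            hits.append((inst["account"], inst["id"], exposed))
    return hits

def accounts_to_notify(inventory) -> Dict[str, List[str]]:
    """Group exposed masters by account so each owner team gets one message."""
    by_account: Dict[str, List[str]] = {}
    for account, inst_id, _ in find_exposed_salt_masters(inventory):
        by_account.setdefault(account, []).append(inst_id)
    return by_account

if __name__ == "__main__":
    print(find_exposed_salt_masters(INVENTORY))
```

Note that the master in the second account is not reported even though it listens on the same ports, because its rule only admits a private range; the one in the third account is caught by the all-traffic IPv6 rule, which a search keyed on port numbers alone would miss.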
Step up your cloud security game
Whether you’re a new cloud security architect, or trying to step into the shoes of one, I hope these examples and techniques give you the inspiration to try new creative solutions to help your developers and information security teams.
If you would like to connect to a fellow cloud security architect or learn how CloudHealth Secure State can help you achieve these security outcomes, request a free demo of our platform.