For enterprise businesses, one of the major pitfalls of of deploying their operating systems or containers to the cloud has been simplified so much that software developers are the ones frequently put in charge of migration projects rather than using system architects and administrators.
Often, many of these software developers just don’t have enough experience with security principles such as least privilege, file system rights, process separation, high availability, or network access controls. As a result of this, they often tend to produce brilliant functionality that helps solve their company’s problems, however all are just too easy for a malicious actor to penetrate their systems.
In most cases, the first step for enterprises to secure their cloud infrastructure is to define a cohesive strategy. This is a thorough process of identifying the unique risks and threats your business faces while planning a set of controls that will be used to defend it. To many, this process can seem a bit daunting at first, however, every company tends to have a few unique elements to consider, yet most companies are quite similar at their core.
Many companies will often opt for a more formalized framework such as NIST CSF, ISO 27001, COBIT, CIS 20, or several others. These popular frameworks define a minimum set of controls and act as a sort of pre-written strategy. Some like NIST CSF are more tailored to the cloud, yet all of these have the goal of being a comprehensive approach. However, you choose to define your cloud security strategy and the main point of this is to know what the end result should look like before you begin building. This cloud strategy will give you more confidence with your goals and help avoid distractions from the latest buzzwords floating in the news everyday or offered by vendors trying to sell into your company.
Your cloud security strategy is almost certain to include controls such as:
- Monitoring your users and their permissions.
- Monitoring anomalous behavior network traffic.
- Monitoring system (or container) processes, files, and user access.
- Checking configuration hardening and standardization from the container to the IaaS level.
AWS Security Best Practices Enterprise DevOps Teams Need to Implement
Since the cloud facilitates an ever-changing landscape and operates with great agility, organizations of all types and sizes must consider constructing their approach in a way that is comprehensive across all of their cloud operations. But, will also support flexibility to in order to support changing technology demands and their unique business needs.
First, this means knowing what is going on within their AWS environment, but then also having an accurate way to measure the importance or severity of those activities. The approach mandates an understanding of the continuous state of three critical aspects of AWS security management:
1. AWS Cloud Compliance: Being Compliant & Managing Compliance
Your organization must ensure that you are aware of all the many changes and updates to your cloud configuration that could adversely affect your company’s adherence to regulations and established best practices such as the CIS benchmark for AWS.
A typical approach to managing AWS cloud compliance is to apply a checklist formula. Standards and governance frameworks state controls that the IT infrastructure must adhere to, and AWS security and compliance teams implement corresponding controls and settings for this.
This process works in a static environment but it is just not that effective when it comes to the cloud. As a highly dynamic system, the configurations and settings of AWS accounts and resources will often change constantly, and workloads are regularly spun up and brought down. Having this type of agility is what sets the cloud apart and provides its major advantages for enterprises of all types and sizes. However, this also means that the AWS cloud compliance process demands automation and continuous monitoring for insights into controls, settings, and configurations in your AWS environments.
Having real-time awareness of many cloud events and changing behaviors is the key factor in maintaining compliance in AWS. Since configurations will often change dynamically in order to allow for user groups or connections to new data sources, there’s just really no constant state of the AWS environment.
To maintain compliance in AWS, an organization has to ensure that continuous awareness of every action that might affect your cloud configurations. There are one-size-fits-all types of occurrences, either; they happen at the application, ID, workload, and host layers of the cloud. This is where organizational and user data is being transacted, and because of the AWS Shared Responsibility Model, these are the domain of the customer.
A logical starting point is meeting the demands of the CIS Foundations Benchmark best practices. These are the guidelines from the Center for Internet Security (CIS) that outline the application of configurations to the layers within the AWS infrastructure. When these are used in conjunction with an AWS continuous monitoring tool that delivers insights into cloud configuration changes and anomalous activity, an enterprise security team can quickly identify where issues exist that would prevent them from being AWS compliant.
One must keep in mind that audits don’t investigate for present-state only; auditors are looking back at the historical impact of an organization’s security posture and the measures that have been used to ensure ongoing adherence to policies. Once out of compliance, the issue can be remediated, but if that particular setting is unknown, then you’re out of compliance until the audit reveals it.
If any auditors were to go on and determine that your AWS cloud environment isn’t compliant with popular standards such as PCI, SOC-2, or other cloud compliance frameworks that are related to your business, you could end up quickly losing your ability to operate as a business. Even though most organizations understand this, they most often still don’t have an organized approach for awareness. Automating the continuous activity in your AWS cloud will help to provide a framework that can enable your business to securely operate in compliance with AWS.
2. AWS Account Security & CloudTrail Analysis
Monitoring the activities of your AWS Accounts is critical to understanding who is using what, and the API calls that made to various AWS resources and helps detect any anomalous activity.
AWS is very specific to how security responsibility is distributed and should help to make the job of AWS customers easier since it’s more defined for them. However, maintaining awareness with an actionable security posture over their organization’s data, users, and resources will warrant a demand an effort that goes beyond just oversight of activities.
AWS provides a variety of cloud security-related tools that collect data about events and activities. These security tools will capture data but do not provide thorough analysis, nor do they compare actions to normalized behaviors in order to assess the severity of issues that can adversely affect an organization.
For a business to use CloudTrail effectively, you will need to first frame the data that’s most relevant to you. Many businesses often use CloudTrail logs as a storehouse to reference when something goes wrong. This then requires a deep forensic analysis of where and how issues happened in your environment. There’s nothing wrong with that, however this data is mostly after-the-fact and won’t necessarily help you get more intelligent about the AWS security and compliance for your organization. Threats cannot be averted unless you identify issues before they happen, and CloudTrail isn’t prepared to deliver that.
What organizations really need is deeper analysis of their CloudTrail logs. One of these tools is AWS CloudTrail, which is a service that collects important data about the activities of your AWS Accounts. CloudTrail logs provide your business with an overview of changes and updates in your environment, but not necessarily relevant to your actual environment until you are able to view them through deeper context of how these events have impacted your cloud configurations and user settings.
By integrating an AWS security solution with AWS CloudTrail and analyzing CloudTrail data, your business can then detect issues within AWS accounts, including:
- Irregular activity across AWS resources. This can be done in regions and/or accounts and can identify when new AWS S3 buckets are launched and when changes within those resources occur.
- Unusual changes to users, roles, and any other type of access to apps and resources. This includes changes to AWS security groups and when a multi-factor authentication (MFA) has been bypassed.
- All changes to AWS infrastructure services, which includes changes to access master keys, route table modifications, and anything related to network interfaces and AWS services. Any high-risk anomalies are presented to you with insights so that your DevOps and security teams can quickly investigate and fix any and all potential incidents.
3. AWS Monitoring & Host Intrusion Detection Needed to Discover Anomalies
Even after applying best practices for AWS cloud security and creating an organizational mindset around securing your Amazon Web Services, your business can only really know what’s happening inside of your environment if issues are identified at the point at which data is collected. This requires an agent operating in your workloads or containers, in order for insights to be discovered at the host-based level for your organization rather than at the network level.
Whether changes were intentionally made or were the result of a cyberattack, any configuration changes will open up your AWS cloud environment to potential bad actors and unforeseen threats. An anomaly-based host intrusion detection system will help you detect anomalies across all layers, which leaves no hidden space at the application and data layer for any and all bad actors to hide out in.
Organizations that apply effective AWS cloud security measures have continuous awareness of a number of cloud events and understand who has access (and what they have access to), the configurations and settings of cloud resources, and the connections among and between applications and data conductors like APIs.
When applying all the right security tools and skillset within their DevOps and AWS security teams, organizations of any type or size can gain immediate control over their AWS cloud environment through the lens of the security elements that have been outlined above.
Next Steps: Securing Your AWS Environment for 2020
Security controls will tend to move to a more granular approach at the server or container level rather than more traditional network aggregation points because of the shared responsibility model of the cloud. It is imperative that authentication is stronger, and systems hardened, opposed to relying on various edge controls that are used to protect a classic DMZ.
Lacework, a leading cloud security platform that provides a complete security solution for containers, workloads, and multi-cloud environments offers enterprise DevOps teams with a great way to fill this gap with their powerful Host Intrusion Detection System (HIDS). Lacework can operate at the system or container level to monitor access as well as looking for concerns in files, running processes, or network traffic. Since modern cloud environments are in a constant flux. Being able to deploy your cloud security platform automatically for full coverage and continuous AWS security monitoring is a critical feature.
Lacework has designed one of the industry’s easiest deployment models and has a very tight integration with major cloud providers including Amazon Web Services. Their AWS security solution leverages this integration to look for common errors in configuration and other security events that reveal problems aligning with many of the most popular CIS frameworks. Their security solution presents administrators with an accurate checklist of their cloud configuration settings that need to be reviewed.
For 2020 and beyond, any modern security strategy will need an advanced AWS security tool that focuses on the data from all of the controls into a single view. Undoubtedly, there will be much more data than any human can sort through. So, organizing and searching through this data must be highly sophisticated and automatic for DevSecOps teams to process and analyze. These features of sorting relevant data and surfacing important events is how the best AWS security solutions, like Lacework differentiate themselves from other tier-2 and tier-3 competitors in the market.
Even if your security system’s logs record every administrative action in AWS, it doesn’t do any good until these logs are collected and suspicious activity has been identified for your DevOps and security teams. Likewise, having a robust Host-based Intrusion Detection System (HIDS) using anomaly detection is much more powerful when its alerts are viewed as trends over time and correlated with system and CloudTrail logs so enterprise DevSecOps teams can see the entire story.
This process can also be aided by data enrichment, such as threat intelligence, which can quickly identify security events that match known bad actors and current events. Utilizing powerful machine learning can then crunch through gigabytes of data within minutes in order to detect patterns and relationships that very, very few humans would be able to find on their own.
With the use of advanced machine learning, organizations can profile the unique processes of your application to understand what normal behavior looks like for your AWS cloud environment and then go on to use this information to target suspicious events that ordinary signature-based rules would not be able to detect. All of this power then rolled up into an intuitive interface for security teams with one-click investigations.
For progressive, security-focused organizations, having a robust threat intelligence research team, well written alerting rules, an accurate and thorough machine learning system are the key things to look for when considering comprehensive AWS cloud security solution. These, amongst many other features are what Lacework’s complete security solution brings to the table, and they have many big name customers on their roster who would agree with immense value they bring to securing their AWS cloud environments too.