By Tim Woods, vice president of technology alliances at FireMon
Dow Jones recently made news by releasing an open source vulnerability scanner (called “Hammer”) that, according to the company, can find and, in some cases, automatically fix security vulnerabilities in IT assets deployed on Amazon Web Services (AWS). This announcement was positioned as a way to improve enterprises’ ability to securely deploy applications and other IT assets on AWS.
While any effort to improve security in any environment is laudable, vulnerability scanning and management is only one part of the AWS security puzzle. The large majority of publicized breaches on AWS and other cloud platforms have traced back not to unpatched software but to configuration errors, such as world-readable storage or overly permissive network rules, that exposed data or let unauthorized people in. A vulnerability scanner alone will not solve that problem, and scanners have blind spots of their own: they find only what their signatures and credentials let them see. To improve cloud security, scanning must be combined with fully orchestrated and automated vulnerability management, continuous compliance testing and change management, so that company security policy is constantly and accurately enforced in the cloud through continuously validated configurations. In other words, enterprises need cloud security orchestration and automation.
There’s More to Orchestration and Automation Than IR
Say the words “orchestration and automation” to most people in the cybersecurity field, and they will immediately jump to incident response (IR). Indeed, orchestration and automation’s initial sweet spot has been in IR, but the concept can be applied to myriad security functions, which is good news in light of today’s cybersecurity skills shortage. Our discussion in this article is focused on how to orchestrate and automate cloud security.
The first step to ensuring cloud security is to understand the goals: identify weak spots, simulate attacks, simulate patches, perform compliance checks and make changes to the cloud environment, all with zero human touch (there is, after all, a skills shortage). As we see from this laundry list, the aforementioned vulnerability scanning tool only performs a small subset of the overall goals. To achieve all of them requires a trifecta of competencies: vulnerability management, continuous compliance and control change management. Let’s take a look at each of these:
Vulnerability Management
Vulnerability management can be condensed to two core activities: attack simulation and patch simulation. Attack simulation combines the vulnerability data with the controls and policies that actually govern access to each asset, such as the security group rules in front of an instance. A vulnerability that no allowed path reaches is a far lower priority than one sitting behind a rule that admits the whole internet; by understanding what your policies allow and which paths lead to the vulnerable service, you know which vulnerabilities can actually be turned into exploits.
Patch simulation is the photographic negative of attack simulation (oops — I just dated myself). You don’t want to patch every vulnerability you find in whatever order the scanner lists them. Instead, you want to take a strategic approach and examine different options, so you can understand which patch removes the most exploitable risk: one fix on a widely deployed component may close many attack paths at once, while another closes none that were reachable in the first place. Patch simulation done effectively makes patching focused, targeted and strategic.
Attack simulation and patch simulation will provide the data you need to make informed decisions, which is the foundation of cloud security orchestration and automation.
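To make attack simulation and patch simulation concrete, here is an added example in Python; it is not code from the article or from FireMon’s product. It assumes a constructed inventory of three instances, three security groups and five vulnerability records with CVSS-style scores, and a simplified reachability model in which an attacker at a given source address reaches a port if any ingress rule on any security group attached to the instance allows it. It goes slightly beyond the text by scoring control changes (removing a single rule) with the same method, so a patch and a rule change can be compared on one scale.

```python
"""Attack simulation and patch simulation over a small EC2-style inventory.

Added example, not code from the article or from FireMon. Instances, security
groups, vulnerability ids and scores below are constructed for illustration.
Reachability model (a simplification of how EC2 security groups evaluate
traffic): an attacker at `src` reaches a port if any ingress rule in any group
attached to the instance covers that protocol, port and source. Security
groups are allow-lists, so one matching rule is enough.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "proto from_port to_port cidr")
Instance = namedtuple("Instance", "name ip groups")
Vuln = namedtuple("Vuln", "vid instance proto port score")   # score: CVSS-style 0..10

SECURITY_GROUPS = {
    "sg-web": [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0"),
               Rule("tcp", 22, 22, "0.0.0.0/0")],             # SSH open to the world
    "sg-app": [Rule("tcp", 8080, 8080, "10.0.0.0/16")],       # internal only
    "sg-db":  [Rule("tcp", 5432, 5432, "10.0.1.0/24")],       # only the web subnet
}
INSTANCES = [
    Instance("web-1", "10.0.1.10", ["sg-web"]),
    Instance("app-1", "10.0.2.10", ["sg-app"]),
    Instance("db-1",  "10.0.3.10", ["sg-db"]),
]
VULNS = [   # constructed placeholder ids, not real CVEs
    Vuln("ssh-rce",   "web-1", "tcp", 22,   9.8),
    Vuln("ssh-rce",   "app-1", "tcp", 22,   9.8),   # same bug, but no rule exposes port 22 here
    Vuln("tls-heap",  "web-1", "tcp", 443,  7.5),
    Vuln("app-deser", "app-1", "tcp", 8080, 9.0),
    Vuln("db-auth",   "db-1",  "tcp", 5432, 8.0),
]
INTERNET = "203.0.113.5"   # documentation address standing in for "anyone on the internet"


def rule_allows(rule, proto, port, src):
    return (rule.proto == proto and rule.from_port <= port <= rule.to_port
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.cidr))


def reachable(instance, proto, port, src, groups):
    return any(rule_allows(r, proto, port, src)
               for g in instance.groups for r in groups.get(g, []))


def attack_simulation(vulns, src, groups=SECURITY_GROUPS, instances=INSTANCES):
    """Vulnerabilities an attacker at `src` can actually reach, given the controls in place."""
    by_name = {i.name: i for i in instances}
    return [v for v in vulns if reachable(by_name[v.instance], v.proto, v.port, src, groups)]


def exposed_risk(vulns, src, groups=SECURITY_GROUPS):
    """Sum of scores of the reachable vulnerabilities (rounded to keep the figures readable)."""
    return round(sum(v.score for v in attack_simulation(vulns, src, groups)), 1)


def patch_simulation(vulns, src, groups=SECURITY_GROUPS):
    """Rank patches (all hosts carrying one vulnerability id) by the exposed risk each removes."""
    base = exposed_risk(vulns, src, groups)
    gain = {}
    for vid in sorted({v.vid for v in vulns}):
        remaining = [v for v in vulns if v.vid != vid]
        gain[vid] = round(base - exposed_risk(remaining, src, groups), 1)
    return sorted(gain.items(), key=lambda kv: (-kv[1], kv[0]))


def control_change_simulation(vulns, src, groups=SECURITY_GROUPS):
    """Same question for the controls: which single rule removal reduces exposed risk most?"""
    base = exposed_risk(vulns, src, groups)
    gain = {}
    for name, rules in groups.items():
        for rule in rules:
            trial = dict(groups)
            trial[name] = [r for r in rules if r != rule]
            gain[(name, rule)] = round(base - exposed_risk(vulns, src, trial), 1)
    return sorted(gain.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    print("exposed from the internet:", [(v.vid, v.instance) for v in attack_simulation(VULNS, INTERNET)])
    print("patch options:", patch_simulation(VULNS, INTERNET))
    print("control options:", control_change_simulation(VULNS, INTERNET)[:2])
    # A compromised web-1 is a different vantage point: what does it reach from inside?
    print("exposed from web-1:", [(v.vid, v.instance) for v in attack_simulation(VULNS, "10.0.1.10")])
```

Run from the internet vantage point, only the two web-1 vulnerabilities are exploitable, so patching ssh-rce everywhere and simply removing the port 22 rule from sg-web score the same 9.8 risk reduction; patching app-deser or db-auth scores zero until an attacker has an internal foothold, which the second vantage point (web-1’s own address) shows.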
Continuous Compliance
The first thing to know about compliance is that it does not pertain only to regulatory compliance. It also covers the enterprise’s own security intentions and goals, which are often more important than passing the dreaded point-in-time audit.
A critical feature of any continuous security program is continuous compliance, which can only be realized through orchestration and automation. Compliance controls cannot be scattered around the organization, and we all know that applications don’t sit still. To achieve continuous compliance, controls need to be centralized so they can be created, changed and applied in a single coherent way, and then monitored against benchmarks in real time. Real time is the key: understanding your state of compliance cannot take hours or days. A permissive rule is exploitable from the moment it is applied, so the check must be immediate or it is ineffective against the current attack surface.
Control Change Management
Now that we’ve simulated attacks, surveyed our patch options and checked compliance, we are ready to make changes to the cloud infrastructure. Again, control changes lend themselves to orchestration and automation.
First, it’s important to examine how controls are deployed, and this is a deceptive area. Many people assume that if you run a virtual edition of your traditional firewall in the cloud, you can manage cloud controls the same way you manage them on-premises, with the firewall protecting the “front door” to your cloud assets. Unfortunately, this ignores the fundamentally different structure of cloud infrastructure.
AWS, for example, enforces network access through security groups. A security group is a stateful virtual firewall attached to each instance’s network interface, so its rules are evaluated for every instance that uses it, not just at the front door of your entire infrastructure. Security groups are allow-lists: there are no deny rules, and a single permissive rule (say, port 22 from 0.0.0.0/0) opens that port on every instance the group is attached to. Holding command over the rules at this granularity provides a far greater degree of control than a perimeter firewall alone, where one unused or overly permissive rule can expose all of your assets; it also means one sloppy group rule is replicated to every instance carrying that group. Being able to orchestrate and automate the management of rules across security groups (and their analogues on competing cloud platforms) completes the trifecta of cloud security competencies.
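Here is an added example in Python that covers both the continuous-compliance check and the control change step; it is not code from the article or from FireMon’s product. It evaluates a security group, in the dictionary shape that boto3’s describe_security_groups returns, against a small benchmark, then computes the revoke and authorize calls needed to converge the group on a desired rule set and re-reads the group to confirm no drift remains. The benchmark ADMIN_PORTS, the sample group sg-0123456789abcdef0, the desired rule set and the in-memory FakeEC2 stand-in (which mimics the method names and keyword arguments of the real boto3 EC2 client) are all assumptions for this example; group-to-group rule sources (UserIdGroupPairs) are not modelled.

```python
"""Compliance check plus rule reconciliation for EC2 security groups (added example).

Works on the dict shape returned by boto3 describe_security_groups and emits the
IpPermissions that revoke_/authorize_security_group_ingress accept. The benchmark,
the sample group and the FakeEC2 stand-in are constructed for this example;
group-to-group sources (UserIdGroupPairs) are not modelled.
"""
# Benchmark: ports that must never be reachable from the whole internet.
ADMIN_PORTS = {("tcp", 22), ("tcp", 3389), ("tcp", 3306), ("tcp", 5432)}
WORLD = {"0.0.0.0/0", "::/0"}


def flatten(group):
    """One describe_security_groups entry -> set of (proto, from_port, to_port, cidr).
    IpProtocol "-1" means every protocol and carries no port range."""
    rules = set()
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        rules.update((proto, lo, hi, c) for c in cidrs)
    return rules


def findings(group):
    """Rules that break the benchmark: a listed port (or all traffic) open to WORLD."""
    out = []
    for proto, lo, hi, cidr in sorted(flatten(group)):
        if cidr not in WORLD:
            continue
        hit = [p for pp, p in ADMIN_PORTS if proto in (pp, "-1") and lo <= p <= hi]
        if hit:
            out.append((proto, lo, hi, cidr, f"ports {sorted(hit)} open to the internet"))
    return out


def to_permissions(rules):
    """Rule tuples -> boto3 IpPermissions entries (one entry per rule keeps diffs readable)."""
    perms = []
    for proto, lo, hi, cidr in sorted(rules):
        perm = {"IpProtocol": proto}
        if proto != "-1":
            perm["FromPort"], perm["ToPort"] = lo, hi
        if ":" in cidr:
            perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
        else:
            perm["IpRanges"] = [{"CidrIp": cidr}]
        perms.append(perm)
    return perms


def plan(group, desired):
    """Diff live vs desired: (IpPermissions to revoke, IpPermissions to authorize)."""
    actual = flatten(group)
    return to_permissions(actual - desired), to_permissions(desired - actual)


class FakeEC2:
    """In-memory stand-in mimicking the boto3 EC2 client's method names and arguments."""
    def __init__(self, groups):
        self.groups = {g["GroupId"]: dict(g) for g in groups}   # copies, so callers' dicts stay intact

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.groups[g] for g in GroupIds]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        keep = flatten(self.groups[GroupId]) - flatten({"IpPermissions": IpPermissions})
        self.groups[GroupId]["IpPermissions"] = to_permissions(keep)

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        have = flatten(self.groups[GroupId]) | flatten({"IpPermissions": IpPermissions})
        self.groups[GroupId]["IpPermissions"] = to_permissions(have)


def reconcile(ec2, group_id, desired):
    """Converge one group on `desired`, re-read it, and report (converged?, remaining findings)."""
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    revoke, authorize = plan(group, desired)
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=revoke)
    if authorize:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=authorize)
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    return plan(group, desired) == ([], []), findings(group)


# Constructed sample: a web tier where a change left SSH open to the world.
WEB_SG = {
    "GroupId": "sg-0123456789abcdef0", "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
DESIRED_WEB = {("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 443, 443, "::/0"),
               ("tcp", 22, 22, "10.0.0.0/16")}   # SSH only from the internal bastion range

if __name__ == "__main__":
    print("findings:", findings(WEB_SG))
    print("plan:", plan(WEB_SG, DESIRED_WEB))
    print("reconciled:", reconcile(FakeEC2([WEB_SG]), WEB_SG["GroupId"], DESIRED_WEB))
```

Against a real account you would pass `boto3.client("ec2")` in place of FakeEC2; the plan only revokes rules that exist and only authorizes rules that are missing, so re-running it is idempotent and the real API will not reject duplicates. The check and the fix deliberately share one rule representation, which is what lets the same benchmark run continuously (on every describe) and drive the change step rather than just report.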
Bringing It All Together
As we can see, there is far more to cloud security than vulnerability scanning and automated patching. To achieve true cloud security, it is critical to have orchestration and automation capabilities in place that can pull together disparate sources, simulate attacks, model patching options, perform sub-second compliance checks and implement changes. These capabilities will not only reduce the risk of existing cloud assets; they will also open a world of possibilities for expanding the use of cloud infrastructure as part of enterprise computing strategy.
Tim Woods brings more than 20 years of systems engineering leadership experience to his role as VP of technology alliances at FireMon, where he has global responsibility for developing and growing the relationships with FireMon’s technology partners. Tim’s personal passion is educating others on new and emerging technologies with a desire to build strong organizational security postures.