January 24, 2018 | Shekhar Londhe
The dynamic and agile nature of the cloud allows resources to proliferate across multiple layers of security. If not checked and fixed on a regular basis, this can lead to escalated infrastructure costs, as well as expose the deployment to vulnerabilities that can culminate in a major incident at any time.
For example, it’s not uncommon for a development environment created in the cloud to experience a massive amount of product deployments within just a few days. Depending on the complexity, these individual deployments can end up creating multiple resources.
Therefore, we must take into account the following considerations:
- Even if there are mechanisms to clean up such environments, by the time the developer is done implementing and testing their fix, the resources have already existed in the cloud for several consecutive days. Creating such environments undoubtedly saves on costs and time compared to creating them on-premises, but it also means developers now must monitor a huge number of resources, as well as regularly check that they meet compliance requirements.
- With this extensive list of resources, manual audits (i.e. manually executing audit scripts) for security compliance add significantly to the overall deployment time and to the workload of the individual completing the project. At times, the output generated by such audit scripts is unwieldy, which itself can introduce errors.
- Automating audit checks can solve this problem partially. However, once a violation is detected, it must be fixed by manually executing a set of commands or through a script.
- Traditional monitoring tools may or may not work in the cloud.
- While the in-house security team updates security compliance policies on a regular basis and keeps them current, the managed services team is tasked with ensuring they always refer back to the most up-to-date iterations, and that the set of fixes for violations is in line with the updated compliance policies as well.
Each year, we see instances of security attacks in the cloud. These are highlighted in reports such as:
- Gartner Report on ‘How to make cloud IaaS workloads more secure’
- Symantec Internet Security Threat Report 2017
- Microsoft Security Intelligence Report 2017
- Alert Logic’s Cloud Security Report 2017
Most of these reports recommend the following steps to help avoid major security incidents:
- Reduce the attack surface
- Follow industry best practices and standards
- Regularly patch the infrastructure
There are a number of approaches that can be used to make infrastructures more resilient against security audit violations, while trying to achieve zero recovery time objective (RTO) of the services that are deployed on the infrastructure. Here are some examples:
- Monitoring mechanism – Native monitoring mechanisms allow for easy integration, have a smaller “footprint” and can collect larger data sets. This is why they are often preferred over third-party systems.
- Security policies – Having a well-maintained set of security policies that can be applied to different accounts with minimum or zero changes is critical to strengthen infrastructure. Once those policies are in place, the security team can easily push updates across all accounts to ensure compliance.
- Violation flagging – Based on a given security policy, any violation detected must be flagged as soon as it is introduced into the system. However, detection and flagging are only one part of the process. To ensure violations don’t transform into a full-blown security attack, they must also be fixed.
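The monitoring, policy and flagging pieces above form one loop: a shared policy set is run over an inventory snapshot, each violation is flagged, the matching fix is applied, and the check is re-run. This is an added Python example, not REAN Cloud's code; the policy names, the resource record fields and the in-place remediations are assumptions standing in for real cloud API calls.

```python
from collections import namedtuple

# One entry of the single policy repository: a check plus its matching fix.
Policy = namedtuple("Policy", "name applies_to violates remediate")

def _open_admin_port(rule):
    return rule["port"] in (22, 3389) and rule["cidr"] == "0.0.0.0/0"

def _close_admin_ports(sg):
    sg["ingress"] = [r for r in sg["ingress"] if not _open_admin_port(r)]

# Centrally maintained policy set applied unchanged to every account (hypothetical names).
# The remediations mutate the constructed records in place; a real one calls the cloud API.
POLICIES = [
    Policy("no-public-admin-ports", "security_group",
           lambda sg: any(_open_admin_port(r) for r in sg["ingress"]), _close_admin_ports),
    Policy("volumes-encrypted", "volume",
           lambda v: not v["encrypted"], lambda v: v.update(encrypted=True)),
    Policy("no-public-buckets", "bucket",
           lambda b: b["public"], lambda b: b.update(public=False)),
]

def sample_inventory():
    """Constructed resource snapshot of the kind a native monitoring feed would deliver."""
    return [
        {"id": "sg-web", "type": "security_group",
         "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "vol-data", "type": "volume", "encrypted": False},
        {"id": "bucket-logs", "type": "bucket", "public": True},
        {"id": "bucket-app", "type": "bucket", "public": False},
    ]

def audit(inventory, policies=POLICIES):
    """Flag only: (resource id, policy name) for each violation; nothing is changed."""
    return [(r["id"], p.name) for r in inventory for p in policies
            if p.applies_to == r["type"] and p.violates(r)]

def audit_and_fix(inventory, policies=POLICIES):
    """Flag, remediate, then re-check, so a fix that did not take is reported
    as still open instead of being silently marked resolved."""
    report = []
    for r in inventory:
        for p in policies:
            if p.applies_to == r["type"] and p.violates(r):
                p.remediate(r)
                report.append((r["id"], p.name, not p.violates(r)))  # third field: fixed?
    return report
```

Because the policy list is the only thing that differs between accounts, pushing a policy update means changing `POLICIES` once rather than editing audit scripts per account.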
The diagram Hybrid Security Audit Implementation shows the basic requirements of a hybrid cloud security audit implementation. However, there are certain limitations. In terms of scaling the implementation, teams need to consider that there may be different accounts operating on the same infrastructure (e.g. development, pre-production, production, etc.). A common issue among these implementations is that the manual update of security policies creates an operational bottleneck.
An improved model of security audit implementation relies on a single, updated repository for security policies, allowing different customers to leverage the set of security updates developed from global best practices and standards. Updated policies are seamlessly added to the single repository and used as needed. The diagram below, Automated Security Audit Implementation, demonstrates this improved model.
Here are some recommended articles on this topic:
- Secure Communication in Hybrid Cloud Deployments
- Automating the Provisioning of Secure Developer Environments on AWS
- Enhanced Security for Public Cloud Infrastructure
- Accelerated Cloud Adoption using DevSecOps
If your organization has faced issues executing infrastructure security audits or working towards compliance goals, it may be time to update the way you manage your infrastructure security. REAN Cloud uses automation-based solutions to detect and fix these issues instantly.
To learn more, reach out to us at firstname.lastname@example.org