AWS Security Management: In Need of Automation

By | December 27, 2015

A verson of this article originally appeared on TechTarget SearchAWS as Rely on cloud security policy — not tools — to protect AWS


Managing security policies and incidents on IaaS can be complex and challenging. Here’s what vendors are doing about it

2015-12-23_14-26-35Once enterprises move workloads to cloud infrastructure, they soon realize that the tools for enforcing security policy and managing incident response are inadequate. Configuration can be very confusing, with important details often spread across different management screens, resulting in complicated, multi-step processes required to build consistent policies across the cloud service stack. Although IaaS and its fully abstracted services bring several security benefits, like the ability to micro-segment networks and services with application-specific firewalls and granular access controls, central visibility and management of all resources and hardened infrastructure designed and operated by experts, using it securely requires ample planning, some new management processes and learning new tools.

The granularity of cloud resources, in which user privileges and resource access controls can be specified with incredible precision, is a mixed blessing. Although it allows much greater precision in defining and auditing security policies, the resulting complexity means cloud security is often poorly implemented, leaving unintended gaps and backdoors. Although not necessarily thinking about the operational details, cloud users remain concerned about security in general. For example, a survey by the Information Security Community on LinkedIn found the biggest perceived cloud security threats to be unauthorized access, hijacking of accounts or services, malicious insiders and insecure APIs. The same survey finds the most popular suggestion for closing the cloud security gap is for cloud services to provide the ability to set and enforce consistent security policies across clouds. Although, not specified, we presume this applies across both public and private clouds.

All of these needs and deficiencies can be addressed by existing cloud security management tools when properly configured, however it’s too easy to make mistakes. The good news is that cloud vendors see the problems and are addressing them with new services that promise to centralize, automate and simplify cloud security management.

Cloud-security-threats-survey

Survey by the Information Security Community on LinkedIn

Rundown of New Cloud Security Services

The virtual, ephemeral nature of cloud services is both a boon to security and source of management headaches. A benefit since it allows easily inserting security services and control points between every layer of the infrastructure. But the ease with which cloud instances can be deployed, moved and destroyed also makes it exceedingly difficult to keep track of the security policies and configuration applied to each one. This problem of management complexity and security compliance received major attention by the major events AWS and Microsoft held this fall to unveil new features and educate customers.

AWS

At this year’s re:Invent, AWS announced two new security services and enhancements to a third. Although one product was a straightforward Web application firewall (WAF) — useful, but hardly groundbreaking — the other two squarely tackled the problem of overly complex security administration. These compliment the existing AWS Trusted Advisor service that analyzes an environment to identify ways to improve performance, security and reliability and reduce cost.

AWS_Security-Tools

Key AWS Security Tools | Source: AWS

  • Amazon Inspector provides automated security compliance auditing by comparing the configuration of server instances, networks and storage against a knowledge base of hundred of rules, looking for violations of best practices and standards like PCI DSS. These include things like allowing remote root logins, unpatched software with known vulnerabilities or leaving network ports unnecessarily open. Inspector generates a prioritized report of each violation and suggested remediation steps. According to the product announcement, “The initial launch of Inspector will include the following sets of rules: Common Vulnerabilities and Exposures, Network Security Best Practices, Authentication Best Practices, Operating System Security Best Practices, Application Security Best Practices, PCI DSS 3.0 Assessment.”
  • AWS Config Rules is an enhancement to the Config service we mentioned in a previous article on AWS security auditing that adds templates and guidelines, using a mix of pre-built AWS best practices and a user’s custom rules, to flag errors in provisioning and configuring resources. The service continuously monitors the environment to ensure resources remain compliant. Example rules include mandating that volumes be encrypted, proper tagging of all EC2 instances or that CloudTrail (logging of API calls) be enabled on all resources.

Both Inspector and Config Rules are still in preview release, which limits deployment size and regions, with no indication of when they might be generally available.

AWS_Config-Rules_Supported-Resources

AWS Config Rules, Resources Supported | Source: AWS

Azure

One of the major announcements out of Microsoft’s Azurecon event was the Azure Security Center, a service that consolidates security management and monitoring under a single portal. For example, admins can quickly see if VM images and configurations are up to date, configured according to predefined standards or Microsoft guidelines and running necessary security software. From the same portal admins can also check on network and database settings like ensuring that virtual networks are members of the correct security groups and have properly set ACLs, or whether SQL databases are encrypted.

Security Center also draws upon data threat intelligence data Microsoft collects from all Azure deployments and notifies customers of unusual or threatening activity. For example, Microsoft has built a reputation database of known bad sites such as those part of botnet control networks. As an Azure blog post puts it, “The IP address of those bad actors is then used to help detect attacks against other customers. Azure Security Center can also analyze outbound traffic and leverages threat intelligence sourced from the Microsoft Digital Crimes Unit to detect when resources are communicating with malicious IP addresses like command and control centers. It can also alert you to suspicious actions on Virtual Machines that indicate an attack is in progress.”

Security Center is Microsoft’s platform for connecting third-party security products like next-generation firewalls, vulnerability monitors (IDS/IPS) and others from Azure’s ecosystem of service partners. Consolidating built-in and third-party security products under one umbrella simplifies both deployment and ongoing management.

Like the new AWS services, Security Center is currently a preview release and not ready for production workloads.

Google Cloud

Although not as ambitious as its competitor’s new services, Google has recently automated a key security task, vulnerability scanning, at least for its PaaS App Engine customers. According to documentation for the new Security Scanner, “It crawls your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible.” Security Scanner can detect the following vulnerabilities: XSS (cross-site scripting), Flash injection, mixed content (fetching unencrypted HTTP content on an SSL HTTPS page) and usage of insecure JavaScript libraries.

Action Items

Cloud security management remains a challenge given the ability to deploy vast numbers of many different types of virtual resources. Yet recent announcements show that the major cloud services recognize the resulting complexity and are responding with better tools. AWS users should sign up for both the Inspector and Config Rules previews and build test environments up to the limitations of the respective beta programs. Since both AWS services rely on tags, users should be vigilant in categorizing resources with a consistent schema that maps to meaningful categories like business unit, primary owner, application, security level, stack tier, etc.

Likewise, Azure customers should become familiar with Security Center by viewing the online video training and tutorials and setting up some test resources to get hands-on experience with the new features.