AWS, Azure and Google Cloud have disrupted the traditional infrastructure market. After realizing that security is a major roadblock to cloud adoption, they are putting money and effort into built-in security features. But hybrid setups remain a challenge for companies, and there is a learning curve for security teams to become proficient in the cloud. Find out how to choose the best toolset to secure your data in the cloud.
1. Cloud Providers ate hosting companies’ lunch, what’s next? Security!
John Stock and Sergio Loureiro, Product Managers
2. Objective
• Short intro on Cloud (IaaS/PaaS) adoption
• Overview of cloud providers’ security tools
• How to build a SOC with cloud providers’ tools
• Benefits and cost analysis for cloud and hybrid infrastructures
• Action plan
3. Cloud Providers disrupted the hosting market
• These are technology companies
• They have the expertise
• Pay per use business model
• Very fast innovation cycle
• Tailored for DevOps
4. Reasons Security is next
Tackling challenges:
• Security is main obstacle to cloud adoption
• Shared responsibility is great but cloud providers get the headlines
Increasing revenues:
• Security is an upsell opportunity
• Cloud providers already have your data, applications and virtual machines (trust?), so they leverage this
• Don’t leave the console!
7. Market success in spite of security FUD
source: https://www.rightscale.com/lp/state-of-the-cloud
Customer Security Challenges
- Assess a different kind of infrastructure
- Time consuming permission process
- Evaluate configurations for all instances and storage
- Lack of expertise
8. DevOps paradigm shift helped
• Ops were not agile enough for Dev
• Infrastructure as code
• APIs for everything
• Need for automation
• Value does not come from infrastructure
9. Growth of Container Adoption with DevOps Trend
DevOps advantages
- Easy to package
- Small teams
- Scalability
- Agility
AWS and Azure have container services
source: https://www.docker.com/what-container
10. Traditional Security is disrupted by Cloud
• Shared responsibility
• New layer of configuration (and misconfigurations)
• Elasticity and Agile challenges
• Changing IPs for VMs
• License model
• Cloud Shadow IT
• New cloud services every week
• APIs for everything publicly accessible
11. Overview of AWS and Azure security capabilities
AWS
- Security Groups (firewall)
- Trusted Advisor (high level)
- Inspector (assessment)
- Key Management Service
- Identity and Access Management
- Macie (DLP)
- GuardDuty (threat detection)
- Shield (DoS)
- WAF (web application firewall)
Azure
- Azure Security Center
- Security Groups (firewall)
- Key Vault
- Endpoint Protection
- VM agent
- …
12. Challenges with AWS and Azure? 2 different approaches
AWS: you put all security services together
Azure: Security Center wants to be your SOC
Google: Command Center me too (alpha)
13. IaaS Security = CSPM + CWSS + CWPP
• Cloud Security Posture Management
• Cloud Workload Security Service
• Cloud Workload Protection Platform
Some features available on CASB
(Cloud Access Security Brokers)
21. Let’s draw a SOC for a hybrid infrastructure
- 1st option: integrate your cloud SOC with legacy bare metal, virtualized or other cloud?
- 2nd option: integrate your on premise SOC with cloud
- This is a big difference between Azure and AWS: with Azure Security Center you can monitor non-Azure assets (limited OS set)
22. Cost depends on where your data center of gravity is
• Cloud in most use cases boils down to outbound bandwidth consumption
• Storage and compute are cheap
• Cloud security services have a price tag (free tiers are limited, Azure is simple)
• Pricing models, e.g. pay per use vs licenses can play too
• Example of AWS Inspector for vulnerability assessment
• Migration costs
Questions
• Where are your data sources?
• And your security requirements?
23. Simplifying SOC -> SIEM -> Logs -> Bandwidth
AWS: up to 10 TB
Azure: up to 10 TB, $0.087
24. Benefits analysis
Pros cloud tools
• Cloud tools are deeply integrated
• Automation
Cons cloud tools
• Lock in risk (migrating data out of AWS and Azure will cost money)
• Hybrid setups (not supported by AWS, 2 SOCs?)
26. 1. Integration of tools – Get everything together
• Do your cost analysis
• Compare traditional security features for CWPP (competition for lunch)
• Marketplace tools are available
• Deployment model
• For CSPM start by CIS benchmarks: AWS, Azure, Docker and Kubernetes
• Do an assessment now!
27. 2. Continuous Workload Analytics – Shift left
• DevOps is changing when, who and how security management is done
• Using the IaaS Provider or Hypervisors APIs to integrate
• Auto-discovery for elastic scenarios, zero configuration
• Integration on CI/CD setups for DevOps, containers
• Real-time alerts on configuration issues
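To make the CSPM assessment of slide 26 and the API-driven configuration alerting of slide 27 concrete, here is an added example (not code from the deck or from Outpost24) of the kind of check a CIS AWS Foundations 1.2.0 assessment runs: controls 4.1 and 4.2 (no security group open to the world on SSH or RDP) plus the public S3 bucket ACL check mentioned later in the notes. It runs over constructed data in the shape boto3 returns; feeding it the live output of `ec2.describe_security_groups()` and `s3.get_bucket_acl()` on a schedule is what turns it into continuous configuration alerting.

```python
"""CIS-style posture checks over AWS API output (added example, not the deck's code).
Inputs mirror boto3 `ec2.describe_security_groups()["SecurityGroups"]` and
`s3.get_bucket_acl()`; the sample data at the bottom is constructed for offline use."""
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# CIS AWS Foundations 1.2.0 controls 4.1 (SSH) and 4.2 (RDP): not open to the world.
CIS_PORTS = {22: "4.1", 3389: "4.2"}

def _covers(perm, port):
    """True if one IpPermission entry includes TCP `port` ("-1" = all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def _world_open(perm):
    # A rule is world-open if any source range is 0.0.0.0/0 or ::/0.
    return (any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", [])))

def check_security_groups(groups):
    """Return (control, group id, port) for every admin port reachable from anywhere."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if _world_open(perm):
                findings += [(c, sg["GroupId"], p) for p, c in CIS_PORTS.items() if _covers(perm, p)]
    return findings

def check_bucket_acls(acls):
    """Return names of buckets whose ACL grants anything to AllUsers (publicly readable)."""
    return [name for name, acl in acls.items()
            if any(g.get("Grantee", {}).get("URI") == ALL_USERS for g in acl.get("Grants", []))]

# Constructed sample data: one web SG, one bastion SG with an over-broad IPv6 rule, two buckets.
SAMPLE_SGS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_IPV4}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]}]},
]
SAMPLE_ACLS = {
    "private-logs": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
    "public-site": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
}

if __name__ == "__main__":
    print(check_security_groups(SAMPLE_SGS))  # the "all traffic" IPv6 rule trips 4.1 and 4.2
    print(check_bucket_acls(SAMPLE_ACLS))     # ['public-site']
```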
28. 3. Extend to new cloud services PaaS – Off the beaten track
• API discovery and check best practices for every service
• Not always possible to install agents
• Serverless or FaaS
• No best practices available
29. Conclusion
• Great to have more choice, innovation by cloud providers is welcome
• Integrated tools are better, don’t have to manage several point solutions
• Lock-in risk = cost you a lot to move data out
• Data sovereignty risk / compliance
• Hybrid use case is challenging for cloud providers
30. Full Stack Cyber Risk Assessment
Combines all 3 into one solution
Vulnerability Management
identifies vulnerabilities
Application Security
evaluates applications
Cloud & Container Security
assesses configurations and workloads
31. Supporting Material
• EWP web: https://outpost24.com/cloud-security
• EWP white paper - https://marketing.outpost24.com/cloud-security-whitepaper
• AWS best practices white paper - https://marketing.outpost24.com/aws-security-whitepaper
Looking for more?
• CIS benchmarks for Amazon AWS 1.2.0 and Microsoft Azure 1.0.0
• Gartner Cloud Workload Protection Platform (CWPP) research
• Cloud Security Alliance Security Guidance version 4
Bio: PhD, 20 years on security, founder of SecludIt and CSA
Back in 2009 when I started using AWS, a lot of people did not believe that they could create a new market (IaaS) and disrupt the hosting market. Well, now we have the numbers.
The flexibility, agility and cost reduction are advantages that our customers keep telling us.
IaaS has been an enabler for innovation and AWS and Azure have been very successful so far.
Proud to be one of the first to put AWS on the headlines, but a lot of vulnerabilities we’ve found concerned misconfigurations by enterprises using AWS, such as leaving private data in public virtual machines (22%)
We’ve published a paper, the results are a bit old but the recommendations still apply.
Examples of customer misconfigurations putting AWS in the headlines, the low hanging fruit is usually S3 buckets with open permissions
Let’s stay out of the headlines and the FUD.
So, IaaS is a great value proposition. On the other hand, let’s focus on the customer security challenges to be addressed.
In parallel, we have been witnessing another wave of innovation around DevOps.
And cloud has enabled Dev to address Ops in a more agile way.
Cloud providers have been fueling all these new technological trends and transforming infrastructure into a commodity.
And that’s why they are moving from IaaS to PaaS and other opportunities such as security.
We have reviewed some of the trends behind AWS and Azure’s success and why the cloud providers are now starting to provide security tools.
On the other hand, traditional security is disrupted by cloud
Misconfiguration will give access to data, every service can give access to your data
Just a short screenshot of Storage and Database options on AWS. There are many options and each one has a set of security best practices.
New security challenges for traditional solutions to be elastic and agile
And APIs bring added attack surface.
AWS and Azure are entering the security market with a bunch of tools with fancy names.
I do not have time to go into details on each one; I’ll focus more on workload security and configuration assessment (not network security, data security or compliance).
Most of the time these tools have fewer features but are deeply integrated and fully automated.
From a customer perspective what are the challenges?
AWS: more flexible, more mature tools, but you have to construct everything, and there is one price and pricing model per feature. For instance, Inspector is priced per #VMs and #assessments.
Azure: everything is integrated in Azure Security Center, hybrid as well, with one bundled price for everything. Of course you can get your puzzle wrong, but the frame is there with Azure.
Let’s step back and highlight the requirements for our SOC cloud. According to Gartner you need to take care of 3 things for full stack security.
We have been talking a lot about misconfigurations and that’s what the CSPM market is about. Helping customers get their cloud configurations right.
CWSS: you have to check the configurations, for example of your firewalls.
And with the shared responsibility model, you are still responsible for the workloads.
What does that mean? The 3 approaches
Gartner covers the Core workload protection strategies
CIS addresses benchmarks for CSPM
To go deeper there is extensive research about cloud security
CSA covers Essential characteristics, PaaS and IaaS service models, and Public-Private-Hybrid deployment models
Outpost24 acquired SecludIT in January 2018, a cloud security pioneer and founding member of CSA
Zooming into the pyramid CWPP from Gartner
Critical stuff at the bottom of the pyramid
AWS and Azure have some solutions for each of these layers.
Here are some examples of controls of CIS AWS and CIS Azure
AWS and Azure do not implement everything
Getting a more concrete
Following the NIST framework, let’s now focus on how to build a
First procedure one-shot, then automation
So, you have to subscribe to the standard tier that has all this.
Basically you pay 14.6 dollars for each server per month and that’s all, databases and app services have a price too.
Once you’ve done this you have a dashboard with all the categories. Easy and while a lot of features are still in preview this gives us the azure vision.
You have hygiene, which corresponds to CSPM, and then threat protection and cloud defense for your workloads, with alerts and metrics.
Remember the puzzle: with AWS it is up to you to build your SOC among these tools. So more flexible and more generic services (not only security), but customers have to build it.
I tried to give a plan step by step to help.
Trusted Advisor is very simple, covers more than security, limited
Inspector runs on some OSes (https://docs.aws.amazon.com/inspector/latest/userguide/inspector_supported_os_regions.html), for example 4 Windows servers
Different pricing models:
trusted advisor premium on premium support plans,
inspector per agent – assessment, https://aws.amazon.com/inspector/pricing/
CloudWatch depends on #metrics, #alarms, size of logs, API, dashboards, #events
GuardDuty depends on VPC flow log and DNS log analysis and AWS CloudTrail event analysis ?!
If you are interested in a features comparison and maybe considering Google, Gartner has a long study. I’ve been focusing on configuration assessment and workload assessment, so this boils down to the console and instance security
No big differences between Azure and AWS, apart from the antimalware and the non-Azure assets that can be monitored.
Google is lagging but data tools seem very promising
Sometimes enterprises have legacy
I know that not everybody agrees with storage and compute being cheap, but having managed a small datacenter before and taking into account all the costs, and especially if you have elastic consumption
With AWS it is harder to make a cost analysis
Compliance requirements and data sovereignty are important factors that I did not tackle, but with regions and data security tools today it is possible to address these
To give you a starting point on the cost analysis and doing a big simplification
Inside can make a difference
AWS can be hard to estimate outside bandwidth
Security vendors like us will also put the TTP as a con. You’re not buying an anti-virus from Microsoft to protect Microsoft workloads, right?
Cost planning with AWS is hard
Strangely, neither AWS nor Azure offers a straightforward way to assess against CIS AWS or CIS Azure
Agents vs Virtual appliances for Azure and AWS for private workloads (data storage)
Automation SecDevOps
DevOps use case - application security
It is important to choose a security vendor that follows and adapts to new cloud services.
API vs not API checks
Full stack
CSA
Refer to our inclusion on the Gartner report on securing serverless PaaS
AWS Lambda started in 2014
Data sovereignty scenarios, data do not leave customer premises - Regional or country-specific clouds, data never leaves customer cloud account, etc.
New services not always covered, speed of innovation vs speed of security
Focus on identify -> measure / KPIs
Support hybrid infra
Full stack
Orchestration and integration CI/CD possible by API
Virtual appliances available for Azure and AWS for private assets (data sovereignty scenarios)
Managed Services, Snapshot and Professional Services plans available
3 backup questions:
- where to start?
- it seems that Azure has a better approach, what do you think?
- DevOps shift left in all this? Serverless?
- I’m migrating to cloud. Most part of my data is on prem but this will change. I did not find the answer to my case?