Cloud Network Security – What’s Possible Today
Cloud security is indispensable. It can also be extraordinarily complicated; fortunately, providers like AWS, GCP, and Azure have a wealth of tools that can help your organization automate security and compliance in the cloud.
Recently I’ve been writing about the evolution of cloud security best practices. These blogs have (hopefully) offered some guidance on 1) how to navigate the challenges agencies face migrating to the cloud, and 2) how to adopt existing standards for cloud policy. This third blog will familiarize you with the major cloud providers’ ready-made tools that will automate compliance for your organization and save you many IT headaches down the road.
In this third and final story of this series, we’ll zero in on how to automate compliance by leveraging resources from the three major cloud service providers (CSPs) – Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS).
Many CSP Tools Available
AWS Conformance Packs
AWS Conformance Packs help agencies meet compliance with various regulations and standards. A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed in an account or across an entire organization using AWS Organizations.
AWS Config provides a configuration management database for all of your AWS resources that tracks how these resources’ configurations change over time. The final component of a conformance pack is provided by AWS Systems Manager (SSM) or serverless Lambda functions, to automate the remediation of non-compliance configurations.
Here are some examples of AWS Config functionality:
- Configuration history of AWS resources - records details of changes to your AWS resources.
- Configuration history of software - records software configuration changes within your Amazon EC2 instances and servers running on-premises, as well as servers and Virtual Machines in environments provided by other cloud providers.
- Resource relationships tracking - discovers, maps, and tracks AWS resource relationships in your account.
- Configurable and customizable rules - pre-built rules for evaluating provisioning and configuring of your AWS resources as well as software within managed instances.
- Cloud Governance Dashboard - a visual dashboard to help you quickly spot non-compliant resources and take appropriate action.
- Multi-account, multi-region data aggregation - enables centralized auditing and governance.
- Extensibility – allows for publishing the configuration of third-party resources into AWS Config using AWS public APIs.
- Configuration snapshots - a point-in-time capture of all resources and their configurations.
AWS has developed and shared multiple Conformance Packs through a publicly available GitHub repository. Agencies can replicate that repository and deploy these conformance packs in their own accounts using CloudFormation, or customize them according to their own specific needs, to significantly improve their security posture.
For agencies using AWS, Conformance Packs are an effective way to introduce automation and strengthen cloud security and compliance over time because they can be fully automated and made continuous, with optional instrument/notification/reporting add-ons available.
GCP Security Foundations Blueprint
The goal of Google’s security foundations blueprint is to provide agencies with guidance and
accompanying automation that helps optimize the native controls and services to provide a secure starting point for Google Cloud deployments. The security foundations blueprint covers many of the functions agencies are currently focused on meeting compliance requirements for cloud network security, including:
- Google Cloud organization structure and policy
- Authentication and authorization
- Resource hierarchy and deployment
- Networking (segmentation and security)
- Key and secret management
- Detective controls
- Billing setup
- Creating and deploying secured applications
- General security guidance
The Azure Security Benchmark Foundation blueprint provides a set of baseline infrastructure patterns to help agencies build secure and compliant Azure environments. The blueprint helps IT teams deploy a cloud-based architecture that offers solutions to scenarios that have accreditation or compliance requirements. It deploys and configures network boundaries, monitoring, and other resources in alignment with the policies and other guardrails defined by customer requirements.
Microsoft worked closely with the Center for Internet Security (CIS) on its latest foundational blueprint for cloud network security. This latest blueprint was published in 2021 and enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implement and adhere to an organization’s standards, patterns, and requirements. Services covered include:
- Access control - multifactor authentication and managing subscription roles on privileged and non-privileged accounts
- Vulnerability monitoring on virtual machines
- Monitoring storage accounts that allow insecure connections, unrestricted access, and those that limit access from trusted Microsoft services
SQL Server auditing and configuration
- Activity log monitoring
- Network monitoring where resources are deployed
- Recoverability of key vaults in the event of accidental deletion
- Encryption of web applications
Agencies using multiple CSP’s must decide when to embrace cloud-native solutions and/or when to standardize third-party products that provide consistent cloud-agnostic solutions. While all CSP’s offer cloud-native solutions for security assessments and threat intelligence, agencies often have existing licenses for legacy security tools and institutional expertise that will influence their product selection.
This leads to many agencies' decisions to standardize on third-party products for analysis of:
- Server OS vulnerabilities
- Container security
- Custom code vulnerability
- Intrusion detection
- Network threat intelligence
These tools are migrated to cloud hosting and used as a consistent approach to addressing cloud network security concerns. While third-party products require additional licensing costs, the benefits include reduced training costs and standardized usage guidelines – regardless of which CSP is hosting the workloads.
There are also several multi-cloud management products that are beginning to get traction for multi-cloud standards compliance. Historically, these products were focused on cost reporting, but some have expanded their capabilities to provide functionality for automated standards analysis and reporting. A select few have even embarked on the multi-cloud automated remediation of non-compliant resources.
The factors driving agency decisions on these tools are similar to traditional security tooling – paying a software licensing cost vs. increased complexity of having multiple CSP-specific tools to learn and manage. For the licensing fee, these third-party products improve the security posture and standards compliance across multiple cloud hosting environments.
The Right Partner to Configure and Execute
As you can see, the big CSPs are all offering impressive support for improving security in their cloud environments. But that might not necessarily address the needs of agencies with multi-cloud environments; even with the best blueprint, agencies need an experienced partner to help them choose the right standards and implement these standards in a prioritized fashion to fully realize the value of multi-cloud environments. This is especially critical now that agencies must meet multiple Biden Administration cybersecurity mandates by the end of FY 2024.
The combination of CSP tools and working with an experienced partner can quickly help an agency gain control and accelerate compliance. Compliance checks can be built-in, making it easy to comply with security benchmarks like CIS. Agencies can map security controls to standards like FISMA, HIPAA, and FedRAMP to reduce audit times and customize checks to address unique security challenges.
The STS approach works with existing agency systems to provide clients with a complete compliance picture. We can optimize the implementation of the CSP security aggregation tools (AWS Security Hub, Azure Security Center, and Google Cloud Security Command Center). We have a proven track record of CI/CD and configuration management workflow integrations to rapidly update and deploy security policies. And we give government agencies a single pane of glass insight into cloud misconfigurations by integrating multi-cloud software solutions.
With the right tools and the right partner, building a secure public sector cloud should take weeks, not months or years. No matter what your enterprise cloud environment is, we’ll provide the proactive guardrails to achieve an initial compliance baseline. Then we can add the automation to keep you compliant into the future.
Want to ace your FITARA scorecard?
Aaron Kilinski, Principal and Chief Technologist is a multi-disciplined and energetic innovator committed to delivering business results that leverage cutting-edge ideas and state-of-the-art technology to STS.