How to Configure Cloud Resources to Avoid Data Security Breaches
Government IT operates in a climate of constant cyber-attack. In fiscal year 2020 there were 30,819 cybersecurity incident reports made by federal agencies, which equates to 84 per day. According to Microsoft’s 2021 Digital Defense Report, the government is one of the most targeted sectors, comprising 48% of nation-state threat activity.
These relentless attacks are a threat to the successful transition of federal IT resources to the cloud. For all its advantages, the move to the cloud does present security complications. Often it results in a larger attack surface. Additionally, many federal agencies transitioned assets to the cloud before there was a management structure to monitor and control how cloud resources should be provisioned, accessed, and defended.
Transitioning traditional data center environments to the cloud offers federal agencies huge advantages in performance and flexibility. Agency services can’t effectively scale or adopt new capabilities or meet Administration transformation goals without migrating to the cloud.
Simple Technology Solutions (STS) partners with federal agencies to make this transition safely. We establish cloud security policy and usage standards, and then operationalize those guidelines in code for maximum observability and shorter remediation timelines. Here are four recommendations for stronger cloud security, drawn from our work with federal clients.
1. Automate New Resource Creation through Infrastructure as Code (IaC)
Given the complexity of deploying, maintaining, and replicating cloud infrastructure, STS has developed multiple IaC solutions using Terraform, AWS CloudFormation, and Azure DevOps. Using IaC, all production cloud resources can be created using pre-approved templates. This practice ensures that provisioned resources are already compliant with our pre-defined cloud standards at the time of deployment. It also allows us to detect and remediate configuration drift automatically by checking the current state of the resource against the defined state in the IaC template.
With IaC, many of the configuration steps involved in creating a new resource, such as network settings, are fixed in the template rather than chosen by the operator at deployment time. Because these settings are encapsulated, an operator cannot get them wrong: the resource is either deployed as specified or not at all.
For multiple clients, our STS engineering team has developed AWS-native CloudFormation templates that launch and provision an EC2 instance, creating and attaching an EBS volume if needed. Once the instance is launched, we use SSM to run Bash and PowerShell scripts that join it to a selected organizational unit in an Active Directory domain, apply the specified tags, install the necessary agents, and format the attached EBS volume.
CloudFormation tags the resources it creates (EC2 instances included) with the name of the originating stack, so we built an AWS Lambda function that finds VMs without those tags, which by definition were not created from the IaC template, and automatically powers them down. Our STS engineering team has also used Terraform for similar goals, deploying Identity and Access Management (IAM) roles, security groups, and AWS Lambda cloud governance functions.
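As an added example (not STS's code), here is the shape such a governance function takes in Python for Lambda. It assumes the function is invoked on a schedule by an EventBridge rule, and that a hypothetical `GovernanceExempt=true` tag marks break-glass instances that must not be stopped; the `describe_instances` output at the bottom is constructed sample data, not real account output.

```python
"""Governance check: find EC2 instances that were not launched from a
CloudFormation stack and stop them.

CloudFormation tags every EC2 instance it creates with
aws:cloudformation:stack-name (plus stack-id and logical-id). An instance
without that tag was launched some other way (console, CLI, SDK) and so never
passed through the approved template.

The classification is a pure function so it runs offline on the sample
describe_instances response below; only lambda_handler touches AWS.
"""

STACK_TAG = "aws:cloudformation:stack-name"
# Instances already stopping/stopped/terminated need no action.
ACTIONABLE_STATES = {"pending", "running"}


def untracked_instances(reservations, exempt_tag="GovernanceExempt"):
    """Return IDs of pending/running instances that lack the stack tag.

    `reservations` is the "Reservations" list of an ec2.describe_instances
    response. Instances tagged `exempt_tag=true` are skipped; that tag is an
    assumption of this example (a break-glass escape hatch), not an AWS tag.
    """
    result = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") not in ACTIONABLE_STATES:
                continue
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get(exempt_tag, "").lower() == "true":
                continue
            if STACK_TAG not in tags:
                result.append(inst["InstanceId"])
    return result


def lambda_handler(event, context):
    """Lambda entry point; assumed to run on an EventBridge schedule."""
    import boto3  # imported here so the pure function above runs without it
    ec2 = boto3.client("ec2")
    reservations = []
    paginator = ec2.get_paginator("describe_instances")
    for page in paginator.paginate(
        Filters=[{"Name": "instance-state-name", "Values": sorted(ACTIONABLE_STATES)}]
    ):
        reservations.extend(page["Reservations"])
    targets = untracked_instances(reservations)
    if targets:
        ec2.stop_instances(InstanceIds=targets)
    return {"stopped": targets}


# Constructed sample describe_instances output (not real account data).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "State": {"Name": "running"},
         "Tags": [{"Key": "aws:cloudformation:stack-name", "Value": "web-tier"},
                  {"Key": "aws:cloudformation:logical-id", "Value": "WebInstance"}]},
        {"InstanceId": "i-0bbb", "State": {"Name": "running"},
         "Tags": [{"Key": "Name", "Value": "console-launched"}]},
        {"InstanceId": "i-0ccc", "State": {"Name": "stopped"}, "Tags": []},
        {"InstanceId": "i-0ddd", "State": {"Name": "running"},
         "Tags": [{"Key": "GovernanceExempt", "Value": "true"}]},
    ]},
]

if __name__ == "__main__":
    print(untracked_instances(SAMPLE_RESERVATIONS))  # ['i-0bbb']
```

Only `i-0bbb` is selected: `i-0aaa` carries the stack tag, `i-0ccc` is already stopped, and `i-0ddd` is exempt. The Lambda's execution role needs only `ec2:DescribeInstances` and `ec2:StopInstances`, and the latter can be further scoped with a condition on the absence of the stack tag.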
2. Enforce Compliance with AWS Security Hub – Automated Governance
AWS Security Hub is a cloud security posture management service: it runs automated checks against security best practices, aggregates security alerts from across all your AWS accounts into a single place and format, and enables automated remediation, giving you a view of your overall security posture.
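An added illustration, not part of the original post, of the automated-response half: a Lambda function that triages findings Security Hub delivers in the AWS Security Finding Format (ASFF) and marks the ones that need work so they are not re-queued on every import. It assumes an EventBridge rule for imported Security Hub findings invokes it; the finding IDs, resource ARNs and `_finding` helper are constructed for the example, while the ASFF field names and the `BatchUpdateFindings` call are real.

```python
"""Security Hub automated response: pick out imported findings that need action.

This handler assumes an EventBridge rule for "Security Hub Findings - Imported"
(not shown) invokes it with the findings under event["detail"]["findings"].
Selection is a pure function so it runs offline on the constructed findings
below; only lambda_handler calls AWS.
"""

ACTIONABLE_SEVERITIES = frozenset({"HIGH", "CRITICAL"})
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}


def findings_needing_action(findings, severities=ACTIONABLE_SEVERITIES):
    """Return (finding id, product ARN, resource id) for findings that are still
    active, not yet worked (Workflow NEW), failed their control check, and meet
    the severity threshold, most severe first."""
    selected = []
    for f in findings:
        if f.get("RecordState") != "ACTIVE":
            continue  # ARCHIVED: the resource is gone or the check was retired
        if f.get("Workflow", {}).get("Status") != "NEW":
            continue  # NOTIFIED / SUPPRESSED / RESOLVED: someone already acted
        if f.get("Compliance", {}).get("Status") != "FAILED":
            continue  # PASSED, WARNING or NOT_AVAILABLE need no remediation
        label = f.get("Severity", {}).get("Label")
        if label not in severities:
            continue
        for res in f.get("Resources", []):
            selected.append((SEVERITY_RANK.get(label, 9), f["Id"], f["ProductArn"], res["Id"]))
    selected.sort(key=lambda t: t[0])  # stable: equal severities keep input order
    return [(fid, arn, rid) for _, fid, arn, rid in selected]


def lambda_handler(event, context):
    import boto3  # imported lazily so the selection logic runs without it
    hub = boto3.client("securityhub")
    hits = findings_needing_action(event["detail"]["findings"])
    identifiers = [{"Id": fid, "ProductArn": arn} for fid, arn, _ in hits]
    # Mark the findings NOTIFIED so re-imports do not queue them again; the
    # note records what acted on them. BatchUpdateFindings takes at most 100 ids.
    for i in range(0, len(identifiers), 100):
        hub.batch_update_findings(
            FindingIdentifiers=identifiers[i:i + 100],
            Workflow={"Status": "NOTIFIED"},
            Note={"Text": "Queued for remediation", "UpdatedBy": "governance-lambda"},
        )
    return {"queued": [rid for _, _, rid in hits]}


PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/securityhub"


def _finding(fid, severity, compliance, workflow, resource, record_state="ACTIVE"):
    """Build a minimal ASFF finding (helper for the constructed samples only)."""
    return {"Id": fid, "ProductArn": PRODUCT_ARN, "AwsAccountId": "111122223333",
            "Severity": {"Label": severity}, "Compliance": {"Status": compliance},
            "Workflow": {"Status": workflow}, "RecordState": record_state,
            "Resources": [{"Type": resource[0], "Id": resource[1]}]}


# Constructed sample findings (not from a real account).
SAMPLE_FINDINGS = [
    _finding("f-1", "HIGH", "FAILED", "NEW",
             ("AwsEc2SecurityGroup", "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0abc")),
    _finding("f-2", "CRITICAL", "FAILED", "NEW", ("AwsS3Bucket", "arn:aws:s3:::example-data-bucket")),
    _finding("f-3", "HIGH", "PASSED", "NEW", ("AwsIamRole", "arn:aws:iam::111122223333:role/Admin")),
    _finding("f-4", "HIGH", "FAILED", "SUPPRESSED",
             ("AwsEc2Instance", "arn:aws:ec2:us-east-1:111122223333:instance/i-0def")),
    _finding("f-5", "LOW", "FAILED", "NEW",
             ("AwsEc2Volume", "arn:aws:ec2:us-east-1:111122223333:volume/vol-0123")),
    _finding("f-6", "CRITICAL", "FAILED", "NEW", ("AwsS3Bucket", "arn:aws:s3:::deleted-bucket"),
             record_state="ARCHIVED"),
]

if __name__ == "__main__":
    for fid, _, rid in findings_needing_action(SAMPLE_FINDINGS):
        print(fid, rid)  # f-2 first (CRITICAL), then f-1 (HIGH)
```

The four skips matter in practice: without the `Workflow`, `RecordState` and `Compliance` checks, a scheduled re-import of an already-suppressed or already-passing control would keep re-opening tickets. Actual remediation (for example revoking the offending security group rule) belongs in a separate, narrowly permitted function keyed on the resource type.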
STS simplifies the demands of managing fleets of VMs and services across different cloud platforms. We have developed a library of automated solutions that grows as we perform more work on our federal contracts, including solutions for maintaining device compliance across agency components, whether that compliance is driven by a Security Technical Implementation Guide (STIG), an application agent, or patching.
Our team has developed Bash and PowerShell scripts to apply patches and to check, install, and configure agents for applications such as Splunk, CrowdStrike, McAfee, CloudWatch, Dynatrace, and Nessus. These scripts can be scheduled to run routinely to ensure consistent compliance, using AWS Systems Manager (SSM) or, for more platform-agnostic deployments, Ansible.
We have developed a golden image pipeline using EC2 Image Builder to build an image, apply STIG hardening to it, and share the encrypted result with multiple AWS accounts, re-encrypting the image with a KMS key that lives in each receiving account. By combining these compliance solutions in a deployment pipeline, we can launch a VM from a fully STIG-hardened image, enforce software and configuration compliance against Center for Internet Security (CIS) baselines, and apply routine patches, so the resource stays compliant from provisioning to termination.
Automated governance, governance as code – whatever term you prefer, the implications for stronger cloud security are transformational.
3. Create Secure Logging Capabilities
Security logs contain valuable information that helps reduce exposure to intruders, malware, and data loss in an IT network. Secure and regular log collection is critical to understanding the nature of security incidents during both active investigations and post mortem analysis.
STS tracks changes to the cloud environment using services such as AWS CloudTrail and Azure Log Analytics, so that every change to the cloud backbone of a tenant's environment is recorded and auditable. Paired with least-privilege user permissions and encryption key storage in a cloud-native service such as Azure Key Vault, this ensures that all changes in the environment are tracked and that users can only make the changes they have been explicitly provisioned to make.
STS reduces the risk of undetected intrusion by enabling network flow logging across the cloud environment, using cloud-standard capabilities such as VPC Flow Logs in AWS, which are robust and low-cost for end users. Flow logs reveal unwanted traffic to the cloud environment and the resources it encompasses. Used together with Nessus vulnerability assessment, they let us detect intrusion attempts quickly and identify the weaknesses those attempts are aimed at.
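An added example (not the page's or STS's code) of what detection over VPC Flow Logs looks like in practice: parse default-format records, then flag accepted admin-port connections arriving from outside the VPC's private ranges and sources whose rejected connections span many destination ports. The flow log lines are constructed, and the code assumes the VPC uses RFC 1918 addressing; the threshold is an illustrative value.

```python
"""Detection logic over VPC Flow Log records (default format, version 2).

Field order of the default format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
Records whose log-status is NODATA or SKIPDATA carry '-' in the traffic
fields and are skipped. SAMPLE_FLOW_LOG below is constructed for this
example; it was not captured from a real VPC.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ADMIN_PORTS = {22, 3389}      # SSH and RDP should be reached only via a bastion or SSM
SCAN_PORT_THRESHOLD = 5       # distinct rejected destination ports from one source
# Assumption: the VPC uses RFC 1918 space, so anything else is "external".
# Adjust if your VPCs use 100.64.0.0/10 or public CIDRs.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int       # IANA protocol number: 6 = TCP, 17 = UDP
    action: str      # ACCEPT or REJECT
    start: int       # epoch seconds


def parse_flow_log(text):
    """Parse default-format lines; malformed and NODATA/SKIPDATA lines are dropped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        records.append(FlowRecord(src=f[3], dst=f[4], sport=int(f[5]), dport=int(f[6]),
                                  proto=int(f[7]), action=f[12], start=int(f[10])))
    return records


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def public_admin_access(records):
    """Accepted TCP flows to an admin port from outside the private ranges.
    Each hit is (source, destination, port). An ACCEPT here means a security
    group or NACL allowed it, which is itself the misconfiguration to fix."""
    hits = {(r.src, r.dst, r.dport) for r in records
            if r.action == "ACCEPT" and r.proto == 6
            and r.dport in ADMIN_PORTS and not is_internal(r.src)}
    return sorted(hits)


def port_scan_sources(records, threshold=SCAN_PORT_THRESHOLD):
    """(source, destination, port count) pairs with REJECTs on at least
    `threshold` distinct destination ports: the signature of a port sweep."""
    rejected_ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            rejected_ports[(r.src, r.dst)].add(r.dport)
    return sorted((src, dst, len(ports)) for (src, dst), ports in rejected_ports.items()
                  if len(ports) >= threshold)


# Constructed sample records: one internal SSH session, one external SSH
# session that was allowed, one rejected RDP attempt, a six-port sweep from a
# second external host, and a NODATA record that must be ignored.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.1.20 49152 22 6 12 2345 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51000 22 6 8 1200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51001 3389 6 8 1200 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40001 21 6 1 44 1700000100 1700000160 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40002 23 6 1 44 1700000100 1700000160 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40003 25 6 1 44 1700000100 1700000160 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40004 80 6 1 44 1700000100 1700000160 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40005 443 6 1 44 1700000100 1700000160 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40006 8080 6 1 44 1700000100 1700000160 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1700000100 1700000160 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("admin access from outside:", public_admin_access(recs))
    print("probable port sweeps:", port_scan_sources(recs))
```

On the sample, the accepted SSH session from 198.51.100.7 is the finding that matters: the rejected sweep from 198.51.100.9 shows the security group doing its job, while the ACCEPT shows a rule that should not exist. In production the same functions run over records queried from CloudWatch Logs or Athena rather than a string, and the threshold and internal ranges are tuned per environment.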
4. Cloud Security Support Services
The goal of information security auditing is two-fold – ensuring that IT guidelines are being followed and assessing an organization’s compliance posture. Compliance auditing and vulnerability assessment are top priorities at government agencies.
Our STS team provides weekly compliance and vulnerability reports covering all VM assets within each FISMA boundary we support. The team uses Tenable Nessus Manager together with Nessus Agents installed on each VM to perform the assessment scans.
Tenable publishes plugins that scans use to check whether a system is exposed to known vulnerabilities, scored using the CVSS metrics recorded in the National Vulnerability Database. STS also has experience with cloud-native vulnerability assessment services such as Amazon Inspector. Nessus scans additionally let you select multiple STIGs, or upload your own, to check system compliance against, and offer basic database and web application vulnerability and compliance scanning, which our STS team has also used.
Once scans are provided to FISMA Security Officers, remediation timelines are set based on vulnerability and compliance impact scores.
Disaster recovery and backup planning are also critical to ensure continuity of operations and data preservation, especially when high-availability systems are at stake. Misconfigurations of resources can result in the need for a VM to be re-provisioned, and an issue in a CSP region or zone can mean time-consuming, costly migrations of servers to another region or zone.
STS provides both capabilities across projects with minimal impact to customers, using cloud-native services such as Azure Site Recovery for VM recovery at lower cost. We schedule regular backups to preserve customer data and keep the most recent backups available in the event of a disaster. Both the backup schedule and the retention period are defined according to the needs of the customer.
By leveraging cloud native recovery services, STS can recover from a disaster situation with the worst-case scenario of hours’ worth of lost data, no matter when the disaster event occurs. STS can restore a virtual machine to a previous state in the event of a VM configuration issue or migrate it to a new cloud data center in the event of a CSP-centric disaster.
The four recommendations above are powerful and achievable ways to configure your cloud to avoid data security breaches. STS is at the front lines of the fight to secure federal infrastructure against cyber-attacks, and has successfully deployed these solutions for government clients. We can’t overstate how important automation is for avoiding data security breaches. Manual configuration of cloud resources is simply unsustainable - it’s too laborious and inevitably leads to mistakes.
How can you put these improvements to work for your agency? Contact us to start a conversation around your needs.