Security visibility in the cloud
Clouds, by their very nature, are … cloudy. What’s inside them is obscured. When you move your IT infrastructure, applications and data to the public cloud, you no longer have the same degree of visibility into their “inner workings” that you have in your on-premises network. Because we, as IT admins, tend to have a wide “control freak streak” in our natures, that makes us uncomfortable. You might say we have trust issues.
There is no denying, however, that the cloud is the way of the foreseeable future, whether or not we like it. Cloud computing has cost advantages, convenience advantages, and yes – it even has security advantages (along with some disadvantages). The challenge is to embrace those advantages, and to accept that we may have to give up a certain amount of visibility and control, while at the same time learning to leverage the tools that are available to help us maintain as much of both as we can, within the parameters of this new environment.
A successful transition of your IT assets to the cloud starts with selecting the right cloud provider. For a large number of organizations, that means one of the technology giants named as leaders in the IaaS space by Gartner in last year’s Magic Quadrant for Cloud Infrastructure as a Service, Worldwide report. In other words, Microsoft Azure or Amazon Web Services (AWS).
There are several reasons that these companies dominate the IaaS landscape. One important reason is that they are a known quantity to customers; they’ve been around for a long time, they’re financially solid and aren’t likely to go out of business anytime soon, we’ve used their software and/or services for years – we trust them, at least in some respects and to some degree.
Google’s Compute Engine has also gained a following due to some unique offerings such as its sustained usage discounts, preemptible VMs, and shared storage. However, in this article, I’ll be talking about Azure, as this is the IaaS service with which I’ve worked most and am most familiar.
Cloud providers recognize that many organizations have reservations about putting valuable resources and sensitive data in the public cloud, which means (in most cases) it traverses the very insecure Internet on a regular basis. Providers have taken steps not only to increase their security, but also to provide visibility into security events for their customers, and to be more forthcoming with information about their security measures in their documentation and marketing materials.
For example, Microsoft has established the Microsoft Trust Center web site, which I have had the opportunity to work on as a security writer. The Trust Center answers the most-asked questions from customers regarding what Microsoft does to protect your data in the cloud and to comply with regulatory and industry security requirements that may affect your company. The site goes into some detail about how each of its popular cloud services – from Azure to Visual Studio Team Services – is protected, the technologies and mechanisms (encryption, auditing and logging, threat management and so forth) that are used, and the compliance certifications and attestations that Microsoft’s cloud services can claim. The site also addresses privacy issues (such as the company’s privacy standards and how it responds to government requests), transparency regarding where your data is stored and how it’s used, security practices and processes (such as Red Teaming/penetration testing) and relevant news and resources to back up the information.
AWS has a Security site that documents some of the same sort of information about their security platform and processes.
Controlling your cloud
It’s good to read about all the measures that providers have in place to protect your assets from interception, unauthorized access, or loss, but it’s not enough for them to say, “We’ll take care of security, so don’t worry your pretty little heads.” We’re IT pros, so of course we’re going to worry, unless we can have visibility into the security state of our specific cloud resources – our little piece of that cloud pie.
We want to know about the security health status of our virtual machines, our virtual networks and our applications that run in the cloud. We want to be able to define security policies that reflect our company’s own unique security needs. We want to be able to identify potential and actual security vulnerabilities within our virtual networks and configure controls to plug the holes. We want recommendations as to how best to do that, and we want to be able to deploy third-party security solutions toward that end. We want to get alerts when and if a security threat, such as malware or a brute force attack against our virtual machines, occurs.
The good news is that cloud providers are listening to what customers want, and providing tools to give you more visibility and more control over security aspects of your cloud-based resources.
Microsoft Azure Security Center
In July 2016, Microsoft released the Azure Security Center (ASC) to general availability for customers after a lengthy preview period, during which it was tested by some major companies. The GA release added some new features, as well. The intent of ASC is to help Azure customers gain more control over and insight into cloud security and detect and respond quickly to attacks – all from one centralized portal.
When an attack occurs, ASC provides alerts that give you information about related events and which of your cloud resources are affected. Then it goes a step further and makes suggestions as to what you can do to fix the issues and recover from the attack. A problem that’s inherent in any threat detection system is false positives. Nobody wants to spend precious time responding to a reported threat, only to learn that the software was “overreacting” and there is no threat after all (as much of a relief as that might be). Microsoft has worked hard to reduce the incidence of false positives without missing the “real deal” when it happens.
Some of the new features in the GA release include log integration that makes it easier to get your security data into popular SIEM systems such as Splunk, email notifications of high-severity security alerts, and a single view of related alerts that helps to give you a broader perspective of the overall attack and the impact it had.
There is also support for more resource types. Microsoft has set out to be truly “inclusive,” as evidenced by moves such as providing Office software for iOS and Android mobile devices. You’ll see another manifestation of that in Azure, where you aren’t limited to Windows Server virtual machines; in fact, a growing number of Azure VMs are running Linux. ASC now has support for more distros, including Red Hat, Ubuntu, Debian, CentOS and SUSE.
As for the attacks that are detected, Microsoft security researchers are adding new capabilities on an ongoing basis. The threat landscape is changing all the time, and ASC is designed to be flexible and responsive to the emergence of new threats. Luckily they have access to large amounts of threat intelligence data collected all over the globe, across both their on-premises enterprise software and their cloud services. This means security data can be analyzed against data sets from multiple sources, and when new attack trends are discovered, ASC can quickly update its algorithms. Continuous monitoring and detection tuning help you keep your Azure resources safe.
If you have different resources in the Azure cloud that have different requirements in regard to security, no worries. ASC allows you to set security policies for different resource groups. These policies control the monitoring and security recommendations.
In addition to security policy configuration, attack prevention and threat detection, ASC makes it easy for you to deploy cloud security solutions from Microsoft’s partner companies, such as Next Generation Firewalls (NGFWs).
You can find out more about the Azure Security Center on Microsoft’s Azure web site.
Amazon’s AWS takes a slightly different route. Its CloudTrail service increases your visibility into security-related incidents and activities by logging the API actions taken by users, and this information can be sorted and filtered in various ways. Partner solutions such as Splunk, Alert Logic and Sumo Logic integrate with CloudTrail log files and can provide security analysis.
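To make the “sort it in various ways” concrete, here is an added example (not from the article or from AWS) that triages a CloudTrail log file offline: it counts API calls per principal, flags a principal/source-IP pair that keeps getting AccessDenied, and lists root-account activity. The field names (`Records`, `eventName`, `errorCode`, `sourceIPAddress`, `userIdentity`) are CloudTrail’s; the records themselves are constructed for illustration.

```python
"""Triage constructed CloudTrail-style records: who did what, and who kept getting denied."""
import json
from collections import Counter

# Constructed sample: a CloudTrail log file is a JSON object with a "Records" list.
# These records are made up for illustration and are not real account activity.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-08-01T10:00:01Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2016-08-01T10:00:05Z", "eventName": "GetBucketAcl", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2016-08-01T10:00:06Z", "eventName": "ListBuckets", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2016-08-01T10:00:08Z", "eventName": "DescribeSecurityGroups", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2016-08-01T10:01:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root"}},
]})


def load_records(raw_json):
    """Parse one CloudTrail log file; every event lives under the top-level "Records" key."""
    return json.loads(raw_json)["Records"]


def actor(record):
    """Name the principal behind a record; the root account has no userName, so label it by type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def calls_per_actor(records):
    """Sort activity by principal: how many API calls each one made."""
    return Counter(actor(r) for r in records)


def denied_by_actor_and_ip(records, threshold=3):
    """Flag (actor, source IP) pairs with at least `threshold` AccessDenied errors.
    A burst of denied calls from one place usually means a misconfigured job or a
    credential being used beyond its permissions, either of which deserves a look."""
    denied = Counter((actor(r), r.get("sourceIPAddress"))
                     for r in records if r.get("errorCode") == "AccessDenied")
    return {key: n for key, n in denied.items() if n >= threshold}


def root_usage(records):
    """Root-account activity should be rare; return every event the root identity performed."""
    return [(r["eventTime"], r["eventName"])
            for r in records if r.get("userIdentity", {}).get("type") == "Root"]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(calls_per_actor(recs))          # Counter({'bob': 3, 'alice': 1, 'Root': 1})
    print(denied_by_actor_and_ip(recs))   # {('bob', '203.0.113.9'): 3}
    print(root_usage(recs))               # [('2016-08-01T10:01:00Z', 'ConsoleLogin')]
```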
There are a number of third-party security solutions available in the AWS Marketplace for threat management and intrusion detection in the AWS environment, such as Alert Logic’s Threat Manager for AWS, which monitors Windows and Linux EC2 instances and gives you an Intrusion Detection System (IDS), internal and external vulnerability scanning and PCI scanning abilities via a Security-as-a-Service (SaaS) model.
You can find out more about AWS security on Amazon’s web site.
Trust is vital to the success of any relationship, and that includes your company’s relationship with its cloud provider. We trust when we are able to see and verify that the provider’s security processes are working, and that requires visibility into those processes. Major cloud providers are recognizing this need and giving customers more visibility into and control over cloud security resources, and in this article, we’ve provided an overview of how Microsoft and Amazon are doing this.