BACKGROUND OF SECURITY ISSUES IN TRADITIONAL CI/CD
It’s an all-too-familiar news story or cross-office conversation – one cloud security incident, usually arising from a poorly implemented cloud compliance policy, can send a company into a quagmire of confusion, customer frustration, reputation damage or, worse, job loss.
In the past couple of years, I’ve seen the story play out multiple times: from encryption key exposure to voter record leaks on public S3 buckets, amongst a plethora of pain ranging from user account and API lockdown failures to cross-site scripting vulnerabilities in allegedly “unhackable” sites.
Moreover, most of us have, at one point or another, heard statements like “security is everyone’s responsibility” and “let’s shift security to the left” mostly from InfoSec agents who seem to preach with the full-force frantic reverence of a climate change sceptic.
However, there is no denying that now, more than ever, compliance is crucial to survival. Further to this, it’s the perceived mystery surrounding compliance which tends to lead many organisations down the winding garden path of reactive security tooling. That, in turn, tends to lead to widespread confusion amongst stakeholders and to teams overspending on overly complicated, event-driven “proactive” (reactive in disguise) threat detection services that tout fanciful phrases like:
- “set and forget”
- “Industry leading”
- “Patented threat detection”.
And of course, they all feature a magical algorithm to solve everything from proactive packet monitoring to data and log aggregation and forensic insights that prevent any unwanted nasties from causing you or your organisation anything other than an entirely stress-free day.
It is then no surprise that the world of Cloud Compliance is leaving many IT leaders wondering which way is up, let alone what public or hybrid cloud offering to adopt while trying to maintain a safe and compliant environment. Although many organisations have embraced fully fledged cloud adoption frameworks, it is still widely assumed that storing business data in a public cloud is not without risks, especially if your team is new to the cloud environment and all the beautiful tooling that goes with it.
Although some service providers have tools and processes in place to help you secure your cloud infrastructure, ensuring security in the cloud is often substantially different to what you and your team may be used to from an on-premises perspective.
Now add the expanded threat landscape of multiple cloud providers (private, public, distributed and edge) and the state of security becomes much more complex. There’s a much higher risk of mistakes and failures – which may or may not cause your place of work to end up on the nine o’clock news.
Essentially, how can you be sure that your security and compliance standards will be met before you move workloads and data to a public cloud?
UNDERSTANDING THE SOLUTION
First things first: take a security-first approach. This aims to achieve a state of continuous cloud compliance, which will lower costs, minimise risks, and reduce the complexity of your cloud operations.
A security-first model leverages tools and automation that:
- Monitor security threats through real-time discovery.
- Understand security threats through deep insights.
- Act on threats through automated policies, processes, and controls.
- Measure security and compliance results with robust reporting capabilities.
A multi-cloud platform that continuously monitors and manages cloud security against your set policies and compliance standards provides:
- A complete and unified view of all cloud accounts.
- Generation of regular compliance reports.
- Identification, prioritisation, and remediation of compliance risks.
- End-to-end lifecycle compliance monitoring.
- Audit reports that demonstrate round-the-clock security management and compliance.
In this example, we will focus on AWS utilising features that are readily available to anyone and, more importantly, relatively inexpensive and non-complex.
DEPLOYING THE SOLUTION TO YOUR ENVIRONMENT
Obtain compliance by ensuring you maintain a policy that addresses information security for all personnel:
- Security policies should be documented and shared with all the personnel.
- AWS inventory and account information should be updated regularly.
- Have an incident response plan ready before a breach.
- Put 24/7 monitoring in place to enable rapid response.
Several AWS native tools can assist in advanced, proactive threat detection and remediation. We start by combining a few of these to provide automated cloud health checks and remedial action in response to pre-defined events.
Combining AWS Config, CloudWatch and Lambda creates an event-driven controls framework that gives your team ‘set-and-forget’ proactive security as well as automated remedial action when, say, an S3 bucket or its objects are changed from private to public (or when someone accidentally or maliciously turns off AWS CloudTrail).
5 SIMPLE STEPS TO YOUR SET-AND-FORGET AWS COMPLIANCE FOR S3
- Enable AWS Config to monitor Amazon S3 buckets, ACLs and policies for compliance violations (you can set your own custom Config rules, but the generic ones are fine for us).
- Create an IAM Role and Policy that grants the Lambda function permission to read S3 bucket policies and send alerts through SNS.
- Create and configure a CloudWatch Events rule that triggers the Lambda function when AWS Config detects an S3 bucket ACL or policy violation.
- Create a Lambda function that uses the IAM role to review S3 bucket ACLs and policies, correct the ACLs, and notify your team of out-of-compliance policies.
- Verify the monitoring solution by attempting to change an S3 bucket from Private to Public.
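The Lambda function from steps 3 and 4, as an added example that is not the post’s own code or its CloudFormation template. It consumes the “Config Rules Compliance Change” event that the CloudWatch Events rule forwards, strips public ACL grants from the offending bucket, and reports to SNS; the `SNS_TOPIC_ARN` environment variable, the injectable `s3`/`sns` clients and the sample event and ACL are assumptions constructed for the example.

```python
import json, os

# Grantee URIs that expose a bucket to everyone or to any AWS account holder
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample of the event CloudWatch Events delivers from AWS Config
SAMPLE_EVENT = {"detail-type": "Config Rules Compliance Change", "source": "aws.config",
                "detail": {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
                           "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}}}

# Constructed sample of a get_bucket_acl() response carrying one public-read grant
SAMPLE_ACL = {"Owner": {"ID": "owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

def noncompliant_bucket(event):
    """Bucket name if the event is a NON_COMPLIANT evaluation of an S3 bucket, else None."""
    d = event.get("detail", {})
    if d.get("resourceType") != "AWS::S3::Bucket":
        return None
    if d.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    return d.get("resourceId")

def public_grants(acl):
    """Grants in a get_bucket_acl() response whose grantee is a public group."""
    return [g for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GRANTEES]

def handler(event, context, s3=None, sns=None):
    """Lambda entry point. Clients are injectable (assumed); boto3 is used when none are passed."""
    bucket = noncompliant_bucket(event)
    if bucket is None:
        return {"bucket": None, "remediated": False, "removed": 0}
    if s3 is None or sns is None:  # imported lazily so the helpers above run anywhere
        import boto3
        s3, sns = s3 or boto3.client("s3"), sns or boto3.client("sns")
    offending = public_grants(s3.get_bucket_acl(Bucket=bucket))
    if offending:  # ACL violation: reset to the owner-only canned ACL
        s3.put_bucket_acl(Bucket=bucket, ACL="private")
    # Bucket-policy violations are reported only; the team reviews the policy by hand
    sns.publish(TopicArn=os.environ["SNS_TOPIC_ARN"],  # assumed env var set on the function
                Subject=f"S3 compliance: {bucket} " + ("ACL reset to private" if offending else "needs review"),
                Message=json.dumps({"bucket": bucket, "removed_grants": offending}, default=str))
    return {"bucket": bucket, "remediated": bool(offending), "removed": len(offending)}
```

The CloudWatch Events rule in step 3 only needs to match `"source": ["aws.config"]` and `"detail-type": ["Config Rules Compliance Change"]`, which is exactly the shape of the constructed sample event above.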
Feel free to use this CloudFormation Template to deploy the solution directly into your AWS account today.
You now have essential compliance and event-driven security automation in place for S3. Go forth and extrapolate further!
If you would like to find out more about how Cevo can help you and your team achieve proactive security in your cloud environment, please get in touch.