Securing the cloud: Visibility, compliance and vulnerability management
In this Help Net Security podcast recorded at Black Hat USA 2019, Hari Srinivasan, Director of Product Management for Qualys, talks about the basics of securing your cloud.
Here’s a transcript of the podcast for your convenience.
Hello and welcome to today’s podcast.
A bunch of questions are being thrown again about cloud security. Is the cloud inherently secure? Isn’t it too chaotic and elastic that implementing a security strategy is really tough?
My name is Hari Srinivasan. I’m a director of Product Management for cloud and virtualization security with Qualys. In this podcast I’m going to take you through the basics, like shared security responsibility and basic hygiene you could start following to secure your clouds and keep them in check.
Shared security responsibility model
Let’s start with the shared security responsibility model. I know we have talked about this a lot and this is probably the 10th to 12th year in which cloud is existing after AWS launched its public cloud services. So, what’s our role in the shared security responsibility model?
The main idea here is that the cloud provider holds the keys to the kingdom. They provide you the mechanism to kind of host your workloads there but you, as in the consumer or the user, are responsible for securing the data and the workload which you are utilizing in the cloud. As much as they provide security, you also hold a shared responsibility in that security to keeping your data secure.
Visibility
Let’s start peeling the layers starting with visibility. As my CEO Philippe Courtot says: “As we know, it is difficult, if not impossible, to secure what we do not know or cannot see.” That’s so true. Visibility is key.
The ability to know what devices you have in your on-premise data center was easy. I would not say easy, but it was achievable. But when it comes to the cloud, visibility is key. Things change more rapidly, you need to gain an understanding of what resources you’re using in the cloud. It’s not just about the server. It’s about the other resources, including networks and users who are there in the cloud, which all need to be known.
As organizations and enterprises migrate some or all of their workloads, depending upon their strategy to the public cloud, they have a need to get a ubiquitous view of the entire infrastructure, be it on-premise, be it on their endpoints with just laptops and servers or people used to access things, and cloud. And of course, with all the whole industrial revolution 3.0 happening with IoT and IIoT coming into play. Those all also become a part of your IT infrastructure. So, getting a global visibility of your changed or renewed IT is extremely important.
Global IT Asset Discovery and Inventory app
Qualys recently announced an asset management product which provides you with the visibility of your global IT. Interestingly, visibility is free. As my CEO says: “If you cannot see, you cannot secure.” So, let’s start getting visibility into these assets.
Let’s start with the cloud, in this context. Connect to your cloud accounts, identify how many accounts you have.
- What do you have in those accounts?
- What are the different types of resources?
- Which Infrastructure as a Service are you using?
- Which Platform as a Service pieces are you using?
- What are the Software as a Service utilities you’re directly consuming from the cloud?
And do not forget, you also have the infrastructure element wherein you onboard your users. You use the networks, you use torrent services – you need to gain visibility among all of them.
Vulnerability management
Now let’s trace the basics: vulnerability management. It is extremely important to make sure that your assets and cloud are kept in check in terms of vulnerabilities.
What is more important is the communication which kind of happens from outside to inside the cloud via those perimeter or end servers. You need to know about them. You need to know about what is there in the perimeter. You need to know about whether they are secure. Are they prone to some vulnerabilities? Maybe they are prone to remote attacks.
Compliance
The next thing is compliance. Comply with at least the CIS benchmark level, if not for your regulatory standards or your company standards. If you start off with at least matching it up to the CIS level, you are secure by default to a great extent.
This is no different than what you do on-premises. Just the context changes. When I say context changes, I’m saying that the CIS benchmarks which are available for your cloud frameworks or infrastructural resources, those foundation benchmarks, need to also be present or checked up on in addition to that of the benchmarks which you hold for your host and the application routes that aren’t under.
Standardizing on CIS is the start point, then start with applying your industry mandatory regulatory compliance checks. Maybe HIPAA, maybe PCI, maybe SOX. Take a look at all of those things.
A bunch of these functionalities are available with Qualys. Qualys, with its vulnerability management and compliance solution, provides you with the ability to secure your cloud resources similar to that of your data center, but in context of the cloud, so you know who’s the owner of that particular resource and where it is located and what’s its origins like.
CloudTrail
When you think about the cloud, any kind of action, it is better to be logged or monitored. Maybe not for immediate utilization, but maybe for forensics. Breaches do keep happening. So, enabling CloudTrail for logging and monitoring in clouds like AWS, or Stackdriver in Google, is extremely important to make sure that you understand what’s going on in a cloud. And as you onboard users, as you bring in more people to be cloud savvy and bringing more applications to be boarded on to the cloud environment, ensure that you have a strict entry point of low-privilege IAM users.
Check for their permissions and policies, utilize cloud provider native solutions like AWS Access Advisor, to know if there are excessive permissions given to some of the users or some of the apps which use those roles.
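As an added illustration of the two hygiene points in this section, and not part of the podcast or of any Qualys product, the following Python script checks a constructed IAM policy document for wildcard grants and a constructed CloudTrail trail description for logging gaps. The field names mirror the IAM policy JSON format and the fields returned by `aws cloudtrail describe-trails`, but every value, name and ARN in it is constructed for the example; the function names are the example's own.

```python
"""Added example (not from the podcast or Qualys): an offline linter for two
cloud hygiene points: least-privilege IAM policies and complete CloudTrail logging.
Sample policy and trail below are constructed for this example.
"""
import json
from typing import Any


def _as_list(value: Any) -> list:
    # IAM allows Action/Resource to be a single string or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_statements(policy: dict) -> list:
    """Return findings for Allow statements whose Action or Resource is a wildcard.

    Each finding records the statement id (or its index), the wildcard actions,
    whether the resource is '*', and whether the grant is administrator-equivalent
    (any action on any resource). Deny statements are skipped: a broad Deny is not
    an excessive permission.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # "*" grants every action; "s3:*" grants every action of one service.
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resource = "*" in resources
        if wild_actions or wild_resource:
            findings.append({
                "sid": stmt.get("Sid", f"statement[{idx}]"),
                "wildcard_actions": wild_actions,
                "resource_is_star": wild_resource,
                "admin_equivalent": "*" in actions and wild_resource,
            })
    return findings


def cloudtrail_gaps(trail: dict) -> list:
    """Return the logging gaps found in one trail description (empty if none)."""
    gaps = []
    if not trail.get("IsMultiRegionTrail", False):
        gaps.append("trail is single-region: activity in other regions is not recorded")
    if not trail.get("LogFileValidationEnabled", False):
        gaps.append("log file validation is off: tampering with delivered logs is not detectable")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        gaps.append("no CloudWatch Logs group: events cannot drive near-real-time alerts")
    return gaps


# Constructed sample policy: one tightly scoped statement, one that is effectively
# administrator access, and one Deny that must not be reported.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "Convenience", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "BlockDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}
""")

# Constructed sample trail: single region, validation off, no CloudWatch Logs group.
SAMPLE_TRAIL = {
    "Name": "example-trail",
    "S3BucketName": "example-trail-bucket",
    "IsMultiRegionTrail": False,
    "LogFileValidationEnabled": False,
}

if __name__ == "__main__":
    for finding in find_broad_statements(SAMPLE_POLICY):
        print("policy finding:", finding)
    for gap in cloudtrail_gaps(SAMPLE_TRAIL):
        print("trail gap:", gap)
```

Run against real data, the policy checker would be fed the documents attached to each user and role and the trail checker the output of `describe-trails`; the linter only surfaces candidates for review, since a wildcard grant on a service can be legitimate and the decision to tighten it belongs to the resource owner.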
The basics
Start with the basics, ensuring you have the standard operating procedures like vulnerability management, both internal and the perimeter, policy compliance. Specifically start at least with CIS at all the layers, host application and also your foundation benchmarks for your resources, and in addition to application security. Follow basic practices of enabling logging and auditing the users which you onboard on the cloud, before you all get more sophisticated with real time alerts, machine learning and artificial intelligence-based anomalous activity detection or maybe even automated remediations.
So, if you are using Qualys or you are new to Qualys, get to know that Qualys provides a ubiquitous visibility across a hybrid IT.