At this point, every organization has a cloud strategy of some sort. But not everyone has the necessary cloud security strategy to go along with it. You can achieve comprehensive, effective cloud cybersecurity across infrastructure as a service (IaaS), platform as a service (PaaS), and DevOps if you deploy tools that seamlessly span these multiple computing environments.
If your organization is anything like the majority of modern enterprises and agencies, you are probably using some combination of physical, virtual, private cloud and public cloud computing. A heterogeneous approach like this can significantly improve the flexibility, affordability and efficiency of your IT resources, but it also complicates your cybersecurity posture if your toolset can’t keep up.
The Shared Responsibility Model
Even within the context of cloud native computing, organizations have a tendency to avoid vendor lock in by taking a multi vendor approach. Say your data is spread between a few popular public cloud platforms such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). Is the onus on them to keep your data away from prying eyes? Or do you need to take responsibility for the security of your cloud hosted data? The answer is both. When organizations use public cloud storage, they’re agreeing to a shared responsibility model. This model clearly delineates the security controls you’re responsible for and those you aren’t. This clarity helps organizations better understand exactly what they need their cybersecurity tools to accomplish.
Organizations shifting their infrastructure to the cloud need to ensure their virtual images are configured according to their organization’s hardening guidelines. They also need to make sure the way their images are handled doesn’t introduce an unacceptable level of vulnerability risk. Using Tripwire solutions, customers can check the risk posture of each image as it comes alive by deploying the Tripwire Axon® platform on each cloud image. The agents can be deployed autonomously using the deployment tool (Puppet, Chef, Ansible, etc.) of your choice. Once the images come alive, the agents self register and test themselves for vulnerability and configuration compliance risk. This risk is then reported to the security team in the same interface as the on premise assets, providing the security team a single pane of glass to the risk. If the images are persistent, subsequent assessments can be triggered by a change or after a certain amount of time.
Instead of deploying infrastructure in the cloud, some development teams choose to use various PaaS offerings to build their applications. Tripwire’s Cloud Management Assessor, an add on to Tripwire® Enterprise, allows you to view the consoles experiencing change within your hybrid cloud environment. Through its clear and simple dashboard, you can drill down deeper for detailed change context. It can also show you how aligned your hybrid cloud accounts are with the Center for Internet Security (CIS) benchmarks. Deep reporting shows pass/ fail results for CIS benchmarks along with easy step by step remediation instructions. If a high risk change occurs, such as AWS S3 buckets or objects in Azure Blob storage becoming open to the public, Tripwire can alert the appropriate team and trigger the incident response process.
Monitoring DevOps Containers
A common goal for security professionals is to shift security further left in the development pipeline. One of the best ways to do this is to verify that which the developers are developing is secure. Tripwire can support this process by adding a security gate to the DevOps pipeline. When a developer is ready to commit a container or image, it can automatically be uploaded to Tripwire for DevOps to verify its vulnerability risk and configuration compliance. If the risk is acceptable (as defined by the organization’s security team), the container or image is allowed to proceed in the pipeline. If not, instructions are provided to the developer to remediate the risk and resubmit the container or image.
Tripwire solutions aren’t just for on premise systems—they have the flexibility to implement rigid security controls within your IaaS, PaaS and DevOps environments in addition to your traditional IT networks.