
Control 1 / Control 2 – Inventory of all Hardware and Software Assets
This is actually easier in the cloud than on-premise. There is no need to run discovery scans on the network: pull the host list from the provider's API, match it against what you think you have, and you're done. This can be automated in a log collection tool so that as soon as something does not line up, the team is notified to act accordingly. Because cloud providers bill for every hour a server is live, catching an instance nobody knows about can save the organization a lot of money.

Control 3 – Continuous Vulnerability Assessment and Remediation
Traditional vulnerability assessment is done through scans. In the cloud this raises a few challenges:
- Amazon, Microsoft and Google don't want their datacenters being scanned by every single one of their customers all the time. That's way too much network traffic.
- Cloud assets are sometimes only up for a short period of time. If the scan misses that window, what do you do? An asset cannot be allowed to go by unscanned.
- When an asset is first provisioned, its vulnerability state needs to be checked before it is allowed on the network. If the cloud team has to wait for scanner credentials to be issued and a scan to be scheduled, that can take too long.
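The inventory reconciliation from Control 1 / Control 2 and the "never scanned since launch" gap from Control 3 come down to the same check: compare what the provider says is running with what the CMDB and the scanner know. The following is an added example (not code from the original post or from Tripwire); the host list, CMDB entries and scan records are constructed inline to stand in for what a provider API (such as EC2 DescribeInstances) and a scanner export would return.

```python
"""Reconcile the cloud provider's running-host list against the CMDB and
the scan history (Controls 1/2 and 3).

Added example, not from the original post or from Tripwire. The host list,
CMDB entries and scan records are constructed inline to stand in for what
a provider API (e.g. EC2 DescribeInstances) and a scanner export return.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class CloudHost:
    host_id: str
    launched: datetime  # instance launch time as reported by the provider API


@dataclass
class Report:
    unknown: set[str] = field(default_factory=set)    # running, absent from CMDB (billed, untracked)
    stale: set[str] = field(default_factory=set)      # in CMDB, no longer running
    unscanned: set[str] = field(default_factory=set)  # running, no completed scan since launch


def reconcile(cloud: list[CloudHost], cmdb_ids: set[str], scans: dict[str, datetime]) -> Report:
    """cloud: hosts the provider says are running; cmdb_ids: hosts we think we
    have; scans: host_id -> time of the last completed vulnerability scan."""
    report = Report()
    running = {h.host_id for h in cloud}
    report.unknown = running - cmdb_ids
    report.stale = cmdb_ids - running
    for h in cloud:
        last = scans.get(h.host_id)
        # A scan older than the launch time belongs to a previous instance that
        # reused the id/name; the image running now has never been checked.
        if last is None or last < h.launched:
            report.unscanned.add(h.host_id)
    return report


def alerts(report: Report) -> list[str]:
    """Flatten the report into one line per finding for a SIEM or log collector."""
    lines = []
    lines += [f"UNKNOWN_ASSET host={h}" for h in sorted(report.unknown)]
    lines += [f"STALE_CMDB_ENTRY host={h}" for h in sorted(report.stale)]
    lines += [f"UNSCANNED_ASSET host={h}" for h in sorted(report.unscanned)]
    return lines


# Constructed sample data (not real hosts).
UTC = timezone.utc
CLOUD = [
    CloudHost("i-web01", datetime(2020, 5, 1, tzinfo=UTC)),
    CloudHost("i-web02", datetime(2020, 5, 30, tzinfo=UTC)),     # rebuilt after its last scan
    CloudHost("i-tmp99", datetime(2020, 6, 1, 11, tzinfo=UTC)),  # spun up, never recorded
]
CMDB = {"i-web01", "i-web02", "i-db01"}  # i-db01 was torn down last week
SCANS = {
    "i-web01": datetime(2020, 5, 15, tzinfo=UTC),
    "i-web02": datetime(2020, 5, 20, tzinfo=UTC),
}

if __name__ == "__main__":
    for line in alerts(reconcile(CLOUD, CMDB, SCANS)):
        print(line)
```

Run this on every inventory poll rather than on a scan schedule: a short-lived host shows up as UNSCANNED_ASSET while it is still up, which is the window the scanner would otherwise miss, and the STALE_CMDB_ENTRY and UNKNOWN_ASSET lines are what the billing reconciliation above is looking for.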
Control 4 – Controlled Use of Administrative Privileges
The best approach is to adopt a Zero Trust model: the organization refuses to trust anything inside or outside the network outright. Such a model places the onus on IT and security teams to verify everything that tries to connect, especially anything seeking administrative privileges. Only once trust has been established is access granted.

Control 5 – Maintaining Secure Configurations
Every large organization has a set of hardening standards, and it's great that tools like Puppet and Chef can provision systems to those standards. But who is verifying and auditing them? We trust, but we also need to verify, and any good auditor will tell you that this verification step needs segregation of duties: the team that applies the configuration should not be the only one checking it. The other aspect is the nature of the development pipeline. Changes should only take place earlier in the pipeline, never on the production instance. If a change is detected on a production instance, that instance should be scrapped and a new replacement brought online from the pipeline.

Deploying Tripwire in a Zero-Trust Model
The above guidance should be applied within a Zero Trust model, meaning that no user should be allowed to log in to those systems. The only account that should be making changes is the provisioning tool, such as Puppet or Chef. Organizations should also automate as much of the model as they can to improve its efficacy.

How can organizations meet these cloud security best practices? This is where Tripwire can help. Tripwire's solutions can be deployed in a Zero Trust model and dynamically tell you how a system is configured, what its vulnerability risk is, and whether something changed that shouldn't have, all without manual user intervention.

You might be wondering about changes to an S3 bucket or Azure Blob. It is far too easy to accidentally change the permissions on one and never know it happened, so these configurations need to be monitored as well. As soon as a system comes online or goes away, its security posture is verified. The information can be sent to the dashboards cloud teams are already accustomed to, such as Splunk and QRadar. When the system is torn down, it is automatically deprovisioned from monitoring, with the data retained for audit purposes. If a change happens while the system is in production, the security and cloud teams can be notified right away.

To wrap up, remember two principles when looking for a cloud security solution:
- Automation – Ensure that your security solutions can evolve with a move to the cloud. If your organization isn't already doing something in the cloud, double check, because it probably is.
- Vendor Consolidation – Some vendors handle cloud only, while others handle on-premise only. The key is to use a vendor that can handle both.
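Two of the checks described under Control 5 and in the Zero Trust section above are simple to express in code: comparing a production instance against the baseline the pipeline produced (and rebuilding rather than repairing if anything differs), and catching an S3 bucket policy that was accidentally opened to everyone. The following is an added example, not code from the original post or from Tripwire. The baseline, the current file contents and the bucket policy are constructed inline; in practice the baseline would come out of the provisioning run (Puppet/Chef) and the current state from the host and the cloud API (for S3, GetBucketPolicy).

```python
"""Detect drift on a production instance and a public grant in an S3 bucket
policy. Added example, not from the original post or from Tripwire. The
baseline, the current file contents and the bucket policy are constructed
inline; in practice the baseline comes out of the provisioning pipeline
(Puppet/Chef) and the current state from the host and the cloud API
(e.g. GetBucketPolicy).
"""
from __future__ import annotations

import hashlib


def fingerprint(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path to the SHA-256 of its content; this is the baseline format."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def drift(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare two fingerprints and report what appeared, vanished or changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def should_replace(report: dict[str, list[str]]) -> bool:
    """Any change on a production instance means: do not repair in place, rebuild from the pipeline."""
    return any(report.values())


def public_statements(policy: dict) -> list[str]:
    """Sids of Allow statements open to everyone (Principal "*" or {"AWS": "*"}) with no Condition.
    Statements that carry a Condition (e.g. aws:SourceVpc) are not listed but still deserve review."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


# Constructed sample data (hypothetical hosts and bucket; 123456789012 is a placeholder account id).
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers.d/ops": b"ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # edited by hand
    "/etc/sudoers.d/ops": b"ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n",
    "/root/.ssh/authorized_keys": b"ssh-ed25519 AAAA... someone@laptop\n",      # new file
}
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-logs/*"},
        {"Sid": "OopsPublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs/*"},
    ],
}

if __name__ == "__main__":
    report = drift(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES))
    print(report, "-> replace instance" if should_replace(report) else "-> ok")
    print("public statements:", public_statements(BUCKET_POLICY))
```

The drift report deliberately does not try to say which change is benign: under the model described above nothing but the provisioning tool should be writing to a production instance, so any difference from the baseline is grounds to rebuild. The bucket check only looks at the bucket policy; ACLs and the account-level public access block are separate settings that need their own checks.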