Do you remember all the apprehension about cloud migration in the early days of cloud computing? Some of the concerns ran the full paranoia gamut from unreliability to massive overcharging for cloud services. Some concerns, such as the lack of security of the entire cloud infrastructure, rose to the level of conspiracy theories. It is nice to know that those myths are all behind us.
Or are they?
It seems that many of the earlier misconceptions have been replaced with new notions about the cloud. Some of the newer ideas focus on misconfigurations. Legitimately, recent posts about misconfiguration problems are cause for concern. However, this does not rectify the problem of some of the myths about cloud configurations.
Cloud Myth Busters
In an effort to remedy some of these myths, Tripwire has produced a white paper that seeks to debunk five common myths about cloud misconfigurations. To be clear, this does not mean that there is no such thing as a cloud misconfiguration. For example, the old style of thinking that a firewall should block various inbound connections while allowing unfettered outbound access opens up a network to some of the easiest-to-perform reconnaissance-based attacks. There have also been enough cases of unsecured storage leading to compromised systems to demonstrate that security is still a primary concern.
On Solid Ground
Many myths take flight and have a remarkable way of catching on. Of course, the best way to combat bad information is with the correct information, bringing the myth to a soft landing into the appropriate mud pile where it can sink into oblivion. As the paper points out, there are plenty of legitimate problems that cost many companies a lot of money. Considering the reality, it makes sense that it is time to stand on solid ground with our knowledge of misconfiguration problems.
Responsibility in the Cloud
One very common myth about the cloud is that the service provider is responsible for the customer’s security. This is true on a macro-level, where the service provider has the responsibility of securing its cloud infrastructure. The security of your corporate cloud is entirely your responsibility. The good news is that there are so many security offerings to choose from that there is no reason to get caught short on this characteristic of the cloud.
Many home-grown implementations of security often fail their intended purpose. The main part of the problem is the manual efforts of an often over-stretched security team, which leads to errors. Automated tools not only remove the burden of manual efforts, but they also add the benefit of objectivity to the process.
Cloud security is not fundamentally different from on-premises data security, yet it differs in the methods through which it is executed. The security controls used in cloud implementations are different, and the easy vastness of this type of environment can lead to a loss of visibility of one’s cloud space, resulting in overlooked areas and services.
The ability to extend a cloud footprint can offer the illusion of reduced downtime. However, just as execution weaknesses can lead to loss of visibility, distribution can actually lead to less reliability. Building for availability is different than merely casting a larger net.
Many cloud proponents will boast about the ability to get off the “upgrade treadmill,” instead having instant access to the latest and greatest program enhancements made possible by the cloud. While this is true in some senses, it truly depends on your organization’s comfort with “newness.” Just think of how often you have had the jarring experience of a surprise upgrade to your favorite phone app. On an organizational level, there is a lot of planning required before springing the freshest technology onto your staff.
As you can see, there are so many genuine concerns surrounding secure cloud configurations that there is no need to get caught up in the mythology. However, even debunking the myths doesn’t remove many of your security challenges. One of the best ways to remove the challenges is by using trusted vendors and products with proven track records of success.
How Tripwire Can Help in the Cloud
As stated in the white paper, that is where Tripwire Configuration Manager comes in. An automated SaaS tool, Tripwire Configuration Manager helps organizations to pinpoint misconfigurations, address human error and reduce workload. It does this by providing organizations with two points of visibility.
First, Tripwire Configuration Manager helps to ensure that organizations’ accounts are configured to a known good state. It does this by scanning organizations’ accounts and comparing the state of those accounts to the provider benchmarks developed by the Center for Internet Security. This functionality helps to ensure that organizations’ cloud accounts are securely set up at a level that lies below whatever services might be running in them.
Tripwire Configuration Manager subsequently displays this information in a dashboard that includes the cumulative benchmark for each cloud provider. The dashboard also presents organizations with a series of prioritized issues that might affect their cloud-based accounts along with a series of operational impacts that could result if the issues aren’t fixed. In many cases, Tripwire Configuration Manager’s dashboard offers the ability for organizations to rectify those issues using a “Fix Now” button within the platform. Otherwise, it provides organizations with instructions inside of the management console on how to fix those issues.
Second, Tripwire Configuration Manager ensures visibility over organizations’ cloud-based storage. It does this by grouping storage units into “public” and “private” designations with lots of attributes that yield insight into what types of access those resources actually provide. For instance, they reveal whether storage buckets are world-readable and world-writable as well as whether organizations created their own policy. Organizations can then use TCM to enforce the state of their storage configurations based upon their security requirements.
All this, and it takes just minutes to set up.
The purpose of Tripwire Configuration Manager is to help organizations know what to look for with their cloud-based accounts and to figure out how they measure up against industry security benchmarks.
If you are interested in learning more about how Tripwire can help your organization achieve security in the cloud by managing its cloud-based configurations, take a look here: https://www.tripwire.com/products/tripwire-configuration-manager