With Great Power Comes Great Responsibility
Moving applications and infrastructure to the cloud offers a degree of flexibility and scalability that can be a boon to almost any organization. Having continuous software and asset availability in cloud environments with elastic, as-needed infrastructure is extremely valuable. Sharing security responsibilities with a cloud service provider can even unburden security and IT teams to a degree.
However, that same powerful elasticity of cloud environments and the ephemeral nature of the assets that can spin up and down present new challenges for organizations trying to ensure the secure configuration and integrity of those assets. Security teams still need to fortify ephemeral cloud infrastructures for effective security, continuous compliance, and reliable IT operations.
So, what are some of the new problems they face, and how can Tripwire Enterprise (TE) help?
As a cloud environment responds to resource demand, there can be large spikes of new assets to monitor. This occurs when updated systems are deployed to take the place of existing infrastructure or when a failure states trigger new builds. In the case of an elastic asset, which only exists to handle a temporarily increased burden, the total lifecycle can be very short.
If you’re reliant on scheduled tasks to scan critical files or validate secure configuration, you might have trouble catching these short-lived assets before they spin down. Rolling updates are a great way to maintain a consistent, immutable infrastructure while staying on top of new patches and installed package updates.
As large numbers of new assets come online to take over for the systems that are being decommissioned, it’s important to know that everything is rolling out with a secure configuration and your baseline for critical files is captured. If automation in your environment responds to an unwanted change or newly discovered vulnerability by triggering a new build, you can also see a large influx of assets spinning up.
TE’s new Automated Onboarding capability makes it possible for users to configure the templates of their ephemeral assets to be automatically scanned as they register with the TE Console. Using Axon Agent Tagging, you can designate the specific systems that should have rules run on them at the moment of registration, so you can choose which systems need to be scanned immediately and which systems should only be scanned during a scheduled window. Auto-onboarded Nodes which fall into the scope of your policies will have a score available as soon as their initial scan completes, allowing you to see your compliance state and score as soon as your systems come online and complete their first scan.
What goes up must come down!
In all of the scenarios where automatically deployed assets spin up in the cloud, you must also consider the automated process of decommissioning them. If automation was required to handle the incoming systems, it is going to be just as necessary to handle their removal.
TE Automated Offboarding enables the process of decommissioning existing Nodes from TE. Using newly available Tasks in TE, users can choose how long an Axon agent can be out of communication with the TE Console before they are Unlicensed or ultimately Deleted.
You can even choose to only use this feature for Unlicensing, leaving the Nodes and data in place to be removed by administrators if your change management processes require it. On the other hand, if you’re sending all of your data to Tripwire Connect (Tripwire’s reporting and analytic platform) for long-term reporting and you need to aggressively clean up large numbers of assets, you may prefer to go right to the Delete feature.
Using these new Tasks, you can specify the groups of Nodes that offboarding should apply to and even set different time limits for different groups of assets.
When you’re dealing with static, long-lived assets, it’s possible to create highly detailed rationale for waivers to apply to particular systems that fail a given compliance check. You may also have a business requirement or mitigating factor to explain the failure. In the case of dynamic, ephemeral assets, you may be able to define a waiver rationale for a group or class of assets but not in a way specific to the asset itself since it may not even exist yet at the time that you’re creating the documentation.
In a cloud environment, there needs to be a way to document the business requirements or mitigating factors that would make an asset eligible for a compliance waiver and have that waiver apply to those asset Secure Configuration scan results as soon as they come online.
We’ve added the ability to define the scope of a compliance waiver by Node Groups in TE. As soon as an asset spins up and is categorized or tagged into the appropriate groups in TE, the waivers that apply to that Node Group will apply automatically. The Policy Score for the newly created asset will reflect those waivers.
A Working Example
Eric Pattenden is the Tripwire Resident Engineer for one of our customers with a cloud environment that required all of these features to successfully monitor their ephemeral assets:
“In my situation the delivered TE automation features were critical for TE to accommodate a truly dynamic cloud environment. The cloud architecture at my customer is designed to do the following:
- Create assets in bulk quantities (hundreds or more) as needed
- Destroy assets in bulk quantities (hundreds or more) when no longer needed
- Create, destroy, and recreate assets for the same business purpose in response to patching or application needs
Previously, we faced challenges in TE when processing large quantities of assets compared to what a single TE console can support. TE node cleanup performed manually or via a custom script proved not to be a long-term, reliable solution. Newly introduced auto-onboard and auto-offboard features have enabled TE to manage the high number of registrations via timely and frequent removal of assets that have been destroyed in the cloud.
Despite the high turnover of assets in the TE console itself, we have been able to retain the node data via scheduled export to Tripwire Connect for storage and reporting.
The most recent feature of adding automated waivers has made the use of waivers possible where it was not previously practical. The team required a solution that was hands-off, as the end users would not be able to keep up with adding waivers to assets individually given the volume.”
– Eric Pattenden, Eastern Region Professional Services Engineer, Tripwire, Inc
How’s It going so far?
We worked closely with users that have highly dynamic environments to make sure our new ephemeral asset handling features would address their needs and fill in some of the gaps in the ways older versions of TE responded to the speed of a cloud environment. So far, we’ve seen some good results, but we’d like to hear from more of you!
If you’re taking advantage of Automated Onboarding, Automated Offboarding, or Dynamic Waivers in the newer versions of TE (8.8.1, 8.8.2, 8.8.3), please drop by the Tripwire Forums and leave a comment here:
Automated Axon Onboarding and Offboarding in TE – How’s it going?