When people think about Security Instrumentation, they often think about measuring, managing, communicating, and improving network, endpoint, and email security controls. But what they may not know is that Security Instrumentation is just as valuable for cloud security. In fact, a great number of Verodin customers operate entirely in the cloud.
Cloud security isn’t like security in our local data centers. Unfortunately, within the cloud we can get easy stuff wrong. What’s more frightening is that we generally don’t know we’re getting it wrong because of a lack of validation and measurement. Simple misconfigurations have been responsible for a sizable portion of the breaches that we see in the cloud. Because of the flat and virtual nature of the cloud, a few simple software misconfigurations can put your assets with sensitive data outside the firewall, for example. In traditional data centers, a mistake like that is generally harder to make. Here are some basics we’re still missing in cloud security that don’t pass the “duh test.”
- We’re not validating that cloud traffic is following the expected path.
- We’re not validating that security policies are being enforced.
- If we’re one of the lucky ones, maybe we do a cloud security assessment quarterly or even annually. This is on par with checking the gauges in your car only once a year. That’s probably not a great plan for your car, and it’s just as bad for cloud security.
Three core cloud security issues often overlooked:
- Misconfigurations (e.g., S3 buckets, Azure Storage) accidentally expose data directly to the public. It’s like driving a car where, instead of you and all your passengers being inside, protected by seatbelts, airbags, and other safety measures, you’re all on roof and the brakes don’t work. When we bring new data sources online, we can leave them vulnerable to exposure on the Internet.
- New instances being brought up are not set to the correct policy, thus bypassing security controls and inspection such as the NG Firewalls and WAFs. These types of mistakes are like a bunch of new drivers being given licenses to drive, only to end up driving in the wrong direction on one-way streets and never stopping when the police try to pull them over.
- Business zones that we don’t expect to be directly accessing the Internet are, in fact, doing just that. In keeping with our automobile analogies, this is pretty much like letting your dog drive as he chases rabbits through a park in your new sedan. Policy-defined traffic paths can be misconfigured, making things like command and control, as well as data exfiltration from the cloud, more tenable.
At a high level, the cloud is divided into just a few general layers, as shown in the illustration below.
- Internet Layer: Traffic flows from the internet through preventative controls, performing firewall policy and inspection on Firewalls while WAFs check the content of the incoming requests
- Web Layer: The primary layer where applications are served.
- Business Layer: A logical layer that is generally not accessible to the public.
- Data Layer: The actual data that is supposed to be locked down so only specific applications can access it.
Security Instrumentation is used across all these layers to continuously evaluate environmental drift, ensuring the firewalls, WAFs, IPS, DLP, endpoint, and related security controls are working as expected in all directions. Security Instrumentation also evaluates the network segmentation to continuously measure connectivity, directionality, and other variables that often lead to compromises in flat, virtual cloud environments.
Amazon AWS Cloud
While multiple cloud providers are supported by Verodin, a common Verodin Security Instrumentation Platform, or SIP, deployment scenario is within Amazon’s AWS Cloud (as pictured below). Verodin SIP Actors are engineered to be deployed inside and outside of the AWS Cloud, enabling bidirectional communication for test behaviors. The test behaviors help to validate North-South and East-West traffic around your cybersecurity tools, validate network segmentation, validate endpoint security, and provide proof regarding security effectiveness in the face of inbound attacks, data leakage, privilege escalation, etc. One of the most important details to note is that SIP Actors only communicate with each other. This results in a safe approach to validating security tools that can operate within your production AWS Cloud environment.
The example below shows a Verodin SIP Actor on the Internet. This can be any location outside of your specific AWS Cloud instance as long as it is separated by the AWS, WAF, and Load Balancers. Each application in the Virtual Private Cloud (VPC) can run a SIP Actor. A Verodin SIP Actor can also spin up elastically as new dedicated VPC instances are created.
Verodin SIP Actors can also be deployed in the DMZ VPC – where you will likely be hosting web servers and other publicly-facing systems – and your Secure VPC – where you will be maintaining backend systems such as databases, authentication systems, and security management solutions like SIEMs.
Even the Verodin SIP Director can be installed within the AWS VPC. The Verodin SIP Director is a security effectiveness brain that allows you to operate the SIP Actors and integrates with your security management stack including SIEMs, firewall manages, IPS manages, DLP mangers, endpoint security mangers, and so on. The Verodin SIPDirector provides evidence-based reporting on how exactly your security tools respond to behavioral tests. It also provides perspective analytics on how to better configure your security tools (rules, signatures, etc.), and provides you with a mechanism to automate the security tool validation process.
Most security issues – cloud and otherwise – happen because we are not continuously validating that our security controls, segmentation, and the like are operating as we intend. The key to improving security in the cloud is continuous environmental drift validation – that is to say, continuously validating that changes in any of the cloud network layers and/or security controls don’t have any unforeseen and negative impacts on security. By applying continuous environmental drift validation, you can validate the traffic paths, ensure that inspection and policy enforcement is happening, confirm that public and private layers stay separate, and ensure your data is protected.
Find out how the Verodin Security Instrumentation Platform can help you with your cloud security.