Sysdig Secure – When cloud provider security services are not enough
The benefits of cloud computing are causing the adoption of cloud services by companies of all sizes to increase each year. The reduction of operating costs, time to market, ease of use, and reliability are some of the most significant benefits. However, the shared responsibility model must be taken into consideration. Cloud breaches are already everywhere and it doesn’t look like they’re going to slow down anytime soon.
Cloud provider security services keep growing, but it has become evident that these tools alone can’t cover everything needed to respond to such threats. After all, their main business is to provide cloud computing, network, or storage services. They are not security providers.
Let’s imagine a potential scenario. You are in the very beginning of your cloud adoption journey, and only have a couple of IaaS or SaaS services running. You can easily implement security policies with tools provided by public cloud providers.
AWS Security Hub, AWS GuardDuty, Azure Security Center, Azure Defender, or Google Security Command Center act as a safeguard to alert us of suspicious behavior. But as the number of services you consume from the cloud providers increases, the need to put security as a first-class citizen becomes more apparent. We may find that these tools are not enough to secure our cloud environment.
If you missed our content on how Sysdig Secure provides better visibility, context, and real-time cloud threat detection, you can visit these articles:
- GUIDE: Security And Monitoring On Azure Container Services
- Amazon S3 security with AWS CloudTrail and Falco
- Detect suspicious activity in GCP using audit logs
- Securing Amazon EKS Anywhere with Sysdig
- Securing AWS IAM with Sysdig Secure
- Securing containers on Amazon ECS Anywhere
When using cloud provider security tools isn’t enough
Before deciding if the security tools provided by cloud providers meet our needs, we must explore the functionalities that each one of them offers.
If a first-class vulnerability scanner is mandatory for your company (you have to meet compliance requirements, enforce Dockerfile best practices, or simply want to apply the shift-left security principle), you are going to need a third-party solution designed specifically for this purpose. Most vulnerability scanners offered by cloud providers have few configuration options and, in some cases such as AWS, their checks are based on only a subset of the Common Vulnerabilities and Exposures (CVE) list.
Of course, we don’t want to stop you from doing your own investigation, so we’re going to share some of the most popular cloud provider security services from the three major public cloud providers:
| Category | AWS | Azure | GCP |
| --- | --- | --- | --- |
| CI/CD | CodePipeline, OpsWorks, CodeBuild, CodeDeploy | Azure Automation | GCP Deployment Manager |
| Provisioning templates | CloudFormation | Azure Resource Manager | Cloud Deployment Manager |
| Service Catalog | AWS Service Catalog | Azure Managed Applications | Google Cloud Platform Service Broker |
| Security Assessment | Inspector | Security Center – Resource Security Hygiene | Cloud Security Command Center |
| Serverless Code | Lambda | Azure Functions | Cloud Functions |
| Insights | Systems Manager | Monitor | Stackdriver Monitoring |
| DLP | Macie | Azure OMS, Security Center | Cloud DLP |
| Anomaly Detection | GuardDuty | Stream Analytics | Cloud Dataflow |
| Vulnerability Scan | Inspector | Security Center | Scanner |
| MFA | Multi-Factor Auth | Azure MFA | Cloud Identity Aware Proxy |
| Web App FW | WAF | Application Gateway | |
| IAM | AWS Identity & Access Management, Cognito | Azure AD/IAM | Cloud Identity and Access Management |
| Key Management | KMS | Azure Key Vault | Cloud KMS |
| Log Management | CloudTrail | Log Analytics | Stackdriver |
| Compliance | CloudHSM | Azure Trust Center and Key Vault | GCP Security |
| Service Catalog | Service Catalog | Managed Applications | Service Catalog |
| SIEM | CloudWatch | Azure Portal and Azure Monitor | Stackdriver Monitoring/Logging |
| Config Assessment | Trusted Advisor | Azure Advisor | |
If you feel a little overwhelmed by the table, here’s the good news: there are several factors that will determine which type of tool is best for your environment.
We propose a few questions to help you find out if cloud provider security services are enough for you, or whether a third-party tool will best fit your needs.
Do you still have physical data centers?
To manage security risks both on-prem and in the cloud, you can use cloud provider services like Amazon GuardDuty, Azure Advanced Threat Protection, or Security Command Center. Unfortunately, those services typically only work in cloud environments, or they are designed to nudge you toward migrating to the provider. You can’t use the native encryption of a cloud data security service to encrypt data you have stored locally, for example.
Another example could be the use of cloud-based firewall services to secure applications running locally, but only if you set up a very cumbersome and expensive architecture that would allow you to integrate those apps with firewall services.
For this reason, companies with a large on-prem and public cloud presence opt for third-party solutions. In this scenario, the cloud providers’ security tools are not enough, because third-party providers offer greater parity in securing both the cloud and on-prem worlds.
Do you work in multi-cloud environments?
Cloud operator teams managing multi-cloud environments need to stay in control of their resources, assessing the never-ending stream of issues and vulnerabilities that show up every day.
These teams need to continuously check the findings of the different security monitoring tools each cloud provider offers. The bad news is that those cloud provider security services are often not designed to work with each other. AWS Security Hub, for example, doesn’t integrate with Microsoft Azure or Google Cloud Platform, and Azure Security Center doesn’t integrate with GCP or AWS. It is possible, however, to build complex integrations manually that let IT teams ingest security data from one cloud provider into another provider’s security monitoring tool.
But, because of its complexity, it’s usually not worth it. Instead, if you’re going to bother to build your own integrations, you may as well go best-of-breed.
Is your cloud journey still uncertain?
We are talking about the high availability, fault tolerance, and elasticity needs of your cloud security.
Have you noticed how more and more use cases are being added to your security strategy? You need to consider your cloud security needs and how you expect them to grow over time. When you scale in cloud environments, your scope and exposure will grow. There will be the need to analyze risks automatically and to have control over everything that happens.
An ad-hoc solution will be necessary to allow the information from multiple cloud provider tools to be correlated.
Let’s call it a people problem
CloudTrail is a very powerful service. When you enable it, you have all the logs stored in one place and in the event of an incident, just query with the Athena service and you can find what you were looking for.
However, how do you know what to look for?
Sometimes you end up looking for a needle in a haystack. The ideal scenario is that you develop some type of action, like triggering a function, notification, or alarm, and build a response based on things that you see, thus making them actionable. If you don’t have time, or if you don’t have enough engineers with the necessary knowledge to do it, then it’s better to use a security tool that offers you pre-configured actions.
Any of the security services that cloud providers offer us will need some customization, since it is quite unlikely that simply enabling the service will work perfectly for our use case.
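As an added illustration of turning CloudTrail records into something actionable (example code written for this article, not Sysdig’s own tooling), the following Python applies a few detection rules to sample records. The field names follow the CloudTrail record format; the sample values and the hypothetical trail name are constructed.

```python
"""Flag the CloudTrail records worth acting on (added example, not Sysdig code)."""
import json
from typing import Iterable

# Constructed sample CloudTrail records, trimmed to the fields the rules use.
SAMPLE_EVENTS = [
    {"eventTime": "2021-11-02T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-11-02T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "management-trail"}},  # hypothetical trail name
    {"eventTime": "2021-11-02T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
    {"eventTime": "2021-11-02T10:07:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]

# Each rule is (name, predicate). Root usage and CloudTrail configuration changes are
# among the CIS AWS Foundations Benchmark monitoring recommendations; add rules here.
RULES = [
    ("root-account-activity", lambda e: e["userIdentity"].get("type") == "Root"),
    ("console-login-without-mfa", lambda e: e["eventName"] == "ConsoleLogin"
        and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"),
    ("console-login-failure", lambda e: e["eventName"] == "ConsoleLogin"
        and e.get("responseElements", {}).get("ConsoleLogin") == "Failure"),
    ("cloudtrail-tampering", lambda e: e["eventSource"] == "cloudtrail.amazonaws.com"
        and e["eventName"] in {"StopLogging", "DeleteTrail", "UpdateTrail"}),
]

def find_findings(events: Iterable[dict]) -> list[dict]:
    """Return one finding per (record, matched rule), ready to feed an alarm or a function."""
    findings = []
    for e in events:
        for name, matches in RULES:
            if matches(e):
                findings.append({"rule": name, "eventName": e["eventName"],
                                 "principal": e["userIdentity"].get("arn"),
                                 "sourceIPAddress": e.get("sourceIPAddress")})
    return findings

if __name__ == "__main__":
    for finding in find_findings(SAMPLE_EVENTS):
        print(json.dumps(finding))  # each line is one event to notify on or alarm about
```

The same predicates can be expressed as Athena WHERE clauses over the CloudTrail table; the point is that the "what to look for" is written down once and reused.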
Full view of compliance
For some people, AWS Security Hub or AWS Audit Manager serve as compliance tools. They check our environment against specific security standards, such as PCI DSS, GDPR, etc. They also show us how we measure up against the fundamental AWS security best practices and the CIS benchmarks, giving us a score of how well we are doing relative to that legal framework or set of good practices. Do you have on-prem infrastructure? How would you do this in your local datacenter?
You are losing this security control on your premises – if you have it – because the AWS Security Hub only works with the AWS Cloud infrastructure.
Azure, for its part, does the same with the Security Center. It is very valuable to understand what your posture is at a moment, from a legal framework perspective or a set of security good practices. If you only have a cloud environment, you will be able to take advantage of tools like this one. Otherwise, you need an extra tool.
Filling the gaps that CSPs leave empty
We’re not saying that cloud providers are bad for this, it’s just that their business is about offering cloud computing services. If we think about all the options, we realize that their lists embrace a broad spectrum of potential services to deliver.
At some point, they have to draw the line and say, “these are the services that we offer.” Sure, it won’t be perfect for everyone, but it’s likely they cover 75% of possible use cases.
The security tools that cloud providers offer us are easy to manage. They have native interaction with all compute layers, which is awesome. But they also force us to stick to that cloud provider because you are customizing the security service with their tools. We don’t like to work twice, right?
Some of these security solutions offered by cloud providers have their limitations. This may not be important to you depending on where you are in your cloud journey, maybe the default options are fine.
However, as your cloud adoption matures and you think about moving to other cloud providers or entering the multi-cloud game, you’re going to need a solution that talks to all clouds. Make sure this tool fills in the gaps not covered by the cloud providers.