Cavirin Blog

Control Your Cloud

This is the sixth blog in a series detailing workload best practices.

The first blog, 'Securing Modern Workloads', is available here

The second blog, 'Control Your Cloud', is available here

The third blog, 'Agility in Security', is available here

The fourth blog, 'Work Everywhere with Hybrid Solutions', is available here

The fifth blog, 'Security as you Go', is available here

-------------------

You have often heard about companies budgeting for compliance certifications. Each year, businesses budget for audits and for achieving vertical-specific compliance certifications and authority to operate. These budgets are non-trivial and are usually spent in short periods of time rather than throughout the year.

There is confusion between agility and reality.


Businesses demand a rapid pace (agility) but at the same time must deal with compliance (reality).


A typical scenario is that during audits, the budgets are spent in a hurry to ensure that security controls are in place so as not to miss the compliance certificate. This approach is potentially flawed. Compliance should be treated as a by-product of security. Good security measures and spending ensure that you have the necessary controls in place and that those controls are functioning as intended. Such security measures help you obtain compliance certificates. Additionally, they ensure a uniform security posture throughout the year rather than spikes at audit time to avoid fines and problems.

Your hybrid cloud strategy demands that you pay attention not only to on-premise workloads but also to your extended or shadowed datacenters.


You quickly tend to acquire cloud-specific tools (agility) and then invest in staff to maintain two sets of tools (reality).


The applications and tools that you use for on-premise workloads may not deal with the realities of the cloud. The flux and dynamism of the cloud demand tools that can match the realities of hybrid workloads. Today your compute, storage and networking resources are fragmented between cloud and on-premise. This is your new reality. Your legacy as well as modern applications have security requirements, and it is pointless to maintain footprint-specific tools anymore. You benefit from streamlining to tools that work seamlessly on both footprints.

You have convinced management to transform your security tools and processes to match cloud and on-premise needs, and you are ready to evaluate your options.


You may quickly pick some choices (agility) but you need to ensure that these tools work with a spectrum of options (reality).



Courtesy - https://www.youtube.com/watch?v=KuOy63yzc8c

In brief, if you are on the bottom left of the spectrum, you don't have much to do about the data that these security tools churn out on a daily basis. But if you are in the top right corner, it depends on your maturity level to consume data from security tools. You should carefully pick tools that provide choices and options matching your top-right-corner capabilities. If the tools you choose only provide measurement capabilities and lack alerting, remediation and prevention capabilities, you might want to search for other options.

To conclude, agility in business is a good thing, but you need to deal carefully with realities, especially when it comes to security and compliance. Treat compliance as a by-product of good security practices and products, and carefully evaluate potential options and methodologies.


Last week, Mary Meeker and her team at Kleiner Perkins published their yearly internet opus.  For those keeping track, it is now at 355 slides!  Though much of it focuses on the continuing evolution of commerce, media and gaming, as well as China and India, there are some excellent nuggets on the cloud and security.  Her analysis plays well into Cavirin’s strategy and product direction.

We live in an increasingly multi-cloud world.  Amazon with AWS got off to an early start, but Microsoft’s Azure, by virtue of its strong enterprise footprint, is gaining ground quickly.  Whereas companies leveraging AWS remained constant at 57% between 2016 and 2017, Azure use grew from 20% to 34%.   And not to be dismissed is GCP, growing from 10% to 15% and benefitting from strong enterprise focus as evidenced at this year’s Google Next conference. Beyond this baseline, AWS will experience even greater competition in the future, as only 27% of organizations who don’t currently use AWS are experimenting with or planning to use the platform in the future.   This grows to 33% for Azure and 30% for GCP.   Cavirin natively supports the three major cloud service providers (CSPs), and delivers consistent analysis between these and any on-premise deployments.


Three reasons for multi-cloud adoption include services supported, cost leverage, and resiliency. Each year, Gartner releases a report on the 200+ features that an enterprise is likely to request, and in 2016, AWS supported 92% of those deemed required. Azure was 2nd at 88%, and Google 3rd at 70%. However, this is expected to change in 2017, in the same way that Azure was only at 75% in 2014.  Much has also been written about AWS cost surprises, and analyst firms all state that an enterprise will have better leverage by engaging multiple CSPs, now that they offer the necessary footprint and service automation.  Finally, AWS has experienced several widely-publicized outages, and tools now exist for the effective deployment of an enterprise’s applications over multiple providers. In fact, an article just yesterday in NYT's Dealbook, "Fear of a Monopoly Will Help Amazon's Cloud Rivals," addressed some of these very points.

In parallel with multi-cloud adoption, the report cited the leading concerns regarding cloud migration.  Between 2012 and 2015, data security dropped from 42% to 35%.  Though still in the lead, this decrease reflects an increased understanding by the enterprise and better communication by the CSPs as to what is termed the 'Shared Responsibility Model.' In the same period, compliance/governance grew to 2nd place, from 21% to 27%, as expected while more enterprises move critical and compliance-bound workloads to the cloud. Cavirin directly helps address these concerns. For example, not only does the platform support the basic AWS hardening benchmarks, but for PCI, it supports the AWS PCI DSS Quick Start.  In 3rd place is fear of lock-in, growing from 7% to 22%.  This most directly relates to the earlier points on cost leverage and resiliency, reflecting movement (or desired movement) to a multi-cloud architecture.

Learn more about Cavirin’s continuous security for hybrid environments today!

Control Your Cloud

This is the fifth blog in a series detailing workload best practices.

The first blog, 'Securing Modern Workloads', is available here

The second blog, 'Control Your Cloud', is available here

The third blog, 'Agility in Security', is available here

The fourth blog, 'Work Everywhere with Hybrid Solutions', is available here

-------------------

Extrapolating the cloud mindset, security as you go sounds promising. You could start small, sampling a fraction of your workloads, and then scale to accommodate everything that matters to you. The cloud gives you the flexibility to expand your resources as you need them. Your security tools should share the same trait.

Automatically scaling your security tools helps you maintain their availability and lets you scale them as you need them without incurring significant costs. Let us understand this with an example. Security tools typically begin with a prerequisite hardware configuration spec. This hardware specification is usually defined by the vendor at an optimum support level. But you may not need it all the time. There are certain spikes (CPU, memory or network) at some stage of the security workflow in your tool. For example, if you are running an anti-virus tool, the resource requirements are high during a full system scan and low when you are just scanning for deltas. This did not "cost" you money if you kept running your anti-virus appliance in your own data center at the same resource allotment levels. But in the cloud, if you choose a "bigger" instance size, you pay more whether you use it or not.

So your security tools for the cloud should be "cloud-aware" and adapt to the assigned resources. The ability of your security tools to start with the minimum required hardware specification and then scale out as needed is an important consideration for keeping costs low and maintaining your security posture irrespective of your workload fleet size. Scaling vertically may be prudent in certain scenarios, but scaling out is mostly preferred. You should prefer tools that can scale out over tools that scale up. Additionally, there are other performance-enhancing techniques, such as using caches instead of reading compute-intensive or IO-intensive results from the database every time. Such measures avoid scaling up your security tools and benefit from scale-out operations.


Control Your Cloud

As a follow-up to our blog on how Cavirin can help combat WannaCry and other ransomware, this blog provides additional detail on our Network Policy Pack.

As a customer, you have seen several use cases that Cavirin helps you address in your hybrid cloud environment. These range from several CIS benchmarks to regulatory requirements such as PCI.

Today, we are pleased to announce the availability of Network Security Policies specifically designed for your AWS environment. These network policies are built around the best practice:


“Ensure no security group allows ingress from 0.0.0.0 or from the world on any port”


This policy pack contains all IANA registered ports and protocols.

Basically, you can use this policy pack to address the following security requirements:

  1. Ensure that SSH connections are not open to the world
  2. Ensure that DB ports are not open to the world
  3. Ensure that any other random critical ports are not open to the world

Stopping port scans and blocking access are very important for the upkeep of your infrastructure. If you have ports open to the world, any known vulnerability in the particular service listening there could potentially be exploited to gain control. Additionally, removing unfettered connectivity to remote console services, such as RDP/SSH, reduces a server's exposure to risk and further reduces the overall attack surface.

Scanning your security groups is straightforward in Cavirin's platform. Just select the region(s) that you want to scan and it automatically sweeps through your entire list of security groups.

Currently, by default, the policy pack contains *6221 ports*. These are the ports which are currently allocated by IANA. The only exceptions are port 80 and port 443 to allow web server traffic.
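As an added example (not Cavirin's policy pack code), the following shows the check the pack automates, evaluated against the `IpPermissions` structure that `aws ec2 describe-security-groups` returns; the sample group and its `sg-0example` id are constructed for the demonstration.

```python
import ipaddress

# Ports the policy pack exempts so web server traffic can stay open.
ALLOWED_WORLD_PORTS = {80, 443}

def is_world_cidr(cidr):
    """True for 0.0.0.0/0 or ::/0: a zero-length prefix matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def rule_violations(permission):
    """Return findings for one IpPermissions entry.

    A finding is raised when a world CIDR appears in IpRanges/Ipv6Ranges and
    the rule is anything other than a single TCP port in ALLOWED_WORLD_PORTS.
    IpProtocol "-1" means all traffic and carries no port fields.
    """
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    world = [c for c in cidrs if is_world_cidr(c)]
    if not world:
        return []
    proto = permission.get("IpProtocol")
    lo, hi = permission.get("FromPort"), permission.get("ToPort")
    if proto == "tcp" and lo == hi and lo in ALLOWED_WORLD_PORTS:
        return []  # the port 80 / 443 web exception
    span = "all traffic" if proto == "-1" else f"{proto}/{lo}-{hi}"
    return [f"{span} open to {c}" for c in world]

def audit_security_group(sg):
    """Return (group id, finding) pairs for every world-open rule in the group."""
    return [(sg["GroupId"], msg)
            for perm in sg.get("IpPermissions", [])
            for msg in rule_violations(perm)]

# Constructed sample in the shape of describe-security-groups output.
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "GroupName": "web-and-admin",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for group_id, finding in audit_security_group(SAMPLE_SG):
        print(f"{group_id}: {finding}")
```

Only the SSH rule and the all-traffic IPv6 rule are reported; the HTTPS rule is exempt and the database rule is restricted to a private range.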

Control Your Cloud

CIS Security Benchmark for Kubernetes is out. Grab your copy at https://learn.cisecurity.org/benchmarks.

Keen to give back to the Kubernetes community and to bring security visibility and agility to Kubernetes deployments, I started the CIS project for developing a security benchmark approximately 10 weeks back. It is humbling to see that in a short period of 10 weeks, the community came together to document more than 100 recommendations, detailed enough for you to take prescriptive actions towards securing your Kubernetes deployments.

When I look back, I was told that Kubernetes security configuration is hugely fragmented and that it is a self-dissolving, daunting task to document the controls and cover them in a benchmark-like document. The fragmented offering is just too big a beast to pet. I disagreed and committed.

Here are some interesting thoughts and stats around the 106 recommendations that we have in the benchmark today.

Control Your Cloud

By now, anyone with any connection to security is aware of the WannaCry ransomware attack, and it says something that on the Wikipedia entry it is already listed among major incidents alongside Anthem, Sony Pictures, and the US election.   As a quick review, the attack, leveraging the leaked NSA tool EternalBlue, took advantage of vulnerabilities in Microsoft's SMB implementation.   The company issued a critical security bulletin, MS17-010 (CVE-2017-0144), on March 14, 2017, along with a patch for newer versions of the OS.  Note that this was a 1-day exploit, not a zero-day exploit, since it had been announced and patched.   But the issue is that older versions of the OS were still vulnerable, not every organization is on top of patches, and in some countries the high percentage of bootleg software effectively disconnected the user from patching.  Nonetheless, Cavirin can play an integral role in helping to identify and remediate these types of vulnerabilities.

First off, Cavirin's partner SecPod included the notification in its March 16, 2017 SCAP Feed Release.  This was two days after the Microsoft announcement.  This is automatically included in Cavirin's Patches & Vulnerabilities policy pack, which continually updates the live deployment.   Based on this notification, the customer may quickly scan their environment and identify vulnerable resources.   They may then manually patch their workloads, or may have in place an automated mechanism (e.g., Chef, Ansible) to pull down the Microsoft patch and update their systems.

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.
