Cavirin Blog

Accountability vs. Compliance in the Cloud

Engineers don’t have time to translate their workloads into “audit speak.” Auditors can’t provide value in cloud-based engineering domains.

Organizations today spend upwards of 2 million dollars to reach critical compliance milestones such as FedRAMP, and spend, at a minimum, hundreds of thousands annually just to stay in compliance with existing mandates such as PCI DSS 3.2, ISO 27001, SOX, the NIST Cybersecurity Framework (CSF), HIPAA or the HITRUST Common Security Framework, and the Trust Services Principles or SOC 2 assurance. All of today’s regulatory and compliance frameworks include substantial coverage of information security management systems (ISMS). In addition, the lack of an externally validated security architecture or compliance program is increasingly viewed as unethical and even criminal.

With all this compliance, one might ask, “Where are companies wasting the most time? What are the greatest hidden costs? Which activities associated with audit bring the greatest actual security value?”

Unfortunately, the compliance areas that waste the most time (auditor-to-engineering conversation), carry the highest hidden cost (business disruption), and could have reaped the most value but likely didn't (resilient configuration) are one and the same.

Effective secure host and instance baseline configuration is still in the NSA's top ten most important IT initiatives, and unfortunately it is also the most wildly misrepresented control domain when preparing for and conducting an audit. Any web search for "exploits older than one year" returns a remarkable body of research reaching the same conclusion: most vulnerabilities exploited today have existed on systems for more than a year, and in many cases for more than three years. Returning to the NSA's recommendations, a large number of the simple initiatives for becoming cyber secure are determined at the moment an asset is released. Seven out of ten can be categorized as "set and monitor," meaning they could be handled as part of configuration management and policy:

  1. Control Administrative Privileges
  2. Limiting Workstation-to-Workstation Communication
  3. Antivirus File Reputation Services
  4. Anti-Exploitation
  5. Host Intrusion Prevention (HIPS) Systems
  6. Secure Baseline Configuration
  7. Web Domain Name System (DNS) Reputation
  8. Take Advantage of Software Improvements
  9. Segregate Networks and Functions
  10. Application Whitelisting

According to the CIS, Center for Internet Security, up to 80% of cyber-attacks could be prevented by:

  • Maintaining an inventory of authorized and unauthorized devices and software
  • Developing and managing secure configurations for all devices
  • Conducting continuous (automated) vulnerability assessment and remediation
  • Actively managing and controlling the use of administrative privileges

Even if that sounds completely reasonable, consider Gartner’s Strategic Planning Assumption which states that "through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities."

The mismanagement of recommended configuration is both within and beyond our locus of control; however, cloud breaches impact everyone’s brand. Laws put increasing responsibility on all consumers of the cloud to increase accountable oversight of their cloud service providers, i.e. dependency responsibilities.

What’s a small company to do? What’s a big company to do? 

One answer might be to avoid complex or new environments such as Azure, Google Cloud, or Amazon Web Services (AWS). For most businesses, that’s no longer an option. It is nearly impossible to find a thriving company that’s not dependent upon some level of IaaS (infrastructure as a service), PaaS (platform as a service) or SaaS (software as a service), and it’s not practical to prevent data centers from making liberal or complete use of virtualization technology.

Also, pretty much all of our network is transitioning to SDN (Software Defined Networking), so that’s the whole stack, in the cloud. (Gone are the days of having your hands in everything, unless your arms happen to be long enough to stretch into the clouds.) 

It's getting a lot harder to keep track of your data

Today’s MBA has to understand business as a service, and one of those critical services not yet mentioned is security. SecaaS, or security as a service, offers another way to extend security operations via a compliance fabric or platform. Security, too, must become a platform and foundation layer beneath SecOps, and must act as a force multiplier for the speed of DevOps.

Have you seen my thumb drive?

You're a company deploying AWS workloads two to three times a day and you get a matter of seconds to assess security at release.

An example of the solutions available to help determine security over cloud-enabled systems is to leverage the Open Vulnerability and Assessment Language (OVAL) and the Security Content Automation Protocol (SCAP) from NIST. This, too, can be time consuming. With over 75 CIS Benchmarks and 300+ DISA Security Technical Implementation Guides (STIGs), maintaining continuous visibility over configurations across on-premise, hybrid and public clouds by hand is just not possible. Security operations require a compliance platform and integrated reporting. It's just one more piece of inevitable security tooling that's become a mandate of the day. So what do we need to automate?

CIS Amazon Linux 2.0 Benchmark

The CIS Amazon Linux Benchmark v2.0.0 provides prescriptive guidance for establishing a secure configuration posture for Amazon Linux systems running on AWS. At 282 pages in length, the task of interpreting and setting rules to meet the needs of your business environment is not resource or time effective.

To meet the challenges of DevOps with guidance like the CIS prescriptive benchmarks, security operations requires a compliance platform that can quickly answer questions like:

"What are the top ten ways our configured enterprise is most likely to fail an audit?"

From the perspective of the things that are BOTH most exploited and most audited, a compliance platform such as the one offered by Cavirin allows best practice to be integrated at the release speed that DevOps and the business require. There's no other way to meet the challenge. Business compliance has to find and report against security best practice in real time. No one is waiting for security's blessing; they simply have to deploy. Additionally, just noting a problem is worthless: if detection lacks the logic to also send a notification with the exact steps to remediation, detection is a liability and a waste of time.

Top ten ways to get exploited and fail audit

A full review of required security policy is larger than most people realize. In the case of Amazon Linux, for example, there are 215 recommended automated system policy checks, organized under more than 50 control subjects and associated with specific NIST 800-53 r4 controls more than 1500 times. Security needs tools that can reliably and repeatedly do this work.

Categories in Benchmark and average priority across all related controls

With system information, it becomes relatively easy to see where configuration recommendations have the greatest potential to disrupt the most regulated areas of security and IT governance, not to mention bringing focus to the areas most often exploited by cyber attack.

Top Ten sum of audit impact score based on CIS Amazon Linux as associated to all NIST 800-53 controls

How do we prioritize and respond?

Risk Ranking Requires Classification Context - It's more than just the audit 

Much like the value of a home, an asset's risk and value is all about location, location, location, or in this case, understanding the neighborhood surrounding your data. 

Security needs to enforce asset classification. To effectively scope and prioritize mandated controls, all operations should be far down the path of asset classification. Whether for government-classified or non-classified information, the stratum of classification assigned to assets is the key to setting priority and removing findings from relevant scope.

Imposing response rank: address the top ten right away, then the remaining high control groups, and confirm that assets align to risk tolerance

Some examples of classification used by Defense Information Systems Agency or DISA include:

  • MAC-1_Classified - I - Mission Critical Classified
  • MAC-1_Public - I - Mission Critical Public
  • MAC-1_Sensitive - I - Mission Critical Sensitive
  • MAC-2_Classified - II - Mission Support Classified
  • MAC-2_Public - II - Mission Support Public
  • MAC-2_Sensitive - II - Mission Support Sensitive
  • MAC-3_Classified - III - Administrative Classified
  • MAC-3_Public - III - Administrative Public

For non-military and unclassified systems, a simpler approach might include classifications such as:

Level 1 - Workstation - Items in this profile intend to:

  • be practical and prudent;
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable means.

Level 2 - Workstation - This profile extends the "Level 1 - Workstation" profile. Items in this profile exhibit one or more of the following characteristics:

  • are intended for environments or use cases where security is paramount;
  • act as a defense-in-depth measure; and
  • may negatively inhibit the utility or performance of the technology.

Level 1 - Server - Items in this profile intend to:

  • be practical and prudent;
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable means.

Level 2 - Server - This profile extends the "Level 1 - Server" profile. Items in this profile exhibit one or more of the following characteristics:

  • are intended for environments or use cases where security is paramount;
  • act as a defense-in-depth measure; and
  • may negatively inhibit the utility or performance of the technology.

Level 1 - Domain Controller - Items in this profile apply to Domain Controllers and intend to:

  • be practical and prudent;
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable means.

Level 2 - Domain Controller - This profile extends the "Level 1 - Domain Controller" profile. Items in this profile exhibit one or more of the following characteristics:

  • are intended for environments or use cases where security is paramount;
  • act as a defense-in-depth measure; and
  • may negatively inhibit the utility or performance of the technology.

Level 1 - Member Server - Items in this profile apply to Member Servers and intend to:

  • be practical and prudent;
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable means.

Items in this profile also apply to Member Servers that have the following roles enabled:

  • AD Certificate Services
  • DHCP Server
  • DNS Server
  • File Server
  • Hyper-V
  • Network Policy and Access Services
  • Print Server
  • Remote Access Services
  • Remote Desktop Services
  • Web Server

Level 2 - Member Server - This profile extends the "Level 1 - Member Server" profile. Items in this profile exhibit one or more of the following characteristics:

  • are intended for environments or use cases where security is paramount;
  • act as a defense-in-depth measure; and
  • may negatively inhibit the utility or performance of the technology.
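As an added illustration of the ranking the sections above describe (this is not Cavirin's scoring model and not code from the page): a constructed Python script that sums audit impact per benchmark category from failed checks, weighting each failure by the number of mapped NIST 800-53 controls and by the asset's CIS profile level, and dropping Level 2 checks from scope on Level 1 assets. Check ids, category names, control mappings and scan results are assumed sample data, not quoted from the benchmark.

```python
"""Rank benchmark categories by audit impact, using asset classification for scope and weight.
Assumed scoring model: impact of a failed check = (number of mapped 800-53 controls) * (asset level).
"""
from collections import defaultdict

# Constructed sample checks: id -> (category, minimum CIS profile level, mapped NIST 800-53 controls).
# Ids and mappings are illustrative placeholders, not entries from the CIS Amazon Linux Benchmark.
CHECKS = {
    "chk-01": ("Filesystem Configuration", 1, ["CM-6", "CM-7"]),
    "chk-02": ("Logging and Auditing", 2, ["AU-2", "AU-3", "AU-12", "SI-4"]),
    "chk-03": ("SSH Server Configuration", 1, ["AC-3", "AC-6", "IA-2", "SC-8"]),
    "chk-04": ("User Accounts and Environment", 1, ["AC-2", "IA-5"]),
    "chk-05": ("System File Permissions", 1, ["AC-3", "AC-6", "CM-6"]),
}

# Asset classification (CIS profile names) -> numeric level used for scoping and weighting.
CLASS_LEVEL = {"Level 1 - Workstation": 1, "Level 2 - Workstation": 2,
               "Level 1 - Server": 1, "Level 2 - Server": 2}


def audit_impact(results, checks=CHECKS):
    """results: iterable of (asset, classification, check_id, passed).
    Returns ({category: score}, [(asset, check_id) removed from scope])."""
    score, descoped = defaultdict(float), []
    for asset, cls, check_id, passed in results:
        category, profile, controls = checks[check_id]
        level = CLASS_LEVEL[cls]
        if profile > level:            # Level 2 check on a Level 1 asset: not a relevant finding
            descoped.append((asset, check_id))
            continue
        if not passed:                 # a failed check counts once per mapped control, weighted by level
            score[category] += len(controls) * level
    return dict(score), descoped


def top_n(score, n=10):
    """Categories ordered by descending impact; ties broken alphabetically for stable output."""
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed scan results for three assets.
RESULTS = [
    ("web-01", "Level 1 - Server", "chk-03", False),
    ("web-01", "Level 1 - Server", "chk-02", False),   # descoped: Level 2 check on a Level 1 asset
    ("web-01", "Level 1 - Server", "chk-01", False),
    ("db-01", "Level 2 - Server", "chk-03", False),
    ("db-01", "Level 2 - Server", "chk-02", False),
    ("db-01", "Level 2 - Server", "chk-05", True),
    ("ops-01", "Level 2 - Workstation", "chk-04", False),
    ("ops-01", "Level 2 - Workstation", "chk-05", False),
]

if __name__ == "__main__":
    scores, out_of_scope = audit_impact(RESULTS)
    for category, s in top_n(scores):
        print(f"{s:6.1f}  {category}")
    print("removed from scope:", out_of_scope)
```

The same weights can be swapped for a DISA MAC stratum table without changing the scoring loop.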

One final question: aren't "compliance fabric" and "compliance platform" just another way to say GRC?

GRC tools provide the business view of risk, compliance and security, whereas the compliance fabric solution supplies the evidence-based operational platform necessary to give security operations remediation work plans, as well as the content needed for effective asset-based vulnerability, risk and compliance programs.

Cavirin offers industry-leading Automated Assessment & Reporting (AAR), the Automated Risk Analysis Platform (ARAP) and Compliance as a Service. ARAP together with AAR offers continuous risk visibility by scanning the corporate network, signaling issues and automatically discovering new IT assets. Effective auto-discovery across on-premise, cloud and containerized infrastructures is the cornerstone of asset risk assessment. Automated asset discovery ensures round-the-clock analysis, risk identification and reporting, greatly reducing the need for additional staff. Cavirin’s ARAP and AAR augment the standard GRC tool by replacing the manual and tedious process of building information security baselines with automated, industry-expert-qualified interpretation and remediation guidance. Cavirin’s solution closes the gap between written corporate policy and the configuration necessary to prove system policy alignment.

Cavirin Security and Compliance actively contributes to all major standards bodies and organizations responsible for mapping regulatory requirements to the most highly leveraged national and international standards. In addition to native CIS Benchmark, DISA STIG and NIST based configuration hardening and change management, Cavirin has implemented all assessments against the NIST Cybersecurity Framework (CSF) and NIST 800-53 r4, including Appendix J for privacy. Clients who elect to use multiple policy packs, including ISO/IEC 27002:2013, benefit from the extended use of multiple frameworks to align information security programs and policy.

About Cavirin

Cavirin is transforming the way IT security manages risk. Founded in 2012, Cavirin’s platform is a purpose-built agentless solution that deploys quickly to on-premises, cloud, and containerized infrastructures, helping organizations reduce complexity, become more agile, and drive dramatic increases in efficiency with their risk and compliance programs. Leveraging continuous visibility and automated assessments, companies are empowered to make the right decisions faster. Cavirin’s Automated Risk Analysis Platform (ARAP) is a security and compliance fabric that provides continuous configuration evaluation with recommendations for alignment to industry standards and best practices, prioritizing systems and risk remediation efforts across complex hybrid IT infrastructures. Offering up-to-the-minute compliance assessments, Cavirin supplies audit-ready evidence as measured by every major regulatory and security best-practice framework.

About Center for Internet Security

The Center for Internet Security, Inc. (CIS) is a 501(c)(3) nonprofit organization focused on enhancing the cybersecurity readiness and response of public and private sector entities, with a commitment to excellence through collaboration. CIS provides resources that help partners achieve security goals through expert guidance and cost-effective solutions.

Cavirin is proud to be a CIS Supporter

About DISA

DISA, a Combat Support Agency, provides, operates, and assures command and control, information sharing capabilities, and a globally accessible enterprise information infrastructure in direct support to joint warfighters, national level leaders, and other mission and coalition partners across the full spectrum of operations.


Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.