How can security teams handle hybrid cloud infrastructure security?

I really love innovation, and when a new service helps me in my everyday job, I'm delighted! Competition among cloud providers such as AWS, Azure and Google Cloud is a great thing and brings us easy-to-use, packaged services. For example, AWS Elastic MapReduce is much easier to set up, maintain and use than deploying your own Hadoop clusters. Serverless, anyone?
Now, being a security freak, I am always thinking about how to ensure a secure migration to these new services (actually, this is my job :-) ). Talking with customers who are migrating some or all of their legacy IT to the cloud, the same kinds of questions from security teams always pop up:
- I do not know about this new cloud service that developers (sorry, DevOps) are using, but is it my responsibility to secure it?
- Different teams are using different cloud providers; how can I handle all of them?
When we started, back in 2010, it was much more comfortable: only AWS, mainly S3 and EC2, so cloud infrastructure security was no big deal. Then came the phase when we had very different services from different cloud providers, and DevOps chose their favourites. That is when the challenge began. Today we are witnessing a consolidation of services, and we will reach a commoditization of services as we saw with virtual machines and object storage. But there are still new cloud services every day.
How can we handle cloud infrastructure security with different clouds?
A good starting point is the CIS Benchmarks: there is one for AWS and another for Azure, and they cover the commodity services with simple guidelines. This leaves us with two challenges:
- What about the new, cutting-edge cloud services? New technology may bring new attack surface and is less well understood by security teams.
- How do we handle different cloud providers with different security best practices?
Challenge 1 is not always comfortable: the documentation is as new as the service, and there are some limitations, but coming up with solutions for our customers is awesome. For example, the CIS Azure Benchmark came out at the end of February 2018, and we implemented it by the May release.
Concerning the second challenge, since the beginning of Elastic Workload Protector (EWP) we have spent a significant amount of time grouping security best practices into categories.
This helps a lot when you have different cloud providers with different naming and different coverage. It also makes it easy to produce a database security report for the database people, a network one for the network people, and so on.
Today, I'm proud to announce that EWP supports Google Cloud Platform (beta), so I did a little exercise to show you how to map our generic categories onto Google Cloud services.
I hope this helps the security teams that need to handle AWS, Azure and GCP at the same time (and maybe still cope with VMware and Hyper-V legacy IT). Enjoy having a single pane of glass for all your cloud infrastructure security, with vulnerability and configuration management!
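To make the category idea concrete, here is an added example (not EWP code, and not the mapping table from the exercise above) that normalizes findings from AWS, Azure and GCP into provider-neutral categories and produces per-category reports. The category names, the service-to-category table and the sample findings are all constructed for this illustration; the one design point worth noting is that a service missing from the table is not silently dropped but lands in an "unmapped" bucket, which is exactly where the new, cutting-edge services from challenge 1 show up first.

```python
"""Normalize multi-cloud security findings into generic categories.

Added example for illustration; categories, mapping table and sample
findings are constructed here, not taken from EWP or the CIS Benchmarks.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Provider-neutral categories (hypothetical names chosen for this example).
UNMAPPED = "unmapped"

# (provider, service) -> generic category. Service names are the usual
# product short names; the category assignment is this example's own.
SERVICE_CATEGORY: Dict[Tuple[str, str], str] = {
    ("aws", "iam"): "identity",
    ("aws", "s3"): "storage",
    ("aws", "rds"): "database",
    ("aws", "vpc"): "network",
    ("aws", "cloudtrail"): "logging",
    ("azure", "aad"): "identity",
    ("azure", "storage"): "storage",
    ("azure", "sql"): "database",
    ("azure", "nsg"): "network",
    ("azure", "monitor"): "logging",
    ("gcp", "iam"): "identity",
    ("gcp", "gcs"): "storage",
    ("gcp", "cloudsql"): "database",
    ("gcp", "vpc"): "network",
    ("gcp", "logging"): "logging",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    provider: str   # "aws" | "azure" | "gcp"
    service: str    # provider-specific service short name
    resource: str   # resource identifier (constructed in the sample below)
    check: str      # human-readable description of the failed best practice
    severity: str   # "high" | "medium" | "low"


def categorize(finding: Finding) -> str:
    """Return the generic category for a finding, or UNMAPPED if the
    (provider, service) pair is not in the table yet."""
    key = (finding.provider.lower(), finding.service.lower())
    return SERVICE_CATEGORY.get(key, UNMAPPED)


def group_by_category(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Bucket findings by generic category, keeping unmapped ones visible."""
    groups: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        groups[categorize(f)].append(f)
    return dict(groups)


def category_report(findings: List[Finding], category: str) -> str:
    """Render one category's findings, highest severity first, so the
    database team gets the database report and so on."""
    items = group_by_category(findings).get(category, [])
    items = sorted(items, key=lambda f: (SEVERITY_ORDER[f.severity], f.provider))
    lines = [f"== {category} ({len(items)} findings) =="]
    for f in items:
        lines.append(f"[{f.severity.upper():<6}] {f.provider}/{f.service} "
                     f"{f.resource}: {f.check}")
    return "\n".join(lines)


# Constructed sample findings; resource names are made up for the example.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("aws", "s3", "example-logs-bucket", "bucket allows public read", "high"),
    Finding("azure", "sql", "example-sqlsrv", "server auditing disabled", "medium"),
    Finding("gcp", "cloudsql", "example-db-prod", "instance has a public IP", "high"),
    Finding("gcp", "vpc", "default", "firewall rule allows 0.0.0.0/0 on tcp/22", "high"),
    Finding("aws", "vpc", "example-sg", "security group allows 0.0.0.0/0 on tcp/3389", "high"),
    # A service not yet in the table: surfaces as "unmapped" for review.
    Finding("gcp", "bigquery", "example-dataset", "dataset is publicly accessible", "high"),
]


if __name__ == "__main__":
    for cat in ("network", "database", "storage", UNMAPPED):
        print(category_report(SAMPLE_FINDINGS, cat))
        print()
```

Running the block prints one report per category; the "unmapped" report is the list of services the mapping table (and, in practice, the security team) has not caught up with yet.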
