Amazon Web Services (AWS) has become the market leader in cloud IaaS (Infrastructure as a Service). Its promise of a flexible, secure and always-available infrastructure is the main reason. AWS is responsible for protecting the global infrastructure and all of the services offered by the AWS cloud. This infrastructure includes the hardware, software, networks and facilities that enable the availability and performance of AWS services. Enterprises, as AWS customers, are responsible for configuring their deployments correctly and for keeping their servers free of vulnerabilities.
The main AWS security issues for enterprises are:
- Developers who know and comply with AWS security best practices are a minority.
- The AWS environment changes too quickly to stay up to date with it at all times.
- Traditional security solutions (scanners, pentests, FIM, etc.) are no longer suited to the pace of development on AWS.
Therefore, additional solutions are necessary to improve AWS security. We will see how the AWS solution, Amazon Inspector, addresses this need and how it differs from Elastic Workload Protector (EWP). Another security solution offered by AWS, Trusted Advisor, will be covered in a future blog post.
Amazon Inspector analyzes the behavior of a user's AWS resources to identify potential security issues. Each resource can be assessed separately from the others for a more accurate result. It collects a set of data (network activity, files, OS configuration, etc.) which is correlated, analyzed and compared with AWS security best practices. Anything deemed a security issue is reported so that it can be addressed as soon as possible. Amazon Inspector relies on the CVE database, which references all known vulnerabilities, on the CIS (Center for Internet Security) Benchmarks security practices, and on "Runtime Behavior Analytics". It works with agents, which means that once installed, they have full access to the customer's servers.
Elastic Workload Protector
Elastic Workload Protector is a vulnerability management solution that works on cloud, traditional and hybrid infrastructures. The solution verifies compliance with the security best practices recommended by the CIS, the Cloud Security Alliance and AWS. Any configuration presenting a potentially exploitable security threat is immediately highlighted. Likewise, the integrated vulnerability scanner checks every day against an enhanced database of more than 60,000 known vulnerabilities. It also performs OWASP assessments of web applications, analyzes firewall rules and uses PCI-DSS compliance checks to assess cyber-risk exposure. Complete and customized reports are based on the ANSSI security standards and on the OWASP and PCI-DSS standards. Because it operates without agents, any new machine launched into the existing infrastructure automatically enters the scope of automatic and continuous analysis.
Amazon Inspector vs. Elastic Workload Protector
Amazon Inspector works with agents. Agent-based and agentless solutions differ fundamentally in how they collect information and provide control over the entities in your cloud environment (networks and security groups, servers, databases, etc.). With Amazon Inspector, you install a small software agent on each of your servers. The agent gathers relevant information from the server on which it is installed and sends it to a central control system.
Agentless solutions, on the other hand, communicate directly with the underlying cloud platform (AWS, Azure, OVH, OpenStack, CloudStack) through the provider's API to obtain information about servers and services and to check their security. No installation on or modification of the resources in your environment is necessary. This is why agentless solutions are completely transparent to your applications and cloud workloads. Their assessment scope is broader than that of agent-based solutions because it is not limited to the servers or services on which an agent can be installed.
Agent-based solutions analyze the resources on which they are installed in depth, but they do not see all of the security services deployed in the cloud environment. Furthermore, installation time must be taken into account, as well as the maintenance and management of the agents. Agents can only be installed on a limited number of operating systems, leaving part of the infrastructure unprotected.
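To make the agentless approach described above concrete, here is an added example (not code from the original post, from Amazon Inspector or from EWP) that evaluates security groups as returned by the AWS EC2 API and flags a CIS AWS Foundations style finding: administrative ports reachable from any address. The group data is constructed to mirror the shape of boto3's describe_security_groups output; the boto3 call, the region name and the group ids are assumptions.

```python
# Constructed sample shaped like boto3 ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-0001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0002", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        # "-1" means all protocols and ports; here it is open to every IPv6 address.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # the ports the CIS AWS Foundations checks cover
WORLD = {"0.0.0.0/0", "::/0"}

def _world_open(perm):
    """True if the rule admits traffic from any IPv4 or IPv6 address."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)

def _covers(perm, port):
    """True if the rule's protocol and port range include the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def find_open_admin_ports(groups):
    """Return sorted (group id, port, service) triples exposed to the world."""
    findings = set()
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if _world_open(perm):
                findings.update((sg["GroupId"], p, n)
                                for p, n in ADMIN_PORTS.items() if _covers(perm, p))
    return sorted(findings)

def fetch_groups(region="eu-west-1"):
    """Live variant of the same check; needs boto3 and AWS credentials (assumed)."""
    import boto3
    pages = boto3.client("ec2", region_name=region).get_paginator("describe_security_groups")
    return pages.paginate().build_full_result()["SecurityGroups"]
```

Running `find_open_admin_ports(fetch_groups())` performs the whole assessment through the API alone, which is exactly what lets an agentless scanner cover instances where no agent could be installed.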
Elastic Workload Protector is agentless. EWP also detects vulnerabilities and misconfigurations on servers, but on top of that it can analyze the user's entire IT infrastructure. Indeed, it is not limited to AWS, as it can be deployed in multi-cloud or hybrid environments. It includes more than 200 automatic security tests. EWP automatically alerts the CISO to security vulnerabilities. Finally, its patented cloning technology allows it to perform very thorough tests without affecting the performance of online applications.
Amazon Inspector supports a limited number of operating systems (Linux, Ubuntu, Red Hat and some Windows servers). This restricts CIS assessments and security best-practice checks to only part of the infrastructure. Elastic Workload Protector's scope is broader, as it supports all operating systems.
These two complementary solutions answer the same need: securing the resources of your AWS infrastructure. Note that the solution developed by the security experts of SecludIT since 2011 includes a broader set of tests, making its analysis more complete than Amazon Inspector's. EWP is able to meet the new needs of the CISO in terms of continuous security and compliance with new regulations such as the GDPR.
To learn more about AWS infrastructure security, perform a free scan of your cloud environment.