Cloudsec Inspect Service Description
Scope
The Outpost24 Cloudsec Inspect is designed to conduct cloud configuration assessments in public clouds, such as AWS and Azure, and in private clouds, such as those based on OpenStack and VMware.
Cloudsec Inspect complements the Outpost24 portfolio of products, as follows:
- NetSec – Vulnerability Management
- AppSec – Application Security
A cloud configuration assessment retrieves the configuration of cloud services through the cloud APIs and compares it to security best practices drawn from industry standards, such as CIS benchmarks.
Furthermore, Cloudsec Inspect can perform cloud configuration assessments regularly by polling the cloud APIs every few minutes. In this case, Cloudsec Inspect may raise alerts when:
- There are configuration changes
- These changes do not comply with security best practices
Cloudsec Inspect access is provided with a license, as agreed in the customer contract, to evaluate the configuration of a set number of cloud assets, as follows:
- Instances
- Virtual Network firewalls, such as AWS Security Groups
- Storage
- Containers
This list is subject to change as support for new cloud services is added.
Customer Access
Cloudsec Inspect can be deployed as:
- SaaS
- Virtual Appliance deployed within public clouds or private clouds
In both cases, initial configuration of Cloudsec Inspect must be performed via the Web User Interface (UI). Customers will be required to access the Outpost24 Cloudsec Inspect using a TLS-enabled browser.
Cloudsec Inspect must be configured with API keys that give Cloudsec Inspect access to the cloud configuration. The API keys should give access to:
- Retrieving the cloud configuration of the different cloud services, such as number of instances and all information about each instance
- (Optional) Scanning the instances and applications
- (Optional) Cloning the instances so that they can be scanned through the patented Clone&Scan technology
For virtual appliances, please comply with the specifications given in the requirements document.
Impact
Cloudsec Inspect was designed to use the cloud APIs in order to retrieve information and changes. The cost and performance of the API calls must be managed by the customer. The frequency of API calls may be configured.
Cloudsec Inspect runs with the rights of the API keys. It is up to the customer to restrict the rights of the API keys to the relevant assets and permissions.
The optional scans and Clone&Scan may impact the performance of the instances, and the customer must take the storage for the clones into account. The additional costs for performance and storage are the customer’s responsibility.
Scope changes
Cloudsec Inspect is designed for a changing set of assets. As such, please refer to the license agreement to know the specific conditions of your contract.
Results
The results generated by Cloudsec Inspect can be accessed by the customer in the Cloudsec Inspect UI. The results may be exported in the form of reports.
The results and reports are tied to the customer account, and the customer can decide which people within their organization should have access to the results and reports, and what actions they can take in relation to them. Please note that the results and reports will contain detailed information about detected vulnerabilities, and it is recommended that the customer only approve access for authorized personnel.
Customer responsibilities
All users with access to the Outpost24 Cloudsec Inspect are responsible for ensuring they scan only infrastructure which they own.
It is the customer’s responsibility to ensure that all login accounts have a secure password. This may also include integration into the customer’s own directory.
Customers will keep their virtual appliances updated with the latest versions, and support will only be provided for the previous 2 versions, as detailed in our support SLA.
When running the Outpost24 appliance, it is important to meet the minimum specification for resources required, as detailed by the scoping document.
Outpost24 responsibilities and support
Outpost24 will ensure the availability of the platform as stated in our support SLA.
Improvements and fixes to the platform will be released on a scheduled basis, with continual platform improvements. New features for licensed Outpost24 products will be made available to all customers with a current license. Support for the Outpost24 platform is provided at https://outpost24.com/support and is covered by the Outpost24 support SLA.
Outpost24 will give notice of discontinued and end of life products and hardware, as defined in the support SLA.
Supporting documentation
License Agreement
Cloudsec Users guide
Cloudsec Specifications for virtual appliances
Cloudsec HowTo generate API keys for AWS and Azure
Cloudsec SLAs
O24 Terms and Conditions
Service Description Glossary
API – Application Programming Interface
API call – Individual invocation of the API
API Keys – Customer generated keys that give access to the cloud configuration
Cloud – Infrastructure as a Service as defined by NIST
Directory – An external authentication method and directory of users, such as LDAP or Active Directory
Instance – A virtual machine in a cloud environment
Scans – Either a Vulnerability, Compliance or PCI ASV vulnerability scan.
Scanner – An Outpost24 appliance which will conduct vulnerability scanning