Bernard Pietraga

Thoughts on security benchmarks: cloud vendors vs external providers

A bit about my background. I’m a Site Reliability Engineer and co-founder of a consultancy. I’m focused on site reliability, security engineering and infrastructure automation. I have worked on Linux hardening and improving cloud security posture for companies around the world.

I’ve seen cases where security teams don’t use their tools to their full potential and rely on them only to solve simple problems. These tools cost hundreds of thousands of dollars a year in licensing fees, for things that could be addressed by simple checks offered as a cheaper product by cloud providers or by open source tools. The market for security add-ons to cloud and container infrastructure is currently growing rapidly. Many claims made by advertisers need to be taken with a pinch of salt.

DISCLAIMER: I am not advocating the abandonment of external security providers. My point is that the tools need to be chosen wisely, with a clear objective in mind, and tested. The right security tools will definitely help you maintain a reasonable security posture. If possible, look for open source solutions first. I encourage you to do proper research or hire someone competent to do so. The companies mentioned here hire smart people and solve complex problems. The question is whether they are solving the problems you are focused on. This only touches on a small subset of what security tools can do. This article doesn’t cover intrusion detection or other important things. This article also doesn’t discuss AWS CIS and Foundational Best Practices, but rather uses them as an example.

Why are compliance checks important for the cloud?

Compliance controls are important for the cloud because they ensure that data is stored and accessed in a way that meets the reasonable needs of the organisation. The right policies can guide engineers to configure cloud resources correctly, protecting the privacy of data and ensuring that it is used in a way that is authorised by the organisation. They are not a silver bullet, just a preventative measure. By default, the ones provided by cloud providers are not great, but they are certainly better than nothing. The NSA also issues reasonable guidance for the cloud. Consider the Swiss cheese model.

Security/Compliance checks example

Often, security engineers expect tools with an accessible UI that provides a dashboard and alerting functionality for cloud misconfigurations. I will focus on this case to limit the scope of this article.

A good example of this is tools that provide security checks and audit reports. I will focus on AWS as it is the most common cloud provider, but the things presented here could be replicated for Google Cloud and Azure.

Now for something that will require a bit of research on your part. You can just skim through the policy names or read up on exactly what they do. Pay attention to the cloud provider’s best practices and the checks they provide, and compare them to external cloud provider solutions.

Let’s start by specifying the problem:

  • We want to have a compliance checking platform for generic AWS configuration checks. To start with, we will use CIS Benchmark and AWS Foundational Best Practices to inform us of non-compliant or misconfigured resources. An example could be an unencrypted cloud storage bucket such as S3. This should cover public best practices from cloud professionals.
  • We should have alerting with information about our findings.

Take a look at the CIS benchmark. It provides a set of security standards for cloud security.
Next is a link to the official CIS AWS Foundations Benchmark controls. To start, let’s also take a look at the AWS Foundational Security Best Practices.

These benchmark controls, together with AWS Config and AWS Audit Manager, can provide you with compliance checks for the above benchmarks. Both tools are part of the AWS Security Hub platform.

Here you can find the list of AWS Config Managed Rules.

AWS publishes documentation and a set of rules named AWS Foundational Security Best Practices. They can be enabled in AWS Security Hub.

Let’s compare it with checks provided by Security Companies

Security companies love to provide 1:1 comparisons or matrices that show the offering and compare it to other solutions. I recommend a different approach. Look at the documentation.

Let’s take a look at Bridgecrew. They do have a verbose security offering, but for the scope of this article, let’s just focus on the AWS security policies they check. Here is the link to Bridgecrew AWS Policy Index. Take your time and compare it to AWS CIS Benchmark + AWS Best Practices mentioned before. Did you find some similarities?

Now let’s take a look at Lacework and their Advanced Suppression – Tag Matrix. They are clear about the CIS benchmark, as the policies include AWS_CIS_ in the prefix, which is a plus, but let’s take a look at the rules starting with LW_AWS_ or LW_S3_. Compare them again with the AWS Foundational Security Best Practices. Did you notice something?

Deployment of a probably cheaper solution

Now let’s take a look at how we could deploy it:

  • You could write the Terraform yourself, using the examples from securityhub_standards_subscription.
  • We could use the open-source Terraform module from Cloudposse. They are nice folks and their repos are actually monitored by Bridgecrew.
    • Cloudposse made a free Terraform module for AWS Security Hub. The default rules mentioned can be found here on GitHub.
    • AWS Config is a necessary component of AWS Security Hub; it can be managed by the Terraform resource here or by another Cloudposse module, terraform-aws-config.
    • Note that I’m not the biggest fan of Cloudposse’s module structuring convention, which differs from the HashiCorp standard (which is reasonable and embedded in most of the available open-source modules). But using this one can help you bring up the whole setup for one account quickly, and it is hard to complain about hard work someone did and gave away for free.
  • You could use AWS CloudFormation or the CLI if you want to.
  • You can just use the AWS Console UI to enable AWS Security Hub. AWS Config is part of the bundle. AWS Audit Manager will be used for reports.

What did we get?

We have replicated the subset of security compliance checking functionality provided by cloud security providers. Of course, alerting is missing, but this can be solved using the Lambda function provided by AWS.
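One way to fill the alerting gap mentioned above, as an added example that is not code from this article or from AWS: a Lambda handler that receives the "Security Hub Findings - Imported" event from EventBridge and keeps only the findings worth alerting on. The HIGH threshold, the function names and the sample event are assumptions; the field names are those of the AWS Security Finding Format (ASFF).

```python
import json

# ASFF severity labels, lowest to highest.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def select_alerts(event, min_severity="HIGH"):
    """Keep findings that are ACTIVE, NEW, FAILED and at or above min_severity."""
    threshold = SEVERITY_ORDER.index(min_severity)
    alerts = []
    for f in event.get("detail", {}).get("findings", []):
        label = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        rank = SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else -1
        # Archived, already-triaged (NOTIFIED/SUPPRESSED/RESOLVED) or passing checks are noise.
        state = (f.get("RecordState"), f.get("Workflow", {}).get("Status"),
                 f.get("Compliance", {}).get("Status"))
        if rank < threshold or state != ("ACTIVE", "NEW", "FAILED"):
            continue
        alerts.append({
            "title": f.get("Title", ""), "severity": label,
            "account": f.get("AwsAccountId", ""), "control": f.get("GeneratorId", ""),
            "resources": [r.get("Id", "") for r in f.get("Resources", [])],
        })
    return alerts


def lambda_handler(event, context):
    """Lambda entry point: log each alert as JSON and report how many were raised."""
    alerts = select_alerts(event)
    for alert in alerts:
        print(json.dumps(alert))  # lands in CloudWatch Logs; swap in SNS or a webhook
    return {"alerts": len(alerts)}


def _finding(title, severity, compliance, workflow="NEW", state="ACTIVE"):
    """Build a constructed finding carrying only the ASFF fields used above."""
    return {"Title": title, "AwsAccountId": "111122223333", "RecordState": state,
            "GeneratorId": "example-standard/EXAMPLE.1",  # placeholder control id
            "Severity": {"Label": severity}, "Compliance": {"Status": compliance},
            "Workflow": {"Status": workflow},
            "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]}


# Constructed event shaped like "Security Hub Findings - Imported" from EventBridge.
SAMPLE_EVENT = {"source": "aws.securityhub", "detail": {"findings": [
    _finding("Bucket without default encryption", "HIGH", "FAILED"),
    _finding("Suppressed by an analyst", "CRITICAL", "FAILED", workflow="SUPPRESSED"),
    _finding("Low-severity drift", "LOW", "FAILED"),
    _finding("Check that passed", "HIGH", "PASSED"),
    _finding("Archived finding", "HIGH", "FAILED", state="ARCHIVED"),
]}}
```

Filtering on the workflow and record state is what keeps a suppressed or archived finding from alerting again every time Security Hub re-imports it.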

What about Kubernetes?

Falco already has open-source Kubernetes and AWS CloudTrail rules for you.

I’m looking for SIEM

Check out the open-source Wazuh.

But what if I don’t trust the cloud provider to monitor its own infrastructure?

Well, in my experience, a lot of the security companies are using the cloud to do analysis and then alert. I have no links to back this up, so take it with a grain of salt like everything you read on the internet. You can just stop using the cloud altogether.

Is it enough?

Of course not. Security is a complex field, and this is just one detached example. We are not touching attack vectors (just take a look at MITRE ATT&CK) or other important topics. This is just an example comparison. Having even the best security checks doesn’t replace infrastructure and application hardening.

What about SOC 2, PCI compliance, NIST, etc.?

Most of the compliance standards mentioned will already be covered by the cloud provider’s documentation. Do your research and think about your objectives and requirements.

Watch out for host/agent configurations with too many privileges

Some SIEM and threat detection solutions give agents additional permissions that they should not have. This creates a backdoor on the machines they run on. Check the capabilities of the program before running it. A good example of this is remote threat mitigation, which spawns a shell directly from the user interface to the machine. This means that whoever controls the tool controls your machines.

Do you have questions?

Reach out to me on the About Me page.