Bernard Pietraga

Thoughts on security benchmarks: cloud vs external providers

Thoughts on security benchmarks: cloud vendors vs external providers

A bit on my background. I’m a Site Reliability Engineer and co-founder of consulting agency. I’m focusing on Site Reliability, Security Engineering, and Infrastructure Automation. I have worked on Linux hardening, improving cloud security posture for companies around the world.

I have seen cases where the tools utilized by security teams weren’t used to their full potential, just to solve simple problems. Mentioned tools cost hundreds of thousands of dollars in licensing fees yearly. Things that could be addressed by simple checks provided as a cheaper product in cloud provider offering or open-source tools. Currently, the market for security add-ons to cloud and container infrastructure is rapidly expanding. Many claims made by advertisers need to be taken with a grain of salt.

DISCLAIMER: I do not advocate canceling the use of external security providers. My point is that the tools need to be chosen wisely with a clear goal in mind and tested. Proper security tools definitely will help you keep a reasonable security posture. If it is possible, look for open-source solutions first. I do encourage you to do proper research or hire someone competent to do so. Mentioned companies here hire smart folks and solve complex problems. The question is if they solve problems you are focusing on. This just touches a small subset of security tools’ functionality. This article doesn’t cover Intrusion Detection or other imporatant things. This article also doesn’t debate the AWS CIS and Foundational Best Practices but rather uses them as an example.

Why it is important to have compliance checks for the cloud?

Compliance checks are important for the cloud because they ensure that data is being stored and accessed in a way that meets the reasonable requirements of the organization. The proper policies can guide engineers to properly configure cloud resources and thus protect the privacy of the data and ensure that it is being used in a way that is authorized by the company. They are not a silver bullet solution, just one preventative measure. By default, the cloud provider-issued ones are not great, but definitely better than nothing. NSA also issues reasonable guidainces for the cloud. Consider swiss cheese model.

Security/Compliance checks example

Often security engineers expect tools with accessible UI which provides a dashboard and alerting functionality on cloud misconfiguration. I will focus on this case, to keep the scope of this article confined.

A great example of this is security checks and tools which provide audit reports. I will focus on AWS as it is the most common cloud provider, but things presented here could be replicated for Google Cloud and Azure.

Now, something which will require a bit of research from your side. You can just skim through policy names or read exactly what they do. Keep an eye for Cloud provider best practices and their provided checks, and compare them with external cloud provider solutions.

Let’s start specifying the problem:

  • We want to have a compliance check platform for generic AWS configuration checks. To start this will be CIS Benchmark and AWS Foundational Best Practices, which will inform us of non-compliant or misconfigured resources. An example could be a non-encrypted cloud storage bucket like S3. This should cover public best practices s by cloud pro
  • We should have to alert with information about our findings.

Take a look at the CIS benchmark. It provides a set of secuirty standards for Cloud Security.
Next is link to official CIS AWS Foundations Benchmark controls. For start lets also take a look at The AWS Foundational Security Best Practices

This benchmark controls alongside with AWS Config and AWS Audit Manager could provide you with compliance check for the above benchmarks. Both tools are part of AWS Security Hub platform.

Here you can find list of AWS Config Managed Rules

AWS issues documentaion and set of rules named: AWS Foundational Security Best Pratices. They can be enabled ihe AWS Security Hub.

Let’s compare it with checks provided by Security Companies

Security Companies love to provide 1 to 1 comparison or matrixes presenting the offering and comparing it to other solutions. I recommend taking a different approach. Just take a look at the documentation.

Let’s take a look at Bridgecrew. They do have a verbose security offering, but for the scope of this article, let’s just focus on the AWS security policies they check. Here is the link to Bridgecrew AWS Policy Index. Take your time and compare it to AWS CIS Benchmark + AWS Best Practices mentioned before. Did you find some similarities?

Now let’s take a look at Lacework and their Advanced Suppression – Tag Martix They are clear about the CIS benchmark as the policies include AWS_CIS_ in the prefix which is plus, but let’s take a look at the rules starting with LW_AWS_ or LW_S3_. Compare them again with AWS Foundational Security Best Pratices. Did you notice something?

Deployment of proabably cheaper solution

Now lets take a look how we could deploy it:

  • You could code terraform yourself enabling using examples from securityhub_standards_subscription.
  • We could use the open-source terraform module from Cloudposse. They are nice folks and their repos are acutally monitored by Bridgecrew.
    • Cloudposse made free Terraform module for AWS Security Hub. Mentioned default rules can be found here in GitHub.
    • AWS Config is neccessary component of AWS Security Hub, it can be managed by terraform resource here or another Cloudposse module terraform-aws-config.
    • Note that I’m not the biggest fan of their module structuring convention of Cloudposse which differs from Hashicorp standard (which is reasonable and embedded in most of the available open-source modules). But using this one can help you bring up the whole setup for one account quickly and it is hard to complain about hard work someone did and gave out for free.
  • You could use AWS Cloudformation or CLI if we are want to.
  • You can just use AWS Console UI to enable AWS Security Hub. AWS Config is part of the bundle. AWS Audit Manager will be used reports.

What we got?

We have replicated the subset of security compliance checks functionality provided by cloud security providers. Of course, alerting is missing, but it can be solved by AWS provided Lambda function.

What about Kubernetes?

Falco has also Kubernetes and AWS Cloudtrail rules for you open-source already.

I’m looking for SIEM

Check out open-source Wazzuh.

But what if I don’t trust Cloud Provider to monitor Cloud Provider?

Well, from my experience already, a lot of the security companies utilize the cloud to perform analytics and then alert them. I do not have links to back it up, so take it with a grain of salt as everything you read on the internet. You can just stop using the cloud altogether.

Is it enough?

Of course not. Security is a complex field, this is just one detached example. We are not touching attack vectors, just take a look at Mittre Att&ck, and other important topics. This is just an example comparison. Having even the best security checks doesn’t replace infrastructure and application hardening.

What about SOC 2, PCI compliance, NIST, etc.

The majority of mentioned compliance standards are also already covered by cloud provider documentation. Do your research, and think what are your goals and requirements.

Watch out for host/agent configurations with too many priviliges

Some SIEM and Threat Detection solutions give agents additional permissions that they should not have. This creates a backdoor on the machines it runs. Verify the program capabilities before you run it. A good example of it is remote threat mitigation with spawns direct shell from UI to the machine. It means that whoever controls the tool, controls your machines.

Do you have questions?

Reach out to me on About Me page.