How many of you use AWS or another cloud hosting provider such as Microsoft Azure or Google Cloud? The question is of course rhetorical, given the limited medium that is the blog, but in any case my experience tells me that the vast majority of readers do.
Migration to the cloud, and the operation of hybrid networks where infrastructure and services are split between in-house data centres and the cloud, are now so common that expectations of what can be achieved in the cloud have increased too. Take, for example, system hardening, or the development and use of secure builds.
A large proportion of in-house networks either have to perform system hardening as part of a regulatory or compliance standard, or simply do it out of sensible prudence. Cloud-hosted devices are no longer an exception, with many organisations now seeking to extend or maintain their good practices in the cloud.
CIS Benchmarks for AWS
CIS (Center for Internet Security) is a great resource for gold, or secure, operating system, application and network device builds. It is made up of both security professionals and well-respected industry organisations such as OWASP and ISACA.
They publish what are known as benchmarks for a whole variety of devices and applications, from Microsoft Windows operating systems, to mobile devices, to database applications and, of course, cloud platforms such as Amazon's famous AWS.
AWS has taken this one step further by developing pre-packaged operating system and virtual machine builds through its Quick Start feature, which already inherit all of the recommendations of the CIS benchmark for that particular device. Deployment is as simple as ticking a CIS benchmark box and creating the virtual machine as you normally would.
It certainly beats the 158 pages' worth of CIS benchmark reading for AWS and the 800+ page CIS benchmark for Microsoft Windows 2016.
Of course, once you have built a CIS benchmark compliant virtual machine you will want to monitor its ongoing compliance level, as that compliance can be undermined by changes you make to its configuration.
AWS will only provide you with the build, not the ongoing validation. Think of this like an improvement to a home: a qualified labourer will be able to add a new roof to your home to a standard compliant with local regulations, but that labourer cannot guarantee its ongoing compliance once you start to make modifications.
Instead, consider automated re-evaluation of compliance against the CIS benchmark.
There are a number of solutions on the market which can assess a multitude of devices against the published CIS benchmarks, returning a score and the areas of non-compliance you can address to improve that score. Furthermore, some of these solutions are specifically designed with cloud infrastructure and hybrid networks in mind.
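To make the re-evaluation idea concrete, here is a small added example (not code from the original post or from any benchmark tool) that scores an sshd_config against a handful of constructed checks modelled on common CIS SSH recommendations, then reports which checks passed on the build image but fail on the running instance. The directive names and sample files are constructed; the check set is illustrative, not the benchmark's own numbering or wording.

```python
import re

# Constructed checks modelled on common CIS SSH server recommendations
# (illustrative; not the benchmark's own numbering or wording).
SSH_CHECKS = {
    "PermitRootLogin": lambda v: v.lower() == "no",
    "X11Forwarding": lambda v: v.lower() == "no",
    "MaxAuthTries": lambda v: v.isdigit() and int(v) <= 4,
    "PermitEmptyPasswords": lambda v: v.lower() == "no",
    "LogLevel": lambda v: v.upper() in ("INFO", "VERBOSE"),
}

def parse_sshd_config(text):
    """Map each directive to its effective value (sshd honours the first occurrence)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0] not in settings:
            settings[parts[0]] = parts[1].strip()
    return settings

def evaluate(text, checks=SSH_CHECKS):
    """Return (score 0-100, [(directive, value)]) for every failing or missing directive."""
    settings = parse_sshd_config(text)
    failures = [(d, settings.get(d)) for d, ok in checks.items()
                if settings.get(d) is None or not ok(settings[d])]
    score = round(100 * (len(checks) - len(failures)) / len(checks))
    return score, failures

def drift(baseline, current):
    """Checks that passed on the build image but fail on the running instance."""
    passed_at_build = set(SSH_CHECKS) - {d for d, _ in evaluate(baseline)[1]}
    return [(d, v) for d, v in evaluate(current)[1] if d in passed_at_build]

# Constructed sample: a hardened build, then the same file after an admin edit.
BASELINE = """# hardened image (constructed)
LogLevel INFO
PermitRootLogin no
MaxAuthTries 4
X11Forwarding no
PermitEmptyPasswords no
"""
DRIFTED = "PermitRootLogin yes\nMaxAuthTries 6\n" + BASELINE

if __name__ == "__main__":
    print(evaluate(BASELINE))        # (100, [])
    print(drift(BASELINE, DRIFTED))  # [('PermitRootLogin', 'yes'), ('MaxAuthTries', '6')]
```

Note that the edit prepends the new directives, so they take effect; the same lines appended at the end of the file would be ignored by sshd, which is why the parser keeps the first value it sees rather than the last.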
Take, for example, NNT's Change Tracker software. It can assess a device, application or operating system against CIS benchmarks in minutes using an agent. That agent can be rolled into an AWS Quick Start package so that it is automatically deployed and registered with the central NNT Change Tracker console.
With respect to scaling capacity and DevOps environments, the agent can even disassociate itself from the central console when it has been offline for longer than a determined, customisable period.
As most such solutions are priced per agent, this automatic enrolment and decommissioning can provide much-welcome cost savings.
If you would like to speak to one of our consultants about NNT Change Tracker and how it might help your organisation improve its security posture, you can book an online meeting with us today.