Cloud computing is now ubiquitous throughout the software development industry. There are many cloud service providers offering everything from ‘bare-metal’ virtual servers to complete server-less computing platforms. The speed by which computing resources can be reserved and instantiated is a major contributing factor to the success of DevOps, where repeatability and automation is central. However, cloud-based computing comes with a significant security risk if not properly defined, governed and audited. This blog post introduces these risks and provides guidance on how to establish a set of security policies and practices for cloud resource utilization.
Cloud Resource Policies and Standards
Development and security teams do not speak the same language, nor are they motivated in the same way. For development teams the core drivers are system requirements, whereas for the security team the primary motivator is identification and control of risk. These and other disciplines must work jointly to create and deploy effective and secure applications. They are often hampered, however, by an understanding of what is needed for a secure cloud-enabled system and how to implement those policies. There are several challenges, therefore, regarding the translation of security needs from one group to another.
The key challenge is to define security policies for cloud resource use in such a way as to facilitate an implementable (and auditable) practice. But before we can define a set of security polices for cloud-based computing we must first understand the shared responsibility model (1). Simply put, this is the agreement that cloud service providers define for the use of those resources and where each party’s responsibility begins and ends. For the cloud-provider that is ‘security of the cloud’ – which means the physical security of equipment, facilities, power, and personnel who maintain the underlying infrastructure of the service. For the development team this is ‘security in the cloud’ – which translates to all security requirements for applications, data, and network configuration. It is very important to distinguish which security policies relate to on-premise computing vs. cloud-based computing because of this model. Therefore, some of the existing security policies will be relevant and others will need to be enhanced or modified to support the different cloud usage models.
Cloud Usage Models
There are multiple ways to use cloud computing. These include infrastructure-as-a-service (IaaS), where the provider establishes a set of virtual servers, storage, and networking, but leaves all of the software installation and configuration to the user. The next level is platform-as-a-service (PaaS) where the cloud-provider creates a computing platform, such as a web-application stack of server, data store, and supporting components, that the development team leverages for their solution. Yet another approach is software-as-a-service (SaaS) where the entire software product is offered from a cloud-based platform; no direct installation is required. There are many other cloud-resources that are available to development teams (e.g. function-as-a-service – FaaS – for event driven server-less computing) that again require special consideration for security risks.
Fortunately for development and security teams a baseline set of standards have been published by the Center for Internet Security that extends a common set of best-practice security policies into the cloud computing environment. These are presented as a series of risks and controls for commonly encountered security issues in cloud-based environments. For example, the configuration of a network firewall in AWS by default opens the SSH communication port 22 to the world (e.g. 0.0.0.0/0, ::/0 in ipv4 and ipv6 format respectively). Clearly this is a significant risk to any computing environment, but as recently seen with the CapitalOne data breach, improper establishment of security policies in cloud environments can lead to exposure of protected information.
Beyond the need for a baseline security policy set, each corporate security group will have specific needs for the organization. These additional policies must be defined and treated in the same manner as any other corporate policy. For example, if the organization is under the General Data Protection Rules (GDPR) established in the European Union (EU), then the policies that are created for data storage and backup in the cloud must reflect those regulatory requirements. To be compliant, each security policy and control that is defined by the security team must be implemented by the development and operations support teams. This is a very time consuming and labor intensive task for many organizations. Clearly DevOps automation will be very helpful in this regard.
Cloud Compliance Automation
All major cloud-service providers offer a well-documented and defined API for access to their service platform. Many development teams are, or would like, to leverage these access points to automate the creation and configuration of cloud-resources. This access is usually configured to implement a secure access policy where only granted permissions can be employed (such as server creation/destruction. As noted above, this indicates that some form of identity management must be implemented according to security policy. However, after the establishment of these resources it is up to the security team to periodically audit the various platforms for continued conformance to the defined policies. Here is where compliance automation can be most effective.
There are several tools available to automatically verify the configuration state of cloud-based resources, especially for the PaaS and IaaS usage models. Evaluation of established policies is defined by a ‘profile’ that represents a set of well-defined comparisons for configuration. For example, using the InSpec profile provided by the CIS team verifies that the above-mentioned default network access group security vulnerability has been removed:
control 'cis-aws-foundations-4.4' title 'Ensure the default security group of every VPC restricts all traffic' aws_vpcs.vpc_ids.each do |vpc| describe aws_security_group(group_name: 'default', vpc_id: vpc) do its('inbound_rules') { should be_empty } its('outbound_rules') { should be_empty } end end
Through the use of security policy automated audit built into the CI/CD DevOps pipeline, the security team can be better informed of policy violations, frequency, and time for remediation metrics. This type of report is also very helpful to external auditors when the organization moves to obtain certain levels of certification, such as HiTrust for life-science and healthcare organizations.
Cloud Resource Governance and Oversight
Finally, it is important for every organization that intends to have extensive use of cloud-based resources that there is a mechanism for periodic evaluation of cloud resource policies. From time to time new capabilities are offered by cloud-providers and existing capabilities undergo significant changes. The establishment of a governance and oversight body is therefore necessary to ensure that policies stay current with the growing cloud-resource computing needs of development teams.
In addition to periodic review of cloud security policies, it is a best-practice to ensure that there are minimal, but necessary, controls placed on development team use of cloud-resources. This is for several reasons, first to reduce costs from frivolous or lazy instantiation of resources that are then not used or forgotten. Second, there must be controls around what kinds of cloud resources are to be made available, and from what vendor. Finally, as a cost control mechanism a periodic audit of how teams are using cloud resources should be conducted.
As discussed in this post, there are three aspects to establishing a cloud-resource utilization security policy and set of practices. First is to define the appropriate set of baseline polices, standards, guidelines and practices that are to be enforced for all teams using specific utilization models. Second is to automate the audit of these resources to ensure that the security team is aware of policy violations and to provide a mechanism for rapid resolution of the issue. Finally, it is important to establish governance and oversight of teams to avoid costly mistakes when it comes to over or improper use of cloud-resources.
Links: