The move to the cloud is, in many ways, a return to the early days of computing. When I took my first computer class in 1978, we used an IBM System/360 time-share system. We rented time on a remote system, sent our jobs over a modem to a computer at a university and got back the results of the program run. Today we’re using the cloud, which is just a fancy version of the old time-share systems. Unlike in the old time-share days, you have much more control over how those remote resources are used and configured. In fact, with the internet, you can make those resources available to anyone and everyone, on purpose or by accident. That’s the beauty and the danger. Cloud management consoles are your portal to the controls of the rocket ship to the clouds. You can set up many types of computing resources to run your jobs. They can be for your private use or something like a web server that’s open to the world. It all comes down to what you choose and how you configure it. Controlling those configurations and ensuring they are configured correctly is a new area that security and change management people should be just as concerned about as datacenter assets.
Reducing the risk of leaking information is paramount. Knowing what the configurations are set to, whether they are securely configured and whether they change is even more important in the cloud environment.
That last point is very important. Is a change going to send your rocket to the wrong destination? You need the same level of security, compliance and operational controls in the cloud as you do in your on-prem environment. There are new types of service in the cloud, such as serverless applications and container tools. These all have configuration items that need to be securely configured and tracked for changes. The Cloud Management Console (CMC) controls, configures and reports on the other cloud services, whether SaaS products, PaaS or IaaS resources, and shows how they are utilized. The CMC holds all of the configurations: which services are enabled, networking, routing, resource usage, access and so on. The wrong setting for any of those can expose your data or cost you far more money than you’re expecting (is your rocket ship burning too much fuel?). These configurations might not be on your premises anymore, but they are still your responsibility to set, manage and protect. The security of those settings and accounts is yours, not the cloud provider’s. All of the cloud providers have command line tools that allow you to safely query the management console for those configurations. The Tripwire CMA has a Custom Task that allows you to configure calls to AWS/Azure/GCP to baseline the output of those commands (for example: aws ec2 describe-network-acls --output json). This creates an Element in Tripwire for the Network ACLs in AWS, and if those ACLs change in the next interval, that difference shows up in Tripwire. If an integration with a ticketing system is in place, the ticket for that change can be found and reconciled; if no ticket is found, the change is marked as an incident to be reviewed. Having a baseline of those settings and tracking changes to them is as vital as doing file integrity monitoring in your datacenter. With a baseline of the settings, they can be tracked for changes and matched with a ticket to ensure the changes were authorized.
Then test the changes against a policy (CIS or internal) to ensure that the configurations are in line with your policy and secure. This is what Tripwire does better than any other solution, in the cloud and on-prem. The cloud providers do have their own security tools. You could take advantage of them, and you should. CloudTrail, for instance, tells you a lot about what’s happening in the environment and is very useful. But trying to take changes reported in that stream and remediate them through a ticketing system, or trying to figure out the history of changes to a given object in AWS, is difficult. Several companies have tried this and come back to Tripwire to help solve these problems. Many companies are now using multiple public cloud services as well. You can’t use Amazon CloudTrail to watch your Azure environment. So instead of having very different products configured in different ways and trying to do security from those, they are using Tripwire across cloud platforms. Bringing baselines of various cloud consoles (AWS, Azure, GCP) and SaaS products (e.g. Salesforce.com) into one place to report on compliance and change gives you visibility into the cloud configurations in one place, lets you easily report on compliance with standards, show that you are tracking changes against tickets and know when configurations are modified. You can even compare configurations across management consoles. If you have dozens of AWS Management Consoles, are the IAM security settings the same across all of them? Are the CloudTrail settings the same and correct across all of them? Control of changes and correct configurations are both important for passing audits as well as securing your data in the cloud. You want to ensure that your rocket is heading in the right direction, that your fuel is burning at the proper rate and that all of the inspections pass before launching.
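The baseline, diff, ticket-reconcile and policy-check loop described above, as an added example that is not Tripwire’s code: it compares two constructed snapshots in the shape of aws ec2 describe-network-acls --output json, reports which ACL entries changed, checks the added entries against a CIS-style rule (inbound allow from 0.0.0.0/0 reaching a remote-administration port) and classifies each changed ACL as authorized or an incident depending on whether a constructed ticket index covers it. The ACL id, the ticket index and the policy rule are assumptions for illustration only.

```python
import json

# Constructed snapshot shaped like `aws ec2 describe-network-acls --output json` (trimmed; not real data).
BASELINE = json.loads('''{"NetworkAcls": [{"NetworkAclId": "acl-0baseline0",
  "Entries": [{"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": false,
               "CidrBlock": "10.0.0.0/8"}]}]}''')

CURRENT = json.loads(json.dumps(BASELINE))  # independent copy standing in for the next interval's snapshot
# Simulated drift since the baseline: a new inbound rule opening SSH to the world.
CURRENT["NetworkAcls"][0]["Entries"].append(
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}})

ADMIN_PORTS = {22, 3389}          # remote-administration ports the policy check cares about
TICKETS = {"acl-0baseline0": []}  # constructed change-ticket index: ACL id -> approved ticket ids

def _index(snapshot):
    """ACL id -> {(rule number, egress flag) -> entry}, so comparison ignores list order."""
    return {a["NetworkAclId"]: {(e["RuleNumber"], e.get("Egress", False)): e for e in a["Entries"]}
            for a in snapshot["NetworkAcls"]}

def diff_acls(baseline, current):
    """New or modified entries ('added') and deleted ones ('removed') per ACL between two snapshots."""
    old, new = _index(baseline), _index(current)
    changes = {}
    for acl_id in old.keys() | new.keys():
        o, n = old.get(acl_id, {}), new.get(acl_id, {})
        added = [n[k] for k in n if k not in o or o[k] != n[k]]
        removed = [o[k] for k in o if k not in n]
        if added or removed:
            changes[acl_id] = {"added": added, "removed": removed}
    return changes

def violates_policy(entry):
    """CIS-style check: inbound 'allow' from 0.0.0.0/0 that reaches an admin port."""
    if entry.get("Egress") or entry["RuleAction"] != "allow" or entry.get("CidrBlock") != "0.0.0.0/0":
        return False
    if entry["Protocol"] == "-1":  # all protocols, all ports
        return True
    pr = entry.get("PortRange", {"From": 0, "To": 65535})
    return any(pr["From"] <= p <= pr["To"] for p in ADMIN_PORTS)

def reconcile(baseline, current, tickets):
    """Per changed ACL: 'authorized' if a ticket covers it, else 'incident'; plus failing rule numbers."""
    report = {}
    for acl_id, change in diff_acls(baseline, current).items():
        status = "authorized" if tickets.get(acl_id) else "incident"
        failing = [e["RuleNumber"] for e in change["added"] if violates_policy(e)]
        report[acl_id] = {"status": status, "policy_failures": failing}
    return report
```

Running reconcile(BASELINE, CURRENT, TICKETS) flags the ACL as an incident with rule 110 failing policy; supplying a ticket id for that ACL turns the status into authorized while the policy failure still stands.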
Tripwire’s baselining solutions for the cloud (Tripwire Cloud Management Assessor) are as important now as they were in your datacenter because baselining is a basic control that still works and ensures your configurations are tracked and correct.