When it comes to cloud security the real issue is not the platforms, but rather a lack of processes for implementing and maintained best cloud security processes. Whenever there is a breach involving a public cloud the issue almost invariably winds up being caused by a developer that forgot to implement one control or another.This Barracuda blog post by @MVizard explores the new @AWS Security Hub and its role in the shared responsibility model in cloud security. Click To Tweet
Developers are, of course, understandably excited about public clouds because they allow them to build and deploy applications without having to wait for internal IT organizations to provision IT infrastructure. The trouble is that developers are not usually aware of every control that should be implemented to ensure security. Before anyone realizes that, cybercriminals are exfiltrating massive amounts of data regardless because the developer didn’t fully appreciate the inherent shared responsibility model for security when employing public clouds. Cloud service providers can secure the underlying infrastructure, but it’s up to developers and internal IT organizations to make sure the applications deployed on that cloud are secure.
The one thing that cloud service providers can do, however, is make it simpler for IT organizations to enforce the controls they do have in place for cloud applications. Of course, anything that can’t be seen is going to be difficult to manage and secure. With that issue in mind Amazon Web Services (AWS) this week at the AWS re:Invent 2018 conference unfurled a pair of services designed to simplify the management of cybersecurity and compliance on the AWS cloud..@Barracuda is one of the first vendors to integrate their solutions with @AWS Security Hub. More info in this blog post by @MVizardClick To Tweet
AWS Control Tower creates an automated landing zone for the setup and governance of a secure, compliant multi-account environment, while AWS Security Hub provides a method for managing security and compliance across an AWS environment. Cybersecurity vendors that have integrated their offerings with AWS Security Hub include Alert Logic, Armor, Barracuda Networks, Check Point, Cloud Custodian, CrowdStrike, CyberArk, Demisto, F5, Fortinet, GuardiCore, IBM, McAfee, Palo Alto Networks, Qualys, Rapid7, Splunk, Sophos, Sumo Logic, Symantec, Tenable, Trend Micro, Turbot, and Twistlock.
AWS CEO Andy Jassy during a keynote this week described both services as methods for not just managing compliance and cybersecurity, but also implementing best practices for both that effectively set up guardrails for developers on the AWS cloud.
“Customers really want more prescriptive guidance,” says Jassy. “This is going to radically change how easy it is to look across your estate to see what’s happening cybersecurity wise in AWS.”
In the age of the cloud, developers are being held more accountable than ever for implementing security controls. Known as DevSecOps, the basic idea is to make implementing security controls part of the gates that developers need to pass as they build applications using a continuous integration/continuous development (CI/CD) framework. The rise of DevSecOps should make applications more secure, but developers are humans and there will always be mistakes. Cybersecurity teams need to embrace frameworks that enable them to verify cybersecurity policies have been implemented at the same rate of speed developers are now deploying applications. That’s especially critical in cloud computing environments where the rate of application deployment is typically several orders of magnitude greater than an on-premises IT environment.
Of course, AWS is not the only cloud service being employed these days. Many cybersecurity teams will need to find a way to achieve the capabilities provided by AWS Security Hub across multiple clouds. That will require some ability to programmatically consume services such as AWS Security Hub via an application programming interface (API). Regardless of the path chosen, however, the one thing that is clear is that implementing a shared security model in the cloud is about to finally become substantially simpler than it is today.
Learn more about AWS at – https://amzn.to/2RiLQte.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.