Cloud Article Anthology, vol. 1

Advice, Trends and Insights from Five Experts

Article 1: Eight Cloud Security Best Practice Fundamentals for Microsoft Azure
Ben Layer

In a previous blog, I discussed securing AWS management configurations by combating six common threats, with a focus on using both the Center for Internet Security (CIS) Amazon Web Services Foundations Benchmark policy and general security best practices.

Now I’d like to do the same thing for Microsoft Azure. I had the privilege of being involved in the development of the CIS Microsoft Foundations Benchmark, which was published in early 2018. During that process, I learned a great deal about the security aspects of Azure. Many of the cloud security fundamentals we discussed previously also apply to other cloud environments, so we’re going to take the best practice cloud security knowledge from the last blog and apply it to Microsoft Azure.

1. Identity Management with Azure Active Directory

Like before, it’s crucial that multi-factor authentication is used wherever possible in order to combat attacks that rely on phishing and lost or compromised credentials. At a minimum, any Azure Active Directory user with an administrative role or the ability to create and alter resources should have multi-factor authentication enabled. Enable password policy settings to ensure complex passwords.

It’s easy to lose track of which permissions exist within custom roles. Audit any custom role definitions to ensure that none contain unnecessary administrative permissions that could instead be assigned via default roles.

Ensure that no unneeded guest users are created in the Azure Active Directory. For any that are necessary, ensure that the user setting for limiting guest permissions is set as well as the setting to not allow guests to invite additional users.

If you are using Active Directory Federation Services in order to allow a user to sign into Azure AD-based services with their on-premises password, it is critical that you are also auditing your on-premises Active Directory for security and compliance with vulnerability assessment and monitoring tools.

2. The Microsoft Azure Security Center

A number of security features are available within the Microsoft Azure Security Center for us to take advantage of, and Microsoft has automated the discovery and implementation of a good deal of it.

It is important to enable virtual machine security data collection by default via the automatic provisioning of the monitoring agent. Once the monitoring agent is enabled, you should ensure that all recommendation settings in the security policy are enabled. These recommendations cover a myriad of security settings, such as when operating system patches are required or when encryption has not been enabled.

You should make a habit of reviewing the Recommendations tab within the Security Center blade in order to ensure no active security tasks exist and that any recommendations have been considered and implemented where possible.


Ensure that a current security contact email and phone number have been set in the Security Center Policy. This ensures that Microsoft has an accurate contact within your organization for any security related incidents.

Lastly, consider upgrading from the Free Azure security tier to the Standard tier for enhanced security options. This does come at a cost, but it allows threat detection on virtual machines and databases.

3. Networking with Microsoft SQL Server

It’s critical to limit exposure to brute force attacks by limiting access to SSH and RDP in your Network Security Groups. This advice is the same no matter the platform: don’t open ports 22 or 3389 to the open internet.

If you are running Microsoft SQL Server, there is a separate SQL Server Firewall mechanism that exists outside of the Network Security Groups function. You should audit the SQL Server Firewall to ensure that you have not allowed access to the open internet or to network blocks that do not require access.

It still makes sense to make use of operating system firewalls within virtual machines to provide defense in depth in case of accidental Network Security Group misconfiguration or a platform error.

It is also a good idea to perform vulnerability scans against your infrastructure. These can be done without notifying Microsoft as long as they follow the Pentest Rules of Engagement. You can assess your Azure infrastructure for network- and host-based vulnerabilities with a vulnerability management product like Tripwire® IP360™.
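The Network Security Group and SQL Server Firewall checks described in this section can be scripted. The following Python is an added example, not code from the article or from Tripwire: it audits exported NSG rules for inbound SSH or RDP reachable from the internet (including rules whose port range merely contains 22 or 3389) and flags SQL Server firewall rules that are open to the whole internet or wider than a chosen size. The input dictionaries use the field names of `az network nsg rule list` and `az sql server firewall-rule list` output (an assumed shape); all sample rules are constructed, and the 256-host threshold is an assumed policy value.

```python
"""Audit Azure NSG rules and SQL Server firewall rules for internet exposure.

Added example, not the article's code. Input dicts use the field names of
`az network nsg rule list` / `az sql server firewall-rule list` output
(assumed shape); every sample rule below is constructed.
"""
import ipaddress

# Ports the article says must never be reachable from the open internet.
BRUTE_FORCE_PORTS = {22: "SSH", 3389: "RDP"}

# Source prefixes that Azure treats as "anywhere".
ANY_SOURCE = {"*", "internet", "any", "0.0.0.0/0"}


def _exposed_ports(rule):
    """Return the brute-force ports covered by the rule's destination port range(s)."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports = set()
    for item in ranges:
        if item == "*":
            return set(BRUTE_FORCE_PORTS)
        low, _, high = item.partition("-")
        low, high = int(low), int(high or low)
        ports.update(p for p in BRUTE_FORCE_PORTS if low <= p <= high)
    return ports


def source_is_internet(prefix):
    """True for '*', the Internet service tag, or any /0 CIDR."""
    p = prefix.strip().lower()
    if p in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(p, strict=False).prefixlen == 0
    except ValueError:
        return False  # other service tags (VirtualNetwork, AzureLoadBalancer) are not the internet


def nsg_findings(rules):
    """Flag inbound Allow rules that expose SSH/RDP to the internet."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
        exposed = _exposed_ports(rule)
        if exposed and any(source_is_internet(s) for s in sources):
            names = "/".join(BRUTE_FORCE_PORTS[p] for p in sorted(exposed))
            findings.append(f"{rule['name']}: allows {names} from the internet")
    return findings


def sql_firewall_findings(fw_rules, max_hosts=256):
    """Flag SQL Server firewall rules open to the internet or wider than max_hosts addresses."""
    findings = []
    for rule in fw_rules:
        start = int(ipaddress.ip_address(rule["startIpAddress"]))
        end = int(ipaddress.ip_address(rule["endIpAddress"]))
        if start == 0 and end == 0:
            # Azure encodes "Allow Azure services and resources to access this server" as 0.0.0.0-0.0.0.0.
            findings.append(f"{rule['name']}: allows all Azure services; confirm this is required")
        elif start == 0 and end == 0xFFFFFFFF:
            findings.append(f"{rule['name']}: open to the entire internet")
        elif end - start + 1 > max_hosts:
            findings.append(f"{rule['name']}: range covers {end - start + 1} hosts; confirm it is required")
    return findings


# Constructed sample data (not real exports).
SAMPLE_NSG_RULES = [
    {"name": "allow-ssh-anywhere", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "priority": 100, "destinationPortRange": "22", "sourceAddressPrefix": "*"},
    {"name": "allow-rdp-office", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "priority": 110, "destinationPortRange": "3389", "sourceAddressPrefix": "203.0.113.0/24"},
    {"name": "allow-mgmt-range", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "priority": 120, "destinationPortRanges": ["3000-4000"], "sourceAddressPrefixes": ["Internet"]},
    {"name": "deny-all", "direction": "Inbound", "access": "Deny", "protocol": "*",
     "priority": 4096, "destinationPortRange": "*", "sourceAddressPrefix": "*"},
]
SAMPLE_SQL_FW_RULES = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "everyone", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
]

if __name__ == "__main__":
    for line in nsg_findings(SAMPLE_NSG_RULES) + sql_firewall_findings(SAMPLE_SQL_FW_RULES):
        print(line)
```

Note that `allow-mgmt-range` is reported even though no rule names port 3389 explicitly; range rules are a common way RDP ends up exposed, which is why the check expands ranges rather than matching port strings.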

4. Logging with Ample Storage Retention

There are multiple logging capabilities within Microsoft Azure, and it is important to utilize them for security auditing and compliance. Ensure that you have enabled Activity Log storage, which we will further use to create monitoring alerts for various behaviors. (See below.)

Additionally, each Network Security Group should have flow logging enabled, and each SQL Server Database should have database auditing enabled. Each of these logging capabilities utilizes a storage account. For each logging function, you should create a storage account that is encrypted at rest via the “Storage Service Encryption” setting and in transit via the “Secure Transfer Required” setting.

It is also recommended that you enable log storage retention for greater than 90 days, or set retention to unlimited if possible, for each logging case.

5. Monitoring with Activity Log Alerts

The Activity Log enables us to perform monitoring for a variety of security relevant events. Alerts allow us to ensure that the appropriate parties are notified of behavior that could be suspicious if it has not been approved, such as the changing of security settings.


Activity Log Alerts should be created for the following events:

» Create Policy Assignment

» Create or Update Network Security Group

» Delete Network Security Group

» Create or Update Network Security Group Rule

» Delete Network Security Group Rule

» Create or Update SQL Server Firewall Rule

» Delete SQL Server Firewall Rule

» Create or Update Security Solution

» Delete Security Solution

» Update Security Policy

6. Cloud Storage Account Security

We previously mentioned ensuring that logs are stored in storage accounts with SSL and Disk Encryption. Where possible, you should configure every storage account to use blob encryption, file encryption, and secure transfer.

Storage Account keys should be periodically regenerated to mitigate the risk of compromised access keys. Shared Access Signatures should be used only with secure transfer and should have expiration times of eight hours or less so that access is not granted indefinitely.
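The two Shared Access Signature conditions above (secure transfer only, validity of eight hours or less) can be checked mechanically on any SAS URL handed out by an application. The following Python is an added example, not the article's or Tripwire's code: it parses the documented SAS query parameters (`spr`, `st`, `se`, `sig`), treats a missing `spr` as a failure because Azure then accepts both HTTPS and HTTP for that token, and measures the lifetime from `st` (or, when no start time is set, from a supplied reference time, which is an assumption made explicit in the code). The sample URLs are constructed with redacted signatures.

```python
"""Audit Azure Shared Access Signature URLs for secure transfer and short expiry.

Added example, not the article's code. The SAS query parameters used here
(spr, st, se, sig) are the documented ones; sample URLs are constructed and
carry a redacted signature.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=8)  # the article's ceiling for SAS validity


def _parse_sas_time(value):
    """SAS times are ISO 8601 UTC; seconds and time-of-day are optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%dZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def check_sas(url, now=None):
    """Return a list of policy violations for the SAS token carried in `url`."""
    params = {key: values[0] for key, values in parse_qs(urlsplit(url).query).items()}
    if "sig" not in params:
        return ["no SAS token present"]
    problems = []
    # spr absent means Azure accepts both HTTPS and HTTP for this token.
    if params.get("spr") != "https":
        problems.append("secure transfer not enforced (spr must be exactly 'https')")
    if "se" not in params:
        problems.append("no expiry (se) set")
        return problems
    expiry = _parse_sas_time(params["se"])
    # Without st the token is valid from the moment it was signed; `now` is the
    # assumed best estimate of that moment (defaults to the current time).
    start = _parse_sas_time(params["st"]) if "st" in params else (now or datetime.now(timezone.utc))
    lifetime = expiry - start
    if lifetime > MAX_LIFETIME:
        problems.append(f"lifetime {lifetime} exceeds {MAX_LIFETIME}")
    return problems


# Constructed sample URLs (signatures redacted, account name fictional).
_BASE = "https://example.blob.core.windows.net/logs?sv=2019-12-12&ss=b&srt=o"
GOOD_SAS = _BASE + "&sp=r&st=2024-05-01T08:00:00Z&se=2024-05-01T12:00:00Z&spr=https&sig=REDACTED"
BAD_SAS = _BASE + "&sp=rwdl&st=2024-05-01T08:00:00Z&se=2025-05-01T08:00:00Z&spr=https,http&sig=REDACTED"
NO_START_SAS = _BASE + "&sp=r&se=2024-05-02T08:00:00Z&spr=https&sig=REDACTED"
REFERENCE_NOW = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, url in (("good", GOOD_SAS), ("bad", BAD_SAS), ("no-start", NO_START_SAS)):
        print(label, check_sas(url, now=REFERENCE_NOW) or ["ok"])
```

Run against tokens pulled from application logs or configuration, the check catches the two failure modes the article warns about: tokens minted for a year "to be safe" and tokens that work over plain HTTP.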

Any public access of Blob or file containers should be carefully audited to ensure it is only used in cases such as public web sites.

7. Virtual Machine Security Data

One unique facet of Azure virtual machine security is the virtual machine agent that gathers security data as mentioned above. Keeping the agent running ensures a proper overview of your assets.

Most importantly, however, securing virtual machines in the cloud works much the same as on-premises and has been discussed at length. Ensure you have the latest operating system and software patches and are running endpoint protection. Ensure you are using disk encryption to encrypt files at rest in case of storage compromise.

8. Microsoft SQL Server Azure Integration

Finally, one of the main selling points of Azure is the integration with Microsoft SQL Server. At a minimum, it is important to set your SQL Server Firewall with the tightest policy possible and to enable audit logs for insight into security breaches or possible misuse of information.

The Microsoft SQL Server threat detection capability within Azure can detect SQL injection, SQL injection vulnerabilities, and other anomalies. This is a paid feature, but it can enable further defense in depth and should be enabled if possible. Ensure that you are sending alerts to a security contact and service owners if you do enable threat detection.

This best practice advice is a baseline that applies to any project implemented within Microsoft Azure and can be expanded on and tailored to individual installations. Most of the recommendations here can be expanded on by referring to the Center for Internet Security Microsoft Azure Foundations Benchmark.


Tripwire Cloud Management Assessor

Tripwire Cloud Management Assessor is an integration for Tripwire® Enterprise that helps you determine the security state of your Microsoft Azure, Amazon Web Services, and Google Cloud Platform deployments by collecting and analyzing cloud account configuration data. You can monitor your Azure Resource Manager, or AWS and Google Cloud consoles for configuration changes right alongside the security monitoring of cloud and on-premises assets.

To learn more about Tripwire’s Cloud Management Assessor, click here.


Article 2: How to Secure Your Information on AWS: 10 Best Practices
David Bisson

The 2017 Deep Root Analytics incident that exposed the sensitive data of 198 million Americans, or almost all registered voters at the time, should remind us of the risks associated with storing information in the cloud. Perhaps the most alarming part is that this leak of 1.1 terabytes of personal data was avoidable. It was simple negligence. The data repository was in an AWS S3 bucket that had its access set to public, so anyone could find it—and download much of it—by navigating to an Amazon subdomain.

We all know that the misconfiguration of an S3 bucket is a common mistake. That’s because organizations oftentimes overlook IaaS systems like AWS. But such negligence isn’t defensible over the long term. Indeed, the Deep Root Analytics leak emphasizes the importance of organizations adopting a strategy that helps them avoid this type of costly misstep by focusing on properly configuring their AWS assets.

The AWS platform itself has strong security thanks to extensive investments by Amazon. Even then, the strongest defenses are vulnerable to attack by resourceful bad actors. As we saw back in 2016 in the Dyn DDoS attack, a large-scale attack can still overwhelm the sophisticated security protocols of AWS.

Let’s keep this in mind as we set the record straight on the shared responsibility model. Specifically, it’s important to clarify what organizations and CSPs are responsible for protecting under this framework.

Understanding the Shared Responsibility Model

Under a shared responsibility model, both the vendor and the customer are responsible for securing the cloud. The vendor, Amazon, is responsible for the security “of the cloud,” i.e. its infrastructure, which includes hosting facilities, hardware and software. Amazon’s responsibility includes protection against intrusion and detecting fraud and abuse.

The customer, in turn, is responsible for the security “in” the cloud, i.e. the organization’s own content, applications using AWS and identity access management, as well as its internal infrastructure like firewalls and network.

How to Secure Your Data on the AWS Platform

Now that we understand the shared responsibility model, let’s focus in and see what organizations can do to fulfill their responsibility for security “in” the cloud. The best practices discussed below can serve as a starting point in this regard.

1. Enable CloudTrail across all of AWS and turn on CloudTrail log validation. Enabling CloudTrail allows logs to be generated; the API call history provides access to data such as resource changes. With CloudTrail log validation on, you can identify any changes made to log files after delivery to the S3 bucket.

2. Enable CloudTrail S3 buckets access logging. These buckets contain log data that CloudTrail captures. Enabling access logging will allow you to track access and identify potential attempts at unauthorized access.

3. Enable flow logging for Virtual Private Cloud (VPC). These flow logs allow you to monitor network traffic that crosses the VPC, alerting you to anomalous activity like unusually high levels of data transfers.

4. Provision access to groups or roles using identity and access management (IAM) policies. By attaching the IAM policies to groups or roles instead of individual users, you minimize the risk of unintentionally giving excessive permissions and privileges to a user as well as improve the efficiency of permission management.

5. Restrict access to the CloudTrail bucket logs and use multi-factor authentication for bucket deletion. Unrestricted access, even for administrators, increases the risk of unauthorized access in case of credentials stolen through a phishing attack. If the AWS account becomes compromised, multi-factor authentication will make it more difficult for hackers to delete evidence of their actions and so conceal their presence.

6. Encrypt log files at rest. Only users who have permission to access the S3 buckets with the logs should have decryption permission in addition to access to the CloudTrail logs.

7. Regularly rotate IAM access keys. Rotating the keys and setting a standard password expiration policy helps prevent access due to a lost or stolen key.

8. Restrict access to commonly used ports, such as FTP, MongoDB, MSSQL, SMTP, etc., to required entities only.

9. Don’t use access keys with root accounts. Doing so can easily compromise the account and open access to all AWS services in the event of a lost or stolen key. Create role-based accounts instead and avoid using root user accounts altogether.

10. Terminate unused keys and disable inactive users and accounts. Both unused access keys and inactive accounts increase the threat surface and the risk of compromise.
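Item 1 above recommends CloudTrail log file validation; what that validation actually detects is easier to see with the mechanism in hand. The following Python is an added example, not the article's code and not AWS's implementation: it reproduces only the SHA-256 hash chain of CloudTrail digest files (each digest records the hash of every delivered log file and the hash of the previous digest), so that a log file modified after delivery, a deleted log file, or an altered digest each surface as a distinct problem. Real digests additionally carry an RSA signature that `aws cloudtrail validate-logs` checks against CloudTrail's public key; that step is omitted here, and the digest layout is a reduced version of the real one. All log content is constructed.

```python
"""Simplified CloudTrail log-file integrity validation (added example).

Real digest files also carry an RSA signature that `aws cloudtrail validate-logs`
checks against CloudTrail's public key; this example reproduces only the SHA-256
hash chain so the effect of tampering is visible offline. The digest layout is a
reduced version of the real one; all data below is constructed.
"""
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_digest(log_objects, previous_digest):
    """Build a digest covering log_objects (S3 key -> bytes), chained to previous_digest bytes."""
    document = {
        "hashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
        "logFiles": [
            {"s3Object": key, "hashValue": sha256_hex(body)}
            for key, body in sorted(log_objects.items())
        ],
    }
    return json.dumps(document, sort_keys=True).encode()


def validate_chain(digests, bucket):
    """Check each digest's log-file hashes against `bucket` (S3 key -> bytes) and the digest chain."""
    problems = []
    previous = None
    for index, raw in enumerate(digests):
        document = json.loads(raw)
        expected = sha256_hex(previous) if previous is not None else None
        if document["previousDigestHashValue"] != expected:
            problems.append(f"digest {index}: chain broken (previous digest altered or missing)")
        for entry in document["logFiles"]:
            body = bucket.get(entry["s3Object"])
            if body is None:
                problems.append(f"digest {index}: {entry['s3Object']} deleted from bucket")
            elif sha256_hex(body) != entry["hashValue"]:
                problems.append(f"digest {index}: {entry['s3Object']} modified after delivery")
        previous = raw
    return problems


def run_demo():
    """Return (clean, tampered_log, broken_chain) problem lists for constructed data."""
    hour1 = {"trail/2024/06/01/log-0100.json": b'{"Records":[{"eventName":"ConsoleLogin"}]}'}
    hour2 = {"trail/2024/06/01/log-0200.json": b'{"Records":[{"eventName":"DeleteBucket"}]}'}
    digest1 = make_digest(hour1, None)
    digest2 = make_digest(hour2, digest1)
    bucket = {**hour1, **hour2}
    digests = [digest1, digest2]

    clean = validate_chain(digests, bucket)

    # Scenario: the DeleteBucket record is stripped from the delivered log file.
    tampered = dict(bucket)
    tampered["trail/2024/06/01/log-0200.json"] = b'{"Records":[]}'
    tampered_log = validate_chain(digests, tampered)

    # Scenario: the first digest file is replaced; a single extra byte breaks the chain.
    broken_chain = validate_chain([digest1 + b" ", digest2], bucket)
    return clean, tampered_log, broken_chain


if __name__ == "__main__":
    for label, problems in zip(("clean", "tampered log", "broken chain"), run_demo()):
        print(label, "->", problems or ["ok"])
```

The chain is what makes item 5 (MFA for bucket deletion, restricted bucket access) matter: an attacker who can rewrite both the log file and every later digest could hide a change, which is why the digests are signed by AWS and why write access to the bucket must be tightly held.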
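Items 7, 9 and 10 can all be checked from one artifact, the IAM credential report. The following Python is an added example, not the article's code: it reads a credential report CSV and reports active root access keys (item 9), keys not rotated within 90 days (item 7), keys never used or unused for 90 days, and users with no password or key activity for 90 days (item 10). The column names are those of the real report returned by `aws iam get-credential-report`; the CSV below is a constructed subset of its columns (the real report has more), and the 90-day thresholds are an assumed policy.

```python
"""Audit an IAM credential report for root access keys, stale keys and inactive users.

Added example, not the article's code. Column names follow the real report
(`aws iam get-credential-report`); the CSV below is a constructed subset of
its columns, and the 90-day thresholds are an assumed policy.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)      # item 7: rotate keys regularly
MAX_INACTIVITY = timedelta(days=90)   # item 10: disable inactive users and keys


def _ts(value):
    """Parse a report timestamp; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def audit_credential_report(csv_text, now):
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>":
            # Item 9: the root user should have no access keys at all.
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append(f"{user}: access key {n} is active; delete it and use IAM roles")
            continue
        last_activity = []
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            used = _ts(row[f"access_key_{n}_last_used_date"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append(f"{user}: access key {n} not rotated for {(now - rotated).days} days")
            if used is None and rotated and now - rotated > MAX_INACTIVITY:
                findings.append(f"{user}: access key {n} never used; terminate it")
            elif used and now - used > MAX_INACTIVITY:
                findings.append(f"{user}: access key {n} unused for {(now - used).days} days; terminate it")
            last_activity.append(used or rotated)
        if row["password_enabled"] == "true":
            last_activity.append(_ts(row["password_last_used"]) or _ts(row["user_creation_time"]))
        last_activity = [t for t in last_activity if t]
        if last_activity and now - max(last_activity) > MAX_INACTIVITY:
            findings.append(f"{user}: no activity for {(now - max(last_activity)).days} days; disable the user")
    return findings


# Constructed report (subset of the real columns; account id and users are fictional).
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,"
    "password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,"
    "access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,"
    "2024-05-30T09:00:00+00:00,not_supported,not_supported,true,true,2021-03-03T00:00:00+00:00,"
    "2024-05-30T09:00:00+00:00,false,N/A,N/A\n"
    "alice,arn:aws:iam::123456789012:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-28T12:00:00+00:00,"
    "2024-03-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,true,true,2024-04-15T00:00:00+00:00,"
    "2024-05-28T12:00:00+00:00,false,N/A,N/A\n"
    "bob,arn:aws:iam::123456789012:user/bob,2022-06-01T00:00:00+00:00,true,2024-01-05T08:00:00+00:00,"
    "2023-12-01T00:00:00+00:00,2024-02-29T00:00:00+00:00,false,true,2023-11-20T00:00:00+00:00,"
    "2024-01-05T08:00:00+00:00,true,2024-02-01T00:00:00+00:00,N/A\n"
    "ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2024-01-15T00:00:00+00:00,false,N/A,N/A,N/A,"
    "false,true,2024-05-20T00:00:00+00:00,2024-05-31T03:00:00+00:00,false,N/A,N/A\n"
)
REPORT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)  # when the constructed report was "generated"

if __name__ == "__main__":
    for line in audit_credential_report(SAMPLE_REPORT, REPORT_TIME):
        print(line)
```

On the constructed data only the root account and `bob` produce findings: `alice` and the `ci-deploy` service user have recently rotated and recently used keys, while `bob` has two stale keys, one of them never used, and no activity at all for more than 90 days.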

If you’re using custom applications in AWS, you also need to follow best practices for custom application security. Don’t leave any loopholes for bad actors to exploit or for your IT team to overlook. Organizations don’t need to make mistakes when it comes to securing their AWS assets. Moreover, in the wake of GDPR and other data protection regulations, no organization can afford the implications of not paying attention to their security policies and practices.

Editor’s note: Tripwire has announced that it has joined the global partner program for Amazon Web Services (AWS). As a new Advanced Technology Partner of the AWS Partner Network (APN), Tripwire has now made its vulnerability management solution, Tripwire® IP360™, available on the AWS Marketplace. Learn more here.


Article 3: A Google Cloud Platform Primer with Security Fundamentals
Ben Layer

We’ve previously discussed best practices for securing Microsoft Azure and Amazon Web Services but, this time, we are going to turn our attention to Google Cloud Platform. Google Cloud Platform (GCP) is growing at an impressive 83 percent year over year but generally receives less focus than AWS and Azure.

We can use some of our best practice cloud security knowledge to outline some fundamental steps for keeping Google Cloud Platform secure.

1. Identity and Access Management

A general rule of thumb is to use managed corporate credentials for your Google Cloud Platform accounts instead of personal Gmail accounts. This helps ensure complete visibility and control of the account, as well as continuity of service in the event of personnel changes.

Additionally, as always, your GCP credentials should have multi-factor authentication enabled to combat the threat of breached or weak credentials.

Google allows for multiple projects within GCP with separate access control and billing accountability. Using multiple separate projects can help segment your resources, so that the compromise of one machine or account does not put resources in another project in jeopardy.

2. Network Security

A first priority should be the removal of the “default” Virtual Private Cloud (VPC) network. Creating your own network will give greater awareness of just what exactly you are allowing in and out of your VPC network. The default network allows access to some internal GCP networks, as well as global SSH and RDP access.

It is critical to limit your exposure to brute force attacks. Limit attack surface area by removing global SSH and RDP access. When you define your own VPC network, take care not to allow access to port 22 or 3389 from the open internet (0.0.0.0).

It is always wise to use traditional network security best practices in your deployments in order to prevent and detect attacks or breaches. Perform frequent vulnerability audits on your cloud network and assets with a vulnerability management product.

3. Logging

It is important to create a comprehensive logging policy within your cloud platform to help with auditing and compliance.

Access logging should be enabled on storage buckets so that you have an easily accessible log of object access. Administrator audit logs are created by default, but you should enable Data Access logs for Data Writes in all services.

The Stackdriver logging mechanism only stores logs for a limited time. You should create a log export sink with no filter in order to archive all logs for an extended period.

More information on logging configuration can be found here.


4. Database

Google Cloud Platform provides the ability to create managed MySQL and PostgreSQL database instances in which Google takes care of security patches; however, there are still configuration options which should be set if you are using the database feature.

By default, SSL is not required. All databases should be configured to require SSL connections to foil snooping and man-in-the-middle attacks.

When starting a new MySQL database, it is possible to create it without a root (admin) password. You absolutely must enable a root password for all MySQL databases.

As in the networking section, again you should not allow ingress to your databases from the global internet. Do not allow 0.0.0.0 or /0 when creating authorized networks for your databases. Similarly, MySQL should not allow root users to connect from 0.0.0.0.
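The three database checks in this section (require SSL, no root without a password, no ingress from the whole internet and no root login from any host) can be scripted against instance settings plus one query on the MySQL user table. The following Python is an added example, not the article's code: `instance` follows the field names under `settings.ipConfiguration` in `gcloud sql instances describe --format=json` (an assumed shape), and the user rows are `(user, host, authentication_string)` tuples as returned by `SELECT user, host, authentication_string FROM mysql.user`. In MySQL the host `%` is the wildcard meaning "from anywhere", which is how the article's "root users connecting from 0.0.0.0" shows up in that table. All data below is constructed.

```python
"""Audit Cloud SQL instance settings and MySQL root accounts (added example).

Not the article's code. `instance` follows the field names of
`gcloud sql instances describe --format=json` (settings.ipConfiguration);
`user_rows` are (user, host, authentication_string) tuples as returned by
SELECT user, host, authentication_string FROM mysql.user. All data is constructed.
"""
import ipaddress


def instance_findings(instance):
    """Flag missing SSL enforcement and authorized networks that admit the whole internet."""
    findings = []
    ipcfg = instance.get("settings", {}).get("ipConfiguration", {})
    if ipcfg.get("ipv4Enabled", True) and not ipcfg.get("requireSsl", False):
        findings.append("requireSsl is false: clients may connect without TLS")
    for network in ipcfg.get("authorizedNetworks", []):
        label = network.get("name", network["value"])
        try:
            if ipaddress.ip_network(network["value"], strict=False).prefixlen == 0:
                findings.append(f"authorized network {label} ({network['value']}) admits the whole internet")
        except ValueError:
            findings.append(f"authorized network {label} has an unparsable value {network['value']!r}")
    return findings


def mysql_user_findings(user_rows):
    """Flag root accounts reachable from any host and accounts with an empty password."""
    findings = []
    for user, host, auth in user_rows:
        if user == "root" and host == "%":   # '%' is MySQL's wildcard host: connect from anywhere
            findings.append("root@%: root may connect from any host")
        if auth == "":
            findings.append(f"{user}@{host}: empty password")
    return findings


# Constructed sample data (instance name, networks and hashes are fictional).
SAMPLE_INSTANCE = {
    "name": "orders-db",
    "databaseVersion": "MYSQL_5_7",
    "settings": {
        "ipConfiguration": {
            "ipv4Enabled": True,
            "requireSsl": False,
            "authorizedNetworks": [
                {"name": "office", "value": "203.0.113.0/24"},
                {"name": "everywhere", "value": "0.0.0.0/0"},
            ],
        }
    },
}
SAMPLE_USERS = [
    ("root", "%", ""),                       # root, any host, no password set
    ("root", "localhost", "*CONSTRUCTED_HASH"),
    ("app", "10.%", "*CONSTRUCTED_HASH"),    # application account restricted to 10.x hosts
]

if __name__ == "__main__":
    for line in instance_findings(SAMPLE_INSTANCE) + mysql_user_findings(SAMPLE_USERS):
        print(line)
```

The fixes map directly onto the findings: set `requireSsl`, replace the `0.0.0.0/0` authorized network with the specific ranges that need access, and drop or re-host the `root@%` account after giving root a password.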

5. Storage

We would be remiss not to mention paying attention to storage bucket access after so many news reports of online storage data dumps. The Google Cloud Platform Console does not present obvious warnings when buckets have anonymous or public access, so it is important to monitor these settings. Ensure neither allUsers nor allAuthenticatedUsers has access on buckets or objects where it is not needed. In this case, “allAuthenticatedUsers” means anyone with a Google account, which is equivalent to everyone.

You may also consider enabling object versioning to protect yourself from unintended overwrites.
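Because the console does not warn about public buckets, the check has to be yours. The following Python is an added example, not the article's code: it inspects a bucket's IAM policy (the `bindings` layout returned by `gsutil iam get`) and its legacy ACL (the `entity`/`role` layout of the bucket ACL API) for grants to `allUsers` or `allAuthenticatedUsers`, and also reports buckets without object versioning. A `public_site` flag marks buckets that are meant to serve public website content, the one case the article allows; even then only read-only grants to `allUsers` are tolerated, and `allAuthenticatedUsers` is never accepted because it means every Google account holder. The bucket data is constructed.

```python
"""Audit Cloud Storage buckets for anonymous/public access and versioning (added example).

Not the article's code. `policy` uses the bindings layout returned by
`gsutil iam get`; `acl` uses the entity/role layout of the legacy bucket ACL
API. Bucket data below is constructed; `public_site` marks buckets that are
intended to serve a public website (the one case the article allows).
"""

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
READ_ONLY_ROLES = {"roles/storage.objectViewer", "roles/storage.legacyObjectReader", "READER"}


def public_grants(policy, acl=()):
    """Collect (principal, role) pairs that grant access to everyone."""
    grants = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                grants.append((member, binding["role"]))
    for entry in acl:
        if entry.get("entity") in PUBLIC_PRINCIPALS:
            grants.append((entry["entity"], entry["role"]))
    return grants


def bucket_findings(name, policy, acl=(), versioning=False, public_site=False):
    """Return findings for one bucket; an empty list means the bucket passes."""
    findings = []
    for principal, role in public_grants(policy, acl):
        # Public website content may be readable by allUsers; anything broader is a finding,
        # and allAuthenticatedUsers (every Google account) is never acceptable.
        if public_site and principal == "allUsers" and role in READ_ONLY_ROLES:
            continue
        findings.append(f"{name}: {principal} granted {role}")
    if not versioning:
        findings.append(f"{name}: object versioning disabled (no protection from overwrites)")
    return findings


# Constructed sample buckets (names, groups and project ids are fictional).
WWW_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["group:web-admins@example.com"]},
]}
EXPORTS_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers", "user:analyst@example.com"]},
]}
EXPORTS_ACL = [
    {"entity": "allUsers", "role": "READER"},
    {"entity": "project-owners-123456789012", "role": "OWNER"},
]


def run_demo():
    """Audit both constructed buckets and return their findings keyed by bucket name."""
    return {
        "www-example-site": bucket_findings("www-example-site", WWW_POLICY, versioning=True, public_site=True),
        "customer-exports": bucket_findings("customer-exports", EXPORTS_POLICY, EXPORTS_ACL, versioning=False),
    }


if __name__ == "__main__":
    for bucket, findings in run_demo().items():
        print(bucket, "->", findings or ["ok"])
```

Both grant paths are inspected because a bucket without uniform bucket-level access can be made public through its legacy ACL alone, which an IAM-only review would miss.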

6. Virtual Machines

One unique Google Cloud Platform function is the interactive serial port capability, but unfortunately, the interactive serial console does not support IP-based access restriction and allows connections from any IP address. This function should remain disabled, as it allows for brute force login attacks.

Securing virtual machines in the cloud requires many of the same controls as in your local environment. Run network security scans, anti-malware apps, and keep track of changes with file integrity monitoring and change management.

7. Google App Engine

Google Cloud Platform provides the Cloud Security Scanner, which provides detection of common vulnerabilities such as cross site scripting (XSS), flash injection, and insecure library usage. These free scans of your App Engine websites can be run both before and after you enter production, so it is an easy win on your road to increasing security in your DevOps process.

Are you working with Google Cloud Platform?

These fundamentals apply to any project implemented within Google Cloud Platform and can be expanded on and tailored to individual installations. More information can be found in the Center for Internet Security Google Cloud Platform Foundation Benchmark. The CIS benchmark provides guidance on best practice configurations for your Google Cloud Platform environment.

Tripwire has recently released version 4.2.0 of the Cloud Management Assessor, an integration for Tripwire Enterprise which helps you monitor the security state of your Google Cloud Platform, Amazon Web Services, or Microsoft Azure deployments by collecting and analyzing cloud configuration data. You can monitor your Google, AWS, or Azure accounts for configuration changes right alongside the security monitoring of cloud and on-premises assets.

To learn more about Tripwire’s Cloud Management Assessor, click here.


Article 4: Best Practices for IT Security Teams in the Age of Cloud
Onyeka Jones

About a decade ago, organizations were hesitant to adopt cloud solutions, with many citing security concerns.

Fast forward to 2019, and 81% of organizations have a multi-cloud strategy, spurred on by the desire for increased flexibility, usage-based spending and the desire to respond to market opportunity with greater agility. In fact, organizations are embracing cloud solutions so much so that Gartner predicts the public cloud services market will grow by 17.5% in 2019 alone and that by 2022 the total market will be $331.2B.

According to the Gartner report, of the different segments within the cloud services market, Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) are growing the fastest. IaaS is projected to reach $38.9B in 2019, up from $30.5B in 2018—a 27.5% growth. Similarly, PaaS is projected to grow by 21.8%. This appears to be a sustained trend, as more than a third of all organizations regard cloud investment as a top three investment priority. However, due to organizational structures, many times the cybersecurity team does not have exclusive responsibility for driving the adoption of cloud solutions or DevOps tools and is often not engaged in deciding which cloud solutions or DevOps solutions to adopt and deploy.

A recent GitLab study showed that while 69% of developers recognize that they are expected to write secure code, 49% of security professionals say it is a challenge getting developers to make vulnerability remediation a priority. Thus, many IT cybersecurity departments struggle to ensure that cloud adoption is not undertaken at the expense of security. This common dynamic leads to security gaps in organizations.

For example, Vitagene, Inc., a DNA-testing service, exposed thousands of client health reports online for years. This breach involved 3,000 user records that were publicly available on AWS for several years. These user records included information such as date of birth, gene-based health information and medical conditions. This kind of highly personal information can be used for identity theft and blackmail. Interestingly, Vitagene did not detect this breach itself, and external access was only remediated after it was notified. Unfortunately, this story is not unique. This case, sadly, is one of the thousands of security breaches that result from misconfigured cloud servers and accounts.

Given the trends in cloud adoption, it is clear that there is no going back on cloud adoption; therefore, organizations need to adapt their approach to security and adopt solutions that will help them secure their hybrid enterprise.

Although organizations are adopting cloud solutions at a growing pace, with 30% of organizations expected to adopt a cloud-only approach for new software, many organizations still have on-prem assets to manage. So many organizations, despite their adoption of cloud solutions, are effectively hybrid enterprises with both on-prem and cloud assets to secure. This leads to a situation of expanding threat attack surface area and increasing risks to manage. Many organizations have tried to address this risk, albeit with limited success, by trying to apply the old principles of vulnerability management to these new environments.


However, to successfully secure the hybrid enterprise, organizations need to abide by the following best practices.

1. Vulnerability Scanning for Cloud Environments

Vulnerability scans can identify known vulnerabilities, misconfigured assets, un-inventoried endpoints, slips in compliance and many other network instances which hackers see as an invitation.

Agent and agentless scanning are two valid approaches for vulnerability scans. Agents can provide access to environments, including some cloud environments, where remote network scanning is difficult or prohibited. They also reduce the requirement to maintain and track endpoint credentials required for agentless scanning, and they may provide better tracking in a dynamic IP environment. Conversely, agentless scans can identify information that isn’t stored on network devices, like SSL certificates.

However, it’s not a matter of choosing one over the other. The strongest vulnerability management strategy will employ both types of vulnerability assessment. Therefore, you’ll want a solution that builds agents into the deployment pipeline for virtual images. That means a robust vulnerability management solution will already be present when an image spins up to feed scan results back to your device profiler. It’s crucial that your vulnerability management solution delivers your scan results in order of priority so you know which vulnerabilities to tackle first.

2. Secure Configuration for Cloud Assets

As mentioned earlier, 81% of organizations have a multi-cloud strategy. This is an intentional cloud adoption strategy to prevent inordinate dependency on any one vendor, to take advantage of unique features and to prevent data loss or downtime.

However, as a result of using multiple IaaS and PaaS solutions, it becomes increasingly difficult to manage the security of these cloud accounts. This can quickly lead to misconfigured cloud accounts or misconfigured storage buckets.

Additionally, for organizations who have invested in aligning their on-prem environment to compliance regulations or standards like CIS, it is similarly important that these controls are extended into the cloud. It is therefore crucial that you utilize a solution that can not only assess your cloud environment for vulnerabilities but can also assess those cloud environments for compliance to standards like the CIS policy.

Furthermore, you’ll also want a solution that ensures that all cloud management accounts on the different cloud platforms are securely configured.

3. Managed Security Services

Unfortunately, as cloud adoption increases and the attack surface area broadens, the technical skills gap continues to grow. Organizations are increasingly challenged with hiring, retaining and training cybersecurity professionals. Recent surveys show that there will be 3.5 million unfilled cybersecurity positions globally by 2021. To help combat the growing attack surface area and growing cyber risk with the adoption of cloud, it is important that organizations extend their security teams with a managed security service. A managed security service can help to grow your vulnerability maturity, provide the expertise to secure cloud environments and insulate your organization from the technical skills gap.

Tripwire has robust solutions to help you extend the same security in your on-prem environment to the cloud. Our Cloud Management Assessor helps organizations ensure that their AWS, Azure and Google cloud storage accounts are securely configured and in compliance with the CIS policy.

Our vulnerability management solutions, Tripwire IP360 and Tripwire for DevOps, provide end-to-end vulnerability assessment for images and containers pre-deployment and in production. Our solution will also build agents into the deployment pipeline for virtual images.

Lastly, to help you address the technical skills gap, we offer managed security services—Tripwire ExpertOpsSM—for vulnerability management, secure configuration management and file integrity monitoring.

With these solutions in place, your organization will be ready to mitigate the risk that arises in an increasingly cloud-first world.


Article 5: Who Is Responsible for Your Cloud Security?
Kim Crawley

The cloud is a tremendous convenience for enterprises. Running a data center is expensive – doing so not only requires buying a lot of servers, cable and networking appliances but also electricity, labor costs, cooling and physical space.

Services like Amazon’s AWS, Microsoft’s Azure, Oracle’s Cloud and Google’s Cloud Platform give businesses the benefits of having a data center without the expensive overhead and related hassles. Imagine how much more expensive it would be to launch a Software as a Service (SaaS) product if establishing the backend had to be done without the help of third-party cloud services.

Cloud services and the internet offer tremendous cost savings, efficiency and functionality. Unfortunately, putting your data on the internet exposes it to greater cybersecurity risks. It’s certainly possible to security-harden cloud services to make them a lot less vulnerable to cyber attack.

But when Amazon or Google owns the infrastructure and your enterprise owns the data, who is responsible for keeping your cloud secure?

What are we protecting in the cloud?

The Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework defines the following as essential IT resources:

» People

» Information

» Applications

» Infrastructure

A cloud provider, such as Azure or AWS, typically provides infrastructure as a service (IaaS) and platform as a service (PaaS). The infrastructure is the physical components of computers, networks and networking appliances. The platform is all of that plus middleware components, such as databases. If the application you’re running is yours, the SaaS aspect is your responsibility.

The shared cloud security model

Amazon’s AWS is a leader in cloud services. AWS’ initiatives help to set trends in the cloud services industry. AWS features what Amazon calls a Shared Responsibility Model.

Here’s what they say on the official AWS policy site:

AWS responsibility ‘Security of the Cloud’—AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

Customer responsibility ‘Security in the Cloud’—Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), and Amazon S3 are categorized as Infrastructure as a Service (IaaS) and, as such, require the customer to perform all of the necessary security configuration and management tasks. If a customer deploys an Amazon EC2 instance, they are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.

So, in a nutshell, AWS will make sure that only authorized parties have physical access to their data centers. AWS will keep the pertinent network security appliances running, such as IPS devices, IDS devices and firewalls. They also monitor logs for security alerts and address any issues related to the security of the network itself.

If there’s a vulnerability in your code (which doesn’t belong to Amazon) and a cyber attacker exploits it, that’s on you.

AWS will let you know if there’s a security incident and will address the infrastructure related issues for you. Software-related compliance and incident matters are your responsibility as the customer who owns the product which is running in AWS’ cloud. Access management pertaining to your application is up to you to protect.

What’s next to help you secure your cloud environment?

You’re responsible for the security of your software in the cloud, but you don’t have to do it alone. Securing your applications is a lot of work—it’s a 24/7 job!

You should consider deploying a third-party cloud security solution. Configuration management, vulnerability management and log management can be better handled with the help of a company that has specific expertise with these security services. Don’t try this at home, kids!

I also strongly recommend that you download Tripwire’s free whitepaper on Securing AWS Cloud Management Configurations, especially if you’re considering AWS as your cloud provider.

To learn more about staying secure in the cloud, find out what 18 experts advise for effective and secure cloud migration, here.


About the Authors

Ben Layer

Ben Layer is a Principal Software Engineer at Tripwire. He’s a security industry veteran, with 20 years of experience in research, product design and development. Ben has worked in multiple areas of the security space, including vulnerability management, network security, threat intelligence and malware analysis. He is passionate about creating cutting-edge solutions to real-world problems.

David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for IBM’s Security Intelligence, Associate Editor for Tripwire’s “The State of Security” blog, and Contributing Writer for Gemalto, Venafi, Zix Corp, Bora Design and others.


Onyeka Jones

Onyeka Jones is a product manager at Tripwire. As the product manager focused on healthcare solutions, she has a deep understanding of the IT security challenges in the healthcare industry.

Kim Crawley

Kim Crawley spent years working in general Tier 2 consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine and 2600 magazine.

©2019 Tripwire, Inc. Tripwire, Log Center/LogCenter, IP360 and Tripwire Axon are trademarks or registered trademarks of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. BRCAAv1a 1911

Tripwire is the trusted leader for establishing a strong cybersecurity foundation. Partnering with Fortune 500 enterprises, industrial organizations and government agencies, Tripwire protects the integrity of mission-critical systems spanning physical, virtual, cloud and DevOps environments. Tripwire’s award-winning portfolio delivers top critical security controls, including asset discovery, secure configuration management, vulnerability management and log management. As the pioneers of file integrity monitoring (FIM), Tripwire’s expertise is built on a 20+ year history of innovation helping organizations discover, minimize and monitor their attack surfaces. Learn more at tripwire.com

The State of Security: News, trends and insights at tripwire.com/blog Connect with us on LinkedIn, Twitter and Facebook