A Trend Micro White Paper | July 2015

The 10 Step Action Plan: Meeting Your Shared Security Responsibility with Microsoft Azure


Contents

Executive Summary (page 3)
Shared Security Responsibility with Cloud Service Providers (page 4)
The Cloud Provider’s Role in Security (page 4)
Administrative Controls (page 4)
Physical Controls (page 5)
Logical Controls (page 5)
Your Organization’s Responsibility for Secure Cloud Adoption (page 6)
Action 1: Plan before Your Cloud Adoption (page 6)
Action 2: Control Access to the Azure Management Portal (page 7)
Action 3: Harden Administrative Access to Your VMs (page 8)
Action 4: Create Restrictive Network Policies (page 9)
Action 5: Secure Your Applications Using a Host-Based Intrusion Prevention System (page 11)
Action 6: Leverage Patch Images (page 11)
Action 7: Monitor Your Security Posture (page 12)
Action 8: Secure Your Applications Using Host-Based File Monitoring (page 12)
Action 9: Use Azure to Improve Incident Response (page 13)
Action 10: Conduct Vulnerability Assessments and Penetration Testing (page 13)
Making Security Work in the Cloud (page 14)
How Trend Micro Can Help Secure Your Journey to the Cloud (page 15)


Executive Summary

Cloud adoption is increasing at a rapid rate, introducing unique and complex security considerations for users. Security is no longer solely under the control of an organization; it is an inherent partnership between the organization and the cloud service provider, and an organization may not have complete visibility into all aspects of its security. Organizations therefore need to understand how adopting a cloud-computing model will affect their risk profile for data security, privacy, and availability. If they don’t get it right, they can compromise the benefits of going to the cloud. Choosing a strong cloud service provider is the first step.

With its Azure offering, Microsoft has built a solid foundation that addresses security with comprehensive administrative, physical, and logical controls—from strict policies for physical access to its data centers, to well thought-out configuration change management procedures. However, a secure foundation is just the start: to build an end-to-end secure computing environment, organizations must still take an active role in protecting systems, applications and data to fulfill their part of a shared security model.

This paper will discuss what part of the shared responsibility equation customers are responsible for and what some of the recommended security practices are that can help create a secure cloud-computing environment.


Shared Security Responsibility with Cloud Service Providers

To address the security needs of workloads running in the cloud, organizations first need to understand who is responsible for protecting those workloads. While the specific threats that face cloud computing implementations are not new, the way they are mitigated, and who is responsible for mitigating them, is different. For example, “insider threats” in a traditional IT model still apply to the cloud-computing model. But in a cloud service offering, the primary controls that help mitigate this type of threat, e.g. administrative and physical controls, are now provided by the cloud service provider.

In the Azure environment, Microsoft is responsible for the security of the underlying infrastructure. Microsoft Azure provides a robust platform for deploying workloads with greater speed, cost-effectiveness and agility than the traditional data center. This platform includes robust security around the physical facilities, the network infrastructure, and the virtualization layer.

While Microsoft gives organizations the most freedom in leveraging the benefits of cloud computing, it also requires that customers take an active role in securing their own operating systems, applications, and data. Any cloud project needs to consider the security and compliance requirements of each workload being moved to Microsoft Azure.

The Cloud Provider’s Role in Security

When an organization chooses to secure their data in the cloud, they need to understand the types of controls that the cloud service provider provides. As the responsibility for securing the underlying controls shifts to the cloud service provider, organizations need to understand exactly what the service provider will offer. That will help you to ensure that you know your organization’s responsibility and are prepared to step up to the plate. You should be able to eliminate any potential gaps in your cloud security strategy by ensuring that you have the right security controls at each layer to reduce both the opportunities to reach your workloads and the number of system elements an attacker can leverage.

ADMINISTRATIVE CONTROLS

Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. When workloads run in a traditional enterprise IT infrastructure, it is considered a trusted environment because it is either physically located within the organization’s on-premise facilities and/or directly managed by the organization. The organization exercises complete control over the networking infrastructure, including physical access to the facility, background checks when hiring new employees, and change management processes.

When migrating to the cloud, applications and data are in an environment that is not controlled directly by the organization. In its place is a separately managed and maintained infrastructure hosted externally with the cloud provider. Instead of controlling the IT environment directly through the implementation of controls defined by the organization, control is now achieved through the relationship with the cloud service provider and the associated service level agreements.


PHYSICAL CONTROLS

Physical controls monitor and control the environment of the workplace and computing facilities. They also monitor and control access to and from such facilities. Administrative and technical controls ultimately depend on proper physical security controls: an administrative policy allowing only authorized employees into the data center serves no purpose if there is no physical access control stopping an unauthorized employee from entering the facility. In a traditional IT model the organization is responsible for implementing these physical controls to secure the computing facility, separating the network and workplace environments, and putting up environmental safeguards.

When moving to cloud services, implementing physical controls is the responsibility of the cloud provider. It is important to understand the specific physical controls and map them to ensure that they meet the organization’s requirements. Cloud service providers secure their data centers with a variety of physical controls such as security guards, multiple authentication and dual factor authentication—all part of preventing unauthorized access to their data centers.

LOGICAL CONTROLS

Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, network and host-based firewalls, intrusion prevention systems, access control lists, and data encryption are logical controls. Control over the implementation of the logical controls varies depending upon the cloud service model.

Figure 1: Shared Responsibilities Model

[Diagram. Your Organization: Operating System, Network & Firewall Configuration; Platform, Applications, Identity & Access Management; Application & Data. Microsoft Azure: Foundation Services (Compute, Storage, Database, Networking); Cloud Global Infrastructure (Availability Zones, Regions).]


Your Organization’s Responsibility for Secure Cloud Adoption

Building on the security of the Azure infrastructure, this shared security responsibility starts with making sure your Azure environment is secure.

Unfortunately, it’s a common mistake for application owners/departments or business units to bypass IT and security teams to sign up with cloud services without a specific plan for meeting their shared responsibility. Such adoption of cloud services often leads to complicated and costly corrections later on when your IT and security teams become involved. For example, if you don’t clearly separate your subscriptions, you can inadvertently give access to production services to employees who don’t need it. While thinking and planning takes time, it is a good investment. When you spend time planning your cloud adoption strategy, it allows you to establish a solid foundation upon which you can build and grow without fearing costly changes later on.

Below is a discussion of some of the best practices that help you meet your responsibility for cloud security so that you can build a secure computing environment.

Action 1: PLAN BEFORE YOUR CLOUD ADOPTION

Before moving to Microsoft Azure, you’ll need to understand the general flow of the Microsoft Cloud Service (Azure) sign-up and some fundamental concepts associated with the service. This will help you better understand the relationship between these components, what the security principles for each step are, and what options are at your disposal.

Creating Your Azure Account

To do anything in Azure, you need an account. When you create an account with Azure using the Azure Account Center, there are two choices provided to sign up:

a) a Microsoft account such as <user>@outlook.com, <user>@hotmail.com or <user>@live.com; or

b) your organization/work account, sourced from Azure Active Directory.

Microsoft Azure subscriptions use Azure Active Directory to sign users into the management portal and to secure access to the Azure management API. It’s recommended to use organization/work accounts that are created from within Azure Active Directory, as they provide more options for managing them. Importantly, organization/work accounts can be supplemented with multi-factor authentication, which is always recommended for privileged users such as the “account administrator/global administrator.”

Consider creating a “service” email account in your organization, e.g., a distribution list (DL) with an external SMTP address associated with it that can be used for Azure sign-up. This email DL should hold a few key project stakeholders as members; that way, your Azure account is unaffected by employee turnover. For example, “[email protected]” could be the user ID used for your Azure account sign-up process. This user will become your “Account Administrator or Global Administrator.” Simply place this user in your “root” account. The account administrator is the only one authorized to access the account center to create subscriptions, cancel subscriptions, change billing for a subscription, change the service administrator, and more. There is a one-to-one relationship between an Azure account and its account administrator.


Setting up Your Subscription

Once the Azure account is created, the next step is to set up subscriptions. Every cloud service belongs to a subscription; subscriptions help you organize access to cloud service resources. The account administrator—the person who creates the Azure account—is the only one who can create subscriptions and is designated as the default “service administrator” for the subscription. There is a one-to-one relationship between subscription and service administrator. Access to the Azure Management Portal is granted to this administrator. You can also create up to 10 co-administrators per subscription and can create multiple subscriptions based on your requirements. For example, you can create individual subscriptions based on the type of environment, such as “development,” “staging” and “production.” It is advisable to separate your workloads into specific subscriptions to avoid accidental changes, enabling you to view usage and control access to each service granularly.

Figure 2: Azure Account to Subscription and Access Administrators

Action 2: CONTROL ACCESS TO THE AZURE MANAGEMENT PORTAL

The first thing you’ll want to do after creating subscriptions is to set up Role-Based Access Control. This will help you control which cloud resources your employees can access and what actions they can perform on those resources. Using Role-Based Access Control, you can limit the access of users and groups by assigning them roles on Azure resources. Azure role-based access control comes with built-in roles such as “owner,” “reader” and “contributor,” which can be assigned to users, groups and services.

It’s easier to first create and assign access to the “subscription level” and then make adjustments at the resource levels. For example, John Smith (your DBA), can be assigned as a “reader” role at the subscription level, and based on his job role (i.e. DBA) and application structure (three-tier application, Web, app and database), you can then assign the “contributor” role to him at the virtual machine (VM) level that is running the database for your application.

[Figure 2 diagram: one Azure Account maps 1:1 to its Account Administrator. Each subscription (Development, Staging, Production) maps 1:1 to a Service Administrator and 1:10 to its Co-Administrators.]


Action 3: HARDEN ADMINISTRATIVE ACCESS TO YOUR VMS

Next, you need to decide how you will control your access points to Azure resources, i.e. how your users will reach the cloud resources they have been given access to. Microsoft Azure allows multiple access methods and management capabilities, so it’s important to restrict remote access to your VMs to a dedicated hardened workstation that runs only required services and applications and may have network access restricted to only what is needed to perform the tasks at hand. These workstations are not used by your users for day-to-day activities. You can further lock down access to Azure resources by having a Remote Desktop Gateway installed on-premise that is connected to the Azure environment. This Remote Desktop Gateway, together with Windows Server Network Access Protection (NAP), helps ensure that only clients that meet the specific security criteria established by your AD GPOs can connect.

In this type of setup, the local instance of Windows Firewall (or a non-Microsoft client firewall) is configured to block inbound connections, such as RDP. The administrator can log on to the on-premise hardened workstation and start an RDP session that connects to the Azure VM, but cannot log on to a corporate PC and use RDP to connect to the hardened workstation itself. This practice is meant to restrict and reduce your attack surface. The following logical view shows how access to the Azure VM is only allowed from the hardened on-premise workstation via the Remote Desktop Gateway.

Figure 3: Taken from: http://go.microsoft.com/fwlink/?linkid=518999&clcid=0x409

[Diagram: a DOMAIN\USER on a Corporate PC has an interactive login to that PC, but RDP sessions from it to the hardened workstation are blocked. A DOMAIN\USER with an interactive login on the Hardened Workstation (domain joined) opens RDP sessions through the RD Gateway with NAP, and those sessions are allowed into the Microsoft Azure VMs.]


Action 4: CREATE RESTRICTIVE NETWORK POLICIES

Network security is one of the most important building blocks of your overall security design, whether it is done on-premise or in the public cloud. Microsoft Azure provides the infrastructure necessary to securely connect your VMs to one another and to bridge the cloud and your data center. The responsibilities for network protection and management are shared between you and Microsoft. For example, Microsoft Azure takes care of spoofing attacks by performing hypervisor-based checks on outgoing network traffic, i.e., a compute node is not allowed to send traffic from any IP other than its own. Similarly, as an Azure subscriber, you cannot walk into a Microsoft data center and rewire a server rack, but you are allowed to do the equivalent within your cloud environment through a number of different virtual mechanisms, including guest OS firewalls, VNET Gateway configuration, and virtual private networks.

Just like with an on-premise model, you should plan your network design based on your security, connectivity, and application requirements. This must be done prior to launching your workloads (VMs) in Azure, because after a VM has been deployed, you can’t move it to a virtual network without redeploying it.

By leveraging Windows Azure virtual networking service, you can create virtual networks for the purposes of segregating your three-tier application stack where you put your Web, application and database VMs.

Once the virtual network is created, you can attach your VMs to a Windows Azure Virtual Network. All VMs attached to a virtual network can only talk to other VMs attached to the same virtual network. If communication should be restricted among VMs within the same subnet, e.g., VMs in the Web tier can’t talk to each other (east-west), then either use the guest OS firewall or deploy a third-party host-based firewall solution. To restrict the traffic flow between subnets and VMs (e.g., the VMs in the Web tier can’t talk to the database tier), you can use the guest OS firewall, deploy a third-party host-based firewall solution such as Trend Micro Deep Security, or use the network-level access control from Azure called Network Security Groups, as long as your vNet is not associated with affinity groups. Network Security Groups allow two-tier traffic filtering on inbound and outbound flows and implement a traffic flow firewall policy that is maintained at the network level instead of the OS level.

External access to a VM from the Internet is defined by creating input endpoints that allow inbound communication to the VM. In the three-tier network design, VMs placed in the app tier and database tier usually don’t need direct access from the Internet. For this reason, it’s recommended to restrict direct access to them by not creating any input endpoints for these VMs, and to create input endpoints only for the ports that you need open from the Internet. When access to application and database servers from outside is required, you can also specify access control lists on input endpoints to control the source IPs from which the VM will allow inbound traffic.

Similarly, the outbound communication flow of your VM should be restricted based on your security and application requirements.

The logical diagram in Figure 4 below depicts the network control choices we have discussed for our sample three-tier application stack.
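The priority-ordered, first-match rule evaluation that Network Security Groups apply to the three-tier design above, modelled in Python as an added example (not Trend Micro or Azure code). The subnets follow Figure 4; the rule names, the admin source range, the modelled default rules and the use of SQL Server's default port 1433 (the figure labels the SQL link 1443) are assumptions.

```python
"""Model of NSG-style inbound filtering for the three-tier stack in Figure 4.
Added illustration; rule names, admin range and default rules are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower value is evaluated first, as with Azure NSG rules
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, or the tags "Internet", "VirtualNetwork", "*"
    destination: str
    ports: tuple       # destination ports, e.g. ("80", "443") or ("*",)


# Subnets as drawn in Figure 4 (constructed to match the diagram).
WEB_TIER = ip_network("10.10.1.0/24")
APP_TIER = ip_network("10.10.2.0/24")
DB_TIER = ip_network("10.10.3.0/24")
VNET = (WEB_TIER, APP_TIER, DB_TIER)
ADMIN_IPS = "198.51.100.0/24"   # constructed admin source range for RDP


def _addr_matches(spec, addr):
    if spec == ANY:
        return True
    in_vnet = any(addr in net for net in VNET)
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet
    return addr in ip_network(spec)


def _port_matches(ports, port):
    for spec in ports:
        if spec == ANY:
            return True
        lo, _, hi = spec.partition("-")       # "80" or "1024-65535"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


# Modelled after the default rules Azure appends to every NSG (assumption).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", ANY, "VirtualNetwork", "VirtualNetwork", (ANY,)),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", ANY, ANY, ANY, (ANY,)),
]

# Per-tier inbound rules for the three-tier stack (constructed example policy).
TIER_RULES = {
    WEB_TIER: [
        Rule("AllowWebFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", ANY, ("80", "443")),
        Rule("AllowRdpFromAdmins", 110, "Inbound", "Allow", "Tcp", ADMIN_IPS, ANY, ("3389",)),
    ],
    APP_TIER: [
        Rule("AllowHttpsFromWeb", 100, "Inbound", "Allow", "Tcp", str(WEB_TIER), ANY, ("443",)),
        Rule("DenyOtherVnet", 200, "Inbound", "Deny", ANY, "VirtualNetwork", ANY, (ANY,)),
    ],
    DB_TIER: [
        Rule("AllowSqlFromApp", 100, "Inbound", "Allow", "Tcp", str(APP_TIER), ANY, ("1433",)),
        Rule("DenyOtherVnet", 200, "Inbound", "Deny", ANY, "VirtualNetwork", ANY, (ANY,)),
    ],
}


def evaluate_inbound(src, dst, protocol, port):
    """Return (access, rule_name) for a packet arriving at dst: the lowest-numbered
    matching rule of the destination subnet's NSG decides; the defaults apply last."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    subnet = next((net for net in VNET if dst_ip in net), None)
    rules = TIER_RULES.get(subnet, []) + DEFAULT_RULES
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != "Inbound" or rule.protocol not in (ANY, protocol):
            continue
        if not (_addr_matches(rule.source, src_ip) and _addr_matches(rule.destination, dst_ip)):
            continue
        if not _port_matches(rule.ports, port):
            continue
        return rule.access, rule.name
    return "Deny", "implicit"   # unreachable while DenyAllInBound is present


if __name__ == "__main__":
    checks = [
        ("203.0.113.5", "10.10.1.10", "Tcp", 443),   # client to web: allowed
        ("203.0.113.5", "10.10.3.10", "Tcp", 1433),  # client straight to DB: denied
        ("10.10.1.10", "10.10.2.10", "Tcp", 443),    # web to app: allowed
        ("10.10.1.10", "10.10.3.10", "Tcp", 1433),   # web to DB: denied by explicit rule
        ("10.10.2.10", "10.10.3.10", "Tcp", 1433),   # app to DB: allowed
        ("10.10.1.10", "10.10.1.20", "Tcp", 22),     # web to web: NSG default allows it,
    ]                                                 # so east-west needs the guest firewall
    for src, dst, proto, port in checks:
        print(f"{src} -> {dst} {proto}/{port}: {evaluate_inbound(src, dst, proto, port)}")
```

The last check shows why the text sends you to the guest OS firewall for east-west traffic within a subnet: the modelled subnet policy never sees a deny for it.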


Figure 4: Network Access Controls with 3-Tier Application Stack

[Diagram: a Client reaches the Azure Cloud Access Layer over HTTP/HTTPS (80/443) into the WEB-TIER (Web Server-1 and Web Server-2 VMs, 10.10.1.0/24, NSG). The web tier talks to the APP-TIER (App Server VM, 10.10.2.0/24, NSG) over HTTP(s) (443), and the app tier talks to the DB-TIER (DB Server VM, 10.10.3.0/24, NSG) over SQL (port shown as 1443). Direct client access to the DB tier is crossed out.]

Annotations from the figure:

Communication between the VMs can be blocked by the guest OS firewall or with a third-party host-based firewall solution.

RDP and remote management input endpoints for your servers can be locked down to specific IPs using IP ACLs.

Inbound communication to your web server can be restricted to specific TCP ports, i.e. 80 and 443, by creating input endpoints.

Direct access to the DB tier can be blocked by the guest OS firewall, a host-based firewall solution, or an Azure Network Security Group applied at the subnet level.


Action 5: SECURE YOUR APPLICATIONS USING A HOST-BASED INTRUSION PREVENTION SYSTEM

Even though you have enabled inbound connections on ports 80 and 443 using the network security controls available in the Azure cloud, you still need to further protect this allowed communication channel in your application. You can’t simply trust everything that comes over this channel. You must put the necessary controls in place to ensure the traffic coming over this channel is legitimate, and monitor your incoming traffic to actively prevent any intrusion that is detected.

This is where an intrusion prevention system (IPS) comes into play. When you are running your workloads in Azure, you are not going to deploy network-based intrusion prevention appliances; instead, you will go with a host-based intrusion prevention system. This host-based IPS will monitor your allowed incoming traffic and will try to actively prevent any intrusion it detects. As traffic passes through, it looks to make sure that it’s following the rules. Is the packet well-formed (e.g., does it conform to RFC specifications)? Is the packet in sequence? During this analysis, the IPS will make a decision about the traffic. Should it be allowed to continue on through, or should it be dropped immediately? The IPS controls would look for attacks such as SQL injection, cross-site scripting, attacks targeted towards the servers’ OS, and others. If it found any, the traffic would be dropped immediately before it hit your applications and workloads. If nothing was found, the request would continue on as normal.

The IPS provides a level of protection that goes beyond reducing the attack surface. It’s actively looking for the correct behavior within the permitted traffic.

Action 6: LEVERAGE PATCH IMAGES

Virtual patching complements a proactive approach and helps reduce your window of exposure. It uses technologies such as intrusion prevention systems to create a security layer and avoid direct modifications to the resources being protected. As soon as a vulnerability is announced, you can auto-protect your systems immediately without the need to wait until a patch is issued, tested, and deployed. It gives you the time required to complete all phases of patch management and follow the normal change management process. Virtual patching is less disruptive (i.e., a system reboot is not required) and is particularly beneficial in reducing the need for “out-of-band” patches or more frequent patching cycles.

Selecting a good host intrusion prevention system is critical: it can help you automate your virtual patching process and take the complexity out of your hands by automatically assigning the IPS rules that cover the vulnerabilities your systems are exposed to, and later un-assigning the IPS rules that are no longer needed after your patch deployment cycle.

When selecting a security control that provides virtual patching capabilities, you should look for these basic features as a start:

• Ability to perform a vulnerability scan to discover the vulnerabilities present on the system

• Ability to auto-assign IPS rules to protect your system against the reported vulnerabilities

• Ability to un-assign IPS rules that are no longer needed after patch deployment on your systems



Action 7: MONITOR YOUR SECURITY POSTURE

Until now, we have discussed security controls that provide protection capabilities using a firewall and IPS. A defense-in-depth security posture demands controls at each layer. The next step in your security strategy is to uphold the continuous integrity of critical system files, application configuration files, and application logs. Microsoft Azure provides diagnostic capabilities for Windows-based virtual systems that can be used to collect and track various metrics, analyze log files, define custom metrics, and capture logging generated by specific applications or workloads running in virtual machines. The monitoring is done via the VM agent that gets installed automatically (default configuration), and the monitoring is enabled at the VM level.

Once monitoring is enabled against your virtual system, it provides statistics data that you can use to detect abnormal network activity, outages, or indicators of attacks. You can also trigger alarms when certain conditions are met.

Action 8: SECURE YOUR APPLICATIONS USING HOST-BASED FILE MONITORING

The Azure monitoring capabilities provide the foundation for your monitoring requirements, but that’s only a start. Using a good host-based file integrity monitoring solution will take you one step further in your overall monitoring strategy. Having a host-based file integrity monitoring solution has become a critical aspect of information security since it can provide an early indication of a compromised system. It is also required by various compliance standards such as PCI. The host-based integrity monitoring system provides detection capabilities. Simply put, the host-based monitoring solution reports the following kinds of change:

• Something exists now, and it didn’t exist before, i.e. “created”

• Something existed before, and it doesn’t exist now, i.e. “deleted”

• Something existed before, and it is in a different state now, i.e. “updated”

And that “something” could be critical operating system or application files, directories, registry keys and values, system services, etc.

If you are already using a monitoring solution and are collecting logs to a central server, virtual machines running in the Azure cloud are just another resource that must be monitored.

When selecting a security control that provides “file integrity” capabilities, you should look for these basic features:

• Ability to provide “real-time” monitoring events

• Ability to auto-assign monitoring rules to help monitor critical operating system and application files, registry, system services, etc.

• Provide easy interface/framework to create custom monitoring rules
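The three change types above (created, deleted, updated) detected by a baseline-and-rescan file integrity check, as an added Python example that is not Trend Micro or Azure code and is a periodic scan rather than a real-time agent; the watched directory layout and file contents are constructed for illustration.

```python
"""Host-based file integrity check: baseline a watched directory, re-scan later and
report what was created, deleted or updated. Added example with constructed data."""
import hashlib
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Content hash plus the metadata a tampered file usually changes as well."""
    st = path.lstat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def snapshot(root) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its fingerprint."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            result[path.relative_to(root).as_posix()] = _fingerprint(path)
    return result


def diff(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots into created / deleted / updated."""
    created = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    updated = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"created": created, "deleted": deleted, "updated": updated}


def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then simulate an unexpected new
    file, a removed config file and a modified binary, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "httpd").write_bytes(b"\x7fELF original binary")
        (root / "conf").mkdir()
        (root / "conf" / "app.conf").write_text("debug=false\n")
        (root / "index.html").write_text("<h1>hello</h1>\n")
        baseline = snapshot(root)

        (root / "bin" / "httpd").write_bytes(b"\x7fELF modified binary")   # updated
        (root / "conf" / "app.conf").unlink()                               # deleted
        (root / "dropped.aspx").write_text("<%-- unexpected file --%>\n")   # created
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored off-host and the scan run on a schedule, feeding the central log server the text mentions.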


Action 9: USE AZURE TO IMPROVE INCIDENT RESPONSE

The number one goal is a successful recovery as fast as possible. In a traditional response flow, the first thing to do when an incident occurs is to isolate the server and take the workload out of service. It is imperative to restore service as quickly as possible. Next, you analyze and try to identify the cause of the incident, and then begin the repair process to see if an improvement can be made to avoid a recurrence. Once this cycle is complete, you can bring the replacement online.

However, when moving to the cloud, you can bring in the replacement server more quickly and conduct the analysis on a snapshot of the server through automation. This allows for a faster return to service and more time to perform the analysis. One argument against this approach is the question “what did we gain with this?” Bringing in the replacement server without repairing it will just reintroduce the problem. But this approach starts a game with the attacker that kicks them out, stopping further penetration into your environment.

By using this method, you have minimized the service impact and made infiltration more difficult. This game can run in parallel while you focus on analyzing and identifying the problem, fixing it on the replacement server and, knocking the hacker off completely.

Action 10: CONDUCT VULNERABILITY ASSESSMENTS AND PENETRATION TESTING

The main objective of a vulnerability assessment is to discover as many vulnerabilities as possible that an attacker could leverage to harm the organization. There are many self-service tools for conducting vulnerability assessments. However, it is recommended that a trained security assessor, internal or external, performs the assessment. A fresh set of eyes may detect more security flaws and can help fine-tune existing security controls or recommend adding more.

To evaluate the security of your implementation, follow the vulnerability assessment with a penetration test that safely exploits the vulnerabilities found, including OS service and application weaknesses. The vulnerability assessment identifies the vulnerabilities, but not the consequences if they are exploited. Penetration testing is therefore very useful for validating the effectiveness of your defensive mechanisms.

Microsoft understands the importance of penetration testing in any secure application deployment and has established a policy under which Azure customers request permission before conducting penetration tests against their own deployments.

These exercises will help you determine whether the implemented security controls can withstand real-world attacks. Afterward, you can begin remediation, which can be as simple as closing a port or turning off a service or, in other cases, can require a software patch or an intrusion prevention system rule. However it is accomplished, it is important to verify that the remediation is in place and that the vulnerability is no longer exploitable, ideally by re-running the test that found it.

Finally, you must stay involved and maintain your security practice, because requirements will evolve and you will need to evaluate these changes from a security perspective and deploy updated or new controls. It is key to ensure that the ongoing management aspect of security continues, which may involve documenting implemented controls and monitoring changes.


Making Security Work in the Cloud

Supplementing Microsoft Azure with the security you need to meet your shared responsibility must be done with an eye to protecting your workloads. Just as importantly, you must do it in a way that does not compromise the very benefits you are seeking from the cloud.

By its very nature the cloud is dynamic, with resources of varying types being launched and retired, often in the span of minutes. If your security cannot keep up in this fast-paced environment, you are faced with either compromising security as you try to “catch up” or sacrificing agility as you force the cloud to operate like a conventional data center with static resources.

To ensure you receive the full benefit from your secure cloud deployment, you’ll need to address several critical success factors:

1. Being able to recognize all virtual machines in your environment and have a clear picture of their security status. For example, it is critical to have a single dashboard for visibility into the current security status, alarms, or alerts of all VMs. This is especially important in cases where distributed administrators may launch new VMs without notification.

2. Automatically recognizing new virtual machines as they launch and immediately initiating security to ensure seamless security coverage. This allows you to take advantage of one of the most valuable aspects of the cloud—being able to launch resources only when they are needed.

3. Automatically recognizing when virtual machines are stopped so that unnecessary security resources are not consumed. This will help minimize costs, especially in environments where security is licensed on a per-hour or per-VM basis.

4. Automatically recognizing the nature of the workload as it is provisioned to ensure that the appropriate security is applied. The security policies for a web server differ from those of an application or database server. Being able to recognize the workload type when it launches ensures the right security policy is deployed without delaying the availability of the resource.
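The four success factors above amount to one reconciliation loop: compare what the cloud control plane says is running with what the security console says is protected, and act on every difference. The following is an added example of that loop, not code from the white paper or from any vendor product. The VM inventory and the agent's view are constructed dicts standing in for what you would pull from the Azure Resource Manager API and your security console; the `role` tag and the policy names are assumptions for illustration.

```python
"""Reconcile cloud VM inventory against security-agent coverage.

Added example, not the white paper's or any vendor's code. Inventory data,
tag names and policy names below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Assumed mapping from a workload tag to the policy that should be applied (factor 4).
POLICY_BY_ROLE = {
    "web": "Web Server Policy",
    "app": "Application Server Policy",
    "db": "Database Server Policy",
}
DEFAULT_POLICY = "Base Server Policy"  # applied when a VM carries no recognized role tag


@dataclass(frozen=True)
class VirtualMachine:
    name: str
    power_state: str  # "running" or "stopped"
    tags: dict = field(default_factory=dict)


def desired_policy(vm: VirtualMachine) -> str:
    """Derive the policy from the workload tag; unknown or missing tags get the baseline."""
    return POLICY_BY_ROLE.get(vm.tags.get("role", "").lower(), DEFAULT_POLICY)


def reconcile(vms: list, protected: dict) -> dict:
    """Compute the actions that bring agent coverage in line with the live inventory.

    vms:       VMs as reported by the cloud control plane.
    protected: name -> policy currently applied, as reported by the security console.
    """
    by_name = {vm.name: vm for vm in vms}
    provision, repolicy, deprovision = [], [], []

    for vm in vms:
        want = desired_policy(vm)
        have = protected.get(vm.name)
        if vm.power_state == "running":
            if have is None:
                provision.append((vm.name, want))  # factor 2: new VM, cover it immediately
            elif have != want:
                repolicy.append((vm.name, have, want))  # factor 4: wrong policy for the workload
        elif have is not None:
            deprovision.append(vm.name)  # factor 3: stopped VM still consuming a license

    # Agent records with no matching VM: the VM was deleted; release the license (factor 3).
    deprovision.extend(name for name in protected if name not in by_name)

    running = [vm for vm in vms if vm.power_state == "running"]
    covered = [vm for vm in running if protected.get(vm.name) == desired_policy(vm)]
    return {
        "provision": sorted(provision),
        "repolicy": sorted(repolicy),
        "deprovision": sorted(deprovision),
        # factor 1: a single coverage figure for the dashboard
        "coverage": (len(covered), len(running)),
    }


def demo() -> dict:
    """Constructed inventory: one untagged VM, one unprotected VM, one mis-policied VM,
    one stopped VM still licensed, and a stale agent record for a deleted VM."""
    vms = [
        VirtualMachine("web-01", "running", {"role": "web"}),
        VirtualMachine("web-02", "running", {"role": "web"}),   # launched without notification
        VirtualMachine("app-01", "running", {"role": "app"}),
        VirtualMachine("db-01", "running", {"role": "db"}),     # protected, but with the web policy
        VirtualMachine("batch-07", "stopped", {"role": "app"}),  # stopped, still licensed
        VirtualMachine("lab-03", "running", {}),                # no role tag
    ]
    protected = {
        "web-01": "Web Server Policy",
        "app-01": "Application Server Policy",
        "db-01": "Web Server Policy",
        "batch-07": "Application Server Policy",
        "old-99": "Base Server Policy",  # VM no longer exists
    }
    return reconcile(vms, protected)


if __name__ == "__main__":
    for action, items in demo().items():
        print(f"{action}: {items}")
```

Run on a schedule or, better, triggered from the control plane's VM lifecycle events, this loop is what turns “launch resources only when they are needed” into “and they are protected for exactly as long as they exist.” Note that a VM with no recognizable workload tag is still covered, only with the baseline policy; it is not left unprotected while someone decides what it is.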

If your cloud project is an extension of your data center, the capabilities listed above must be managed consistently across your physical, virtual, and cloud servers. Without this, you will end up with siloed security processes and policies. This disjointed approach not only drives up operating costs, it increases the odds that an inconsistency or oversight will lead to a compromise.


©2015 by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, and Smart Protection Network are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. [WP01_Azure_CSP_150721US]

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at www.trendmicro.com.

How Trend Micro can Help Secure Your Journey to the Cloud

Trend Micro understands that to fully embrace the cloud, security for the unique challenges it poses must be delivered in a way that preserves its economic and operational benefits. Trend Micro has been working closely with Microsoft to ensure that Trend Micro delivers elastic, flexible and scalable security solutions that are compatible with the Azure environment. Together, the two companies are helping organizations understand and overcome the main barrier to deploying applications in cloud services: security.

Security in the cloud is different and Trend Micro Deep Security is designed to be as automatic, agile and flexible as Microsoft Azure itself. The Deep Security platform delivers the broad range of security capabilities needed as part of the cloud’s shared responsibility model. Unlike traditional security, Deep Security monitors your Azure environment, automatically recognizing and provisioning security to new instances. Plus, Deep Security automates repetitive, resource-intensive security tasks, such as provisioning and deprovisioning, to dramatically reduce operational cost and time. These are done in a way that reflects the elastic nature of the cloud with fast deployment and automated management. So you get the security you need to move sensitive workloads to Microsoft Azure without compromising its promise of automation and agility.

To find out more about Trend Micro solutions for Microsoft Azure, visit azure.trendmicro.com

Leuvensesteenweg 510, 1930 Zaventem, +32 2 790 81 11, www.econocom.be

Econocom is a major digital service provider who assists European organisations in their digital transformation. Our 7,000 employees in 10 countries offer their expertise in infrastructures (IT governance and security, consulting and integration, cloud transformation, outsourcing and critical maintenance) and applications (digitalisation, new usages, collaboration, mobile solutions, Big Data, etc.). Our expertise ranges from data centres and end-user environments to networks and business applications.