Automating Secure Configuration Management in the Cloud
For many organizations moving to the cloud, Infrastructure as a Service (IaaS) like AWS EC2, Azure Virtual Machines or Google Compute Engine often forms the backbone of their cloud architecture. These services allow you to create instances of pretty much any operating system almost instantly.
Unfortunately, moving your IT infrastructure to the cloud doesn’t relieve you of your compliance or security obligations. Each public cloud provider publishes its own version of a shared responsibility model. In all of them, the customer, not the cloud provider, is responsible for operating system and application configuration security and compliance.
Responsibility for security and compliance does not go away when you migrate assets to the cloud. Rather, it becomes more challenging. According to a Gartner survey of 505 organizations that use public cloud services, 30% of them cited agility as their top reason for adopting cloud services (second only to cost savings at 34%). And no wonder: the ability to automate the deployment of assets allows organizations to scale their infrastructure up and down as needed, which also helps them achieve those cost savings.
The dynamic nature of IaaS either creates or magnifies challenges with which security and governance teams need to contend. For example, when a new EC2 instance is created and started, how would you prove to an auditor that its configuration is compliant with PCI, SOX, HIPAA, or any other of a number of standards that organizations are required to comply with? How can you ensure that the system is configured securely when it starts up?
The lifetime of a physical server in an IT environment is often measured in years. That meant there was usually sufficient time during provisioning to install an agent and run a configuration scan before the server went into production. In the cloud, however, the lifetime of a server instance is sometimes only minutes. Provisioning takes only a few seconds, and once it is done, the virtual instance goes into production almost instantly. Immediate configuration and compliance scans are therefore a necessity in cloud environments.
We have worked with a number of Tripwire Enterprise customers to develop automated onboarding workflows by integrating TE with their public cloud provider using TE Commander and TE’s rich REST API layer. In TE 8.8.1, we’ve incorporated those capabilities into the product itself. Now, when an agent connects to the console for the first time, you can have TE evaluate it against CIS, PCI, SOX or any of the other 2000+ out-of-the-box platform and policy combinations based on the asset’s make, model and version (e.g. RHEL 7.6, Windows 2016 Server, etc.).
Essentially, you can automate the entire security and compliance evaluation process when a new asset comes online. These new capabilities ensure that your assets are configured securely the moment they start running. And if they aren’t, they allow you to take immediate action. For compliance audits, you can show auditors evidence that assets were in compliance as they were spun up.