Succeeding at Cloud Vulnerability Management
Many organizations are migrating to cloud infrastructures. The cloud presents new levels of flexibility and scalability in the way organizations operate. But as with any new opportunity, it also creates new forms of risk. How can organizations succeed at identifying and remediating these security risks?
Take advantage of vendor-provided security products
Cloud service providers (CSPs) like Google (GCP), Microsoft (Azure), Oracle, and Amazon (AWS) are motivated to help you secure your cloud environment. These services have built-in security checks as you develop your environment to protect against common misconfigurations. Additionally, they often have premium security services that can help protect your infrastructure from misconfiguration and vulnerabilities.
Examples of these products include Google’s Cloud Security Command Center, Amazon Inspector, and Azure Security Center.
Each vendor provides an array of services that may be appropriate for your environment according to what’s in your cloud and how it integrates with your business. There are options to assist with identity management, cryptographic keys, DDoS prevention, web application firewalls, secure image deployment, and many other components of a cloud presence.
Take Asset Inventory
Any vulnerability management program requires a solid understanding of the organization’s assets. Fortunately, this is often easier in the cloud than in physical environments. Cloud providers allow an administrator to see all associated computing resources, such as compute, storage, and network connections, by using an administrative interface, API, or running a query.
Inventory work becomes more challenging when there are multiple cloud providers and environments; for these situations, the organization may require a central documentation repository of cloud assets.
Starting with a reliable collection of assets will improve your ability to get accurate and thorough results when conducting vulnerability scans.
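The following is an added example, not code from the original article: it shows one way to build the central inventory described above from exports of two providers, then derive scanner target lists from it. The export shapes and field names are constructed for illustration and are not real provider API output.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample exports (assumption: loosely modelled on what a provider's
# instance-listing API might return; not real output).
GCP_INSTANCES = [
    {"name": "web-1", "zone": "us-central1-a",
     "networkInterfaces": [{"networkIP": "10.0.1.5",
                            "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
    {"name": "db-1", "zone": "us-central1-b",
     "networkInterfaces": [{"networkIP": "10.0.2.7", "accessConfigs": []}]},
]
AWS_INSTANCES = [
    {"InstanceId": "i-0abc", "PrivateIpAddress": "10.1.0.4",
     "PublicIpAddress": "198.51.100.8"},
    {"InstanceId": "i-0def", "PrivateIpAddress": "10.1.0.9"},
]

@dataclass(frozen=True)
class Asset:
    provider: str
    asset_id: str
    private_ip: str
    public_ip: Optional[str]   # None when the asset has no Internet-facing address

def normalize_gcp(instances: List[dict]) -> List[Asset]:
    out = []
    for inst in instances:
        nic = inst["networkInterfaces"][0]
        nat = [cfg.get("natIP") for cfg in nic.get("accessConfigs", []) if cfg.get("natIP")]
        out.append(Asset("gcp", f'{inst["zone"]}/{inst["name"]}', nic["networkIP"], nat[0] if nat else None))
    return out

def normalize_aws(instances: List[dict]) -> List[Asset]:
    return [Asset("aws", i["InstanceId"], i["PrivateIpAddress"], i.get("PublicIpAddress"))
            for i in instances]

def build_inventory(*sources: List[Asset]) -> Dict[str, Asset]:
    # Key by provider and provider-specific id so the same asset seen twice
    # (e.g. from two exports) is recorded once in the central repository.
    return {f"{a.provider}:{a.asset_id}": a for src in sources for a in src}

def scan_targets(inventory: Dict[str, Asset], external: bool) -> List[str]:
    # External scans get public addresses only; internal scans get every private address.
    if external:
        return sorted(a.public_ip for a in inventory.values() if a.public_ip)
    return sorted(a.private_ip for a in inventory.values())

INVENTORY = build_inventory(normalize_gcp(GCP_INSTANCES), normalize_aws(AWS_INSTANCES))
```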
Secure Configuration
Cloud environments have introduced unprecedented flexibility to organizational infrastructure – almost any network configuration imaginable is possible in a virtual environment. However, that flexibility introduces additional risk. Insecure configuration is one of the top threats to a cloud environment.
One way to mitigate this risk is to use industry-standard secure practices when designing and auditing configuration. The Center for Internet Security (CIS) provides industry-standard benchmarks for secure cloud configurations for most common vendors. These benchmarks are integrated into most popular vulnerability scanners as a plugin, but the content is also available for free from CIS (https://www.cisecurity.org/insights/blog/foundational-cloud-security-with-cis-benchmarks). Many CSPs also provide their own versions of best practices for configuring cloud environments.
Limit the attack surface
Until recently, many organizations were afraid to move their assets to the cloud – “I don’t want my assets exposed to the Internet!”
CSPs have responded to this concern by creating granular controls over the exposed surface. A cloud environment can have open access to assets from anywhere on the Internet, or it can be tightly controlled and logged with assets accessible only from specific jump points and identities. For example, port 22 (SSH) can be accessible only from a computer that offers a pre-distributed private key, or from a specific IP address range, or through an identity-aware proxy.
The external attack surface is important, but it’s also important to manage access internally. For example, limit access to data storage to specific users or groups.
This is often a delicate balance between security and usability – more granular security often means more time troubleshooting, managing exceptions, and organizational changes.
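As an added example (not code from the original article), the audit below checks the SSH case mentioned above: it flags any ingress rule that lets TCP port 22 in from a source range outside an approved list of jump-host addresses. The rule format and the approved range are constructed assumptions, not any provider's real schema.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumption: the only networks allowed to reach SSH are the jump hosts (constructed range).
ALLOWED_SSH_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed ingress rules in a provider-neutral shape (assumed fields, not a real API).
RULES = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "protocol": "tcp",
     "ports": "22", "sources": ["0.0.0.0/0"]},
    {"name": "allow-ssh-bastion", "direction": "INGRESS", "protocol": "tcp",
     "ports": "22", "sources": ["192.0.2.0/24"]},
    {"name": "allow-all-tcp-office", "direction": "INGRESS", "protocol": "tcp",
     "ports": "0-65535", "sources": ["198.51.100.0/24"]},
    {"name": "allow-https", "direction": "INGRESS", "protocol": "tcp",
     "ports": "443", "sources": ["0.0.0.0/0"]},
]

def port_range(spec: str) -> Tuple[int, int]:
    # "22" -> (22, 22); "0-65535" -> (0, 65535)
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def covers_port(spec: str, port: int) -> bool:
    lo, hi = port_range(spec)
    return lo <= port <= hi

def source_is_approved(cidr: str, allowed) -> bool:
    net = ipaddress.ip_network(cidr, strict=False)
    # subnet_of() refuses mixed IPv4/IPv6 comparisons, so check the version first;
    # a broad range such as 0.0.0.0/0 is never a subnet of the approved list.
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def audit_ssh_rules(rules: List[dict], allowed, port: int = 22) -> List[Dict[str, str]]:
    findings = []
    for rule in rules:
        if rule["direction"] != "INGRESS" or rule["protocol"] not in ("tcp", "all"):
            continue
        if rule["protocol"] == "tcp" and not covers_port(rule["ports"], port):
            continue
        for src in rule["sources"]:
            if not source_is_approved(src, allowed):
                findings.append({"rule": rule["name"], "source": src,
                                 "issue": f"tcp/{port} reachable from unapproved range"})
    return findings
```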
Regular auditing and scanning
Once cloud configurations are secure, your organization may want to scan the operating systems of virtual machines or computing resources within the cloud for vulnerabilities. If your organization already uses a vulnerability scanning product like Nessus, Wazuh, OpenVAS or another scanner, it may be necessary to link the on-premises product to the cloud, or build a scanning environment within the cloud. Some commercial toolsets hosted by the provider may also have the ability to link to your organization’s cloud environment. Once the toolset can connect to the cloud assets, scanning for vulnerabilities is much like it is on a physical network – provide the assets to the scanner, run a scan to collect vulnerabilities, and remediate.
Prioritize and remediate
As with any vulnerability management program, resolving findings is an important phase in the cycle. Severity, exploitability, and potential impact all come into play when making decisions about where to put resources. Severe, high-priority vulnerabilities might include:
- Severe exploitation risks, like remote code execution or authentication bypass
- Vulnerabilities that can be exploited from the larger Internet, or by a large number of users
- Vulnerabilities with a large impact (that risk a large set of data, or sensitive data)
Once high-priority vulnerabilities are identified, the team can plan and schedule remediation.
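The following is an added example, not code from the original article: it turns the three prioritization criteria above into a score and a remediation order. The findings, the weights and the tier cut-offs are constructed assumptions; a real program would tune them to its own risk appetite.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    host: str
    title: str
    cvss: float            # scanner-reported base score, 0-10
    effect: str            # e.g. "rce", "auth-bypass", "priv-esc", "dos"
    internet_facing: bool  # reachable from the larger Internet (known from the asset inventory)
    user_reach: int        # approximate number of users who can reach the service
    sensitive_data: bool   # host holds a large or sensitive data set

# Constructed sample findings; titles are generic and not tied to any real advisory.
FINDINGS = [
    Finding("web-1", "Unauthenticated remote code execution in web tier", 9.8, "rce", True, 100000, False),
    Finding("db-1", "Authentication bypass in database service", 8.1, "auth-bypass", False, 20, True),
    Finding("build-1", "Local privilege escalation on build agent", 7.8, "priv-esc", False, 5, False),
    Finding("intranet-1", "Denial of service in intranet portal", 7.5, "dos", False, 5000, False),
]

def priority_score(f: Finding) -> float:
    # Start from severity, then add for each of the article's three criteria (assumed weights).
    score = f.cvss
    if f.effect in ("rce", "auth-bypass"):   # severe exploitation outcome
        score += 3.0
    if f.internet_facing:                     # exploitable from the larger Internet
        score += 3.0
    elif f.user_reach >= 1000:                # or by a large number of users
        score += 1.5
    if f.sensitive_data:                      # large or sensitive data at risk
        score += 2.0
    return round(score, 1)

def tier(score: float) -> str:
    # Assumed cut-offs: P1 gets scheduled first, P3 goes into the normal patch cycle.
    if score >= 12.0:
        return "P1"
    if score >= 8.0:
        return "P2"
    return "P3"

def remediation_order(findings: List[Finding]) -> List[Finding]:
    # Highest score first; hosts break ties so the order is stable for scheduling.
    return sorted(findings, key=lambda f: (-priority_score(f), f.host))
```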
We Can Help
Sedara’s Cybersecurity Development Program (CDP) and its trained virtual Chief Information Security Officers (vCISOs) can help you build a successful cybersecurity program that reduces risk. Our vCISOs serve as your expert, trusted advisors on all things cyber. If you want to know more about how we can help – it’s time to get started.