AWS security and compliance tools embrace enterprise clouds

08.10.2015
Once upon a time, the biggest barrier to cloud adoption was security. That is no longer the case, but at the Re:Invent conference, Amazon.com unveiled two new security and compliance tools designed to make it easier for Amazon Web Services users to proactively find and fix security issues.

Organizations were originally reluctant to move their servers and applications to cloud platforms because they didn't want to run afoul of compliance requirements or commit errors that could result in a massive data breach.

To address those worries, AWS's new Amazon Inspector helps find vulnerabilities and other security issues; it also provides information on how to remediate those bugs and correct configuration mistakes. AWS's Config Rules, meanwhile, is designed to ease compliance concerns: it tells users when specific resources have changed and are no longer compliant.

Amazon Inspector is an automated security assessment service that finds security or compliance issues on applications deployed in AWS. It analyzes the application’s behavior by monitoring the network, file system, and process activity. It correlates the information with other data, such as details of communication with AWS, use of secure channels, and network traffic between instances to generate reports listing potential security issues.

Inspector correlates and analyzes all this information into a report, with issues grouped by severity so that users know which ones to pay attention to first. Inspector also provides advice on how to fix the problems.

The resulting report shows existing vulnerabilities in the application code or the server configuration, as well as areas where the service may be out of compliance. Inspector’s reports would be valuable for Amazon customers who find it challenging to stay abreast of changes made to their applications and servers. There have been numerous stories of developers realizing passwords and keys were left inside configuration files when the application was deployed or all the times a server was misconfigured. For businesses in heavily regulated industries such as finance and health care, the assessment could verify they are meeting the strict guidelines on how to store and use data.

Because Inspector is currently in preview, the only set of compliance rules it can check against is the PCI DSS 3.0 Assessment, but others will be added over time. Inspector also provides Cloud Trails, which is an audit trail indicating what issue was found, what actions were taken to address the issue, and when those actions occurred. Cloud Trails could be invaluable when working with auditors.

Users can specify the duration of the assessment and which rules -- such as best practices, compliance standards, and known vulnerabilities -- Inspector should use as part of its analysis. Along with the PCI DSS assessment, Inspector includes rules from Common Vulnerabilities and Exposures, Network Security Best Practices, Authentication Best Practices, Operating System Security Best Practices, and Application Security Best Practices.

The rules packages draw on all the knowledge Amazon has built up over the years, AWS senior vice president Andrew Jassy said. "You can tell which assessments were done, what findings they have, and what they actually did to remediate."

The second tool, Config Rules, is designed to make compliance more straightforward. Users can set up compliance rules for resources and define specific actions that execute automatically if the rules are violated. The triggers can range from simply reporting the issue to appropriate parties to shutting down instances.

Developers can fire up and shut down storage, processing, and networking resources as needed on AWS. But in a fast-paced environment, it is very easy to overlook security guidelines and policies. Config Rules will automate the checks so that users can fix the issues as they are found, Amazon said.

Config Rules can ensure, for example, that every instance is associated with at least one security group, or that EC2 instances launched in a particular virtual private cloud are properly tagged. It can also check that port 22 is not open to any resource associated with a production security group. Whenever a resource changes or a new one is created, Config Rules runs and verifies whether the resource is still within the defined parameters.

Config Rules automates compliance checks, and all results are recorded and tracked on a per-resource basis. Config Rules could be very helpful for customers who may have forgotten about an instance or two sitting around in their environment. Config Rules can be used to shut down instances that aren’t in use or to look at the compliance status of a specific type of resource.
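As an added illustration of the port-22 check described above (example code written for this article, not AWS's own rule), the evaluation logic of a custom Config rule can be kept small and testable offline. The security group below is constructed; its field names are assumed to follow the shape of an AWS Config configuration item for an EC2 security group, and the handler only returns its verdict rather than reporting it back to AWS.

```python
import json

# Constructed sample: a production security group that exposes both 443
# and 22 to the whole Internet. Field names assumed from the AWS Config
# configuration-item format for AWS::EC2::SecurityGroup; the id is a placeholder.
PROD_SG = {
    "groupId": "sg-0123456789abcdef0",
    "groupName": "prod-web",
    "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
    ],
}

def rule_allows_port(perm, port):
    """True if one ingress permission covers `port` (or all traffic)."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                      # "-1" = every protocol and port
        return True
    if proto not in ("tcp", "6"):          # SSH is TCP; ignore udp/icmp rules
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)

def open_port_sources(sg_config, port=22):
    """List the CIDR sources that can reach `port` through this group."""
    sources = []
    for perm in sg_config.get("ipPermissions", []):
        if rule_allows_port(perm, port):
            sources.extend(r["cidrIp"] for r in perm.get("ipRanges", []))
    return sources

def evaluate_compliance(sg_config, port=22, allowed_cidrs=()):
    """NON_COMPLIANT if any source for `port` is outside the allow-list."""
    bad = [c for c in open_port_sources(sg_config, port) if c not in allowed_cidrs]
    if bad:
        return "NON_COMPLIANT", f"port {port} reachable from {', '.join(bad)}"
    return "COMPLIANT", f"port {port} limited to {list(allowed_cidrs) or 'no source'}"

def build_sample_event(sg_config, allowed=""):
    """Constructed stand-in for the event a custom Config rule receives."""
    item = {"resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": sg_config["groupId"], "configuration": sg_config}
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "ruleParameters": json.dumps({"allowedCidrs": allowed})}

def lambda_handler(event, context=None):
    """Rule entry point: parse the configuration item and return a verdict."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return {"complianceType": "NOT_APPLICABLE"}
    params = json.loads(event.get("ruleParameters", "{}"))
    allowed = tuple(c.strip() for c in params.get("allowedCidrs", "").split(",") if c.strip())
    status, why = evaluate_compliance(item["configuration"], 22, allowed)
    return {"complianceType": status, "annotation": why, "resourceId": item["resourceId"]}
```

In a deployed rule the returned verdict would be sent back to Config as an evaluation; here it is simply returned so the logic can be exercised with constructed input.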

For a long time, many organizations held back from moving their workloads to cloud platforms because they were concerned about security. They weren’t sure how to secure the data being stored on servers they didn’t have full control over. There were questions about authentication and identity management, concerns over compliance, and issues with moving data securely.

At this year's Re:Invent conference, consulting giant Accenture announced a new AWS Business Group to help businesses address those worries and to migrate their applications to the cloud platform. Accenture recently bought Cloud Sherpas, a Google Cloud Platform consultancy, and it is clearly beefing up its cloud development and migration capabilities.

(www.infoworld.com)

Fahmida Y. Rashid