In this first part of a series of articles discussing ‘How to build a Cloud Security Posture Management platform for AWS’ we’ll cover what one is, why we should use one and how they work.
Cloud Security Posture Management is a practice intended to identify and remediate risk through security assessments and automated compliance monitoring.
Many organisations assume their cloud hosting provider is entirely responsible for security and compliance. In reality this is a shared responsibility between the cloud hosting provider and the customer. The cloud hosting provider will publish a Shared Responsibility statement clearly defining the demarcation between the responsibilities of the provider and those of the customer.
The AWS Shared Responsibility Model details AWS’s responsibilities and the customer’s responsibilities.

AWS responsibility “Security of the Cloud” – AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
Customer responsibility “Security in the Cloud” – Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities.
Once we understand what we, as the customer, are responsible for, we need a mechanism for assessing whether security controls are enabled and configured correctly. This is where a CSPM platform can be used. A CSPM is aware of the desired or recommended state of security configurations and can test whether those configurations have been enabled or set correctly. The platform can continuously assess the security configuration of our cloud workloads and take the appropriate action when it discovers misconfigurations, either in the form of alerts and notifications, or as automatic actions or remediations.
Best Practice Guidelines
The Center for Internet Security creates consensus-based security configuration guidelines. The Amazon Web Services Foundations Benchmark was created using a consensus review process comprising a global community of subject matter experts. The benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services, with an emphasis on foundational, testable, and architecture-agnostic settings.
The benchmark provides recommendations and audit instructions which can be mapped directly onto the Implementation Groups of the CIS Controls. These recommendations are categorised into one of two profile levels.
- Level 1 – Items in this profile intend to:
  - be practical and prudent;
  - provide security-focused best practice hardening of a technology; and
  - limit impact to the utility of the technology beyond acceptable means.
- Level 2 – This profile extends the “Level 1” profile. Items in this profile exhibit one or more of the following characteristics:
  - are intended for environments or use cases where security is more critical than manageability and usability
  - act as a defence-in-depth measure
  - may impact the utility or performance of the technology
  - may include additional licensing, cost, or addition of third-party software
A CSPM will test whether the controls defined in this benchmark have been configured and will report a Pass/Fail result for each. These results can be used to measure compliance against the benchmark and to trigger automated responses that alert analysts or remediate configuration drift.
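To make the mechanism described above concrete, here is an added example (not code from this series or from CIS) of the core of a CSPM check engine: a set of desired-state rules, each tagged with a CIS profile level, evaluated against a configuration snapshot to produce Pass/Fail findings and a per-level compliance score. The rule ids, the snapshot layout and the sample values are assumptions constructed for the example; in a real platform the snapshot would be filled by a collector calling the AWS APIs.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    rule_id: str
    level: int                     # CIS profile level: 1 or 2
    check: Callable[[dict], bool]  # True when the snapshot satisfies the control

@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: int
    status: str                    # "PASS" or "FAIL"

# Rules modelled on the kind of controls the CIS AWS Foundations Benchmark
# contains; the ids are illustrative and not the benchmark's own numbering.
RULES = [
    Rule("root-mfa", 1, lambda s: s["account"]["root_mfa_enabled"]),
    Rule("pw-min-length", 1, lambda s: s["password_policy"]["minimum_length"] >= 14),
    Rule("cloudtrail-multi-region", 1,
         lambda s: any(t["multi_region"] for t in s["cloudtrail"]["trails"])),
    Rule("s3-no-public-buckets", 2,
         lambda s: not any(b["public"] for b in s["s3"]["buckets"])),
]

def assess(snapshot: dict, rules=RULES) -> list:
    """Evaluate every rule against the snapshot. A rule whose data is missing
    is reported as FAIL rather than skipped, so a collection gap cannot pass
    for compliance."""
    findings = []
    for r in rules:
        try:
            ok = bool(r.check(snapshot))
        except (KeyError, TypeError):
            ok = False
        findings.append(Finding(r.rule_id, r.level, "PASS" if ok else "FAIL"))
    return findings

def compliance_score(findings, level: int) -> float:
    """Fraction of rules at or below the given profile level that passed."""
    scoped = [f for f in findings if f.level <= level]
    return sum(f.status == "PASS" for f in scoped) / len(scoped) if scoped else 1.0

# Constructed snapshot standing in for what a collector would pull from the AWS APIs.
SAMPLE_SNAPSHOT = {
    "account": {"root_mfa_enabled": True},
    "password_policy": {"minimum_length": 8},
    "cloudtrail": {"trails": [{"name": "org-trail", "multi_region": True}]},
    "s3": {"buckets": [{"name": "logs", "public": False}, {"name": "www", "public": True}]},
}
```

Running `assess(SAMPLE_SNAPSHOT)` yields two FAIL findings (the 8-character password minimum and the public bucket); the FAIL list is what an alerting or remediation step would consume.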