SOC (Security Operations Center) teams, ops, DevOps, SRE, or whatever you want to call it: security operations need special attention. Companies of all sizes and industries must invest in security. Security requirements change drastically based on industry and team size. On-prem, cloud, or hybrid choices also affect these requirements and the type of expertise you need to secure your systems. But one thing doesn't change: security operations are never static. Everything changes all the time once the software is actually running in production. In this blog post, we will look at why static security approaches don't work in the cloud and how cloud providers support us.
Security operations are never static on the cloud
Modern software runs on the cloud unless there is a strong legal reason not to do so. The cloud has become the default choice. Contrary to common perception, the cloud doesn't make security harder, but it does require a different approach, because everything is even more dynamic.
Traditional security checks rely on installing agents on machines that collect logs or metrics every X minutes or hours. This static approach doesn't work in the cloud, where things change dynamically. The cloud differs from the traditional approach in two major ways.
Resources are short-lived
We started treating cloud infrastructure resources as cattle instead of pets. We don't launch an EC2 instance and use it for a year before upgrading it. Software is installed on many machines distributed across more than one availability zone and updated by automation that replaces old instances with new ones.
Fully managed services favored over self-managed services
The cloud offers much more than just VMs, containers, or functions. AWS has more than 100 different services for almost anything you need to build your software. RDS, DynamoDB, SNS, SQS, and Kinesis all have self-managed alternatives, but cloud customers choose the managed versions because they cause much less trouble over time. This shift from self-managed to managed services means we no longer care about most of the internals; instead, we need to watch for changes to resource configurations and act on potential dangers in time.
How does cloud support modern security?
Cloud providers such as AWS embed services that perform security checks out of the box. There is a long list of security and compliance services in AWS's portfolio. For example, Amazon GuardDuty is a continuous threat detection service that looks for malicious activity and unauthorized behavior. Its goal is to protect your AWS accounts, workloads, and data stored in Amazon S3. Another powerful tool in AWS's security toolkit is AWS Config. Config records resource configuration changes in AWS accounts and lets you query the data it collects. Such tools go a long way toward keeping the cloud's security promise and make security much easier than with on-prem solutions. This doesn't mean modern software teams can simply turn on these built-in services and stay secure. The built-in tools have some downsides, but their benefits show that they should be enabled by default. Supporting tools like Resmo should also be used to extend their capabilities: our platform covers more resource types and offers additional flexibility with out-of-the-box third-party integrations and built-in rules.
Logs don’t work well in dynamic environments
One important difference worth mentioning in cloud security is that traditional log-based security approaches fall short. In many cases, you need on-point queries against specific resource attributes to detect key misconfigurations. Logging without key metrics makes security complex and hard to scale. Even when tools support every kind of query and collect every kind of data, an operator cannot carry that much mental overhead across hundreds of data points. When metrics are collected per service with resource details and auto-complete functionality, security becomes much easier.
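As an added example (not Resmo's or AWS's own code), here is a small rule engine that evaluates each resource configuration change as it arrives, the kind of attribute-specific check described above. The event shape loosely follows AWS Config configuration items, the rules and the admin-port policy are assumptions, and the two events at the end are constructed samples.

```python
# Added example (not Resmo's or AWS's own code): evaluate each resource
# configuration change as it arrives instead of polling logs on a schedule.
# Event shape loosely follows an AWS Config configuration item; samples are constructed.
OPEN_TO_WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # hypothetical policy: SSH/RDP never open to everyone

def check_security_group(cfg):
    """Flag ingress rules that expose an admin port to the whole internet."""
    issues = []
    for perm in cfg.get("ipPermissions", []):
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)  # no ports = all
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in OPEN_TO_WORLD and any(lo <= p <= hi for p in ADMIN_PORTS):
                issues.append(f"ingress from {cidr} on ports {lo}-{hi}")
    return issues

def check_s3_bucket(cfg):
    """Flag buckets whose public access block is missing or partly disabled."""
    pab = cfg.get("publicAccessBlockConfiguration") or {}
    off = [k for k in ("blockPublicAcls", "blockPublicPolicy",
                       "ignorePublicAcls", "restrictPublicBuckets") if not pab.get(k)]
    return [f"public access block not enforced: {', '.join(off)}"] if off else []

RULES = {"AWS::EC2::SecurityGroup": check_security_group,
         "AWS::S3::Bucket": check_s3_bucket}

def evaluate(event):
    """Apply the rule for the event's resource type; return a finding or None."""
    item = event["configurationItem"]
    rule = RULES.get(item["resourceType"])
    issues = rule(item.get("configuration") or {}) if rule else []
    return {"resourceId": item["resourceId"], "issues": issues} if issues else None

def evaluate_stream(events):
    """Return only the events that produced findings, in arrival order."""
    return [f for f in map(evaluate, events) if f]

# Constructed sample change events: one risky security group, one compliant bucket.
SAMPLE_EVENTS = [
    {"configurationItem": {"resourceType": "AWS::EC2::SecurityGroup",
                           "resourceId": "sg-0example", "configuration": {
        "ipPermissions": [{"fromPort": 22, "toPort": 22,
                           "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}},
    {"configurationItem": {"resourceType": "AWS::S3::Bucket",
                           "resourceId": "example-logs", "configuration": {
        "publicAccessBlockConfiguration": dict.fromkeys(("blockPublicAcls",
            "blockPublicPolicy", "ignorePublicAcls", "restrictPublicBuckets"), True)}}},
]
```

Calling `evaluate_stream(SAMPLE_EVENTS)` yields a single finding for the security group and nothing for the bucket; unknown resource types pass through without a rule.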
How should you approach dynamic cloud security?
We believe that our approach to modern cloud security at Resmo is the best and easiest starting point wherever a dynamic posture is needed to secure all types of cloud and SaaS services. You connect your AWS accounts and other dev tools like GitHub, GitLab, CircleCI, or Slack, and immediately start collecting resource changes in one place.
Developers with extended responsibilities at the infrastructure level, combined with dynamic microservice environments, lead to resources being created and destroyed every second. Having config changes in one place helps security teams stay focused and keep the right context. If resource configuration changes are not monitored in near real time, important data may be lost and critical questions may stay unanswered. If you hear someone say "this happened only once and we can't figure out why", start by collecting the right data at the right time. The analysis part is also important, but it all starts with the right data. The right data is key because too much unstructured data, as we mentioned earlier, makes things worse.
In our upcoming blog posts, we will show how Resmo helps you manage your cloud posture and stay secure in dynamic development environments. For now, sign up for our list to get notified of our upcoming private beta launch!