1594795560
In today’s cloud-native world, where infrastructure as code adoption is soaring and building cloud environments at scale requires reproducibility and resilience, the ability to change and grow infrastructure quickly is prioritized from the start. It’s intriguing, then, that for so many of us “cloud security” is associated only with addressing misconfigurations and compliance violations after they have occurred in run-time.
Identifying infrastructure issues without focusing on the process and code in build-time is at complete odds with how we design and build modern cloud infrastructure. If we build immutable infrastructure, we need to start thinking about how to secure immutable infrastructure, and run-time security in isolation isn’t enough. On the flip side, addressing cloud security risks in build-time alone lacks the full context of production infrastructure, leaving gaps in your environment.
In this post, we’ll focus on security issue detection via scanning in both build-time and run-time, outlining their values and pitfalls to illustrate the importance of leveraging them both.
To keep up with clouds becoming more complex, cloud providers supply rich metadata and telemetry surrounding the management of cloud resources. Building a sustainable cloud security program requires the consistent and extensible collection and analysis of that data.
Community-led projects such as Prowler for AWS and Forseti for Google Cloud have emerged to serve that purpose. Both projects pioneered the use of the providers’ exposed APIs to gather configuration data and inspect it for misconfigurations, and both are built to detect post-deployment misconfigurations.
Most cloud providers also now include this type of functionality in their control plane management services. Using native tools like AWS Config, Azure Policies, and Google Asset Inventory, it is easier than ever to gain that basic visibility for your cloud.
Run-time cloud security is certainly best practice but comes with its own set of benefits and caveats:
Scanning in run-time follows the actual state of configurations. When configuration is managed through several methods at once, run-time scanning remains the primary viable technique for identifying and evaluating configuration changes over time.
Most regulated industries now require continuous change-control auditing and tracing. To satisfy those requirements, most scanners map their findings to standard industry benchmarks. Once controls are mapped into benchmarks and sections, you can use the scan reports as baseline evidence to satisfy most industry-specific requirements and audits.
Depending on the scan frequency, run-time scanning can quickly identify and classify ongoing issues. Connecting scanners to ticketing or monitoring tools can help ensure speedier response and mitigation.
Most scanners still rely heavily on deterministic detection logic that lacks context, resulting in a tide of irrelevant findings—especially for dynamic environments with short-lived resources. For example, in environments utilizing auto-scaling groups, run-time scanning would return inconsistent results between scans and produce output that’s not representative of the latest resource states. Additionally, scanning multi-faceted IAM permissions or full networking topology could falsely alarm against a configuration change.
After flagging a misconfiguration, the immediate question is usually “what can we do to fix it?” If fixing a single cloud misconfiguration requires ten manual steps, or the configuration cannot be reverted, then escalating it has only wasted valuable developer time.
For teams utilizing infrastructure code frameworks to orchestrate cloud resources, fixing a misconfiguration solely in run-time leaves the risk of it recurring. To ensure that a cloud misconfiguration won’t recur, remediations have to happen at the source.
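To make the build-time/run-time contrast concrete, here is an added example (not code from the original post) that applies one policy, “port 22 reachable from anywhere”, in both phases: a build-time scan over a Terraform plan in the shape of `terraform show -json`, and a run-time scan over a response shaped like EC2 DescribeSecurityGroups. A final reconcile step maps a live finding back to the Terraform resource that manages it so the fix lands at the source, and shows the case where no source exists because the group was created by hand. The plan, the API response, the group ids and the convention that the Name tag is set from code are all constructed for the example.

```python
from __future__ import annotations
from typing import NamedTuple, Optional

# Added example; the plan and API data below are constructed, not from a real account.
WORLD = {"0.0.0.0/0", "::/0"}


class Finding(NamedTuple):
    phase: str     # "build-time" (from the plan) or "run-time" (from the live API)
    locator: str   # Terraform address or live GroupId: where a fix can be applied
    detail: str


def _rule_exposes_port(protocol, from_port, to_port, cidrs, port) -> bool:
    """True if an ingress rule reachable from anywhere covers `port`.

    Terraform encodes "all traffic" as protocol "-1" with ports 0-0; the EC2 API
    encodes it as IpProtocol "-1" with FromPort/ToPort absent, so the protocol
    is checked before the port range.
    """
    proto = str(protocol)
    if proto == "-1":
        covers = True
    elif proto == "tcp" and from_port is not None and to_port is not None:
        covers = from_port <= port <= to_port
    else:
        covers = False
    return covers and any(c in WORLD for c in cidrs)


def scan_terraform_plan(plan: dict, port: int = 22) -> list[Finding]:
    """Build-time: walk planned aws_security_group resources with inline ingress blocks."""
    findings = []
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res["type"] != "aws_security_group":
            continue
        for rule in res["values"].get("ingress") or []:
            cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
            if _rule_exposes_port(rule.get("protocol"), rule.get("from_port"),
                                  rule.get("to_port"), cidrs, port):
                findings.append(Finding("build-time", res["address"], f"port {port} open to the world"))
    return findings


def scan_describe_security_groups(live: dict, port: int = 22) -> list[Finding]:
    """Run-time: walk a DescribeSecurityGroups-shaped response from the live account."""
    findings = []
    for sg in live.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if _rule_exposes_port(perm.get("IpProtocol"), perm.get("FromPort"),
                                  perm.get("ToPort"), cidrs, port):
                findings.append(Finding("run-time", sg["GroupId"], f"port {port} open to the world"))
    return findings


def locate_source(finding: Finding, plan: dict, live: dict) -> Optional[str]:
    """Map a run-time finding to the Terraform resource that manages the group.

    Assumes (constructed convention) that the Name tag is set from code. A group
    with no matching resource was created outside the pipeline and can only be
    fixed by hand or by importing it into code; a run-time-only fix would recur.
    """
    name = None
    for sg in live.get("SecurityGroups", []):
        if sg["GroupId"] == finding.locator:
            name = next((t["Value"] for t in sg.get("Tags", []) if t["Key"] == "Name"), None)
    if name is None:
        return None
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res["type"] == "aws_security_group" and (res["values"].get("tags") or {}).get("Name") == name:
            return res["address"]
    return None


SAMPLE_PLAN = {  # constructed, shaped like `terraform show -json tfplan`
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "values": {"tags": {"Name": "bastion-sg"}, "ingress": [
             {"protocol": "tcp", "from_port": 22, "to_port": 22,
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": None}]}},
        {"address": "aws_security_group.app", "type": "aws_security_group",
         "values": {"tags": {"Name": "app-sg"}, "ingress": [
             {"protocol": "tcp", "from_port": 443, "to_port": 443,
              "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": None}]}},
    ]}}}

SAMPLE_LIVE = {  # constructed, shaped like ec2:DescribeSecurityGroups output; ids are placeholders
    "SecurityGroups": [
        {"GroupId": "sg-0123456789abcdef0", "Tags": [{"Key": "Name", "Value": "bastion-sg"}],
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0fedcba9876543210", "Tags": [],  # created by hand, absent from code
         "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    ]}


if __name__ == "__main__":
    for f in scan_terraform_plan(SAMPLE_PLAN):
        print(f"{f.phase}: fix in {f.locator} ({f.detail})")
    for f in scan_describe_security_groups(SAMPLE_LIVE):
        print(f"{f.phase}: {f.locator} ({f.detail}) -> source: {locate_source(f, SAMPLE_PLAN, SAMPLE_LIVE)}")
```

The build-time finding already carries the address to edit, while the run-time scan is the only one that sees the hand-made group; the reconcile step is what lets a run-time finding be fixed at the source rather than patched in the console.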
#cloud #cloud security #devsecops #infrastructure as a code #build time scanning #run time scanning
1594162500
A multi-cloud approach simply means leveraging two or more cloud platforms to meet the various business requirements of an enterprise. A multi-cloud IT environment incorporates clouds from multiple vendors and removes the dependence on a single public cloud service provider. Thus, enterprises can choose specific services from multiple public clouds and reap the benefits of each.
Given its affordability and agility, most enterprises now opt for a multi-cloud approach to cloud computing. A 2018 survey on the public cloud services market points out that 81% of the respondents use services from two or more providers. Consequently, the cloud computing services market has reported incredible growth in recent times. The worldwide public cloud services market is set to reach $500 billion in the next four years, according to IDC.
By choosing multi-cloud solutions strategically, enterprises can optimize the benefits of cloud computing and aim for some key competitive advantages. They can avoid the lengthy and cumbersome processes involved in buying, installing and testing high-priced systems. IaaS and PaaS solutions have become a windfall for the enterprise’s budget, as they do not incur huge up-front capital expenditure.
However, cost optimization is still a challenge when operating a multi-cloud environment, and a large number of enterprises end up overpaying, whether or not they realize it. The following tips will help you ensure that money is spent wisely on cloud computing services.
Most organizations tend to get simple things wrong, and those simple things turn out to be the root cause of needless spending and resource wastage. The first step to cost optimization in your cloud strategy is to identify the underutilized resources you have been paying for.
Enterprises often continue to pay for resources that were purchased earlier but are no longer useful. Identifying such unused and unattached resources and deactivating them on a regular basis brings you one step closer to cost optimization. If needed, you can deploy automated cloud management tools, which are largely helpful in providing the analytics needed to optimize cloud spending and cut costs on an ongoing basis.
Another key cost optimization strategy is to identify idle computing instances and consolidate them into fewer instances. An idle computing instance may run at a CPU utilization level of 1-5%, yet the service provider bills you for 100% of that instance.
Every enterprise has such non-production instances; they occupy unnecessary storage space and lead to overpaying. Re-evaluating your resource allocations regularly and removing unnecessary storage can save you a significant amount of money. Resource allocation is not only a matter of CPU and memory; it is also linked to storage, network, and various other factors.
The key to efficient cost reduction in cloud computing lies in proactive monitoring. A comprehensive view of cloud usage helps enterprises monitor and minimize unnecessary spending. You can make use of various mechanisms for monitoring computing demand.
For instance, you can use a heatmap to visually understand the highs and lows in computing demand. The heatmap reveals when instances can be started and stopped, which in turn leads to reduced costs. You can also deploy automated tools that help organizations schedule instances to start and stop. By following a heatmap, you can understand whether it is safe to shut down servers on holidays or weekends.
#cloud computing services #all #hybrid cloud #cloud #multi-cloud strategy #cloud spend #multi-cloud spending #multi cloud adoption #why multi cloud #multi cloud trends #multi cloud companies #multi cloud research #multi cloud market
1594166040
Moving applications, databases and other business elements from a local server to a cloud server is called cloud migration. This article deals with migration techniques, requirements and the benefits of cloud migration.
In simple terms, moving from a local server to a public cloud server is called cloud migration. Gartner reports 17.5% revenue growth from cloud migration and has also published a forecast for 2022, shown in the following image.
#cloud computing services #cloud migration #all #cloud #cloud migration strategy #enterprise cloud migration strategy #business benefits of cloud migration #key benefits of cloud migration #benefits of cloud migration #types of cloud migration
1602963300
Storing and managing corporate data in the cloud is becoming more and more popular. As companies grow, it becomes too expensive and resource-consuming to store their data on traditional servers. To see this, look at the research conducted by Google in 2019, which includes insights into the cloud computing market for the next 10 years.
Around 80% of US respondents (about 1,100 businesses participated) revealed that they are thinking about cloud adoption by 2029. In 2019, only about 40% made a switch. 72% of businesses state that they’d like to automate security solutions by 2029, while now only 33% actually do it.
What do these numbers tell us? That companies seem to be suspicious of cloud security and prefer traditional on-premises data storage to the cloud environment. Why are they afraid to entrust cloud providers with their data? What can be done to get rid of this fear? How can we show that the future of security lies in the cloud?
In our article, we aim to answer these questions and more, but first you need to be able to identify the reasons why companies have cloud-related trust issues. The first step in eliminating a problem is identifying it, so let’s do it together!
#cloud-security #security-of-data #cybersecurity #cloud-computing #aws-security #azure-security #data-breaches #cyber-security
1604257200
More than 100 smart-irrigation systems deployed across the globe were installed without changing the factory’s default, passwordless setting, leaving them vulnerable to malicious attacks, according to recent findings from Israeli security research firm Security Joes.
The researchers immediately alerted CERT Israel, the affected companies and the irrigation system vendor, Mottech Water Management, which did not immediately respond to a request for comment from Threatpost.
Mottech’s system allows for real-time control and monitoring of irrigation for both agricultural and turf/landscaping installations, via desktop and mobile phone. Sensor networks allow for the flexible and real-time allocation of water and fertilizer to different valves in the system. Access to the network could result in an attacker being able to flood fields or over-deliver fertilizer, for instance.
Security Joes regularly scans for Israeli open devices on the internet to check for vulnerabilities, the firm’s co-founder Ido Naor told Threatpost. Recently, its researchers discovered that 55 irrigation systems within Israel were visible on the open internet without password protections. After expanding their search, they found 50 others scattered around the world in countries including France, South Korea, Switzerland and the U.S.
“We’re talking about full-fledged irrigation systems, they could be entire cities,” Naor said. “We don’t look closely at what’s behind the address, because we don’t want to cause any trouble.”
Naor said that at last check, only about 20 percent of the identified vulnerable irrigation devices have had mitigation efforts taken to protect them so far.
There’s good reason for alarm about water systems not being secured, particularly in Israel. Just last April, a cyberattack on Israeli water systems, reportedly launched by Iran, attempted to increase the mix of chlorine in the water to poison the civilian population and ultimately interrupt the population’s water supply, The Times of Israel reported.
Yigal Unna, the head of the country’s National Cyber Directorate addressed the CybertechLive Asia conference in late May with the ominous warning that the direct cyberattack on people represented a new chapter in cyberwarfare, according to The Times of Israel.
“Cyber-winter is coming and coming even faster than I suspected,” he told the conference, according to the report. “We are just seeing the beginning.”
Unna was correct. Just weeks later in July, the Israeli Water Authority said that it was able to stop an attack on agricultural water pumps in Galilee, and another on water-supply infrastructure in the “center of the country,” according to reports.
The irrigation systems which were discovered without password protection aren’t related to the previous attacks, Naor said.
These types of vulnerabilities certainly aren’t limited to Israel.
Last month, six critical flaws in CodeMeter, software used to power industrial systems in the U.S., including water and electric utilities, were discovered which could be exploited to launch attacks or even allow third-party takeovers of systems.
Over the summer, researchers found that VPNs used for remote access to operational technology (OT) networks in industrial environments left field devices open to attacks, which could cause shutdowns or even physical damage.
Governments are making attempts to keep up with the proliferation of internet-of-things (IoT) devices throughout critical-infrastructure systems. In the U.S., the House of Representatives passed legislation in September establishing minimum requirements for IoT devices within the federal government.
“Most experts expect tens of billions of devices operating on our networks within the next several years as the [IoT] landscape continues to expand,” the legislation’s co-sponsor Senator Cory Gardner (R-Co.) said in a press release. “We need to make sure these devices are secure from malicious cyberattacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks.”
#cloud security #critical infrastructure #iot #web security #connected devices #cory gardner bill #critical infrastructure #cyberattack #cybersecurity #default password #galilee #government #infrastructure security #internet of things #irrigation systems #israel #mottech water management #open to internet #security joes #smart irrigation #water system attacks