Automating cloud security compliance

When organizations migrate operations and data to the cloud, security should be a top priority. However, many organizations do not cover this topic exhaustively or believe that cloud providers are responsible for securing their cloud environment. The reason is simple: maintaining security is a complex and challenging task.

It takes the time, effort, and expertise of every engineer to ensure a cloud environment is secure and compliant with industry standards. Every engineer who can modify the cloud environment is also able to introduce security vulnerabilities.

This means that every such engineer needs to not only be an expert in their field, but also a security expert. Engineers that maintain cloud infrastructure need to:

• Have a deep understanding about the cloud providers services.

• Understand the security posture of each service that is used.

• Understand the interplay between the services and how they can be used securely.

While dedicated security engineers are of great help, they cannot verify every change without becoming a bottleneck. This is where automation comes into play.

Which aspects of security can be automated? ​

There are so many aspects of security that it is hard to write about one without mentioning the other. Here are a few examples of security aspects that can be automated:

• [CSPM] Security configuration management. Deployment of security configurations and policies across cloud services and resources. Includes setting up firewalls, network configurations, access controls, etc.

• [CIEM] Identity and access management (IAM). Creation, rotation, and deletion of credentials, and the enforcement of multi-factor authentication (MFA) as well as user access and permission to cloud resources.

• [CSPM] Patch management. Ensuring that cloud resources are up-to-date with the latest security patches.

• [CSPM] Vulnerability scanning and assessments. Scanning of cloud resources for vulnerabilities and misconfigurations.

• [GRC] Compliance monitoring. Compliance with industry standards and regulatory requirements. Includes checks against standards such as CIS Benchmarks, PCI DSS, HIPAA, and GDPR.

• [SIEM] Threat detection and response. The use of behavioral analytics and heuristics to identify potential threats, coupled with automated response actions (such as isolating affected systems or revoking access).

While the first three items are widely accepted and understood, the last three are often overlooked or neglected. One possible explanation is that the former are part of the development and deployment process, while the latter are part of the operations and maintenance process.

In this post, I go into detail about vulnerability scanning and compliance monitoring, and how it can be automated and made accessible to everyone.

The need for automation ​

Security benchmarks are standardized sets of practices designed to secure cloud environments. (For a more detailed introduction to benchmarks, please read my previous blog post, Understanding Security Benchmarks.)

Benchmarks serve as the foundation for building a secure cloud infrastructure and form the basis for compliance automation. Some of the most widely used security benchmarks include CIS Benchmarks, ISO 27001, PCI DSS, and others.

While it is possible to manually perform compliance checks with benchmarks, it is a time-consuming and error-prone process. Automation ensures that checks are performed consistently and accurately.

There are several tools to automate compliance checks, including AWS Audit Manager, Microsoft Defender for Cloud, and Fix.

Benchmarks encode the knowledge and best practices of security experts and are updated regularly to reflect the latest threats and vulnerabilities. Benchmarks can be run on different cloud providers, accounts, and regions across your organization automatically to ensure cloud environments are secure and compliant, without the need for a security expert.

Benchmarks allow engineers to focus on their core tasks—as soon as they make a change to the cloud environment, compliance checks run automatically.

Making security benchmarks “executable” ​

Automating a security benchmark means encoding the knowledge of security experts into an executable piece of code. A benchmark is typically broken down into sections where each section contains a set of rules. Each rule is a statement that describes a security best practice.

We need a shared understanding and data model of a resource for effective security rules. The data model is a structured representation of a cloud resource (e.g., EC2 instance, S3 bucket, VPC) containing information about the resource—its configuration, relationships to other resources, and metadata. We can describe best practices in terms of those properties and relationships.

For example, consider a rule that states all database access should be encrypted. It is easy to forget that backups also need to be encrypted. The data model defines the properties of a database and its backups, and we check if the database and its backups are encrypted based on this information.

Executable security benchmarks allow us to collect resource information from cloud providers and run checks on the collected data as often as desired. The resulting reports show which resources are compliant and which are not. This information can then be used to take action and remediate the non-compliant resources.

Decomposing benchmark results into actionable tasks ​

The results of compliance checks are often long lists of non-compliant resources. These lists can be difficult to prioritize and work through.

Fix offers the following information for each non-compliant resource:

• Severity. The criticality of the issue (e.g., critical, high, medium, low) for prioritizing the remediation.

• Description. A human-readable explanation of the issue.

• Risk. The threat that the issue poses if left unaddressed.

• Remediation. Instructions for how to fix the issue.

• Remediation complexity. The complexity of the proposed remediation (e.g., low, medium, high).

• Links. Links to external resources with additional information about the issue.

• Resource data. Information collected about the non-compliant resource.

When issues are detected, we encourage engineers to start by addressing critical items with low remediation complexity.

Fix provides all of the information required to understand and remediate issues, facilitating improvement of your cloud security posture with minimal time and resources.

Continuous compliance ​

Cloud environments are not static, often changing several times a day. New resources are created, existing resources are modified, and old resources are deleted.

This constant cycle of change means that compliance checks need to be performed continuously. A good practice is to run compliance checks often enough to react to non-compliant resources promptly.

Many companies have a development environment that replicates the production environment. This development environment should also be checked for compliance to create an early feedback loop for engineers and ensure security best practices are applied from the beginning. Keeping the development environment secure and compliant is essential, as it is the source of the changes that are rolled out to production.

Not only is your infrastructure constantly changing, but security benchmarks are updated regularly as well. Using a tool like Fix ensures that the latest security best practices are always applied to your cloud environment.

Automating compliance with security benchmarks in cloud environments underscores a fundamental shift towards a more resilient, proactive, and efficient approach to cloud security. Organizations unlock the potential to encode the distilled wisdom of security experts into their digital infrastructure, ensuring that best practices are not just recommendations but actionable, enforceable standards.