Configuration Compliance in the Cloud

By David Meltzer

As a member solution provider in the Cloud Security Alliance, paying careful attention to risk and planning for improvement is second nature for my own companies’ security services. As a consumer of many start-up cloud services built completely outside the security industry, however, I have observed that building secure cloud services is a much more daunting task for companies not filled with security experts. Asking an early stage SaaS start-up to answer 197 questions about their risk and how they comply with the 98 items in the Cloud Controls Matrix is more likely to get a “You have got to be joking” and /or a virtual blank stare than receive any substantive assurances about security risk.

Vendors might look at a list of questions like the CSA Consensus Assessments Initiative Questionnaire and be overwhelmed with all the requirements. Vendors that want to provide a more substantive answer than ‘YES’ or ’ NO’ are probably also asking, ‘How do I get started with the basics?’

In this article, I’ll walk through one of the basic security building blocks that can turn an average start-up SaaS service into one that takes security seriously and can ‘pass muster’ with even the most paranoid security auditors found at companies like mine.

One requirement cuts across a broad cross-section of controls in the Cloud Controls Matrix is the performance of infrastructure audits. Infrastructure audits always begin with a discovery process; – you have to know everything in your infrastructure before you can determine if it is secure. This seems straight forward, but it’s not as easy as you think. Do you know specifically how many assets you have, where are they, and what are they? Discovery can be a simple process if all management is centralized, but most companies can find a few surprising things (or a lot of things) pretty quickly. For example, what started as a few virtual instances with a single provider can quickly morphed into multiple cloud infrastructure providers with a private network or two thrown in for good measure. At this point an asset inventory becomes a very valuable step. A variety of open-source and free cloud solutions that automate basic network discovery are available, so if the answers to infrastructure questions aren’t totally straight forward, it’s easy and free to get detailed, reliable answers.

Once you know what is there, the next question to ask yourself is, ‘Do I have a security configuration policy for each of these systems’? It is rarely necessary to create any configuration policies yourself; the security industry has spent the last decade building policy templates for a wide range of operating systems, servers, devices, and applications. The most prominent sources for these policies today are the Center for Internet Security (http://www.cisecurity.org/) & NIST’s Security Content Automation Protocol (http://scap.nist.gov/content/index.html).

These policies can be applied to your systems ‘as-is’ or used as a baseline and modified to fit your particular application needs.

Now that you have a policy, the next step is auditing the assets against the policy. A variety of solutions exist for doing this – it can be a manual effort, a host-based approach applied system by system, or a network-based approach assessing the entire discovered network at once. Both CIS & NIST have certification processes and publicly list certifications awarded, so if you decide to use a vendor instead of assessing each asset manually it’s easy to narrow down options.

Automation of configuration auditing pays dividends quickly, but the frequency of updates to your production services will dictate how much re-auditing is necessary. In an ideal closed-loop solution, changes to a configuration will immediately trigger an automated re-audit, giving you a constantly updated assessment of how closely the configurations of your production assets compare to the policies you’ve set. With manual processes, weekly or monthly audits may be a more practical goal to set. Almost anyone who implements an automated configuration auditing program will start to see how quickly policy deviations creep into production services. With quick detection, these configuration errors are just as easy to remediate as they are to detect.

Implementing a configuration compliance program from scratch that includes discovery, policy assignment, and auditing doesn’t require a lot of time and produces one of the biggest ‘bangs for the buck’ in securing a service. And, perhaps more importantly, with a configuration compliance program in place you are able to produce evidence of compliance for future customers and auditors. This program ensures you have a broad set of documented configurations for your infrastructure that should be configured (with little work on your part), a program to audit compliance, and evidence of compliance, as provided by the output of your audits, for every asset of your infrastructure.

A solid configuration compliance program is the cornerstone of every cloud security program. It pays immediate dividends with customer and auditors and is relatively inexpensive to put together.