Shared Responsibility Model Automation: Automating Your Share Part 2
Published 09/30/2020
By CloudPassage
In Part 1 of our Shared Responsibility blog series, we provided a detailed overview to help you understand security in a public, hybrid, or multi-cloud environment. We broke down the infrastructure stack, explained which responsibilities the cloud service provider assumes, and identified where you retain ownership of security. We also discussed how the shared responsibility model affects members of your team and changes the way you think about security as you move your workloads to the cloud. In this installment, we’ll dive deeper into shared responsibility model automation and the important role cloud security tools play in securing your complex, modern infrastructure at scale.
Meeting the Demands of Shared Responsibility Model Automation
Let’s quickly revisit the shared responsibility model chart from Part 1. The sum of your security ownership across each of your connected cloud environments is determined by your provider contract and the services you’ve chosen to use. Your first step is to define a strategy and choose tools that can handle the unique security requirements of each of your server-based and serverless instances, along with securing your on-premises bare-metal servers and virtual environments.
Figure: Division of duties in a shared responsibility security model
Regardless of where your contract with your provider draws the line, your security posture in a shared responsibility model depends on your ability to standardize and maintain security orchestration, action, and response across your entire infrastructure, including:
- Asset discovery, interrogation, and inventory monitoring
- Continuous inventory updates
- Vulnerability and exposure management, including network and privileged access configuration
- Integrity and drift monitoring
- Indication of compromise, threat detection, and security event management
- Network security configuration and management
- Compliance management and continuous compliance monitoring
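Integrity and drift monitoring from the list above, shown as an added example that is not CloudPassage's code or part of the original post: it records a baseline of SHA-256 hashes for a set of monitored files on an asset, takes a fresh snapshot later, and classifies the drift as added, removed, or modified files. The monitored paths, the file contents, and the tampering in `demo()` are all constructed for illustration; a real deployment would persist the baseline somewhere the monitored host cannot rewrite it.

```python
"""Integrity and drift monitoring against a recorded baseline (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Files to track, relative to the asset root. This set is constructed for the
# example; a real policy would list the configuration files that matter to you.
MONITORED = ("etc/sshd_config", "etc/sudoers", "app/config.yaml")


def hash_file(path: Path) -> str:
    """SHA-256 of a file's bytes, streamed so large files are not loaded at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path, monitored=MONITORED) -> dict:
    """Inventory plus integrity snapshot: relative path -> sha256 for each monitored file present."""
    snap = {}
    for rel in monitored:
        path = root / rel
        if path.is_file():
            snap[rel] = hash_file(path)
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify drift between the recorded baseline and the current snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def has_drift(report: dict) -> bool:
    """True when any category of the drift report is non-empty."""
    return any(report.values())


def _write(root: Path, rel: str, text: str) -> None:
    """Helper for the constructed asset tree used by demo()."""
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo() -> dict:
    """Build a constructed asset tree, record a baseline, tamper with it, and report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root, "etc/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/sudoers", "root ALL=(ALL) ALL\n")
        baseline = snapshot(root)
        # Simulated drift: an edited config, a new monitored file, and a deleted one.
        _write(root, "etc/sshd_config", "PermitRootLogin yes\n")
        _write(root, "app/config.yaml", "debug: true\n")
        (root / "etc/sudoers").unlink()
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("drift detected" if has_drift(report) else "no drift")
```

The same diff function works for any snapshot shaped as `path -> hash`, so the inventory side (which monitored files exist on which asset) and the integrity side (whether their contents changed) come out of one comparison.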
Eight key attributes for shared security model automation
Effective cloud management unifies your security responsibilities on a single platform and provides shared responsibility model automation controls and compliance across all of your servers, containers, IaaS, and PaaS in any public, private, hybrid, and multi-cloud environment. Your security solution should encompass the following eight key attributes to provide complete, effective, and efficient security:
Unified: Traditional security tools often don’t meet the various and unique needs of a complex, shared responsibility cloud security environment. Without a unified security solution, you end up tying together several different tools, which can lead to operational complexity, unnecessary redundancy, and potential gaps in coverage.
A unified cloud security platform simplifies operational processes for continuous monitoring, automatic indication of compromise in the cloud, and visualization of network traffic, and sets you up for automated compliance management across IaaS services, virtual and bare-metal servers, containers, and Kubernetes environments. A cloud security platform built specifically for the cloud gives you a comprehensive set of configurable tools and the flexibility you need to close your gaps, improve your security posture, and adapt as your infrastructure grows and changes.
Automated: As your environment grows in size and complexity, it becomes increasingly difficult to keep track of all the moving parts. Shared responsibility model automation provides dependable speed and consistency, and frees up staff time to focus on strategic goals rather than repetitive tasks. Your cloud security automation platform should automate asset discovery and monitoring, and should automatically deploy sensors when a new service, environment, or application is created.
You’ll also need integration with your DevOps tools to automatically fail builds when new vulnerabilities might be introduced, assign new issues automatically, and monitor the development pipeline for remediation. With comprehensive shared responsibility model automation in place, you can centralize and simplify your cloud security integration and operations across systems and solutions that have different security concerns. Effective cloud security automation also enables security to shift left into the development process, and empowers the adoption of a DevSecOps culture.
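The build-failing integration described above, as an added example rather than code from CloudPassage or the original post: a small CI gate that reads a vulnerability scan report, ignores findings that are already tracked in an accepted baseline, and fails the build (non-zero exit code) when any new finding meets the severity threshold. The report format, the `VULN-EXAMPLE-*` identifiers, the package names, and the baseline are all constructed for illustration; a real pipeline would feed in its scanner's output and keep the baseline under version control alongside the tickets that justify each entry.

```python
"""CI gate that fails a build on newly introduced vulnerabilities (added example)."""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Fail closed: a severity the gate does not recognise is treated as blocking.
UNKNOWN_RANK = 99

# Constructed scan output in a generic JSON shape; not the format of any specific scanner.
SCAN_REPORT = json.dumps({
    "findings": [
        {"id": "VULN-EXAMPLE-1", "severity": "critical", "package": "libexample", "version": "1.0.0"},
        {"id": "VULN-EXAMPLE-2", "severity": "medium", "package": "libother", "version": "2.3.1"},
        {"id": "VULN-EXAMPLE-3", "severity": "high", "package": "libthird", "version": "0.9.0"},
    ]
})

# Findings already known and risk-accepted (constructed); these never block the build.
BASELINE = {"VULN-EXAMPLE-3"}


def parse_report(text: str) -> list:
    """Extract the list of findings from the scanner's JSON output."""
    return json.loads(text)["findings"]


def severity_rank(label: str) -> int:
    """Map a severity label to a comparable rank, failing closed on unknown labels."""
    return SEVERITY_RANK.get(label.strip().lower(), UNKNOWN_RANK)


def new_findings(findings: list, baseline: set, threshold: str = "high") -> list:
    """Findings that are not in the accepted baseline and are at or above the threshold."""
    minimum = SEVERITY_RANK[threshold]
    return [
        f for f in findings
        if f["id"] not in baseline and severity_rank(f["severity"]) >= minimum
    ]


def evaluate(report_text: str, baseline: set, threshold: str = "high") -> dict:
    """Gate decision: which findings block, and whether the build may proceed."""
    findings = parse_report(report_text)
    blocking = new_findings(findings, baseline, threshold)
    return {
        "total": len(findings),
        "blocking": [f["id"] for f in blocking],
        "passed": not blocking,
    }


def main() -> int:
    result = evaluate(SCAN_REPORT, BASELINE)
    print(f"{result['total']} finding(s) scanned")
    for vuln_id in result["blocking"]:
        print(f"BLOCKING: {vuln_id} is new and at or above the gate threshold")
    print("gate passed" if result["passed"] else "gate failed")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as the last step of a build job; CI systems treat the non-zero exit as a failed stage, which is what stops a vulnerable artifact from reaching the deploy stage. Comparing against a baseline of accepted finding IDs, rather than a bare severity cutoff, is what makes the gate report only what the current change introduced.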
Portable: With the rate of change we experience in technology, it’s no longer an option to say “no” to a better solution when it comes along. Everything about your application infrastructure, from the code you write to the containers you configure to security, needs to be portable. When moving a workload or application stack between clouds, your share of the shared responsibilities may change. Your security solution needs to work seamlessly across any public, private, hybrid, and multi-cloud environment while requiring as few changes as possible during lift-and-shift operations and if you move from one cloud service provider to another.
Some cloud security platforms automate and integrate through bi-directional REST APIs, which ensure that security sensors and the policy checks they perform move seamlessly with workloads during migration between clouds or from on-premises architectures. Through automation, your policies are enforced throughout your CI/CD workflows, and compliance is verified against pre-established rules and standards regardless of the intended production environment. These controls allow you to catch and remediate potential vulnerabilities before they become security gaps.
Comprehensive: Your share of the shared responsibility model includes a wide range of requirements, including asset discovery, inventory, assessment, remediation, threat detection, microsegmentation, traffic discovery, and continuous compliance. If you have separate tools for each of those security domains, you’re setting yourself up for operational headaches and worse: the very real potential for introducing blind spots and gaps.
Comprehensive cloud security should cover each of these requirements and automate as much of the security management as possible to alleviate your operational burdens. You should be able to implement security controls across all your cloud servers, environments, and containers quickly and efficiently. With comprehensive cloud security that includes the right sensors, registry connectors, and APIs that work together, you can better monitor and evaluate security across your public and private clouds, and even across your data center infrastructure, and unify security management while decreasing operational complexity.
Fast: Everything about the cloud boils down to speed. CI/CD pipelines delivering microservices and features to the cloud in real time increase the demand for fast, integrated security. Your security processes cannot become a bottleneck to your development team’s delivery schedule. Instead, you need to provide high-speed deployment, telemetry, and analytics that keep up with the speed of DevOps.
When properly architected, automated, distributed security offloads processing and accelerates security control, which means you can ensure compliance without impacting system performance or deployment cadence. By design, security automation that’s built for the cloud will also maintain security coverage as infrastructure and workloads scale. Once you’ve defined your security policies, you should be able to introduce or remove assets quickly, without additional hands-on configuration.
Integrated: The problem with legacy security solutions is that they tend to “bolt on” to cloud environments, rather than working seamlessly within your cloud infrastructure and workloads. Solutions that were not built for the cloud increase manual tasks and complicate monitoring. Security designed for the cloud integrates directly with cloud infrastructures and ensures consistency and compliance without manual intervention.
Security integrated into your DevOps process and workflows through APIs allows you to auto-scale your security implementation up and out as needed, in parallel with your growth, without becoming a bottleneck for the CI/CD pipeline. With the right SDK and integrations with popular CI/CD tools, including Jenkins, Jira, and ServiceNow, you can enforce security coverage for your code repositories, build and test processes, production deployment, and remediation processes. This early detection and intervention through security automation provides feedback on alerts and allows you to address potential vulnerabilities and misconfigurations before they become production security events.
Scalable: While nothing is truly infinite, cloud resources are about as close as you can get. Unlike a bare-metal data center, when you run up against the limits of your current cloud infrastructure, you simply ask for more, and it’s there. That means your security solution must scale automatically and instantaneously to keep up with fast-breaking, dynamic cloud changes.
But you don’t always scale up. Cloud resources also provide a valuable opportunity to use resources as needed, and then release them when demand drops. This elastic scalability should be mirrored in your cloud security so that you only use what you need in real time, and your security implementation should always match your cloud footprint.
Cost-effective: Cloud architectures offer right-sized, pay-as-you-go and usage-based pricing, which means you can control your costs while maximizing the value of your investment. When choosing a cloud security vendor, look for one that follows cloud best practices for pricing models. Your cloud security solution should provide pricing that auto-scales based on your actual resource usage.
Automation accelerates the path to compliance
Regulatory compliance is a never-ending challenge, requiring a team of knowledgeable professionals who stay up to date with industry changes and how those changes affect your particular company. Shared responsibility model automation is key to helping your compliance team maintain control over your growing cloud environment.
When it comes to cloud security automation, pre-configured rules and policy templates covering standards such as PCI, CIS, HIPAA, SOC, and more are available, and they accelerate your path to compliance. Automated detection and remediation of compliance issues helps you break free from the ad-hoc emails and meetings for vulnerability communications, and you’ll skip the fire drills before an audit. Instead, with continuous monitoring and shared responsibility model automation, you’ll know your state of compliance in real time, and will be ready when audit time comes.
Illuminate Your Blind Spots with Shared Responsibility Model Automation
Continuous monitoring and visibility across every environment, from your cloud environments down into your data center, are critical for maintaining accountability for your defined and accepted portions of the shared responsibility model. The right cloud security implementation can simplify management of your share of the shared responsibility model, eliminate security blind spots across your cloud infrastructure, and provide seamless integration between your DevOps pipeline and your public, private, and multi-cloud environments.