How to improve cloud security with automation

To get it right in this complex, fast-moving area, automation is critical. It can proactively manage risk, cost-effectively deal with complexity and keep pace with changes in the IT environment. In our experience, there are four areas ripe for security automation that follow familiar National Institute of Standards and Technology (NIST) cyber security framework categories:

Identify

Understanding what assets, such as virtual machines, data stores, firewalls and internet gateways, are within your cloud environment is key to protecting your organisation. If you don’t know they exist, it’s hard to secure them.

As cloud vendors offer resource tagging on cloud infrastructure, it can be easy to see what’s where with a level of accuracy that on-premise data centres can’t come close to. Vendors normally offer basic automated tagging so they can get your bills right, but a more detailed view can help identify asset owners, flag components of production systems and highlight what types of data they handle. To get this closer view, you’ll need policies around what tags you need, processes for reporting on noncompliance and technical controls to put a stop to non-compliant assets.

Cloud services such as AWS Macie, Azure Information Protection and GCP Data Loss Prevention can automatically classify personally identifiable information (PII) and help categorise more complex data.

While these tools are most effective with easily recognisable patterns, such as credit card numbers, they can combine with other configuration management datasets. This would create a powerful tool for understanding what assets are in which networks and attached to which firewalls – a dream Configuration Management Database (CMDB) tool. Implementing such automation would avoid the “need to know” security issues the US General Services Administration faced after failing to proactively discover documents containing PII in their cloud.

Protect

Although legacy infrastructure can automatically deploy patches and anti-virus signatures, organisations typically need to run some rudimentary testing to ensure the updates won’t break their systems. With cloud infrastructure, it’s possible to rely on vendor services to keep things running. Vendors have a contractual responsibility for keeping services secure and operational. And, as they’re providing a ‘hyperscale’ service, they’re able put more effort into horizon scanning for bugs and threats.

Cloud security automation also makes it possible to automatically apply patches, make changes and, if something goes wrong, detect it and restore a previous configuration at scale. But it needs to be integral to the Continuous Integration and Continuous Deployment (CI/CD) pipelines as shifting detection and fixing to the start of the development lifecycle saves money. A State of DevOps report indicates that high performing organisations (which will use automation to support the DevOps approach) spend 50 percent less time remediating security issues. This means organisations should automate activities such as:

• Raising tickets for developers.
• Conducting static analysis as code is released.
• Measuring trust of open source code based on the provenance, author and number of users.
• Checking for vulnerabilities in any open source dependencies.
• Running dynamic application security testing.
• Performing continuous vulnerability testing as part of the pipeline.

Detect

It’s possible to automatically detect any policy and regulation issues in your cloud configuration, such as if your AWS S3 data storage buckets are public. Once detected, automation tools like AWS CloudWatch Events and Security Hub or Azure Workflow Automation can correct the issues using vendor-managed or custom responses. The system can then highlight issues to the security team so they can investigate further, ensuring your people spend their time where they can deliver the most value.

Organisations can also factor in regional variations to accommodate different laws or risk appetites. Coupled with a feedback loop to the asset owners, these detection mechanisms can help make the environment safer when developing at pace.

Cloud automation also plays a part in the improved detection of adversary activity on your network by combining the high visibility of assets and granular logging with machine learning and behavioural analytics. It’s one of the few ways to analyse the scale (billions of events) and complexity of data needed to infer malicious or odd behaviours.

Respond and recover

Whether you’re responding to a configuration issue or a security breach, automated actions can minimise potential damage.

For example, you could automatically adjust the capacity of the infrastructure and services in response to Denial of Service (DoS) attacks, increasing the number of servers to deal with additional traffic or decreasing them to reduce the attack surface area and cost of serving illegitimate requests.

You can also limit damage from attacks by automatically removing permissions for a compromised account. You can even isolate affected systems and prepare a forensic environment for further assessment using tools such as AWS lambda.

Automated cloud security reduces risks

By automating your cloud security practices where possible and adapting how your organisation works, you can develop a scalable security architecture that helps you keep pace with the ever-increasing regulatory burden. By thinking about these four areas, you can start your journey, put the right automated guardrails in place and start reducing risk.