An on-demand CrowdStrike® webcast titled “Security at the Speed of DevOps” offers an in-depth examination of the security implications that accompany organizations’ rapid adoption of DevOps as they retool their IT infrastructure and face the advantages and challenges of moving to the cloud.
Because of the speed and agility DevOps provides, security is often viewed as an obstacle: it can inhibit the rapid delivery of new applications and an organization's ability to scale as it strives to meet new business demands. This webcast offers the opportunity to hear two seasoned security experts, CrowdStrike Services Principal Consultant Alexi Papaleonardos and Amazon Web Services (AWS) Solutions Architect Scott Ward, discuss both the benefits and challenges of DevOps, and offer their expertise and guidance on how to adopt the DevOps model without sacrificing security.
The Shared Responsibility Model
Ward begins the discussion by focusing on AWS’ commitment to security, which it considers its highest priority, explaining that AWS data centers and infrastructure are built to meet the security requirements of even the most sensitive customers. Against this backdrop, Ward discusses how and why security is a shared responsibility between customers, which are responsible for security configurations in the cloud, and AWS, which is responsible for security of the cloud. “For AWS, responsibility centers on securing the global infrastructure, including physical data centers and the housing infrastructure that runs AWS,” Ward says, “as well as the foundational infrastructure around compute, storage, database and networking.” He explains that customers’ responsibility lies with the security configurations and choices they make in the cloud, such as securing applications and content, operating system, network and firewall configuration, client and server-side encryption, and protecting network traffic.
Recommendations for Maintaining a Secure AWS Environment
Ward offers several suggestions on how customers can work with AWS tools to improve their security postures:
Understand what you have and what you need: Customers should first evaluate the tools they have so they can determine the tools they will need. He explains that this includes having awareness of the many AWS tools available to you. You should also evaluate your in-house tools, with particular focus on how they might be automated. He says, “Automating and integrating these tools are crucial — I’m talking about bootstrapping, autoscaling, elimination of manual configuration – how can these tools help me do what I want to do in the cloud?”
Establish baseline security configurations: This is what AWS calls a “landing zone,” which “defines the security foundation of your cloud strategy by creating a pre-configured, secure, multi-account environment that is repeatable for new requests — giving you automation that allows iteration and extension over time.”
Security should be integrated with DevOps: Ward also discusses why and how security should be folded into the development process of continuous integration and continuous deployment (CI/CD), so that security becomes a part of DevOps, not an obstacle to it. He also emphasizes the importance of having an incident response (IR) plan, so that your organization can respond quickly should an event occur.
CrowdStrike on the Customer’s Security Responsibility
In his presentation, Papaleonardos focuses on the customer’s role and technology responsibilities in the cloud. “A lot of problems can occur when you assume that AWS is taking care of security for you, or if you aren’t taking advantage of what AWS has to offer.” He goes on to explain the security measures customers should take and how the CrowdStrike Falcon® platform integrates seamlessly with AWS. He offers a number of suggestions on how customers can take advantage of the security tools available to them:
Eliminate rogue AWS accounts: First, he stresses the importance of eliminating rogue accounts, the unmanaged accounts that can be a prime target for compromise. “Typically, unmanaged accounts have a terrible security posture and even if they don’t have a crucial purpose and aren’t being used for sensitive data, they constitute a security vulnerability.” Papaleonardos says hackers are using stolen AWS API keys to access unmanaged accounts, which often leads to cryptocurrency resource hijacking. He suggests creating an incentive program for IT, development or engineering staff to spur them to report any unmanaged accounts they find.
Ensure automatic AWS account provisioning: Papaleonardos suggests organizations automatically provision new AWS accounts for individual sandbox use, new projects, etc. and set them up with baseline policies to ensure consistent security. This should also include making sure the right teams are receiving security communications from AWS, so that issues aren’t overlooked. He also suggests organizations ensure that the IR team has the access they need in advance, so they can respond quickly. “Amazon has strict rules about crossing boundaries, so if you don’t establish access upfront, your security team won’t have it when you need it.”
Use AWS service control policies to your advantage: Service control policies (SCPs) let your organization establish policies that can’t be overridden from within an account and disable services you don’t want to allow. They can also be applied per region and act as guardrails, preventing actions such as modification of VPC security groups, IAM policy modifications and other activities that could expose your organization to compromise.
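The following SCP is an added example written for this summary; it is not a policy from the webcast or from CrowdStrike or AWS. It shows the guardrails the bullet above describes: denying security group changes and IAM policy changes to everyone except an assumed administrator role, protecting the audit tooling the account is bootstrapped with, and restricting activity to an approved list of regions. The role name `NetworkAdminRole` and the region list are assumptions; replace them with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySecurityGroupChanges",
      "Effect": "Deny",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:ModifySecurityGroupRules",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/NetworkAdminRole"
        }
      }
    },
    {
      "Sid": "DenyIamPolicyChanges",
      "Effect": "Deny",
      "Action": [
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:SetDefaultPolicyVersion",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:AttachUserPolicy",
        "iam:DetachUserPolicy",
        "iam:PutUserPolicy",
        "iam:DeleteUserPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/NetworkAdminRole"
        }
      }
    },
    {
      "Sid": "ProtectAuditTooling",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyUnapprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2"]
        }
      }
    }
  ]
}
```

Two points to keep in mind when attaching this in AWS Organizations: an SCP never grants permissions, so member accounts still need the default FullAWSAccess policy (or your own allow list) attached alongside it, and SCPs do not apply to the management account, which is why the break-glass and IR access Papaleonardos mentions has to be set up in advance rather than relied on as an override. The `NotAction` list in the region statement exempts global services whose API calls are not made in a specific region; extend it if your accounts depend on others.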
Provision one account per user: There should be one authentication account per human user, with roles assigned so that workloads can be managed more easily and at scale. This approach also saves time, because roles can be assigned in advance, and it encourages role-based privilege design, which is a better security practice. He says it’s also a good idea to lock accounts via Okta, Google or another single sign-on (SSO) provider, which helps you avoid shared accounts and the problem of past-life accounts.
Bootstrap accounts to make secure practices easier: He recommends using AWS tools such as AWS CloudTrail, which should be activated in every account, with the logs sent to S3 buckets in AWS. He also recommends that customers employ AWS GuardDuty, which is powered by CrowdStrike Falcon and protects against threats such as known bad IP addresses and invisible VPC DNS tunneling. Also, streamline security for your team by creating VPC security groups.
Establish instance authentication: Instance profiles backed by IAM roles let AWS deliver API authentication tokens to your instances seamlessly and automatically.
Ensure instance integrity: Instances in the cloud can be easily rebuilt every one to two hours to make sure integrity is maintained. You also need to be sure that your advanced endpoint protection is cloud-ready. Having built an extensive cloud-native platform, CrowdStrike understands cloud lifecycles and the fact that cloud IP addresses are not unique. With Falcon Discover™ for AWS, you can effortlessly identify security gaps left by unmanaged endpoints and close them quickly, Papaleonardos says.
The CrowdStrike Platform with Falcon Discover for AWS
The CrowdStrike Falcon platform fulfills customers’ security responsibilities by protecting organizations, from applications and content all the way down to AWS foundation services. As Papaleonardos discusses in his presentation, advanced endpoint protection needs to be cloud-ready. Because of its cloud-native architecture, the Falcon platform is built to seamlessly integrate in an AWS environment. The introduction of Falcon Discover for AWS ensures you have the comprehensive visibility to identify security gaps and close them immediately.
Falcon Discover for AWS provides visibility and flexibility across the AWS Elastic Compute Cloud (EC2) seamlessly. Discover’s next-gen features allow organizations to take advantage of AWS’ tremendous operational and business advantages by providing the following benefits:
- Identifies security gaps across all endpoints and EC2 instances globally — allowing you to discover unmanaged assets and secure them instantly
- Prioritizes detections by delivering metadata on all AWS EC2 instances so you can prioritize the assets that are impacted and mitigate the more serious gaps first
- Conserves resources with simple deployment and a completely integrated management interface, eliminating the need for your security team to pivot across tools by delivering all features via Falcon’s single lightweight agent
Watch the on-demand webcast “Security at the Speed of DevOps.”
Learn more about Falcon Discover for AWS.
Get a full-featured free trial of CrowdStrike Falcon Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.