AWS re:Invent 2015: AWS security and compliance tools embrace enterprise Clouds

Two new Amazon cloud products proactively deal with security issues before they become security and compliance problems

Once upon a time, the biggest barrier to cloud adoption was security. That is no longer the case, but at the re:Invent conference Amazon unveiled two new security and compliance tools designed to make it easier for Amazon Web Services users to proactively find and fix security issues.

Organizations were originally reluctant to move their servers and applications to cloud platforms because they didn't want to run afoul of compliance requirements or commit errors that could result in a massive data breach.

The first, Amazon Inspector, helps find vulnerabilities and other security issues; it also provides information on how to remediate those bugs and correct configuration mistakes. The second, AWS Config Rules, is designed to ease compliance concerns by telling users when specific resources have changed and are no longer compliant.

Amazon Inspector

Amazon Inspector is an automated security assessment service that finds security or compliance issues in applications deployed on AWS. It analyzes the application's behavior by monitoring network, file system, and process activity, and correlates that information with other data, such as details of communication with AWS, use of secure channels, and network traffic between instances.

Inspector compiles all this information into a report, with issues grouped by severity so that users know which ones to pay attention to first. Inspector also provides advice on how to fix the problems.

The resulting report shows existing vulnerabilities in the application code or the server configuration, as well as areas where the service may be out of compliance. Inspector's reports would be valuable for Amazon customers who find it challenging to stay abreast of changes made to their applications and servers. There have been numerous stories of developers discovering, only after deployment, that passwords and keys had been left inside configuration files, and of servers that were simply misconfigured. For businesses in heavily regulated industries such as finance and health care, the assessment could verify that they are meeting the strict guidelines on how to store and use data.

Because Inspector is currently in preview, the only set of compliance rules it can check against is the PCI DSS 3.0 Assessment, but others will be added over time. Inspector also provides Cloud Trails, an audit trail indicating what issue was found, what actions were taken to address the issue, and when those actions occurred. Cloud Trails could be invaluable when working with auditors.

Users can specify the duration of the assessment and which rules -- such as best practices, compliance standards, and known vulnerabilities -- Inspector should use as part of its analysis. Along with the PCI DSS assessment, Inspector includes rules from Common Vulnerabilities and Exposures, Network Security Best Practices, Authentication Best Practices, Operating System Security Best Practices, and Application Security Best Practices.

The rules packages draw on all the knowledge Amazon has built up over the years, AWS senior vice president Andrew Jassy said. "You can tell which assessments were done, what findings they have, and what they actually did to remediate."

AWS Config Rules

The second tool, Config Rules, is designed to make compliance more straightforward. Users can set up compliance rules for resources and define specific actions that execute automatically if the rules are violated. The triggers can range from simply reporting the issue to appropriate parties to shutting down instances.

Developers can fire up and shut down storage, processing, and networking resources as needed on AWS. But in a fast-paced environment, it is very easy to overlook security guidelines and policies. Config Rules will automate the checks so that users can fix the issues as they are found, Amazon said.

Config Rules can ensure, for example, that every instance is associated with at least one security group, or that EC2 instances launched in a particular virtual private cloud are properly tagged. It can also check that port 22 is not open on any resource associated with a production security group. Whenever a resource changes or a new one is created, Config Rules runs and verifies whether the resource is still within the defined parameters.
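The three checks named above, written out as evaluation logic over constructed resource records (an added example, not AWS's own rule code; the record shapes, IDs, CIDRs and tag names are assumptions made for the illustration):

```python
# Constructed sample records, shaped loosely like EC2 security-group and
# instance descriptions; the IDs, CIDRs and tag names are made up here.
PRODUCTION_SG = {
    "groupId": "sg-0example", "tags": {"Environment": "production"},
    "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": ["203.0.113.0/24"]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": ["0.0.0.0/0"]},
    ],
}
INSTANCE = {"instanceId": "i-0example", "vpcId": "vpc-0example",
            "securityGroups": [], "tags": {"Owner": "payments"}}

def ssh_ingress_sources(security_group):
    """Source CIDRs from which TCP/22 is reachable through this group."""
    sources = []
    for perm in security_group.get("ipPermissions", []):
        proto = perm.get("ipProtocol")
        if proto == "-1":              # "all traffic" rule covers every port
            low, high = 0, 65535
        elif proto == "tcp":
            low, high = perm.get("fromPort"), perm.get("toPort")
        else:
            continue                   # UDP/ICMP rules cannot expose SSH
        if low is not None and high is not None and low <= 22 <= high:
            sources.extend(perm.get("ipRanges", []))
    return sources

def evaluate_production_ssh(security_group):
    """Rule: a production security group must not open port 22 at all; returns
    (verdict, annotation) using AWS Config's COMPLIANT/NON_COMPLIANT/NOT_APPLICABLE vocabulary."""
    if security_group.get("tags", {}).get("Environment") != "production":
        return "NOT_APPLICABLE", "not a production security group"
    sources = ssh_ingress_sources(security_group)
    if sources:
        return "NON_COMPLIANT", "port 22 open to " + ", ".join(sources)
    return "COMPLIANT", "port 22 is not exposed"

def evaluate_instance(instance, vpc_id, required_tags):
    """Rules: every instance has a security group, and instances in vpc_id
    carry the required tags. Returns the list of findings (empty = compliant)."""
    findings = []
    if not instance.get("securityGroups"):
        findings.append("no security group attached")
    if instance.get("vpcId") == vpc_id:
        missing = sorted(set(required_tags) - set(instance.get("tags", {})))
        if missing:
            findings.append("missing tags: " + ", ".join(missing))
    return findings
```

In a real deployment these verdicts would be reported back per resource each time the resource's configuration changes, which is exactly the trigger model the article describes.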

Config Rules automates compliance checks, and all results are recorded and tracked on a per-resource basis. It could be very helpful for customers who have forgotten about an instance or two sitting around in their environment: Config Rules can be used to shut down instances that aren't in use, or to look at the compliance status of a specific type of resource.

Accenture aims to get more users aboard the cloud

For a long time, many organizations held back from moving their workloads to cloud platforms because they were concerned about security. They weren’t sure how to secure the data being stored on servers they didn’t have full control over. There were questions about authentication and identity management, concerns over compliance, and issues with moving data securely.

At this year's re:Invent conference, consulting giant Accenture announced a new AWS Business Group to help businesses address those worries and migrate their applications to the cloud platform. Accenture recently bought Cloud Sherpas, a Google Cloud Platform consultancy, and it is clearly beefing up its cloud development and migration capabilities.

Stories by Fahmida Y. Rashid