Chef Blogs

Secure your Cloud Native Environments Holistically

Sharan Rayakar | Posted on | Chef Cloud Security | DevSecOps

As organizations, accelerate the adoption of Cloud and Container platforms, it opens up a challenge to ensure a compliant environment across a plethora of new, esoteric tools that get introduced.

While cloud platforms have made it incredibly easy to define and scale environments on-demand, with those capabilities come new challenges in how to validate that those environments have been securely designed.

Also, While the cloud service providers take over some security tasks, enterprises retain the responsibility for protecting end-user data, applications, operating systems, endpoints, and network traffic. And just as with on-premises applications, enterprises continue to have the responsibility to monitor user and system activity to detect attacks. This is evident from the Shared Responsibility Model which reflects delineation between what your cloud vendor is responsible for, what you as a cloud customer are responsible for, and where those responsibilities overlap. So very clearly, your cloud vendor is responsible for making sure the services themselves are secure, and you are responsible for making sure you use them securely.

 

Gartner also predicts that through 2023, at least 99% of cloud security failures will be the customer’s fault. Nearly half the organizations it surveyed made mistakes that have exposed data, APIs, or network segments to the internet.

CSPM Solutions and their Need

Cloud security posture management (CSPM) combines threat intelligence, detection, and remediation that works across complex collections of cloud-based applications.

Cloud Solutions today lack a perimeter – it is tough to define which process or person are allowed or disallowed access. Also with Automation through Infrastructure as Code, it has made easier to provision and change infrastructure on the fly but also makes it easy to create misconfigurations that leave the environment open to vulnerabilities. Customers also tend to use several environments (Multi-Clouds) for a specific feature – for e.g., for Containers some customers may use combination of Amazon Web services (AWS) and Azure in different departments. Also, you need a single source of truth - Visibility about your cloud security posture and this posture truth needs to be carried over and integrated with existing security systems already in place.

Finally, Data in the cloud is subject to the same privacy, security, and integrity regulations as the data of previously on-prem locations, yet it is much more difficult to demonstrate compliance. Many organizations cannot demonstrate compliance or pass an audit of cloud environments without enduring slow, manual and costly processes, including generating and stitching together multiple reports.

So very clearly enterprises need CSPM tools to power the source of truth for your cloud infrastructure, to report whether the configuration of your resources meets the best practices prescribed by various industry groups.

Chef Cloud Security Posture Management (CSPM)

To address these challenges many organizations are looking to extend Centre for Internet Security’s (CIS)’s benchmarks to their cloud and container environments. However, much like many traditional compliance rules and guidelines, CIS benchmarks are provided as a PDF file which organizations then in turn need to determine how to apply.

Chef customers have access to a library of pre-created resources, including benchmarks created by the Center for Internet Security (CIS) that turn security best practices into specific, actionable controls that can be run against the systems you manage.

Chef provides these CIS Benchmarks for a variety of server operating systems, as well as for cloud providers themselves — Chef has CIS-Certified profiles available for Amazon Web Services, Microsoft Azure, and Google Cloud Platform. These profiles take aim directly at those cloud-native services called out earlier, providing you with out-of-the box insights into whether services like identity management, security groups, and storage buckets are being implemented securely.

 

BenchmarkAudit
CIS for AWS Foundations Benchmarks – Level 1 & 2Yes
CIS for Azure Foundations Benchmarks – Level 1 & 2Yes

While the CIS Benchmarks enable correcting and fixing the misconfigurations, Chef also provides the capabilities to prevent the misconfiguration at the first place. In many cases, that means fixing the misconfigurations in the Infrastructure As Code (IaC) that was used to create the resources. DevOps teams are increasingly using IaC to deploy cloud-native applications and provision their infrastructure. IaC languages, like Terraform, CloudFormation (CF).

Policy as code merges infrastructure-as-code and compliance-as-code into a single workflow.  Policy as code can also be applied in the context of provisioning tools like Terraform. You can leverage Terraform in local development, in your automated pipelines, or in runtime environments. Terraform uses descriptive files to define system resources, and Chef InSpec can be used with Terraform in two different ways to confirm compliance:

  • Audit provisioned infrastructure: When developing Terraform code for repos, Chef InSpec can be used to verify that resources have been provisioned/updated to match the tested and approved criteria.
  • Terraform code declaration: Chef InSpec can be used for test-driven development to declare the infrastructure configuration and Terraform can be used to provision resources accordingly. In this way, Terraform manages provisioning while InSpec ensures the provisioned resources meet the organization’s policy requirements.

describe aws_s3_bucket(bucket_name: 'my_secret_files') do
   it { should exist }
   it { should_not be_public }
end

describe aws_iam_user(username: 'test_user') do
   it { should have_mfa_enabled }
   it { should_not have_console_password }
end

Validate Your Docker and Kubernetes Configuration Using Chef

Apart from Chef Cloud Security for Cloud Providers, Chef also provides curated, codified and ready-to-run CIS Benchmark templates for Docker and Kubernetes that can be used to perform security scans as an integrated part of automated DevSecOps workflows. By integrating compliance checks as part of automated workflow you can then easily validate that all your container and cloud-native environments are secure.

BenchmarkAudit
CIS Docker Community Edition Benchmark – Level 1 & 2Yes
CIS Kubernetes Benchmark – 1.6.1- Level 1 & 2Yes

The Docker benchmark has recommendations that apply to both the host and the Docker components and are organized around the following components:

  • Host Configuration: Secure the host on which Docker engine runs so that the container it hosts are safe.
  • Docker Daemon Configuration/Files: Secure the behaviour of Docker Daemon that manages all containers on the Docker host.
  • Container Images and Build File: Ensure trusted images and verified packages.
  • Container Runtime: Ensure complaint container startup and runtime parameters configurations to ensure there is no compromise of the host and containers running on it such as avoiding usage of privileged containers and avoid usage of ssh within containers.
  • Docker Security Operations: Ensure limit on the number of containers and container images on the same host.
  • Docker Swarm Configuration: Secure Docker Swarm - the container orchestrator that can manage clusters of containers and their lifecycle.

The CIS Benchmark for Kubernetes  enables that configuration checks to be performed on the following components of their Kubernetes environment:

  • Control Pane
    • Master Node Configuration
    • API Server
    • Controller manager
    • Scheduler
    • Etcd
  • Worker Nodes
    • Worker node config files
    • Kubelet configuration
  • Kubernetes Elements
    • Role Based Access Control, Pods, Network Policies , container network interface (CNI) and Secrets

With Chef Policy as Code Approach, the backend Chef InSpec policies can be extended to Container and Kubernetes use cases such as:

  • Ensuring Secure Docker Host – e.g ensuring privileged access to critical operations , harden the docker host, set image/ build files and config parameters
  • Securing Kubernetes Control Pane - validate that cluster configuration is compliant based on CIS Benchmarks for Kubernetes (Kube-bench)

Mitigate OS Misconfigurations and Vulnerabilities Using Chef

Additionally, Chef has built Premium content specific to helping client ensure that the Host OS is properly hardened in your cloud native environments to mitigate host security misconfigurations and vulnerabilities

Using Chef Premium Content customers can also scan the host operating systems for compliance to benchmarks such as CIS or DISA-STIG by running the corresponding profiles. As part of this you can consider various CIS Security Benchmarks for your container host that Chef provides such as RHEL, SUSE Linux, CentOS Linux, Debian, Ubuntu etc. Additionally, CIS Content for Applications and Databases such as Apache Tomcat, Microsoft SharePoint, MongoDB, PostgreSQL can be leveraged.

Find out more about Chef Cloud and Container Security by visiting our various resources:

To learn more about securing your Cloud and Container environment, contact our Sales and Customer Success Team today!