Secure Your Cloud Estate with Continuous Audits

To meet the demands of an ever more connected world, executing on a comprehensive cloud strategy has become a critical component for organizations at any scale. While cloud platforms have made it incredibly easy to define and scale environments on demand, with those capabilities come new challenges in how to validate that those environments have been securely designed. With high-profile data breaches making headlines on a regular basis, it’s only natural to feel some anxiety, but by implementing a process for continuous, automated audits, organizations can detect and correct deviations from security best practices at any scale.

To put a finer point on the challenges facing cloud security, CSO published The Dirty Dozen: 12 Top Cloud Security Threats. In this article, CSO outlines 12 threats collected and ranked by the Cloud Security Alliance (CSA), providing examples and outlining the severity of each threat. In our latest webinar, Secure Your Cloud Estate with Continuous Audits, we provided guidance on how organizations can use Chef to address those threats consistently and continuously.

The Shared Responsibility Model

AWS Shared Responsibility Model

We’ve spent some time talking about the Shared Responsibility Model in the past, but it’s worth revisiting in the context of how to approach cloud security. In short, the model refers to the delineation between what your cloud vendor is responsible for, what you as a cloud customer are responsible for, and where those responsibilities overlap. Some aspects of these responsibilities are easy enough to understand. For example if you deploy servers, whether they live in an on-premises datacenter or within a cloud-provided virtual machine, it’s generally understood that you’re responsible for configuring and hardening its underlying operating system — this is what many organizations are already using Chef Infra to accomplish! Where the lines get blurrier are when companies implement cloud-native services for things like networking or data storage. In these cases, your cloud vendor is responsible for making sure the services themselves are secure, and you are responsible for making sure you use them securely. 

Auditing Cloud Environments with Chef

Chef customers have access to a library of pre-created resources, including benchmarks created by the Center for Internet Security (CIS) that turn security best practices into specific, actionable controls that can be run against the systems you manage. Chef provides these CIS Benchmarks for a variety of server operating systems, as well as for cloud providers themselves — Chef has CIS-Certified profiles available for Amazon Web Services, Microsoft Azure, and Google Cloud Platform. These profiles take aim directly at those cloud-native services called out earlier, providing you with out-of-the box insights into whether services like identity management, security groups, and storage buckets are being implemented securely. Furthermore, Chef InSpec provides an easy-to-learn language for codifying any organization-specific concerns above and beyond the guidance provided by the built-in CIS profiles, and Chef Infra provides similar resources for taking corrective action on the insights provided.

Together, these capabilities ensure that with Chef you have a single way to detect, correct, and automate any issue in any environment. With Chef Automate, all that data can be aggregated into filterable dashboards, making sure that you have not only the means to continuously audit the systems you manage, but a full history of change, so you always know your current security posture, and how it’s evolved over time.

To find out more, be sure to check out the full webinar recording. For some more technical examples of how to implement cloud audits, join next week’s webinar, Cloud Security Assessment for AWS Instances

Next Steps

Nick Rycar

Nick is a Technical Product Marketing Manager working out of Chef HQ in Seattle. When he's not busy preparing product demos, he's torturing his colleagues with terrible puns and needlessly esoteric pop-culture trivia. Mostly he's just another confused New York transplant in the Pacific Northwest.