DevSecOps combines the rapid speed-to-market of DevOps with robust security. An important tenet of DevSecOps is that security is not an afterthought, but rather a part of the delivery from day one. It integrates security seamlessly into your CI/CD processes so that the end product is not only viable to the customer, but also secure by default.
In the cloud-first world of today, where applications are built and deployed to the cloud at a dizzying pace, web security for DevSecOps has become vital. As cyber threats are evolving by the day, the importance of scanning and analyzing your cloud resources for possible attacks or vulnerabilities cannot be emphasized enough.
Leading cloud service providers like Azure, AWS, and GCP have native tools (such as AWS WAF) available to provide advanced security and threat management capabilities in the cloud. This article will discuss these services in detail, and explore the importance of integrating them with existing DevSecOps practices.
Security Monitoring in the Cloud: Current Landscape
Continuous monitoring is necessary to ensure that your environment is protected against threats. Getting a unified view of your security posture is important, especially in multi-cloud and hybrid-cloud deployments where resources are distributed across multiple environments. The security of components in each of these environments sums up the overall security posture of your workloads. Along with native workload monitoring, some of the tools offered by AWS, Azure, and GCP also provide cross-platform monitoring capabilities out of the box.
Let’s take a look at these in more detail.
Security Monitoring in Azure
There are three main services in Azure that help you monitor and manage a workload’s security posture: Azure Security Center, DDoS protection, and Azure Advanced Threat Protection.
Azure Security Center
The services offered by Azure Security Center strengthen the security posture of environments and protect them from threats via timely alerts and remediation. Native Azure services like Azure SQL, Storage, NSGs, and VMs are integrated with Azure Security Center by default for continuous and automated security monitoring and protection by services such as Azure WAF. Additionally, on-premise VMs and workloads in other cloud environments can be monitored via Microsoft Monitoring Agent, which is easily deployed through DevOps pipelines.
The identified vulnerabilities also include actionable instructions that help security admins to mitigate risks, and the network map tool from Azure Security Center provides a topology of workloads, flagging the security status associated with those components. A security score associated with each recommendation helps organizations prioritize and action the alerts based on the assigned priority. Meanwhile, the fusion kill-chain analysis used by the security center helps correlate and trace attack campaigns, focusing on identifying the origin of attack and its overall impact.
Public IPs in the cloud are often the targets of DDoS attacks intended to exhaust application resources and cause unexpected downtime. In addition to the basic DDoS protection that acts at Azure’s platform level, Standard DDoS Protection can be enabled for virtual network resources that have public IPs associated with them, such as Load Balancer, Application Gateway, third-party firewalls, and Service Fabric.
The service uses always-on traffic monitoring and detection that leverages advanced machine learning algorithms to identify and protect you from organized attacks. DDoS protection plans can be easily integrated into your DevSecOps practices through ARM templates, which you can read more about here.
Azure Advanced Threat Protection
Azure cloud is preferred by organizations with long-standing investments in Active Directory Domain Services, because it offers seamless hybrid identity enablement with Azure Active Directory integration. Azure Advanced Threat Protection (ATP) helps to protect such environments by monitoring Active Directory signals and identifying any unusual user behavior, compromised identities, brute force attacks, pass the hash/ticket, etc.
Advanced user profile analytics also help reduce the attack surface by flagging non-standard identity configurations. ATP can pull up visual Lateral Movement Paths to show possible attack vectors that could leverage compromised sensitive accounts.
Security Monitoring in AWS
Amazon Inspector, Amazon GuardDuty, and AWS Shield are three prominent security monitoring and management tools in AWS that provide functionalities similar to those delivered by the security tools in Azure.
Often considered to be an AWS counterpart to Azure Security Center, Amazon Inspector analyzes the security status of EC2 instances along with the workloads deployed in them. With a robust library of built-in rules and reports, this tool evaluates cloud deployments against compliance standards and deployment best practices. Applications deployed in AWS are inspected for known vulnerabilities, adherence to security best practices, and possible exposure to cyberattacks.
Inspector also enables organizations to define their own security standards and best practices for applications so that appropriate corrective measures can be implemented when deviations are flagged. The service is API-driven and can integrate easily into the application build and deployment process in DevOps in order to identify risks early on in the product life cycle. SDKs are available for all leading programming languages, including Java, .NET, Python, and Ruby, to enable this integration.
Amazon GuardDuty enables continuous threat detection in AWS to detect and protect workloads and user accounts from unauthorized access and exploitation. Powered by machine learning algorithms, the service can identify anomalies in user behavior and generate alerts on potential security breaches. It analyzes data from AWS CloudTrail, DNS logs, and AWS VPC Flow Logs, evaluating them against threat intelligence feeds to filter out malicious activities.
It also flags unusual account activities like password policy changes and non-standard deployment patterns. AWS SDKs enable programmatic access to Amazon GuardDuty APIs, and the service can be integrated with workflows or AWS Lambda for auto remediation.
AWS Shield delivers managed always-on DDoS protection and mitigation for your workloads in AWS and comes in two tiers: Standard and Advanced. Standard DDoS protection is available for free and protects against attacks on infrastructure layers (Layers 3 and 4). AWS Shield Advanced adds real-time visibility, enhanced detection, and advanced mitigation against organized attacks like HTTP floods and DNS query floods. It can also be integrated with AWS Web Application Firewall (WAF) to enhance application layer protection.
Security Monitoring in GCP
Security monitoring in GCP depends mainly on tools such as Web Security Scanner and Cloud Armor that have niche capabilities.
Web Security Scanner
This service helps to ensure application level security of workloads deployed in App Engine, Google Compute Engine, and Google Kubernetes Engine. It works on public IPs and IPs that are not placed behind a firewall (such as Azure Web Application Firewall). Web Security Scanner detects and generates alerts for vulnerabilities like mixed content, clear text passwords, and insecure libraries used in applications, cross-site scripting, Flash injection, etc. The service can integrate with DevOps design and deployment processes, and has built-in intelligence to suppress false alarms.
The same technology that is used to protect services like Gmail, Google Search, and YouTube from DDoS attacks and web-based security risks is now available to customers through Cloud Armor. Cloud Armor enables comprehensive protection at Layers 3, 4, and 7 for workloads deployed behind an external HTTPS load balancer in GCP. Cloud Armor security policies can be configured to enable/disable traffic based on IP address, or to use custom-rule expressions to monitor and mitigate attacks from Layer 3 to Layer 7 based on attributes of incoming requests. The GCP security service is prebuilt with rules to detect SQL injection and cross-site scripting attacks.
Additional Considerations for Cloud Security Monitoring
In addition to the native security monitoring services offered by cloud service providers, organizations should also augment them with third-party tools. For example, full traffic transparency in real time is necessary in order to understand what’s happening in your incoming traffic stream.
Although the top-tier cloud providers offer a variety of native tools, it is a mistake to assume that these tools provide comprehensive security. They do not, nor are they meant to do so. A robust security posture also requires a next-generation Web Application Firewall (WAF), advanced bot mitigation to block hostile bot traffic, API protection, and more. A web security platform such as Reblaze provides these capabilities and more, and runs natively on the top-tier cloud providers.
When adopting security monitoring tools, you should also consider auto-remediation options that can trigger corrective actions without human intervention. For example, webhooks and Automation runbooks can be linked to security alerts generated by Azure. Similarly, Amazon GuardDuty can be configured to leverage AWS Lambda for auto-remediation.
Last but not least, security should be built in from Day 0, when the components are deployed for the first time. For many organizations, this requires a culture shift; for example, adopting IaC (Infrastructure as Code) and implementing immutable infrastructure. All the right security measures should be built into the templates or scripts that deploy your cloud environments through DevSecOps practices and monitored continuously for any deviations.
AWS, Azure, and GCP offer native and third-party tools to protect customers from emerging cyber security threats. However, the cloud follows a shared security model, and it’s up to you to implement the right security monitoring tools. As discussed above, due diligence in choosing the right tools, configuring them per best practices, and integrating them with DevSecOps are some of the steps you can take to protect your cloud workloads from rampant security threats.