Finding, Grouping and Scanning Cloud Assets

Unknown or undermanaged cloud environments create a significant security gap that exposes networks to breaches, data loss, intellectual property theft, and regulatory compliance issues. The first step in getting control over cloud assets is discovering them. Once cloud instances are found, they must be managed to limit exposure. Solutions must discover all cloud instances in the environment, group cloud assets for secure management, and scan for vulnerability- and access-related risks. Look for:
- A centralized solution that covers the majority of cloud workloads, including: Amazon Web Services (AWS), GoGrid, Microsoft Azure, Microsoft Hyper-V, Rackspace, IBM SmartCloud or VMware.
- Capability to inventory all cloud instances regardless of runtime state.
- The ability to group cloud assets and establish role-based access.
- Vulnerability assessment, reporting and remediation that ties into your existing vulnerability management environment. This holistic view of vulnerability-based risks will simplify a security admin’s life.
Protecting Virtual and Cloud Management Consoles and Instances

Cloud and virtualization introduce new super-user consoles into the mix. Consoles such as those for Amazon AWS and Office 365 give administrators tremendous control, enabling them to modify, delete, and add new servers, often with just a few clicks. Corporate accounts for Facebook, LinkedIn or Salesforce are similarly powerful – inappropriate access can severely damage a firm’s reputation, resulting in significant financial loss. Solutions must enable tighter control and accountability over cloud management consoles by discovering, onboarding, managing and cycling passwords, as well as performing session management and reporting on access. Look for:
- Secure storage and session management for administrative credentials to cloud platforms, as well as social networks.
- Broad platform coverage of cloud and social media platforms, like: Amazon AWS, Azure, Dropbox, GoGrid, Google, Office 365, Rackspace, Salesforce, Facebook, Instagram, LinkedIn, Pinterest, Twitter or XING.
Using a Cloud Access Service Broker

Many organizations utilize cloud access service brokers (CASBs) as a proxy for all cloud traffic. A CASB is usually implemented as a reverse proxy (or a VPN connection), and all internet-bound network traffic is funneled through it to centralize access control and auditing. Most CASBs, however, deliver only generalized policies. Solutions should improve on CASB functionality by providing a single tunnel to control and audit cloud access activities, specifically for privileged accounts and sessions. Look for capabilities that go beyond a typical CASB by ensuring that all access to all cloud assets is segmented, protected, monitored and recorded for auditing purposes:
- Enterprise password management – Discover accounts, randomize and rotate passwords, and enforce check-in/check-out of credentials.
- Session monitoring, management and recording – Record privileged sessions in real time via a proxy session monitoring service and enable dual control.
- Advanced workflow controls – Provide additional context to requests by considering the day, date, time and location when a user accesses resources to determine their ability to access those systems.
- Advanced segmentation – Route all remote access sessions through the proxy for management and reporting, and enforce segmentation so that only authorized connectivity reaches cloud assets and exposure to attack is limited.
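The workflow-control and recording capabilities described above can be illustrated with a small deny-by-default policy evaluator that weighs the day, date, time and location of a privileged access request and writes one audit line per decision. This is an added example, not code from the original document or from any vendor product; the policy values, user names, console names and country codes are constructed, and a fixed UTC offset stands in for a real time-zone database.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed example: a context-aware access rule for one privileged cloud console.
@dataclass(frozen=True)
class AccessPolicy:
    allowed_weekdays: frozenset              # 0 = Monday ... 6 = Sunday, in local time
    window_start: int                        # first permitted local hour (inclusive)
    window_end: int                          # first forbidden local hour (exclusive)
    allowed_countries: frozenset             # ISO country codes from upstream geolocation
    utc_offset_hours: int                    # fixed offset; a deployment would use zoneinfo
    blackout_dates: frozenset = frozenset()  # ISO dates such as change-freeze days
@dataclass(frozen=True)
class AccessRequest:
    user: str
    target: str
    when_utc: datetime                       # timezone-aware UTC timestamp of the request
    country: str

def evaluate(policy: AccessPolicy, req: AccessRequest) -> tuple[bool, list[str]]:
    """Deny by default: return (allowed, reasons) listing every check that failed."""
    local = req.when_utc.astimezone(timezone(timedelta(hours=policy.utc_offset_hours)))
    reasons = []
    if local.weekday() not in policy.allowed_weekdays:
        reasons.append(f"day {local.strftime('%A')} is outside the allowed weekdays")
    if local.date().isoformat() in policy.blackout_dates:
        reasons.append(f"date {local.date().isoformat()} is a blackout date")
    if not policy.window_start <= local.hour < policy.window_end:
        reasons.append(f"time {local.strftime('%H:%M')} is outside "
                       f"{policy.window_start:02d}:00-{policy.window_end:02d}:00")
    if req.country not in policy.allowed_countries:
        reasons.append(f"location {req.country} is not permitted")
    return (not reasons, reasons)

def audit_record(req: AccessRequest, allowed: bool, reasons: list[str]) -> str:
    """One line per decision so that denied as well as granted requests are recorded."""
    verdict = "GRANT" if allowed else "DENY"
    return (f"{req.when_utc.isoformat()} {verdict} user={req.user} target={req.target} "
            f"country={req.country} reasons={'; '.join(reasons) or '-'}")

# Constructed policy and requests: US business hours (UTC-5) on weekdays, from the US or UK.
CONSOLE_POLICY = AccessPolicy(frozenset({0, 1, 2, 3, 4}), 8, 18, frozenset({"US", "GB"}), -5,
                              frozenset({"2024-12-25"}))
IN_HOURS_REQ = AccessRequest("alice", "aws-console", datetime(2024, 3, 5, 15, tzinfo=timezone.utc), "US")
AFTER_HOURS_REQ = AccessRequest("alice", "aws-console", datetime(2024, 3, 9, 3, tzinfo=timezone.utc), "US")
BLACKOUT_REQ = AccessRequest("bob", "azure-portal", datetime(2024, 12, 25, 15, tzinfo=timezone.utc), "RU")

if __name__ == "__main__":
    for req in (IN_HOURS_REQ, AFTER_HOURS_REQ, BLACKOUT_REQ):
        print(audit_record(req, *evaluate(CONSOLE_POLICY, req)))
```

Note that the Saturday 03:00 UTC request is judged as Friday 22:00 in the policy's local time, which is why converting to the administrator's time zone before applying day and hour rules matters.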