If you’re operating in the cloud, you may be familiar with the shared responsibility model. We often hear people say they think they’re inherently secure because they use the cloud and their cloud provider takes care of all security needs, but that’s not exactly true. While your cloud provider is responsible for some security, you, too, have several responsibilities—hence the shared model.
In this post, we’ll show you what you’re responsible for securing in the cloud, how vulnerability management differs in the cloud, and what you need to do to minimize your risk.
Why vulnerability management still matters in the cloud
What often happens when a company moves to the cloud is that the DevOps team takes ownership of the cloud infrastructure, leaving the security team without easy visibility into what’s happening. But even when security does have visibility, keeping up is difficult because deployments happen automatically and there typically isn’t a single approval step when something is pushed to production.
Securing what runs inside your environment is not something cloud providers take responsibility for. The only thing your cloud provider must do is secure the core infrastructure (the hardware and firmware). You are responsible for what you put on that infrastructure, such as EC2 instances and virtual machines. To that end, let’s take a look at how you do that.
Detecting vulnerabilities in the cloud
Now that you know there are areas of your cloud that may be vulnerable, there are two ways you can go about addressing them: either a third-party vulnerability risk management solution such as InsightVM, or Amazon’s native tool, Amazon Inspector.
Amazon Inspector is designed to automatically assess assets in AWS for exposure, vulnerabilities, and deviations from best practices. Once it performs an assessment, Inspector produces a detailed list of security findings prioritized by level of severity. It can also check for unintended network accessibility of your EC2 instances and vulnerabilities on those EC2 instances. This is a good start, but when it comes to managing risk in your AWS environment, simply identifying and assessing vulnerabilities is not enough.
A third-party solution like InsightVM goes beyond identifying and assessing—it helps to prioritize, remediate, report, and track vulnerabilities, which are necessary components of a successful vulnerability risk management program. In addition to having cloud discovery connections, Cloud Configuration Assessment, and Container Assessment, InsightVM takes the findings from these sources and prioritizes them with the Real Risk score, which shows you the likelihood of an attacker exploiting the vulnerability in a real attack, letting you prioritize vulnerabilities the way attackers would.
Once you know the highest-priority vulnerabilities to fix, InsightVM then tracks remediation progress through Remediation Projects and Goals & SLAs. And with Automation-Assisted Patching and Automated Containment, it leverages automation capabilities to actually reduce risk.
When it comes to staying secure in the cloud, you need the ability to detect vulnerabilities and take fast action on them to ensure they are fully remediated. InsightVM is purpose-built to help security teams do just this.
Addressing and minimizing vulnerabilities in the cloud
So, what happens when a vulnerability does appear? Well, there are many ways to remediate vulnerabilities in an AWS environment. One option is to create and maintain a base AMI that gets regularly updated to run the most recent version of whatever operating system you’re using. With this approach, when a vulnerability is detected, you can create a new baseline AMI that incorporates patches for the vulnerability. This will eliminate the vulnerability from any future EC2 instance you deploy, but you’ll need to redeploy the new AMI to any currently running EC2 instances.
Another option is to use AWS Patch Manager. With this approach, you can automatically apply patches to your EC2 instances during regularly scheduled maintenance windows. Patch Manager has additional features such as the ability to include or exclude certain patches and use different patch baselines for different groups of instances.
A third option is to use an infrastructure automation tool like Chef or Puppet to install patches. This approach makes sense if you are already using one of these tools to maintain your EC2 instances.
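The baseline-AMI approach above leaves one practical gap: finding the instances that are still running (or stopped and able to resume) on an older AMI so they can be redeployed. The following added example, which is not from the original post and does not use any Rapid7 or AWS tooling, checks `describe-instances`-shaped output against a per-role baseline map; the instance IDs, AMI IDs, and the `Role` tag are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output,
# trimmed to the fields used below. All IDs are placeholders.
DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "ImageId": "ami-base-v1",
         "State": {"Name": "running"},
         "Tags": [{"Key": "Role", "Value": "web"}]},
        {"InstanceId": "i-0bbb222", "ImageId": "ami-base-v2",
         "State": {"Name": "running"},
         "Tags": [{"Key": "Role", "Value": "web"}]},
        {"InstanceId": "i-0ccc333", "ImageId": "ami-base-v1",
         "State": {"Name": "stopped"},
         "Tags": [{"Key": "Role", "Value": "batch"}]},
        {"InstanceId": "i-0ddd444", "ImageId": "ami-unknown",
         "State": {"Name": "running"}, "Tags": []},
    ]}]
})

# Current patched baseline AMI per role (hypothetical values). Anything
# else is stale and should be redeployed from the new baseline.
BASELINE = {"web": "ami-base-v2", "batch": "ami-base-v2"}


def tag_value(instance, key):
    """Return the value of tag `key`, or None if the instance lacks it."""
    return next((t["Value"] for t in instance.get("Tags", [])
                 if t["Key"] == key), None)


def find_stale_instances(describe_json, baseline):
    """Return (instance_id, role, image_id) for each non-terminated
    instance not launched from its role's current baseline AMI.
    Stopped instances count: they resume on the old image.
    Instances with no tracked role are reported as 'untracked' so they
    do not silently drop out of the redeploy list."""
    stale = []
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] == "terminated":
                continue
            role = tag_value(inst, "Role")
            if role not in baseline:
                stale.append((inst["InstanceId"], "untracked", inst["ImageId"]))
            elif inst["ImageId"] != baseline[role]:
                stale.append((inst["InstanceId"], role, inst["ImageId"]))
    return stale
```

Feeding this real `describe-instances` output (for example via `aws ec2 describe-instances --output json`) yields the redeploy list for the new baseline; the `untracked` entries are the ones to investigate first, since nothing is managing their patch level.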
We’ll further discuss the ways you can remediate vulnerabilities in an AWS environment in the next blog post in this series.
Taking the shared responsibility model to the next level
Now that you’re familiar with the shared responsibility model and what you need to do to cover your part, stay tuned for the next posts in our series on vulnerability risk management in the cloud to learn:
- How to detect, prioritize and remediate vulnerabilities
- How to handle misconfigurations in the cloud
- How to secure containers and serverless environments
What other questions do you have about vulnerability risk management? Comment below or tag us on Twitter @Rapid7.