The Challenges of Multi-Cloud Compliance

Organizations that use public clouds like Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) understand that each platform does things its own way, and those differences create challenges for securing them all. In a recent episode of the Tenable Cloud Security Coffee Break webinar series, we talked about those challenges and how Tenable Cloud Security can help. Check out the highlights of our discussion.

Automation and infrastructure-as-code tools like Terraform have helped organizations large and small change how they deploy and manage systems in public clouds, but it’s also led to cloud sprawl and misconfigurations that lead to security problems. Different teams and workloads can become scattered, making it hard to know about and fix security problems before they become security disasters.

The problem is made worse by multi-cloud adoption, the increasingly popular practice of organizations choosing to use two or more public cloud platforms to avoid placing all their eggs in a single basket. While this diversification has its benefits, it also creates a security challenge, because each platform does things in slightly different ways. Securing them typically requires experts to manage each separately.

That doesn’t scale well and isn’t practical as cloud infrastructure grows and becomes more scattered. During a recent episode of Tenable’s Cloud Security Coffee Break webinar series, we sat down with Tenable’s Senior Manager of Information Security Phillip Hayes and Tenable Senior Manager of Security Engineering Alex Feigenson to talk about some of these challenges and how multi-cloud compliance gets done. 

Automation: There’s some bad with the good

Terraform, AWS CloudFormation, Dockerfiles, Helm charts and other infrastructure-as-code tools make it easy and fast to automate the provisioning of systems, but they also make it easy to create instances that aren’t compliant with a company’s security policies.

“There are a lot of really great automation tools out there, and you could pick from any number of them, like Terraform and AWS CloudFormation, but there are really just no sane defaults for a lot of it,” said Feigenson. 

A few lines of Terraform code can stand up one, hundreds or thousands of instances in AWS or Azure in minutes. Some of the default settings you use might be secure, but you’re just as likely to find dozens of default settings that aren’t.

“Maybe you grab some Terraform sample code off the web and you’re like, ‘Oh, man! I just stood up machines on AWS. Look how easy that was!’,” Feigenson said. “And the next thing you know, you're getting a phone call from the security team.”

Discovering cloud environment misconfigurations that expose your organization to security risks is bad enough, but figuring out what’s causing them – and how to fix them all – is an even greater challenge. “When you multiply that out by multi-cloud, it just gets much, much worse,” Feigenson said.

For Hayes, avoiding these kinds of scenarios is part of his everyday job as head of information security. It’s a problem that’s become harder to wrangle, particularly over the past 10 years.

“It's beautiful that you're able to do that type of automation in this day and age at such a low cost and at high speed,” Hayes said. “But you unknowingly may be deploying things that are insecure, or perhaps AWS released a new feature you had no idea about and all of a sudden what was secure 72 hours ago suddenly isn’t.”

Securing multiple clouds usually means multiple tools

The public cloud vendors recognized this problem and developed tools to help their customers secure their environments and the workloads running in them. But as the scale of everything grows, security teams using multiple clouds have to rely on different tools – often provided by each cloud vendor – for each platform. 

To be efficient, Hayes and his team didn’t have to go far to find the tool that fit their needs. They adopted Tenable Cloud Security, formerly Tenable.cs, and provide user feedback to the Tenable Cloud Security engineers on how to meet their needs. Tenable Cloud Security uses cloud APIs to gather data from different cloud platforms, aggregate the data, scan it for security problems and unify the results. It provides an apples-to-apples view across cloud resources – and all the security misconfigurations affecting them.

“There are so many clouds out there,” Hayes said. “Aggregation and centralization very quickly becomes a necessity.”

Tenable Cloud Security provides a single interface for multiple clouds

Tenable Cloud Security provides a unified view across AWS, Azure and GCP so security teams can see everything they have running in public clouds, identify the most critical problems, and begin the process of remediation with integrated Jira tickets and Git pull requests.

Security teams also can take advantage of more than 1,500 built-in policies that support compliance for a variety of security frameworks, including from the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), and Systems and Organization Controls (SOC-2), as well as regulations like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). Filters quickly show cloud resources that are compliant – or not.

“This helps on a daily basis,” Hayes said. “Whether we're triaging an incident or maybe somebody is having an issue with a resource, or too much access, or they don't know where something lives. This is when aggregation quickly comes into play. It’s highly efficient for our needs compared to the individual cloud tools.” 

Tenable Cloud Security also makes security-audit reporting much faster and easier, he said. Built-in reporting makes it possible to provide governance and compliance teams with detailed summaries.

“It saves a lot of time because we don't have to build tools to do all these checks and show where we're compliant or non-compliant,” Hayes said. “That is an ongoing aspect of our jobs that we have to constantly be responding to, and a tool like this helps make it efficient.”

Learn more about CSPM and Tenable Cloud Security here.