Conformity
Prioritize Security Controls for Critical AWS Assets
Learn best practices for securing your sensitive data in your Amazon Web Services (AWS) environments with automated tools that integrate into your pipeline.
If you’re already using Amazon Web Services (AWS) to build your cloud applications, you’re in luck. AWS has a seemingly endless number of native and AWS Marketplace vendor security services that can integrate into your environment without a hitch so you can build and deploy securely.
We explored how to keep your sensitive assets safe with AWS experts in our on-demand webinar How to prioritize security controls for sensitive AWS assets. You can watch the full video here, or keep reading for the tl;dr version.
Pets vs. Cattle in the Cloud
Huh? We’ll explain.
Using cloud-native security solutions can help you adhere to design patterns that look more like “cattle” and less like “pets.” Still confused? Stick with us.
Pets are very personal. You name them, give them lots of hugs, and dote on their every need. When your pet is sick, you take them to the vet and hold back tears when you receive the bill.
On the other hand, cattle are less personal. They’re branded with a long string of numbers and serve a bigger purpose than being your loveable pet. And, as morbid as it is, if a cow becomes ill, you cull it from the herd.
The difference between pets and cattle extends to the world of cloud computing. If you build a system that requires a ton of personal care like pets, security is often time consuming and tedious. But, if you design them like cattle and minimize the individual attention needed, you’ll find that security is substantially easier.
Keep in mind that you will always have pets, but the goal is to make better design choices to build more cattle to increase automation and adapt for scale.
More cowbell: DIE Triad and pet control
Leveraging the DIE Triad helps you build cattle. This model is an answer to the issues the CIA Triad (confidentiality, integrity, availability) couldn’t resolve. Namely, the CIA model isn’t as scalable as organizations require today. DIE model aims to reduce complexity (cattle > pets) by building in security through the following attributes:
Each attribute has a security benefit that eliminates the need for following the CIA Triad:
| CIA | DIE |
| Confidentiality | Ephemeral: There is less concern about confidentiality because it won’t be lingering around longer than necessary |
| Integrity | Immutable: If the data cannot be changed, the integrity shouldn’t matter |
| Availability | Distributed: This negates the need for one component to always be available |
Another component of building better is disincentivizing and discouraging pets through awareness. Sometimes you may intend to build cattle, but suddenly it’s morphing into a pet.
If you see something, say something. Here’s 3 signs your cow is becoming a chihuahua:
- SSH-ing into a container
- Letting an asset live longer than needed
- Patching in place
If you see signs of a pet-in-progress, remind yourself of the commitment you’re about to enter. Yes, having a pet is fun, but you are obligated to give it a lifetime of love, care, attention, and fun. No takebacks. When you need to build and launch quickly, you can’t be held back by system security issues that require manual, tedious attention.
Herding the cattle
You can use AWS cloud-native capabilities to build cattle-like designs. For instance, Amazon CloudFront takes care of the distributed attribute, AWS CloudFormation templates keep things repeatable and immutable, and AWS Lambda allows you to build applications based on very short-lived functions.
This is a great starting point, but the more security the better. This doesn’t mean you need more security products. We’ll get to that in a bit.
Prioritizing security with the cyber defense matrix
Leveraging this matrix helps you check if all your bases are covered and if you need to fill any gaps. The functions of the cyber defense matrix—identify, protect, detect, respond, and recover—embody the five operational functions of the NIST Cybersecurity Framework (CSF). The assets—devices, applications, networks, data, and users—refers to what needs to be secured.
We’re focusing primarily on the left side of the matrix, or rather before the “boom,” which refers to the point between protect and detect where some event occurs. Ideally, you want to avoid a boom. You can do so by shifting security left (get it?) and prioritizing the identify and protect functions.
When you prioritize security by shifting it to the forefront, it ensures your application is in tip top shape from inception to creation, instead of having to scramble to remediate issues after the boom.
The identify function means understanding what the organization needs to be secure and getting everyone on the same page. Security isn’t one-size-fits-all, so it’s important that the business context is considered.
The protect function is essentially creating a game plan to make sure everything goes smoothly. This is where using the DIE model to build cattle is essential. Since DIE encourages security by design, you can limit the impact of a cybersecurity issue.
As we mentioned earlier, using the cloud-native capabilities of AWS services like Lambda and CloudFormation serve as great building blocks for a strong application. But integrating another layer of security provides a powerful one-two punch to keep the bad guys away.
How Trend Micro Cloud One™ helps
Purpose built for cloud builders, Trend Micro Cloud One™ is a platform of seven security services that provide protection throughout the development process. AWS customers can leverage this innovative platform thanks to powerful APIs for an extra layer of defense that enhances your security posture.
Using our handy cyber defense matrix, let’s look at how the seven services stack up:
Well, would you look at that… Seems like all your bases are covered.
Trend Micro Cloud One™ – Conformity provides protection across the board. Conformity complements other services by working in tandem to ensure continuous compliance via automated scans across cloud service configurations for AWS services and best practice checks against the AWS Well-Architected Framework. It also connects with your favourite third-party ticketing or communication providers like Amazon Simple Notification System (SNS). All this to say, Conformity seamlessly integrates with your AWS environment so you can build confidently in the cloud.
Try it for yourself with a free 30-day trial.
