While the public cloud sector continues its rapid growth (as of 2016, it was estimated to be a $200 billion market), one segment within it is growing at an even faster pace. The Infrastructure as a Service (IaaS) market grew at a blistering 42.8% in 2016, twice as fast as the Software as a Service (SaaS) market and 149% faster than the public cloud sector as a whole. Growth in IaaS adoption is expected to continue into 2017. According to recent studies, more than half of custom web applications (also known as in-house applications) are currently hosted in enterprise data centers instead of the cloud. By the end of 2017, fewer than half of these apps will be hosted in enterprise data centers.
Today, we’re pleased to announce the next phase in secure cloud enablement, the launch of McAfee MVISION Cloud (formerly Skyhigh) for Amazon Web Services (AWS), making us the only cloud access security broker (CASB) to provide an exhaustive cloud security solution for IaaS, PaaS, and SaaS.
While Amazon has built robust security features that protect the underlying infrastructure of AWS, cloud security’s shared responsibility model requires customers to ensure secure usage of AWS. McAfee MVISION Cloud for AWS is a comprehensive protection, monitoring, auditing, and remediation solution for enterprises looking to secure all of their AWS accounts.
MVISION Cloud for AWS provides an API integration with AWS infrastructure to enforce an exhaustive set of security controls, ensuring that enterprises meet their security, compliance, and governance requirements. Since enterprises often have multiple AWS accounts, MVISION Cloud provides a single view of activities, threats, and security misconfigurations across every enterprise AWS account. MVISION Cloud addresses 5 key areas pertaining to AWS security:
1. Capture a complete audit trail of all AWS user activity for investigation in real time
MVISION Cloud integrates with Amazon's CloudTrail to provide complete and granular visibility into how AWS is being used by all users, including root, IAM, and federated users. With MVISION Cloud for AWS, enterprises can easily detect, in real time, the creation, modification, or removal of AWS resources, including changes made to Amazon's Elastic Compute Cloud (EC2) and associated Elastic Block Storage (EBS). MVISION Cloud supports and dramatically accelerates post-incident investigation while decreasing incident response time. McAfee's platform extends NLP-based activity categorization to IaaS, so that InfoSec does not need to worry about the details of a specific IaaS, PaaS, or SaaS platform and can keep its incident response (IR) process independent of the platform.
2. Detect compromised accounts, insider threats, and privileged access misuse across AWS.
Securing an Amazon deployment requires customers to operationalize the shared responsibility model. While Amazon is responsible for threats posed to the underlying infrastructure of AWS, the customer is wholly responsible for threats arising from within, whether from deliberate misuse or from negligent use. This is a critical paradigm shift from how enterprises have historically operated with on-premises systems. More and more cloud security incidents are expected to be the fault of the customer, as evidenced by Gartner's prediction:
“Through 2020, 95 percent of cloud security failures will be the customer’s fault”
McAfee MVISION Cloud combines machine learning and user and entity behavior analytics (UEBA) to build a self-learning behavior model that can detect anomalous activity patterns in AWS indicative of a compromised account, including excessive failed login attempts, brute-force attacks, login attempts from untrusted or disparate locations, etc. McAfee’s UEBA is also the only solution operationalizing a threat funnel to differentiate between anomalous behavior and real threats. With this, AWS customers can protect themselves against malicious or negligent insider threats such as unwarranted escalation of permissions by a privileged user. McAfee correlates user activity within AWS with activities across all other cloud services to correctly identify actual AWS threats while minimizing false positives.
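As an added illustration of the two capabilities above (this is example code written for this post, not McAfee's product code), the block below runs over a handful of constructed CloudTrail-style records: it sorts resource activity into platform-neutral create/modify/delete categories for an audit trail, and flags users whose failed console sign-ins cluster inside a short window, the "excessive failed login attempts" signal named in the text. The verb-prefix categorization, the sample users, timestamps and thresholds are all assumptions; only the record field names follow CloudTrail's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(time, name, user, failed=False):
    """Minimal CloudTrail-style record (constructed sample, not real log data)."""
    event = {"eventTime": time, "eventName": name,
             "userIdentity": {"type": "IAMUser", "userName": user}}
    if failed:  # how CloudTrail records a failed console sign-in
        event["responseElements"] = {"ConsoleLogin": "Failure"}
        event["errorMessage"] = "Failed authentication"
    return event

EVENTS = [rec("2017-05-01T10:00:%02dZ" % (s * 10), "ConsoleLogin", "alice", failed=True)
          for s in range(6)] + [
    rec("2017-05-01T10:02:00Z", "RunInstances", "bob"),
    rec("2017-05-01T10:05:00Z", "AttachVolume", "bob"),
    rec("2017-05-01T11:00:00Z", "DeleteVolume", "bob"),
    rec("2017-05-01T12:00:00Z", "ConsoleLogin", "carol", failed=True),
]

# Platform-neutral categories from the API verb (a prefix heuristic assumed here).
ACTION_PREFIXES = {"create": ("Create", "Run", "Put"), "delete": ("Delete", "Terminate"),
                   "modify": ("Modify", "Attach", "Detach", "Update")}

def categorize(event):
    name = event["eventName"]
    return "auth" if name == "ConsoleLogin" else next(
        (c for c, p in ACTION_PREFIXES.items() if name.startswith(p)), "read")

def resource_changes(events):
    """Create/modify/delete actions: the audit trail an investigator pulls first."""
    return [(e["eventTime"], e["userIdentity"]["userName"], categorize(e), e["eventName"])
            for e in events if categorize(e) in ("create", "modify", "delete")]

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed console sign-ins inside one `window`."""
    failures = defaultdict(list)
    for e in events:
        if e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            failures[e["userIdentity"]["userName"]].append(when)
    flagged = {}
    for user, times in failures.items():
        for start in times:  # window anchored at each failure; order is irrelevant
            count = sum(1 for t in times if start <= t <= start + window)
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged
```

A single failed sign-in (carol) stays below the threshold, while alice's six failures within one minute are reported with the densest count seen.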
3. Analyze and audit AWS security configuration to ensure compliance with external regulations and internal policies.
AWS provides an extensive set of security configuration options for all their services. Some of the most common and critical ones are:
- Identity and Access Management (IAM)
- Relational Database Service (RDS)
- Elastic Compute Cloud (EC2)
- Amazon Machine Images (AMI)
- Elastic Load Balancer (ELB)
MVISION Cloud for AWS provides enterprises with the tools needed to continuously monitor and audit AWS security settings, in real time, to ensure they are compliant with the ISMS controls required of any enterprise. For example, McAfee will flag security misconfigurations such as access logging being turned off for CloudTrail. This is an extremely important setting that must remain turned on at all times. When it is turned off, a malicious user can not only create, modify, or delete key AWS resources, but can also access the S3 bucket containing the CloudTrail logs of their nefarious activity. They can then systematically delete these logs, making it impossible to identify who made the changes to the AWS services or who accessed and deleted the logs.
McAfee will also flag misconfigured settings such as multifactor authentication being turned off for root accounts or for deleting a CloudTrail bucket. In total, McAfee monitors over 70 AWS security configuration settings across all AWS services and flags those that are non-compliant with an enterprise's ISMS controls and the risk profile of the IaaS deployment. In addition, McAfee provides recommendations and an in-product remediation platform. This, coupled with role-based access control, ensures that InfoSec can partner with Ops teams within a single console.
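To show what such a configuration audit checks in practice, here is an added example (not McAfee's code) that evaluates the settings called out above against a constructed account snapshot. The snapshot is shaped like the boto3 responses for `cloudtrail.describe_trails`/`get_trail_status`, `iam.get_account_summary` and `s3.get_bucket_versioning`; a live run would fill it from those calls, while the bucket name, trail name and values here are invented.

```python
# Constructed account snapshot shaped like the boto3 responses for
# cloudtrail.describe_trails + get_trail_status, iam.get_account_summary and
# s3.get_bucket_versioning. Field names follow those APIs; values are invented.
WEAK = {
    "trails": [{"Name": "main", "S3BucketName": "ct-logs-example", "IsLogging": False,
                "IsMultiRegionTrail": False, "LogFileValidationEnabled": False}],
    "account_summary": {"AccountMFAEnabled": 0},
    "bucket_versioning": {"ct-logs-example": {"Status": "Suspended", "MFADelete": "Disabled"}},
}
HARDENED = {
    "trails": [{"Name": "main", "S3BucketName": "ct-logs-example", "IsLogging": True,
                "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}],
    "account_summary": {"AccountMFAEnabled": 1},
    "bucket_versioning": {"ct-logs-example": {"Status": "Enabled", "MFADelete": "Enabled"}},
}

def audit(snapshot):
    """Return (severity, area, message) findings for the settings discussed above."""
    findings = []
    if not snapshot["trails"]:
        findings.append(("HIGH", "CloudTrail", "no trail configured: no audit trail at all"))
    for trail in snapshot["trails"]:
        name, bucket = trail["Name"], trail["S3BucketName"]
        if not trail.get("IsLogging"):
            findings.append(("HIGH", "CloudTrail", "trail %s: logging is turned off" % name))
        if not trail.get("LogFileValidationEnabled"):
            findings.append(("MEDIUM", "CloudTrail",
                             "trail %s: log file validation off, tampering undetectable" % name))
        if not trail.get("IsMultiRegionTrail"):
            findings.append(("MEDIUM", "CloudTrail",
                             "trail %s: single-region, activity elsewhere is unlogged" % name))
        # The bucket holding the logs must require MFA before objects can be deleted.
        versioning = snapshot["bucket_versioning"].get(bucket, {})
        if versioning.get("MFADelete") != "Enabled":
            findings.append(("HIGH", "S3",
                             "bucket %s: CloudTrail logs can be deleted without MFA" % bucket))
    if snapshot["account_summary"].get("AccountMFAEnabled") != 1:
        findings.append(("HIGH", "IAM", "root account has no MFA device"))
    return findings

def is_compliant(snapshot):
    """True only when no HIGH finding remains; MEDIUM findings are reported but tolerated."""
    return not any(f[0] == "HIGH" for f in audit(snapshot))
```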
4. Analyze and audit identity and access management (IAM).
IAM is Amazon's access control service for AWS. IAM lets AWS admins create users or groups of users and limit their access to AWS resources. Limiting factors include whether someone is accessing from a specific IP address, whether they're using SSL, or whether they have multi-factor authentication turned on. McAfee adds an additional layer of security control to IAM that provides, at a glance, a dashboard view of all user and user group permissions, to identify users with unnecessary permissions, users with dormant accounts that should be removed, or groups with inactive users that should be decommissioned to reduce risk.
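The dormant-account and missing-MFA checks from that dashboard can be reproduced from the IAM credential report, as in this added example (again example code, not McAfee's). The rows are constructed in the layout of the credential report (a subset of its columns) with invented users and dates; the 90-day idle threshold and the `AS_OF` date are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed rows in the layout of the IAM credential report (subset of its columns);
# users, dates and values are invented for illustration.
REPORT = """user,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,2015-06-01T00:00:00+00:00,not_supported,2017-04-30T08:00:00+00:00,false,false,N/A
alice,2016-03-01T00:00:00+00:00,true,2017-04-28T09:15:00+00:00,true,true,2017-04-29T11:00:00+00:00
bob,2016-01-10T00:00:00+00:00,true,2016-11-02T16:40:00+00:00,false,false,N/A
svc-build,2016-06-01T00:00:00+00:00,false,not_supported,false,true,no_information
carol,2017-04-25T00:00:00+00:00,true,no_information,true,false,N/A
"""
AS_OF = datetime(2017, 5, 1, tzinfo=timezone.utc)  # assumed review date

def parse_ts(value):
    """Report dates are ISO 8601; N/A, no_information and not_supported mean 'never'."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None

def last_activity(row):
    """Most recent of creation, console sign-in and key use, or None if all unknown."""
    stamps = [parse_ts(row[k]) for k in
              ("user_creation_time", "password_last_used", "access_key_1_last_used_date")]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None

def review(report_text, as_of, max_idle=timedelta(days=90)):
    """Flag dormant users and password users without MFA, as an IAM audit view would."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        has_credential = row["password_enabled"] == "true" or row["access_key_1_active"] == "true"
        last = last_activity(row)
        if has_credential and (last is None or as_of - last > max_idle):
            findings.append((user, "dormant: credentials unused for over %d days" % max_idle.days))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        if user == "<root_account>" and row["mfa_active"] != "true":
            findings.append((user, "root account without MFA"))
    return findings
```

Creation time counts as activity so that a freshly created user (carol) is not reported as dormant before anyone has had a chance to use the account.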
5. Extend activity monitoring, threat protection, and data loss prevention to custom apps deployed on AWS with no coding.
As IaaS adoption grows, so does the number of custom applications that enterprises build and deploy on public cloud infrastructure. The average enterprise has hundreds of custom applications deployed in the cloud, and that’s expected to grow over the next twelve months. Most of these applications are business critical and have strict security and compliance requirements.
To that end, McAfee enforces data loss prevention policies for sensitive data uploaded to custom apps, including protected health information (PHI), personally identifiable information (PII), and intellectual property to ensure compliance with external regulations and internal policies. McAfee’s platform approach allows enterprises to enforce the same policies and remediation actions across all cloud services, including SaaS, PaaS, and custom applications hosted in AWS.
McAfee also extends activity monitoring and threat protection to the custom apps built on AWS, including rapid detection and remediation of insider threats, privileged user threats, and compromised accounts. Best of all, the solution can be scaled out to any custom app running on AWS without writing a single line of code.