In recent years, with the rapid rise of cloud computing, virtualized applications and infrastructure have been replacing traditional in-house deployments of applications and services.
It is now usually more cost-effective for organizations to rent hardware resources from providers such as Microsoft, Amazon, and Google and spin up virtual server instances with exactly the hardware profile their services require. But security in the cloud is just as vital as security in traditional on-premises environments, and the shared responsibility model leaves the operating system and application configuration of those instances in the customer's hands. Just as with physical servers, system hardening is an excellent way to minimize security vulnerabilities in the cloud.
Learn more about system hardening and what steps you need to take to adopt hardening measures in the cloud:
What is System Hardening?
System hardening is the process of securing a system's configuration and settings to reduce its attack surface and the likelihood of compromise. The purpose of hardening is to eliminate as many security risks as possible, and in most cases this is done by removing everything the system does not need to do its job: non-essential software packages and utilities, unused accounts and services, open network ports, and excess permissions and access rights. With fewer of these present, attackers and malware have fewer opportunities to gain a foothold in your IT environment.
What Hardening Recommendations Should I Follow?
There are hundreds of security recommendations to choose from, but the most widely adopted are the CIS Benchmarks, consensus-developed configuration baselines and best practices for securely configuring operating systems, applications, and cloud services.
In an on-premises environment, recommendations such as the free CIS Benchmarks are predominantly applied through Group Policy for Windows and configuration management tools such as Puppet and Chef for Linux. In the cloud, organizations can instead pre-harden their server images against the CIS Benchmarks before the images are ever launched or, in the case of AWS and Microsoft Azure, purchase a CIS Hardened Image from the respective marketplace.
Once the image is hardened, its security stance can be extended further by baking in your organization's security software, such as your chosen AV and a change detection agent such as the NNT Change Tracker agent. CIS Hardened Images make running secure operations in the cloud fast, simple, and affordable. They are available for all major cloud platforms, including AWS, Microsoft Azure, Google Cloud Platform, and the Oracle Cloud Marketplace.
What Can I do Right Now to Harden Instances?
There is a lot that organizations can do right now to help secure sensitive data in the cloud. Cloud providers' own guidance (the list below follows the AWS recommendations for EC2 instances, but the steps apply equally to other platforms) identifies a few steps to take to harden your instances:
- Least Access – Restrict server access both at the network layer (security groups and firewalls) and on the instance itself, install only the required OS components and applications, and deploy host-based protection software.
- Least Privilege – Define the minimum set of privileges each server needs in order to perform its function, and grant nothing beyond that.
- Configuration Management – Create a baseline server configuration and track each server as a configuration item. Assess each server against its recorded baseline to identify and flag any deviations. Ensure each server is configured to generate and securely store appropriate log and audit data.
- Change Management – Create processes to control changes to server configuration baselines, so that a deviation can be traced to an approved change or treated as an incident.
- Audit Logs – Audit access to, and all changes made on, your instances (EC2 instances in AWS terms) to verify server integrity and ensure that only authorized changes are made.
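The configuration management and audit steps above, and the earlier point about removing non-essential packages and open ports, come down to one mechanism: record what the hardened image looked like when it was saved, re-snapshot the running instance, and report every deviation as an audit event. The script below is an added example written for this article and is not NNT or CIS code; it assumes a baseline made of file hashes and modes, listening ports, and installed packages, and the file contents, port numbers, and package names it uses are constructed inline so it runs offline. On a real host the same snapshot would be fed by hashing the watched files on disk, the output of `ss -ltn`, and the package manager's installed list.

```python
"""Baseline drift check: compare a recorded hardened-image baseline against a
current host snapshot and emit one audit record per deviation.

Added example, not NNT or CIS code. All host data below is constructed so the
check runs offline; replace the constants with real collection on a live host.
"""
import hashlib
import json
from typing import Dict, List, Set, Tuple

# Constructed file contents standing in for watched files on disk:
# path -> (bytes, octal mode). The baseline image disables SSH password
# logins; the current host has it flipped back on, a loosened sudoers mode,
# a new cron job, a new listening port, and a swapped package.
BASELINE_FILES: Dict[str, Tuple[bytes, str]] = {
    "/etc/ssh/sshd_config": (b"PermitRootLogin no\nPasswordAuthentication no\n", "0600"),
    "/etc/sudoers": (b"root ALL=(ALL) ALL\n", "0440"),
}
CURRENT_FILES: Dict[str, Tuple[bytes, str]] = {
    "/etc/ssh/sshd_config": (b"PermitRootLogin no\nPasswordAuthentication yes\n", "0600"),
    "/etc/sudoers": (b"root ALL=(ALL) ALL\n", "0644"),
    "/etc/cron.d/backdoor": (b"* * * * * root /tmp/x.sh\n", "0644"),
}
BASELINE_PORTS: Set[int] = {22}
CURRENT_PORTS: Set[int] = {22, 4444}
BASELINE_PACKAGES: Set[str] = {"openssh-server", "auditd"}
CURRENT_PACKAGES: Set[str] = {"openssh-server", "telnetd"}


def snapshot(files: Dict[str, Tuple[bytes, str]], ports: Set[int], packages: Set[str]) -> dict:
    """Build a JSON-serialisable snapshot: file hash + mode, port list, package list.
    The baseline is this structure saved (e.g. json.dumps) when the image is built."""
    return {
        "files": {path: {"sha256": hashlib.sha256(data).hexdigest(), "mode": mode}
                  for path, (data, mode) in files.items()},
        "ports": sorted(ports),
        "packages": sorted(packages),
    }


def compare(baseline: dict, current: dict) -> List[dict]:
    """Return one finding per deviation of `current` from `baseline`."""
    findings: List[dict] = []
    b_files, c_files = baseline["files"], current["files"]
    for path in sorted(set(b_files) | set(c_files)):
        if path not in c_files:
            findings.append({"kind": "file_removed", "item": path})
        elif path not in b_files:
            findings.append({"kind": "file_added", "item": path})
        else:
            if b_files[path]["sha256"] != c_files[path]["sha256"]:
                findings.append({"kind": "file_modified", "item": path})
            if b_files[path]["mode"] != c_files[path]["mode"]:
                findings.append({"kind": "mode_changed", "item": path,
                                 "expected": b_files[path]["mode"],
                                 "actual": c_files[path]["mode"]})
    # Ports and packages are plain set differences in both directions.
    for key, label in (("ports", "port"), ("packages", "package")):
        before, after = set(baseline[key]), set(current[key])
        findings += [{"kind": f"{label}_added", "item": x} for x in sorted(after - before)]
        findings += [{"kind": f"{label}_removed", "item": x} for x in sorted(before - after)]
    return findings


def to_audit_log(host: str, findings: List[dict]) -> List[str]:
    """Render findings as JSON lines suitable for shipping to a log store.
    Anything that adds attack surface or alters a hardened setting is 'high'."""
    high = {"file_modified", "file_added", "mode_changed", "port_added", "package_added"}
    return [json.dumps({"host": host,
                        "severity": "high" if f["kind"] in high else "medium",
                        **f}, sort_keys=True) for f in findings]


if __name__ == "__main__":
    baseline = snapshot(BASELINE_FILES, BASELINE_PORTS, BASELINE_PACKAGES)
    current = snapshot(CURRENT_FILES, CURRENT_PORTS, CURRENT_PACKAGES)
    for line in to_audit_log("web-01", compare(baseline, current)):
        print(line)
```

A clean host yields an empty finding list, which is the condition a change-management process should require before an instance is considered in compliance; every non-empty result either maps to an approved change or is an incident to investigate.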
How Do I Get Started on my Cloud Hardening Project?
One of the benefits of using the cloud is the ability to pre-construct the images that your systems are built from. When more resources are required, whether temporarily or permanently, new instances are started from those images to take up the load. The images can be hardened in accordance with the guidelines provided by the Center for Internet Security, and NNT, as a CIS partner, can provide the advice and remediation knowledge to support the hardening project. Using the CIS Remediation Kits, NNT can quickly configure a system to the desired hardened state before that image is saved, ready for future use.
Furthermore, part of customizing the image should be installing any management software needed to monitor the system once an instance is started from it. Deploying a tool such as NNT Change Tracker Gen7 R2 to the image during this customization stage ensures that throughout a system's life cycle it is monitored for adherence to the hardening standard, and that any drift away from that hardened posture is detected in real time.