AWS Partner Network (APN) Blog

Managed Security and Continuous Compliance

As we continue our MSP Partner Spotlight series, let’s dive into managed security, continuous compliance, and the convergence of what have traditionally been the separate focuses of Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). A next-generation MSP must have a deep understanding of their customers’ security and compliance needs and possess the ability to deliver solutions that meet these needs. This week we hear from APN Premier Consulting Partner, MSP Partner, and Competency Partner, Smartronix, on how they approach this for their customers.


Managed Security and Continuous Compliance:

Next Generation Autonomic Event Based Compliance Management

By Robert Groat, Executive Vice President – Technology and Strategy at Smartronix

One of the least understood and often overlooked benefits of deploying cloud services is the ability to transform and operationalize security compliance. This means that services native to the cloud can help assess, enforce, remediate, and report on security compliance semi-autonomously. Every action that affects any change in AWS, from the initial creation of the environment, to provisioning and deprovisioning resources, to changes made to even the most mundane setting are all affected via an API service call, and every API service call is logged and audited as an event.

AWS has enabled native capabilities that allow you to respond programmatically to these events. In effect, you can use automation such as AWS CloudFormation and AMIs to create an environment that is compliant at creation, and thereafter can have an autonomic response to events to enable remediation, self healing, reporting, or systematic incident response capabilities. Essentially, our customers’ environments remain continuously compliant via programmatic management.

Smartronix has been working in cooperation with AWS since 2008. Our initial infrastructure development efforts focused on creating reusable templates that incorporated security best practices, followed by a combination of proactive and reactive continuous monitoring, alerting, trouble ticket generation, and manual remediation. AWS Lambda, introduced in 2014, has been a key enabler for reaching the next level.

Lambda is a serverless (0-management) solution that can connect events with algorithms written as Lambda functions. Once an event is identified as meaningful—for example, a boundary configuration change—we can write a Lambda function that executes automatically whenever the event occurs.

The other key enabler is AWS Config, a native service that helps you continuously record, monitor, compare, and react to changes in your environment. We can now associate custom AWS Config rules with Lambda functions that enforce compliance. For example, if policy dictates encrypted root volumes, then we can monitor server launch events and enforce these policies automatically. If an attempt is made to create an instance with an unencrypted root volume, the action can be remediated by either  quarantining or deleting the resource via the AWS Lambda function.

Compliance actions can be reactive, such as when privileged account usage is identified, automatically verifying that an associated trouble ticket exists before authorizing the request. Other compliance actions can be scheduled. For example, certain rules can run every 24 hours to monitor license compliance, automate backups, or enforce tagging on deployed resources.

Speaking of tagging, your nascent library of Lambda functions should automate, reinforce, and be advised by your tagging strategy. That tagging strategy should help you differentiate activities within your compliance functions. Smartronix refers to this process as Attribute-Based Service Management. Lambda compliance functions can then behave differently based on tags. An instance tagged “environment = development” may not need the same compliance remediation as one tagged “environment = production”. Bringing this strategy full circle, you can actually write Lambda functions that enforce a compliance policy dictating that all deployed resources must include a set of predefined tags.

The high degree of flexibility that custom Lambda functions provide can also improve incident response and alerting when policy deviations occur. For Next Generation MSPs like Smartronix, this is an incredibly efficient way to manage multiple environments in a consistent and scalable manner. Although customers may have varying security and compliance requirements, we now have a framework enabled by AWS that helps us customize and respond in a repeatable, efficient manner.

Combining AWS CloudTrail, AWS Lambda, AWS Config, the instrumentation ecosystem, and a source code control system like GitHub, organizations can now manage their software-defined security and compliance processes in the same way they manage their software-defined infrastructure. This improves reusability, reduces errors, ensures policy compliance, automates response, and reduces the typically onerous reporting burden. Your AWS Config Rules and AWS Lambda functions are now important parts of your security controls documentation and you now have a natural audit mechanism for proving how you enforce these controls.

Smartronix is also extending this model into the areas of forensics, threat prediction, and log aggregation and analysis. Combining AWS CloudTrail, AWS Config, and AWS Lambda with Amazon Machine Learning and Amazon AI has enormous potential to change the signal-to-noise ratio of complex and active environments, ensuring that the anomaly envelope is adaptive and that outliers are raised, assessed, and reincorporated into the growing, learning, adapting, intelligent security ecosystem.

The availability of these tools and evolving experience is making NextGen Managed Services Providers highly competitive, if not superior, in entering a new opportunity space. Traditional MSPs have focused on IT service management, incident response, patch management, backup, and break/fix services. With software-defined infrastructure and now software-defined security and compliance, NextGen MSPs are blurring the lines between traditional Managed Service Providers and traditional Managed Security Services Providers. These new services, enabled by the cloud, include continuous monitoring, automated vulnerability scanning and analysis, automated boundary management, log aggregation and analysis, end user behavior analytics, and anomaly detection. At Smartronix, we are excited about disrupting the way enterprises view security and are democratizing services that at one time were the province of only a handful of the world’s largest enterprise companies.

Smartronix has managed highly secure, large-scale global environments for more than 22 years. When we say you can achieve greater security in the cloud, you now have a better perspective on how we and other NextGen Service Providers achieve it. You can choose to replicate how you manage on-premises environments in the cloud, but true transformational value occurs when you rethink your approaches that can make use of the newest, most powerful, and innovative services available to you.