Prioritize Risks and Add Context to Amazon Inspector Findings with Solvo Data Posture Manager
By David Hendri, CTO and Co-Founder – Solvo
By Siva Sadhu, Sr. Partner Solutions Architect – AWS
One of the biggest cloud security concerns is the lack of visibility and control over sensitive data. It’s becoming increasingly difficult to track the movement of files containing sensitive data and ensure they are protected with appropriate access policies and controls—let alone in real time.
This can be a result of several factors, including the distributed nature of cloud environments, proliferation of devices, and increase of shadow IT.
This lack of visibility, combined with the difficulty of centrally managing access and permissions for cloud resources, means that users and applications accumulate permissions and privileges that give them access to cloud resources and data well beyond the scope of their job requirements.
In addition, outdated, inaccurate, and irrelevant permissions often go unnoticed. These blind spots can potentially expose sensitive data to attackers who are always searching for vulnerabilities in the cloud infrastructure.
In this post, we will explore the challenges involved in protecting sensitive data against unauthorized access to cloud infrastructure. We will discuss the need for multi-dimensional visibility into infrastructure resources, applications and user behavior, and the data associated with them, and how Solvo’s Data Posture Manager uses this approach to provide contextual, adaptive cloud security.
Solvo is an AWS Partner and AWS Marketplace Seller whose platform provides contextual, application, and data-aware cloud infrastructure security. Solvo enables security, DevOps, and engineering teams to automatically prioritize and resolve access-related risks and misconfigurations in cloud-native environments.
Cloud Infrastructure Complexity
Making sure that users, applications, and services can only access the data and resources that are necessary for legitimate purposes is critical for protecting sensitive data in the cloud. However, implementing least privilege in a modern cloud environment is an entirely different story as compared to the data center era.
The scale and complexity of cloud infrastructures are the key challenges here. In a modern cloud environment where multiple human and machine identities require access to an ever-expanding array of cloud services and resources, policies and controls must be frequently adjusted to prevent unauthorized access to sensitive data.
But with so many identities, resources, and complex dependencies between them, achieving this goal using traditional security approaches becomes a tedious, error-prone task.
Critical Role of Automation and Contextualization
To address this challenge, organizations must be able to continuously monitor their cloud infrastructure for access misconfigurations and vulnerabilities, and to detect, prioritize, and respond to risks. Given the dynamic nature and scale of cloud infrastructures, automation needs to play a major role.
Many security, engineering, and DevOps teams struggle with the amount of ongoing evaluation, updating, and enforcement of cloud access policies and controls that is currently required. Automation is essential for reducing both this burden and the staffing it demands. It also significantly reduces the potential for human error and helps bridge the cloud security skills gap, allowing security teams to focus their time and attention on what matters most.
However, cloud infrastructure is a dynamic environment. That’s why automating the creation of cloud access policies must be based on a real-time, contextual understanding of the changing relationships between users (human and machine alike), applications, resources, and data, and of the circumstances of each access request.
A cloud infrastructure security approach along these lines requires comprehensive and integrated visibility across traditionally separated domains. By combining insights about application and user behavior, the resources they require access to, and the sensitivity of the data stored on the resource being accessed, security teams can automatically prioritize risks and apply the right policies and entitlements on an ongoing basis.
By incorporating application- and data-awareness into cloud infrastructure access management, security teams can establish a decision-making framework that distinguishes between legitimate and excessive permissions based on contextual understanding of the risk they pose to critical data or resources.
This multi-dimensional security can be used to create least privilege access policies and entitlements that are consistent with the level of estimated risk. This way, for example, cloud repositories containing confidential corporate or customer information can be automatically configured with stricter access policies and controls.
Solvo: Breaking Down Application, Identity and Data Silos
Traditional security architectures weren’t designed to deal with the scale and complexity of a modern, dynamically changing cloud infrastructure. Adopting a multi-dimensional security approach is essential for dealing with the complexity and lack of visibility into modern, dynamic cloud environments, and for implementing adaptive cloud infrastructure access security that can detect and respond to identity-related threats in real time.
Solvo takes a different approach to cloud security that enables security teams, developers, and other stakeholders to automatically uncover, prioritize, mitigate, and remediate cloud infrastructure access risks. Using multi-dimensional, contextual monitoring and analysis of infrastructure resources, applications and user behavior, and the data associated with them, Solvo enables enterprises to implement adaptive least privilege access policies and controls at scale.
Solvo automatically creates customized, constantly-updated least privilege access policies based on the level of risk associated with entities and data in the cloud. Solvo helps identify and prioritize risks, and proactively mitigates cloud misconfigurations and vulnerabilities while facilitating collaboration between security, DevOps, and engineering teams.
By breaking down application, identity, and data silos, Solvo offers an application- and data-aware cloud infrastructure security platform designed for the scale and speed of cloud-native environments.
Solvo’s Data Posture Manager on AWS
One of Solvo’s key benefits is the ability to combine visibility, prioritization, and actionable insights, making it well suited to infrastructure and data security. Every cloud customer stores sensitive data in the cloud; the questions to ask are how that data is stored and what risk it is exposed to.
Solvo’s Data Posture Manager (DPM) answers these questions, providing a clear and actionable graph to help fix issues. Using DPM, customers can mark cloud resources that contain sensitive data and apply tighter access controls to them.
In addition, DPM allows for integrating third-party data classification solutions such as Amazon Macie, which uses machine learning (ML) and pattern matching techniques to identify and classify sensitive data in Amazon Simple Storage Service (Amazon S3) objects, including credentials, financial data, personal health information (PHI), and personally identifiable information (PII).
Data resources are presented and prioritized by the sensitivity of their content and severity of the findings, reducing risks of exposure and leakage. DPM prioritizes the findings using an advanced scoring algorithm that analyzes factors such as vulnerabilities, AWS Identity and Access Management (IAM) permissions of the data resource, connected assets, direct and indirect network access, blast radius, and business impact.
The scoring mechanism is dynamic. This means scores are constantly changing based on real-time multi-dimensional analysis of risks, presenting the most relevant findings first so security teams can focus and spend their time on specific issues that will have the most impact on the overall security posture.
For example, the finding below shows an Amazon Elastic Compute Cloud (Amazon EC2) instance with a risk score of “High.” The risk factors that impacted this score are:
- “Too broad permissions to a data resource”
- “Publicly exposed”
- “Can read from all S3 buckets”
- “High severity CVE”
Figure 1 – Amazon EC2 instance with risk factors and associated CVEs.
When Solvo identifies a resource containing sensitive data, the primary consideration is to make sure no unauthorized resource or identity is directly or indirectly connected to it. In a cloud deployment, it’s likely that a single resource has access to dozens of other resources. The reason is that users typically create and reuse generic security policies, which may contain a high volume of excessive permissions.
In the example below, the AWS managed policy AmazonS3ReadOnlyAccess allows the EC2 instance to read data from all S3 buckets without any limitation. However, based on Solvo’s analysis of the application’s needs, this EC2 instance should only be able to read data from one specific bucket.
To mitigate this risk, Solvo displays a suggested IAM policy alongside the current policy (see the right side of the screen in Figure 2). In this case, a least privilege policy was generated automatically after analyzing the application’s behavior and understanding its context.
The suggested policy allows only the s3:GetObject action on a specific bucket, and further narrows the resource to the specific prefix (path) in that bucket where the relevant objects are stored.
Figure 2 – Solvo’s auto-generated least privilege policy suggestion.
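To make the gap between the two policies concrete, here is an added example in Python. It is not Solvo’s code and does not reproduce Solvo’s analysis: it reads a constructed sample of CloudTrail-style S3 data events for the instance, derives the narrowest bucket and key prefix that still covers every object the application actually read, and emits a policy scoped to that prefix, next to a simplified stand-in for AmazonS3ReadOnlyAccess for comparison. The bucket name, object keys and event sample are hypothetical. It goes slightly beyond the page’s GetObject-only case by also mapping ListObjects events to s3:ListBucket on the bucket ARN, since that action is authorized against the bucket rather than its objects.

```python
import json
import os
from collections import defaultdict

# Simplified stand-in for the AWS managed policy AmazonS3ReadOnlyAccess: read
# actions against every bucket (Resource "*"). Constructed for the comparison;
# the managed policy's exact action list may differ.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}
    ],
}

# Constructed sample of what the workload actually did, in the shape of
# CloudTrail S3 data events. Bucket name and keys are hypothetical.
OBSERVED_EVENTS = [
    {"eventName": "ListObjects", "bucket": "acme-payments-prod", "key": None},
    {"eventName": "GetObject", "bucket": "acme-payments-prod",
     "key": "invoices/2023/09/inv-1001.json"},
    {"eventName": "GetObject", "bucket": "acme-payments-prod",
     "key": "invoices/2023/09/inv-1002.json"},
    {"eventName": "GetObject", "bucket": "acme-payments-prod",
     "key": "invoices/2023/10/inv-1101.json"},
]

# CloudTrail event names whose IAM action is authorized against the bucket ARN
# rather than an object ARN. Every other event here maps to "s3:" + eventName,
# which holds for GetObject/PutObject/DeleteObject but not for every S3 API.
BUCKET_LEVEL_ACTIONS = {"ListObjects": "s3:ListBucket", "ListObjectsV2": "s3:ListBucket"}


def key_prefix(keys):
    """Longest common 'directory' prefix of the object keys, cut at a '/'.
    Returns '' when the keys share no directory."""
    common = os.path.commonprefix(list(keys))
    head, sep, _ = common.rpartition("/")
    return head + sep


def grants_every_bucket(policy):
    """True if an Allow statement grants any s3: action on Resource '*'."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if "*" in resources and any(a.startswith("s3:") for a in actions):
            return True
    return False


def least_privilege_policy(events):
    """Allow only the (action, bucket, prefix) combinations actually observed:
    one statement per bucket-level action, and one per (bucket, object action)
    whose Resource is the narrowest key prefix covering every object touched."""
    bucket_actions = set()
    keys_by = defaultdict(list)
    for ev in events:
        if ev["eventName"] in BUCKET_LEVEL_ACTIONS:
            bucket_actions.add((ev["bucket"], BUCKET_LEVEL_ACTIONS[ev["eventName"]]))
        else:
            keys_by[(ev["bucket"], "s3:" + ev["eventName"])].append(ev["key"])

    statements = []
    for bucket, action in sorted(bucket_actions):
        statements.append({"Effect": "Allow", "Action": action,
                           "Resource": f"arn:aws:s3:::{bucket}"})
    for (bucket, action), keys in sorted(keys_by.items()):
        statements.append({"Effect": "Allow", "Action": action,
                           "Resource": f"arn:aws:s3:::{bucket}/{key_prefix(keys)}*"})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print("AmazonS3ReadOnlyAccess-style policy grants every bucket:",
          grants_every_bucket(BROAD_POLICY))
    print(json.dumps(least_privilege_policy(OBSERVED_EVENTS), indent=2))
```

Run it and compare the two policies: the broad one names "*" as its Resource, while the generated one names a single bucket and the invoices/2023/ prefix under it. Two caveats apply to any tool that works this way: the observation window must cover the application’s full behavior, including infrequent jobs, or the generated policy will be too tight and break legitimate access; and the "s3:" + eventName shortcut does not hold for every S3 API, so the event-to-action mapping needs checking before it is trusted.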
To complete the process, Solvo helps remediate security findings at scale by integrating with instant messaging, ticketing, and security orchestration tools, where users receive notifications about new security findings and their corresponding remediations.
Data Posture Manager enables security, DevOps, and engineering teams to see data as part of their cloud security posture, and easily adjust security configurations based on ongoing assessment of the associated level of risk.
Using DPM, organizations can regain control of their sensitive data in the cloud, reduce the risk of exposure and leakage, and monitor, prioritize, and secure their data resources continuously.
One of Solvo’s clients, a large U.S.-based fintech company, is using AWS as a cloud infrastructure to host workloads and data. The client utilizes Docker containers orchestrated by Amazon Elastic Container Service (Amazon ECS).
For security, Solvo’s client uses Amazon Inspector to scan for vulnerabilities in its cloud infrastructure. Amazon Inspector is an automated vulnerability management service that continually scans EC2 instances, container images in Amazon Elastic Container Registry (Amazon ECR), and AWS Lambda functions for software vulnerabilities and unintended network exposure, to improve the security and compliance of applications deployed on AWS. Its findings include package vulnerability findings and network reachability findings.
Solvo’s client had activated Amazon Inspector across its AWS environments, which were generating thousands of findings. Each finding contains a detailed description of the security issue identified, along with recommendations for remediating it, typically by applying patches. However, the client was struggling to prioritize the findings, because the contextual information needed to accurately assess their potential impact was missing.
Instead, the client had to go over all of the findings manually, a time-consuming and error-prone process. Furthermore, analyzing the security impact of a finding requires a deep understanding of the system’s infrastructure, which further increases the time and effort required to investigate and resolve issues.
The client realized that in order to protect its rapidly growing cloud infrastructure and remediate vulnerabilities before they can be exploited, it must be able to automatically prioritize risks and misconfigurations by their severity.
To tackle this challenge, the client implemented Solvo’s Data Posture Manager in its AWS environment. The key requirement was to obtain a contextual understanding of cloud access risks associated with AWS assets, leveraging DPM’s advanced scoring algorithm that takes into account multiple parameters such as:
- Is the asset exposed to the public internet?
- Does the asset have access to sensitive data?
- “How tightly scoped are the asset’s permissions relative to what it actually uses?”
Based on these factors, DPM assigned risk scores to Amazon Inspector findings. By providing an accurate assessment of the risk that considers the sensitivity of the data stored on AWS assets, Solvo helped the client to prioritize and focus on the most urgent findings.
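As an added illustration of the kind of scoring described here (the risk factors listed earlier for the EC2 finding and the three questions in this case), and not Solvo’s algorithm or code, the Python below takes a constructed set of Amazon Inspector-style findings and a constructed context record per resource (internet exposure, access to sensitive data, permission breadth), multiplies a base score derived from Inspector’s severity label by context weights, and ranks the result. The weights, resource IDs and finding ARNs are hypothetical. The point it shows is that a HIGH package vulnerability on a public, data-connected instance ends up above a CRITICAL one on an isolated instance with no data access.

```python
from dataclasses import dataclass

# Base score per Amazon Inspector severity label. The labels are Inspector's;
# the numbers are this example's own choice, not Inspector's scoring.
SEVERITY_BASE = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 1.0, "INFORMATIONAL": 0.0}

# Hypothetical context weights, chosen so that exposure and data sensitivity can
# outweigh raw CVE severity. A finding on an asset with none of them is damped.
CONTEXT_WEIGHTS = {
    "public_exposed": (0.5, "Publicly exposed"),
    "reads_sensitive_data": (0.5, "Has access to sensitive data"),
    "broad_permissions": (0.25, "Too broad permissions to a data resource"),
}
NO_CONTEXT_DAMPING = 0.5


@dataclass(frozen=True)
class AssetContext:
    """What the infrastructure, identity and data layers know about one resource."""
    resource_id: str
    public_exposed: bool        # reachable from the internet (e.g. 0.0.0.0/0 ingress)
    reads_sensitive_data: bool  # e.g. its role can read a Macie-flagged bucket
    broad_permissions: bool     # e.g. S3 read granted on Resource "*"


# Constructed findings in a flattened form of Amazon Inspector's finding fields.
# ARNs and resource IDs are placeholders; titles are deliberately generic.
FINDINGS = [
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f1",
     "type": "PACKAGE_VULNERABILITY", "severity": "HIGH",
     "resourceId": "i-0aaa1111", "title": "package vulnerability (placeholder)"},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f2",
     "type": "PACKAGE_VULNERABILITY", "severity": "CRITICAL",
     "resourceId": "i-0bbb2222", "title": "package vulnerability (placeholder)"},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f3",
     "type": "NETWORK_REACHABILITY", "severity": "MEDIUM",
     "resourceId": "i-0ccc3333", "title": "port reachable from internet (placeholder)"},
]

# Constructed context: what each instance can reach and what can reach it.
CONTEXTS = {
    "i-0aaa1111": AssetContext("i-0aaa1111", True, True, True),
    "i-0bbb2222": AssetContext("i-0bbb2222", False, False, False),
    "i-0ccc3333": AssetContext("i-0ccc3333", True, True, False),
}


def contextual_score(finding, ctx):
    """Base severity score times a context multiplier, capped at 10, plus the
    list of human-readable factors that drove the score."""
    base = SEVERITY_BASE[finding["severity"]]
    kind = finding["type"].replace("_", " ").lower()
    factors = [f"{finding['severity'].capitalize()} severity {kind}"]
    multiplier = 1.0
    for attr, (weight, label) in CONTEXT_WEIGHTS.items():
        if getattr(ctx, attr):
            multiplier += weight
            factors.append(label)
    if multiplier == 1.0:  # isolated asset with no data access: deprioritize
        multiplier = NO_CONTEXT_DAMPING
        factors.append("Not reachable and no sensitive data access")
    return min(10.0, round(base * multiplier, 1)), factors


def risk_level(score):
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritize(findings, contexts):
    """Score every finding against its resource's context and sort, highest first."""
    ranked = []
    for f in findings:
        score, factors = contextual_score(f, contexts[f["resourceId"]])
        ranked.append({"findingArn": f["findingArn"], "resourceId": f["resourceId"],
                       "inspectorSeverity": f["severity"], "score": score,
                       "level": risk_level(score), "factors": factors})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritize(FINDINGS, CONTEXTS):
        print(f"{r['score']:>4} {r['level']:<8} {r['resourceId']} "
              f"(Inspector: {r['inspectorSeverity']}) - {'; '.join(r['factors'])}")
```

In a real deployment the context fields would be populated from the sources the post describes: security group rules and Inspector’s own network reachability findings for exposure, Macie classifications of the buckets an instance role can reach for sensitivity, and IAM policy analysis for permission breadth. The weights here are illustrative and should be tuned, and ideally validated against real incidents, rather than copied.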
Using Solvo’s Policy Manager, the client was able to automatically remediate the issues and create contextual, data-aware least privilege policies to reduce the risks associated with unauthorized access to AWS cloud infrastructure.
In this post, you learned how the complexity and dynamic nature of cloud infrastructure leads to lack of visibility and difficulty in identifying, assessing, and prioritizing risk associated with entities and data.
By using Solvo’s Data Posture Manager (DPM) to assign risk scores to Amazon Inspector findings based on contextual, multi-dimensional analysis, customers can focus on the most critical cloud access risks and assign data-aware least privilege policies accordingly.
You can also learn more about Solvo in AWS Marketplace.
Solvo – AWS Partner Spotlight
Solvo is an AWS Partner whose platform provides contextual, application, and data-aware cloud infrastructure security.