Chef Blogs

New in Cloud Security: Parallelism and Suggestions for Cloud Security Posture Management

Jacob George | Posted on | Chef Cloud Security | Chef Cloud Security Posture Management

Businesses have benefited from the use of cloud services and cloud-based applications, which has led to unprecedented levels of productivity and flexibility. However, these technologies can expose enterprises to a higher risk of cybersecurity attacks, including data breaches, because they are reachable over the internet and can be used by anyone. Despite training and everyone's best efforts, security problems emerge and vulnerabilities persist, endangering critical data. Business, risk, and IT leaders are having to address the following:

  • Misconfigured cloud infrastructure can expose vast volumes of sensitive data, causing data breaches that can result in legal liabilities and financial losses.
  • Continuous compliance is difficult to achieve for cloud workloads and apps using conventional on-premises technologies and methods.
  • Implementing cloud governance presents several challenges (visibility, authorization, policy enforcement across business divisions, ignorance of cloud security controls), which are aggravated by the organization's growing cloud usage. 

Our Cloud Security Posture Management (CSPM) solution empowers you to address misconfigurations and compliance risks in your cloud fleet through security assessments and continuous compliance monitoring. For more information on our cloud security solution, refer to the following video link.

InSpec, one of the engines that power our CSPM solution, has released new features that can be leveraged to make cloud security posture management more efficient. InSpec is our DevSecOps framework for testing and auditing your applications and infrastructure. It checks the configuration state of resources in virtual machines and containers, and on cloud providers such as GCP, AWS, and Azure. InSpec enables you to:

  • Express compliance policies as code
  • Assess your applications’ compliance with security policies before pushing changes to build and release pipelines
  • Automate compliance verification in your CI/CD pipelines
  • Unify compliance assessments across multiple cloud providers as well as on-premises environments 

InSpec parallel mode and InSpec suggest are a couple of the new features that can be used for CSPM. We will discuss each of the features and how they help you effectively secure your cloud infrastructure.

Enabling parallelism in CSPM

Enterprises are adopting cloud infrastructure at an extremely fast rate, even doubling cloud usage over the last few years. Enterprises now have thousands of cloud accounts and tens of millions of cloud resources. They are also adopting the multi-cloud approach, be it private or public clouds. While organizations were previously hesitant to store sensitive data (like consumer data and financial data) on the cloud, a cloud-first approach has been adopted by many. This makes security a key aspect, with centers of excellence being created within organizations to monitor the posture of their cloud infrastructure.  

Parallelism enables you to audit cloud infrastructure at a faster rate (by running audits in parallel) and hence reduces the time to identify misconfigurations and risks. As a result, you can remediate your security issues faster, which eventually improves your speed of innovation and reduces operational costs. 

Using the InSpec parallel command, you can execute multiple audit checks targeting multiple systems. You can also execute one profile on multiple target nodes, or multiple profiles on the same target node.  

All you need to do is create an options file listing the target nodes and the profiles to be run against them, and pass it to the command. An example options file is given below.
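The following script, added here as an illustration and not the screenshot from the original post, builds an options file for `inspec parallel exec` from a constructed list of AWS accounts and runs one profile against all of them in parallel, with each account writing its own JSON report. The account names, regions, the `./aws-baseline` profile path and the one-invocation-per-line options file layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Chef post: build an options file for
# `inspec parallel exec` from a constructed list of AWS accounts and run
# the same profile against each account in parallel. Account names,
# regions and the ./aws-baseline path are assumptions for illustration.
set -eu

# Constructed fleet: one "aws://<region>/<aws-cli-profile>" target per line.
FLEET='aws://us-east-1/prod-account
aws://us-west-2/prod-account
aws://eu-west-1/dr-account
aws://ap-southeast-1/dev-account'

# Write one exec invocation per line: the -t target plus a JSON reporter
# writing to its own file, so per-account results never interleave.
# Prints the number of invocations written.
write_options_file() {
  out="$1"
  : > "$out"
  printf '%s\n' "$FLEET" | while read -r target; do
    [ -n "$target" ] || continue
    # Derive a file-safe name from the target URI, e.g. us_east_1_prod_account
    name=$(printf '%s' "$target" | sed 's#^aws://##; s#[^A-Za-z0-9]#_#g')
    printf '%s\n' "-t $target --reporter json:./results/$name.json" >> "$out"
  done
  wc -l < "$out" | tr -d ' '
}

# Run the profile against every line of the options file in parallel.
# Stays a dry run when inspec is not on PATH (for example in a CI lint job).
run_parallel() {
  profile="$1"; opts="$2"
  mkdir -p ./results
  if command -v inspec >/dev/null 2>&1; then
    inspec parallel exec "$profile" -o "$opts"
  else
    echo "inspec not found; would run: inspec parallel exec $profile -o $opts"
  fi
}

count=$(write_options_file ./fleet-options.txt)
echo "wrote $count invocations to ./fleet-options.txt"
run_parallel ./aws-baseline ./fleet-options.txt
```

Each line of the options file is one `inspec exec` invocation; the AWS credentials for each `aws://region/profile` target come from the named AWS CLI profile on the machine running the scan.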

The real-time status of audit checks is also provided during execution.

Parallel mode enables you to:

  • Monitor all your cloud accounts in parallel across multiple clouds 
  • Scan millions of resources (like S3 buckets, firewalls, access keys, etc.) in real time
  • Make real-time decisions on deploying or dropping container images
  • Understand the state of the security posture of network connections in your environment 

Identify the right compliance benchmarks 

Chef provides you with 300+ compliance profiles that you can use to check the posture of your environment, with hundreds of other profiles also available over the internet. If you are new to the world of posture management, it will be hard to select the right set of profiles to run against the right systems in your environment.  

InSpec has a new feature called InSpec Suggest, a recommendation engine that scans your target system and provides you with a curated list of profiles from our extensive profile library. InSpec examines your system and recommends which profiles would be a good fit for running audit scans on it. A typical use case is a container image: you need to know which software is running in the image before you can select the right profiles, and InSpec Suggest works that out for you. 

You can use the suggest feature by simply running the “inspec suggest” command. If you have a fleet of virtual machines and container images, you can run “inspec suggest” remotely against any of the fleet’s nodes by adding the “-t” (target) option to the command. 

For example, you can see the results of InSpec Suggest on a virtual machine below. InSpec has run through the applications, databases, and services on the virtual machine and recommended a list of 5 profiles to run when auditing the node.


Summary

Our CSPM solution gives you the ability to ensure that your cloud accounts across multiple clouds comply with industry compliance benchmarks or with your internal security benchmarks. The new features further improve the scalability and ease of use of the solution.

Find out more about Chef Cloud and Container Security by visiting our various resources: 

To learn more about securing your Cloud and Container environment, contact us today!