The Inner Circle

  • 1.  Security Features of the Big 3 Comparison

    Posted Apr 21, 2021 06:16:00 AM

    Intezer put together a side-by-side comparison of the built-in security features offered by AWS, Azure and GCP. This single point of reference can help security teams develop their strategy across different clouds.

    Available here → Security Features of the Big 3 Comparison (also attached for those who don't want to leave their details)

    Security controls and categories:

    • Network security
    • Vulnerability management
    • Cloud Workload Protection Platform (CWPP)
    • Cloud Security Posture Management (CSPM)
    • SIEM capability
    • Additional threat detection and monitoring
    We hope you find it useful 🙏

    ------------------------------
    Ian Gallagher
    Marketing Manager
    Intezer
    ------------------------------




  • 2.  RE: Security Features of the Big 3 Comparison

    Posted Apr 22, 2021 07:57:00 AM
    Ian, looks great!

    A few feedback items you might want to consider for your next revision...

    I don't see mention of AWS Audit Manager? Is there an equivalent on Azure (or GCP)? There are some commercial vendors out there that do this across clouds (maybe Intezer is one of these?)

    Also no mention of AWS Detective? I guess Azure has ASC and Graph API (+ Power BI + ?) for this?

    For AWS container security I think you're right that there is no point-and-click AWS service, but it's also fairly transparent via blogs, meeting attendance and GitHub commits that AWS has participated with CNCF from day 1 on things like OPA Gatekeeper, e.g.:
    https://aws.amazon.com/blogs/containers/using-gatekeeper-as-a-drop-in-pod-security-policy-replacement-in-amazon-eks/
    So while technically, yes, it's "3rd party", it's also true that Kubernetes itself is "3rd party" in that respect.  Similarly for runtime scanning, Falco - another CNCF project - is a drop-in to Kubernetes on EKS, e.g.:
    https://aws.amazon.com/blogs/containers/implementing-runtime-security-in-amazon-eks-using-cncf-falco/

    Azure retired ACS I believe so you may need to update to point to Azure Defender for Kubernetes.

    I like the comparison format overall! Helpful to those of us trying to keep this all straight in our heads :)

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 3.  RE: Security Features of the Big 3 Comparison

    Posted Apr 26, 2021 08:00:00 AM
    Hey Robert, thanks a lot for your feedback 🙏  We're going to take it to the next revision.
    Regarding AWS Audit Manager and AWS Detective, we didn't want to overwhelm with many tools and wanted to focus on the main controls. Audit is more for auditing and detective is for investigations but we'll reconsider since we now see some interest from the readers.
    Re: open sources around container security, we consider them as third parties. It's true you have blogs but the user needs to deploy and maintain, unlike K8s, where with EKS, AWS provides an out of the box service.


    ------------------------------
    Ian Gallagher
    Marketing Manager
    Intezer
    ------------------------------



  • 4.  RE: Security Features of the Big 3 Comparison

    Posted Apr 26, 2021 08:17:00 AM
    > EKS, AWS provides an out of the box service

    I do understand what you mean in general - yes it's a managed control plane vs. roll your own from scratch. But... there is definitely a lot you DO need to manage even on a managed EKS deployment - including adding Falco and using Gatekeeper on EKS to get into a best practices secure baseline. EKS is definitely not 100% compliant/secure as deployed. While I guess you could call it PaaS, unlike something like Lambda or Azure Functions (PaaS) where the control plane and all configuration and monitoring and policy management is done for you, I see EKS more as IaaS++  where more of the shared responsibility is yours than the cloud provider's.


    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 5.  RE: Security Features of the Big 3 Comparison

    Posted Apr 22, 2021 08:44:00 AM
    This document provides examples of how Intezer and other 3rd parties can implement controls toward a more complete security strategy.

    It strikes me that the framing of shared responsibility discussions is limited to cloud service models. It's almost like current shared responsibility discussions are limited to an extremely simplistic directed graph without forks (e.g. focused on representing security controls offered by On-Prem, IaaS, PaaS, through SaaS).  This Intezer document shows the obvious point that there is value in including 3rd party CSPs as part of the ultimate solution even while not being the underlying cloud service the solution "runs on".

    What is less obvious is how this should be represented. The paper does a good job of presenting the information and makes me wonder if the whole concept of shared responsibility is ready for an upgrade.

    ------------------------------
    Max Pritikin
    Principal Engineer
    Cisco
    ------------------------------



  • 6.  RE: Security Features of the Big 3 Comparison

    Posted Apr 23, 2021 09:07:00 AM
    In practice the shared responsibility model is heavily abused.  Either it is offered up by a CSP as evidence of their own compliance, ignoring the "shared" part altogether, or when the CSP does actually try to define how to operationalize the shared responsibility, the cloud provider pushes back on providing any support.

    More like kids in a sandbox building separate castles instead of all the kids collaboratively building one castle together.  At least that's been my experience in ATO processes.

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 7.  RE: Security Features of the Big 3 Comparison

    Posted Apr 23, 2021 11:18:00 AM
    I think I'd agree that the shared responsibility model is abused and fractured. I was suggesting that even good work like the white paper starting this thread is an example.

    Therefore, in the context of CSA, I guess I was wondering if there is work going on to improve the model. The use case I was thinking of is 3rd party providers (more interesting graphs). I appreciate your point that even the existing use case of direct shared responsibility isn't completely met.

    My apologies if I've derailed the original message. I don't mean to detract from it.

    - max




  • 8.  RE: Security Features of the Big 3 Comparison

    Posted Apr 26, 2021 08:06:00 AM

    Hey Max, nice observation. You bring up a good point.

    Thanks for sharing 🙏



    ------------------------------
    Ian Gallagher
    Marketing Manager
    Intezer
    ------------------------------