When you’re managing complex workloads in the cloud, taking advantage of Cloud Service Provider (CSP) security and management tools makes sense. For Amazon Web Services (AWS) customers there are myriad tools that provide specific security services, such as Amazon GuardDuty, Inspector, and Macie. Individually, all of these tools should be used where appropriate to improve your cloud security management capabilities. AWS has also recently created a tool called AWS Security Hub to provide “high-priority security alerts and compliance status across AWS accounts. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions.” This new tool is designed to help customers improve their overall security posture by binding information from these separate services together.
AWS Security Hub capabilities include:
- Aggregated findings across AWS services and partner solutions
- Preconfigured security insights
- Custom insights for your environment
- Multi-account support
- Automated, continuous compliance checks
- Standardized findings format
- Broad partner integrations
- Integrated dashboard
AWS Security Hub is a helpful system to be aware of as you grow your AWS footprint. Moving into the cloud, or expanding your AWS footprint, means grappling with security challenges that include the scope of implementation, defining and enforcing best practices, and building a strategy that enables developers to rapidly innovate. While AWS Security Hub provides a great set of capabilities, it also has limitations to be aware of, and for large enterprises working on long-term security strategies there are considerations that deserve a closer look.
Capabilities & Limitations
Pricing & Availability
AWS Security Hub is currently available as a free preview. While it’s not clear what the pricing will be once it is generally available, it is important to recognize that AWS Security Hub compliance standard checks rely on configuration items recorded by AWS Config, which is a service that is priced separately. This pricing approach may end up being very costly for large enterprises, and requiring AWS Config to be enabled also creates a prerequisite that is less than ideal when trying to deal with massive and rapid changes at scale. Additionally, AWS Security Hub is not currently available in all AWS Regions: as of April 2019, it is not supported in Stockholm, Osaka, Beijing, Ningxia, GovCloud (US-West), or GovCloud (US-East). While availability is likely to expand, it is difficult for large organizations planning a security strategy to build around a service that may or may not cover every Region the business needs.
In most organizations, it’s difficult to “see” what’s going on across all of your cloud and container infrastructure. Before you can establish smart security controls you have to know what infrastructure exists. As of April 2019, AWS Security Hub displays each Region individually, so enterprises with complex AWS environments are required to view multiple dashboards for full visibility. AWS will likely solve this limitation eventually, but today it represents a serious usability challenge for organizations with more complex AWS environments. And while these challenges may be temporary, and enterprises can trust AWS to provide quality enhancements, ongoing expansions to service coverage, and improvements to capabilities, these tools will typically be oriented towards solving common challenges within the small and medium-sized business markets more than the enterprise market.
The self-service nature of cloud tools means that there may be infrastructure configured that you weren’t even aware existed. The challenges around unified visibility encompass not just the discovery and tracking of resources, but also having security that will scale alongside your cloud and container growth. Visibility must unify data from across all of AWS, but also across all cloud and container environments that you use. Moreover, AWS Security Hub will likely never provide multi-cloud support to deliver a comprehensive strategy for enterprise customers that use more than just AWS. As such, these enterprise customers should leverage AWS Security Hub but also supplement it with third-party systems that are purpose-built for their unique needs. A comprehensive security strategy means real-time visibility into infrastructure, regardless of platform, provisioning details, or dependencies on other services.
Translating Visibility Into Action
One big weakness of AWS Security Hub is its focus on aggregating signals; it is up to you to piece together what to do with them. In some instances your organization is better informed; in others it creates a new challenge of how to ingest and react to so much data. In an enterprise setting, a range of users needs to be able to view and interact with the security data about your infrastructure in a way that provides the context they specifically need. The scale and rate of change in complex cloud environments require a system that automates the analysis of and response to these data streams. CloudOps and CloudSecOps need to verify security and compliance rules (and automate remediation), executives need summary information, developers need detailed information and guidance on automation (key to surviving the scale of cloud), and your audit team may prefer to export data to create customized reports aligned with industry standards and regulatory frameworks. AWS Security Hub is great at visibility but struggles with how to translate that visibility into action. DivvyCloud automates not only the monitoring but, importantly, the remediation of cloud and container misconfigurations and policy violations.
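One way to work around the per-Region view and turn aggregated findings into a triage list, as an added example that is not DivvyCloud’s or AWS’s code: it merges findings in the AWS Security Finding Format (ASFF) from three Regions, keeps only active checks that failed above a severity floor, counts them per account and Region, and flattens them into rows an audit team can export. The three findings and every account and resource identifier are constructed samples; fetch_findings calls the real Security Hub GetFindings API through boto3 and is only for live use, so it is never exercised offline.

```python
from collections import Counter

# Constructed sample findings in ASFF, one per Region, as three separate
# single-Region Security Hub dashboards would show them. Not real output.
SAMPLE_FINDINGS = [
    {"Id": "example-1", "AwsAccountId": "111111111111", "Region": "us-east-1",
     "Title": "S3 bucket allows public read", "Severity": {"Normalized": 70},
     "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-logs"}]},
    {"Id": "example-2", "AwsAccountId": "111111111111", "Region": "eu-west-1",
     "Title": "Security group open to 0.0.0.0/0 on port 22", "Severity": {"Normalized": 90},
     "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsEc2SecurityGroup",
                    "Id": "arn:aws:ec2:eu-west-1:111111111111:security-group/sg-0123456789abcdef0"}]},
    {"Id": "example-3", "AwsAccountId": "222222222222", "Region": "us-west-2",
     "Title": "CloudTrail is enabled", "Severity": {"Normalized": 0},
     "Compliance": {"Status": "PASSED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsCloudTrailTrail",
                    "Id": "arn:aws:cloudtrail:us-west-2:222222222222:trail/example-trail"}]},
]

def fetch_findings(regions):
    """Pull ACTIVE findings Region by Region via the real GetFindings API (needs boto3 and credentials)."""
    import boto3  # imported here so the offline functions below load without boto3 installed
    active = {"RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]}
    found = []
    for region in regions:
        pages = boto3.client("securityhub", region_name=region).get_paginator("get_findings")
        for page in pages.paginate(Filters=active):
            found.extend(page["Findings"])
    return found

def actionable(findings, min_severity=40):
    """Keep active findings that FAILED a check and meet the severity floor (0-100 normalized scale)."""
    return [f for f in findings
            if f.get("RecordState") == "ACTIVE"
            and f.get("Compliance", {}).get("Status") == "FAILED"
            and f.get("Severity", {}).get("Normalized", 0) >= min_severity]

def summarize(findings):
    """Count actionable findings per (account, Region) so every Region appears in one view."""
    return Counter((f["AwsAccountId"], f["Region"]) for f in actionable(findings))

def report_rows(findings):
    """Flatten actionable findings, highest severity first, into rows an audit team can export as CSV."""
    rows = [{"account": f["AwsAccountId"], "region": f["Region"],
             "severity": f["Severity"]["Normalized"], "title": f["Title"],
             "resource": f["Resources"][0]["Id"]} for f in actionable(findings)]
    return sorted(rows, key=lambda r: -r["severity"])
```

The same functions work unchanged on the list returned by fetch_findings, so a nightly job can feed every Region’s findings into one queue without touching each dashboard.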
The prescriptive, preventative, command and control model of the traditional IT data center security does not translate well to cloud security. “Trust, but verify” is the new mantra of the progressive IT organization. The concept of “Frictionless Security” is built on the idea of enabling developers to operate securely in the cloud, without hampering innovation. Putting the right policies in place empowers and amplifies digitally savvy business units to enable innovation and profitability. To innovate, developers need freedom, but this freedom has to come from somewhere, and this is where automation comes in and where AWS Security Hub doesn’t play a role yet.
For most cloud-adopting organizations, balancing agility and speed to securely innovate means finding the right tools. Security needs to meet two equally important goals: protecting your overall architecture, and doing so without obstructing innovation. DivvyCloud deftly balances this potential friction. Security best practices should be built on an approach that doesn’t restrict the ability of developers to gain access to best-in-class AWS services while safeguarding cloud operations through self-service remediation powered by automation. DivvyCloud monitors all changes occurring during cloud service configuration to identify in real time whether a developer has made a change that creates risk for the organization. This “protect” approach acts as an umbrella policy that allows organizations to fully embrace self-service access to all AWS services. DivvyCloud can help your organization create an approach that works best for whatever governance or compliance issues you’re facing, without becoming an obstacle to developer innovation.
Every aspect of cloud technology is experiencing growth, from the how – the adoption of multi-cloud and containers – to the who – the diversity of user groups – and finally to the what – varying resources, services, and systems. If security is required to keep pace with the perpetually changing landscape, enterprises need to invest in a long-term and adaptive strategy. Years from now, enterprises will rarely operate in a single CSP or container platform (most are already moving there today), so building a mature security posture means finding a solution that is “future proof”. Quick iteration to fuel innovation makes manual, preventative, prescriptive security controls obsolete. To build an approach that will scale, smart enterprises will take advantage of both