Article Security August 16, 2018

Beware a False Sense of Security

Executive Summary

You may have heard a few Cloud Management Providers talking about a “single pane of glass” interface, and that sounds intriguing. Who wouldn’t want a single view that optimizes cloud costs, automates billing and invoicing, and ensures security and compliance? But talk is cheap, and some of our competitors are promising more than they deliver. When a vendor overstates its security features, customers can end up with a false sense of added security.

Looking below the surface, the features that some CMPs claim to have developed are merely AWS Trusted Advisor checks displayed in a new GUI, and those checks are security features that AWS already provides. Passing those checks off as their own, and charging for them, is misleading at best, and malfeasance at worst.

The handful of AWS Trusted Advisor checks are a good start, and CloudCheckr adds hundreds of additional checks, many with automated self-healing capabilities to fix vulnerabilities, even while administrators sleep. Such capabilities are only possible because of our extensive library of internally-developed Best Practice Checks. And don’t forget, CloudCheckr’s Total Compliance reports display a compliance score, plotted over time, for 35 distinct regulatory frameworks including HIPAA, PCI-DSS, NIST and CIS. CloudCheckr’s Security functionality is generations ahead of competitors and additive to the functionality contained within AWS native tools.

Background

Security is in CloudCheckr’s DNA. CloudCheckr started life as “Cloud Compliance”, a cloud security startup in 2011. Only after adding cost optimization, billing, and expense reporting, in response to cloud sprawl, did we become CloudCheckr—a full cloud management suite. Cost management is increasingly important for fast-growing cloud-enabled businesses, and security is mission critical—and not easily added to vendor solutions. This is something cost-only providers are finding out the hard way. And unlike security-only offerings, CloudCheckr pays for itself many times over, thanks to the cost savings it identifies.

Let’s define what a modern Cloud Management Platform (CMP) needs. It starts with reducing costs. More specifically, a CMP should help optimize cloud spend by identifying idle, underutilized and even completely unused resources. Plus, a CMP should make recommendations for Right Sizing instances and purchases of Reserved Instances and Spot Instances. A modern CMP must help service providers and businesses automatically create invoices to charge or “show back” different departments. And because the cost of a security breach can be far more expensive than any cost savings identified, a CMP also needs to ensure security and compliance in the public cloud.

Security is more than AWS Trusted Advisor

But how do you define “cloud” security features? AWS Trusted Advisor checks are a great start and users who are paying for Trusted Advisor should certainly leverage those checks. That’s why CloudCheckr also includes the AWS Trusted Advisor checks, but with full attribution to AWS, side-by-side with hundreds of our own internally-developed checks. CloudCheckr’s native security checks are more thorough, customizable, and flexible because we have developed them internally.


AWS Trusted Advisor Checks, clearly labeled next to CloudCheckr’s hundreds of native Best Practice Checks

Check Your Buckets

Competitors may have a single check for S3 Bucket permissions, perhaps the most written-about vulnerability of the past two years. CloudCheckr has more than 20 distinct checks for S3 security. It’s not just a question of whether your buckets are public or private (a check we provide to the public for FREE with S3Checkr.com and BlobCheckr.com), but whether you have permissions properly set for Read, List, Upload/Delete, View Permissions, and Edit Permissions. Do those rules apply to Everyone or just to AWS authenticated users? Are the buckets encrypted? Do they contain sensitive data? These variations and others result in a need for dozens of different checks.
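As an added illustration (not part of the post and not CloudCheckr’s code), here is a small Python checker that asks those same questions of a bucket ACL in the shape boto3’s get_bucket_acl() returns. It is assumed that the caller obtains the encryption status separately (for example from get_bucket_encryption), so it is passed in as a flag; the bucket name and ACL below are constructed sample data.

```python
"""Evaluate a bucket ACL against the questions in the section above.
Added example, not CloudCheckr's code. The ACL dict follows the shape boto3's
get_bucket_acl() returns; the encryption flag is supplied by the caller."""
from typing import Dict, List, Tuple

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
AUDIENCE = {ALL_USERS: "Everyone", AUTH_USERS: "AnyAWSAccount"}

# ACL permission -> the capability it grants on a bucket (AWS semantics)
MEANING = {
    "READ": "list objects",
    "WRITE": "upload/delete objects",
    "READ_ACP": "view bucket permissions",
    "WRITE_ACP": "edit bucket permissions",
}

def bucket_findings(name: str, acl: Dict, encrypted: bool) -> List[Tuple[str, str, str]]:
    """Return (severity, check_id, detail) triples; an empty list means no issue."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = AUDIENCE.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if audience is None:
            continue  # canonical users and the LogDelivery group are not public exposure
        perm = grant["Permission"]
        # FULL_CONTROL is shorthand for all four individual permissions
        for p in (MEANING if perm == "FULL_CONTROL" else [perm]):
            sev = "CRITICAL" if p in ("WRITE", "WRITE_ACP") else "HIGH"
            findings.append((sev, f"S3_{audience.upper()}_{p}",
                             f"{name}: {audience} can {MEANING[p]}"))
    if not encrypted:
        findings.append(("MEDIUM", "S3_NO_DEFAULT_ENCRYPTION",
                         f"{name}: no default server-side encryption configured"))
    return findings

# Constructed sample: world-listable, writable by any AWS account, unencrypted.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE_OWNER_ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for sev, check, detail in bucket_findings("example-bucket", SAMPLE_ACL, encrypted=False):
        print(f"[{sev}] {check}: {detail}")
```

Note that an AuthenticatedUsers grant is flagged as harshly as AllUsers, since any AWS account in the world can sign a request.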

CloudCheckr’s S3 Security Best Practice Checks outnumber competitors’ by a factor of 20:1. Plus, many of CloudCheckr’s checks offer Self-Healing Automation to fix vulnerabilities upon detection.

Some of CloudCheckr’s 20+ S3 Bucket Security Best Practice Checks

Get Automated

Many of CloudCheckr’s security checks support self-healing automation via Fix Now and Always Fix. With Fix Now, those vulnerabilities can be fixed at the click of a button, without having to log in to the AWS Console to manually correct the issue. With Always Fix, CloudCheckr can fix the issue every time it detects it, even while you are sleeping, and send you an email letting you know of the fix. Competitors direct users to the AWS Console with a link to Amazon’s help. CloudCheckr has context-sensitive help built into the app, and detailed explanations of what CloudCheckr will do via automation.

Some of CloudCheckr’s Best Practice Checks. The blue icon indicates that a check supports Automated Self-Healing via Fix Now or Always Fix.

Persistent Security

Once you fix a security issue, it doesn’t necessarily stay fixed. In addition to our Always Fix option, CloudCheckr provides Change Monitoring, Perimeter Assessment, Visualization tools and Security Alerts, which can integrate with ServiceNow, Slack, SNS, PagerDuty, Jira and email. CloudCheckr can even initiate a Lambda function for a completely custom response.

Multi-Cloud Support

Parroting what AWS provides does nothing to address Microsoft Azure Security. CloudCheckr delivers internally-developed Security Best Practice Checks for Microsoft Azure, side-by-side with Azure Security Center recommendations, again with full attribution.

Get Compliant

CloudCheckr now offers Total Compliance, featuring graphical charts and a compliance score. We map our hundreds of best practice checks to 35 different regulations including HIPAA, PCI-DSS, CIS, NIST and more, accessible via the user interface and API. With CloudCheckr, you can see, at-a-glance, your security posture specifically scored for the regulations in your industry.

CloudCheckr’s TOTAL COMPLIANCE Scoring of 35 Regulations and Industry Standards Including HIPAA, PCI-DSS, CIS, NIST and more. This is possible because of the hundreds of checks CloudCheckr has developed internally. Other vendors cannot deliver this by relying on AWS Trusted Advisor.

Adding It All Up

At CloudCheckr, we know that cloud security should not be an add-on or an afterthought. It needs to be integrated, robust, actionable and automated if you are truly going to have a healthy cloud.

Todd Bernhard
Todd Bernhard is a Product Marketing Manager at CloudCheckr and AWS Certified Cloud Practitioner. He has been administering, teaching and developing on Unix systems since 1984 including 16 years at Sun Microsystems, now part of Oracle. In 2010, Todd founded the award-winning app development firm NoTie.com. This photo is the last known image of him wearing a tie!