Blog   |   Security   |   August 16, 2018

Beware a False Sense of Security: Must-Have Best Practice Checks

You may have heard a few cloud management providers talking about a “single pane of glass” interface, and that sounds intriguing. Who wouldn’t want a single view that optimizes cloud costs, automates billing and invoicing, and ensures security and compliance? But talk is cheap, and some of our competitors are promising more than they deliver. When providers overstate their security features, customers might get a false sense of added security.

Looking below the surface, the features that some cloud management providers claim to have developed are merely AWS Trusted Advisor checks displayed in a new GUI: security features that AWS itself already provides. Passing those security checks off as their own, and charging for them, is misleading at best, and malfeasance at worst.

The handful of AWS Trusted Advisor checks are a good start, and CloudCheckr adds hundreds of additional checks, many with automated self-healing capabilities to fix vulnerabilities, even while administrators sleep. Such capabilities are only possible because of our extensive library of internally-developed Best Practice Checks. And don’t forget, CloudCheckr’s Total Compliance reports display a compliance score, plotted over time, for 35 distinct regulatory frameworks including HIPAA, PCI-DSS, NIST and CIS. CloudCheckr’s Security functionality is generations ahead of competitors and additive to the functionality contained within AWS native tools.


Building off of a Security-First Mindset

Security is in CloudCheckr’s DNA. CloudCheckr started life as “Cloud Compliance”, a cloud security startup in 2011. Only after adding cost optimization, billing, and expense reporting, in response to cloud sprawl, did we become CloudCheckr—a full cloud management suite. Cost management is increasingly important for fast growing cloud-enabled businesses, and security is mission critical—and not easily added to vendor solutions. This is something cost-only providers are finding out the hard way. And unlike security-only offerings, it becomes evident that CloudCheckr pays for itself many times over, thanks to the cost savings identified.

Let’s define what a modern Cloud Management Platform (CMP) needs. It starts with reducing costs. More specifically, a CMP should help optimize cloud spend by identifying idle, underutilized and even completely unused resources. Plus, a CMP should make recommendations for Right Sizing instances and purchases of Reserved Instances and Spot Instances. A modern CMP must help service providers and businesses automatically create invoices to charge or “show back” different departments. And because the cost of a security breach can be far more expensive than any cost savings identified, a CMP also needs to ensure security and compliance in the public cloud.


Security is More than AWS Trusted Advisor

But how do you define “cloud” security features? AWS Trusted Advisor checks are a great start. Users who are paying for Trusted Advisor should certainly leverage those security checks. That’s why CloudCheckr also includes the AWS Trusted Advisor checks, but with full attribution to AWS, side-by-side with hundreds of our own internally-developed checks. CloudCheckr’s native security checks are more thorough, customizable, and flexible because we have developed them internally.

S3 Security Checks: CloudCheckr offers dozens, competitors... not so much.

CloudCheckr’s S3 security checks outnumber competitors by a factor of 20:1. Plus many of CloudCheckr’s checks offer Self-Healing Automation to fix vulnerabilities upon detection.


Check Your Buckets

Competitors may have a single check for S3 Bucket permissions, perhaps the most written-about vulnerability of the past two years. CloudCheckr has more than 20 distinct checks for S3 security. It’s not just a question of whether your buckets are public or private (a check we provide to the public for FREE), but do you have permissions properly set for Read, List, Upload/Delete, View Permissions, and Edit Permissions? Do those rules apply to Everyone or just AWS authenticated users? Are the buckets encrypted? Do they contain sensitive data? These variations and others result in a need for dozens of different checks.


Get Automated

Many of CloudCheckr’s security checks support self-healing automation, via Fix Now and Always Fix. With Fix Now, those vulnerabilities can be fixed at the click of a button, without having to log in to the AWS Console to manually correct the issue. With Always Fix, CloudCheckr can fix the issue every time it detects it, even while you are sleeping, and send you an email letting you know of the fix. Competitors direct users to the AWS Console with a link to Amazon’s help. CloudCheckr has context-sensitive help, built into the app, and detailed explanations of what CloudCheckr will do via automation.

Offering cloud security compliance and regulatory compliance, CloudCheckr CMx High Security is built with an advanced security configuration for regulated industries.

Persistent Security

Once you fix a security issue, it doesn’t necessarily stay fixed. In addition to our Always Fix option, CloudCheckr provides Change Monitoring, Perimeter Assessment, Visualization tools and Security Alerts, which can integrate with ServiceNow, Slack, SNS, PagerDuty, Jira and email. CloudCheckr can even initiate a Lambda function for a completely custom response.


Multi-Cloud Support

Parroting what AWS provides does nothing to address Microsoft Azure Security. CloudCheckr delivers internally-developed Security Best Practice Checks for Microsoft Azure, side-by-side with Azure Security Center recommendations, again with full attribution.


Get Compliant

CloudCheckr now offers Total Compliance, featuring graphical charts and a compliance score. We map our hundreds of best practice checks to 35 different regulations including HIPAA, PCI-DSS, CIS, NIST and more, accessible via the user interface and API.

With CloudCheckr, you can see, at-a-glance, your security posture specifically scored for the regulations in your industry. This is possible because of the hundreds of checks CloudCheckr has developed internally. Other vendors cannot deliver this by relying on AWS Trusted Advisor.


Must-Have Cloud Management and Security Checks

At CloudCheckr, we know that performing cloud security checks should not be an add-on or an afterthought. It needs to be integrated, robust, actionable and automated if you are truly going to have a healthy cloud.

See where you can improve your security best practices. Get a free Cloud Check Up only from CloudCheckr.

About the Author

Todd Bernhard has been with CloudCheckr handling Product Marketing and Technical Evangelism roles since 2017. He holds multiple certifications including AWS Solutions Architect Associate, Microsoft Azure Fundamentals, Google Cloud Associate Engineer and FinOps Certified Practitioner. Prior to joining CloudCheckr, Mr. Bernhard was an award-winning, bestselling mobile app developer and entrepreneur and previously worked for Sun Microsystems, as an Evangelist, Sales and Technical Trainer and Product Marketing Manager for Sun’s high-end data center servers.