Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

The Challenges of Multi-Cloud Compliance

The Challenges of Multi-Cloud Compliance

Organizations that use public clouds like Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) understand that each platform does things its own way, and those differences create challenges for securing them all. In a recent episode of the Tenable Cloud Security Coffee Break webinar series, we talked about those challenges and how Tenable Cloud Security can help. Check out the highlights of our discussion.

Automation and infrastructure-as-code tools like Terraform have helped organizations large and small change how they deploy and manage systems in public clouds, but it’s also led to cloud sprawl and misconfigurations that lead to security problems. Different teams and workloads can become scattered, making it hard to know about and fix security problems before they become security disasters.

The problem is made worse by multi-cloud adoption, the increasingly popular practice of organizations choosing to use two or more public cloud platforms to avoid placing all their eggs in a single basket. While this diversification has its benefits, it also creates a security challenge, because each platform does things in slightly different ways. Securing them typically requires experts to manage each separately.

That doesn’t scale well and isn’t practical as cloud infrastructure grows and becomes more scattered. During a recent episode of Tenable’s Cloud Security Coffee Break webinar series, we sat down with Tenable’s Senior Manager of Information Security Phillip Hayes and Tenable Senior Manager of Security Engineering Alex Feigenson to talk about some of these challenges and how multi-cloud compliance gets done. 

Automation: There’s some bad with the good

Terraform, AWS CloudFormation, Dockerfiles, Helm charts and other infrastructure-as-code tools make it easy and fast to automate the provisioning of systems, but they also make it easy to create instances that aren’t compliant with a company’s security policies.

“There are a lot of really great automation tools out there, and you could pick from any number of them, like Terraform and AWS CloudFormation, but there are really just no sane defaults for a lot of it,” said Feigenson. 

A few lines of Terraform code can stand up one, hundreds or thousands of instances in AWS or Azure in minutes. Some of the default settings you use might be secure, but you’re just as likely to find dozens of default settings that aren’t.

“Maybe you grab some Terraform sample code off the web and you’re like, ‘Oh, man! I just stood up machines on AWS. Look how easy that was!’,” Feigenson said. “And the next thing you know, you're getting a phone call from the security team.”

Discovering cloud environment misconfigurations that expose your organization to security risks is bad enough, but figuring out what’s causing them – and how to fix them all – is an even greater challenge. “When you multiply that out by multi-cloud, it just gets much, much worse,” Feigenson said.

For Hayes, avoiding these kinds of scenarios is part of his everyday job as head of information security. It’s a problem that’s become harder to wrangle, particularly over the past 10 years.

“It's beautiful that you're able to do that type of automation in this day and age at such a low cost and at high speed,” Hayes said. “But you unknowingly may be deploying things that are insecure, or perhaps AWS released a new feature you had no idea about and all of a sudden what was secure 72 hours ago suddenly isn’t.”

Securing multiple clouds usually means multiple tools

The public cloud vendors recognized this problem and developed tools to help their customers secure their environments and the workloads running in them. But as the scale of everything grows, security teams using multiple clouds have to rely on different tools – often provided by each cloud vendor – for each platform. 

To be efficient, Hayes and his team didn’t have to go far to find the tool that fit their needs. They adopted Tenable Cloud Security, formerly Tenable.cs, and provide user feedback to the Tenable Cloud Security engineers on how to meet their needs. Tenable Cloud Security uses cloud APIs to gather data from different cloud platforms, aggregate the data, scan it for security problems and unify the results. It provides an apples-to-apples view across cloud resources – and all the security misconfigurations affecting them.

“There are so many clouds out there,” Hayes said. “Aggregation and centralization very quickly becomes a necessity.”

Tenable Cloud Security provides a single interface for multiple clouds

Tenable Cloud Security provides a unified view across AWS, Azure and GCP so security teams can see everything they have running in public clouds, identify the most critical problems, and begin the process of remediation with integrated Jira tickets and Git pull requests.

Security teams also can take advantage of more than 1,500 built-in policies that support compliance for a variety of security frameworks, including from the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), and Systems and Organization Controls (SOC-2), as well as regulations like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). Filters quickly show cloud resources that are compliant – or not.

“This helps on a daily basis,” Hayes said. “Whether we're triaging an incident or maybe somebody is having an issue with a resource, or too much access, or they don't know where something lives. This is when aggregation quickly comes into play. It’s highly efficient for our needs compared to the individual cloud tools.” 

Tenable Cloud Security also makes security-audit reporting much faster and easier, he said. Built-in reporting makes it possible to provide governance and compliance teams with detailed summaries.

“It saves a lot of time because we don't have to build tools to do all these checks and show where we're compliant or non-compliant,” Hayes said. “That is an ongoing aspect of our jobs that we have to constantly be responding to, and a tool like this helps make it efficient.”

Learn more about CSPM and Tenable Cloud Security here.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training