As organizations move to the cloud, many are finding that cloud security isn’t as perfect as they hoped. Businesses, both large and small, continue to experience data breaches and to have misconfigurations exploited.
Tools specifically designed for cloud security and management can help you find and correct these vulnerabilities. In this article, you’ll be introduced to seven tools or toolsets that can help you monitor and secure your cloud services. With marked exceptions, these tools are open-source and free for use.
1. Infection Monkey
Infection Monkey is a zero-trust breach and attack simulation tool you can use to test environment vulnerabilities. It works by attempting to self-propagate across your environments using predefined passwords, logical exploits and password stealing. Infection Monkey can test for SSH, SMB, WMI, Shellshock, Conficker, SambaCry and Elastic Search exploits. You can use Infection Monkey with private and public cloud environments.
Infection Monkey is most helpful for:
- Organizations with in-house security expertise
- Adding breach and attack simulations to your existing security processes
2. Center for Internet Security (CIS) Toolset
The CIS toolset is a collection of cybersecurity tools you can use to secure your cloud environments and track threats. It is not open-source, but several free tools are available in addition to a paid membership option.
Free tools offered by CIS include:
- CIS Benchmarks – a set of best-practice configuration guides for securing your systems. These benchmarks are also available as pre-configured, pay-per-use hardened images.
- MS-ISAC – a threat advisory database and feed.
- CIS-CAT Lite – an automated assessment tool that you can use to compare your system configurations against CIS Benchmarks.
- CIS RAM – enables you to model threats and analyze vulnerabilities based on custom “attack paths”.
- CIS CSAT – enables you to track and prioritize the implementation of CIS controls.
The CIS toolset is most helpful for:
- Organizations that need guidance on developing and evaluating security best practices
3. GitLeaks
GitLeaks is a tool you can use to search your Git repositories for secrets and other sensitive data. It includes features for auditing uncommitted code changes, pull/merge request scanning, bulk scanning and environment-specific customization. GitLeaks can output its findings in JSON format for use in other tools. You can run GitLeaks directly with Go, in a Docker container, or on a Windows or Linux machine.
GitLeaks is most helpful for:
- Development teams using Git for source control
- Teams looking for a tool to ensure repositories don’t contain sensitive data that can be abused
4. Dependabot
Dependabot is a tool you can use to automate dependency scanning and updates. It works by scanning your dependency files and automatically creating pull requests for any dependencies that are out of date. You then review and merge the requests after testing compatibility and verifying changelogs.
Dependabot monitors security advisories for Ruby, Python, JS, Java, PHP, .NET, Rust and Elixir. It compiles dependability scores for each update based on all users’ test results for better reliability. Although it was formerly a paid product, Dependabot was recently acquired by GitHub. It is currently being directly integrated into GitHub services and is available for free.
Dependabot is most helpful for:
- Teams looking for an integrated GitHub, GitLab, or Azure DevOps dependency scanning solution
- Development teams using open source components
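As an added example (not from the original article), the following `.github/dependabot.yml` shows how the pull-request workflow described above is configured for a repository that holds both Python and Ruby dependencies. The `example-org/security-team` reviewer handle and the `rails` version pin are placeholders.

```yaml
# .github/dependabot.yml (added example, not part of the article)
version: 2
updates:
  # Python dependencies declared at the repository root (requirements.txt, etc.)
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap open update PRs so the review queue stays manageable
    open-pull-requests-limit: 5
    # Only production dependencies; dev tooling updates are noisier and lower risk
    allow:
      - dependency-type: "production"
    labels:
      - "dependencies"
    reviewers:
      - "example-org/security-team"   # placeholder team handle
  # Ruby gems managed by Bundler in the same repository
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      # Placeholder: hold a major version back until compatibility is verified
      - dependency-name: "rails"
        versions: ["7.x"]
```

Security updates for advisories still arrive as pull requests; the `ignore` block only suppresses routine version bumps for the named dependency.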
5. Anchore
Anchore is an engine that inspects, analyzes and certifies Docker images. After scanning an image, it reports back the CVE information for any vulnerabilities found. It can also report on included artifacts to allow security compliance checks.
You can run Anchore as a standalone Docker image or with an orchestration platform like Kubernetes. You can also integrate it with Jenkins to add image scanning to your continuous integration/continuous delivery (CI/CD) processes.
Anchore is most helpful for:
- Organizations hosting or creating containerized applications
- Teams looking for a solution that addresses vulnerability, secrets, and dependency scanning in one tool
6. OpenSCAP
OpenSCAP is a set of tools for ensuring compliance. These tools enable you to load, scan, validate, edit and export Security Content Automation Protocol (SCAP) documents. You can use OpenSCAP to perform automated vulnerability measurement and management, and to evaluate policy compliance. You can also use it with a systems management solution to centralize compliance across your organization.
OpenSCAP provides both free and paid tools. Free tools include:
- OpenSCAP Base – enables configuration and vulnerability scanning from the CLI. It is NIST certified.
- OpenSCAP Daemon – enables you to continuously monitor your infrastructure compliance based on a chosen policy.
- SCAP Workbench – enables you to create a custom security profile and remotely scan systems.
- SCAPTimony – enables you to centralize scan results.
- OSCAP Anaconda Add-on – enables you to create a compliant system image before installation.
OpenSCAP is most helpful for:
- US government projects required to implement SCAP protections
- Organizations wishing to identify and monitor compliance requirements
7. Cloud Custodian
Cloud Custodian is a rules engine for cloud environments. You can use it to optimize cloud costs, verify security configurations, manage governance and modify resources. It enables you to centralize your scripting and provides unified reporting and metrics.
You can integrate Cloud Custodian with a suite of additional tools for added functionality. This functionality includes policy change logging, multi-account management and retroactive resource tagging. You can use Cloud Custodian with AWS, Azure and GCP. To run Cloud Custodian, you can either use serverless services from your cloud provider or you can run it as a cron job on your own server.
Cloud Custodian is most helpful for:
- Organizations looking to automate and centralize cloud service orchestration
- Organizations with complex infrastructures including those with hybrid cloud storage or multiple cloud accounts
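As an added example (not from the article or the Cloud Custodian project), the policy file below shows the "verify security configurations" use case: one policy finds AWS security groups that allow SSH from anywhere, removes the offending rule and tags the group, running as a scheduled serverless function as the article describes; a second policy only reports S3 buckets with global grants. The IAM role ARN is a placeholder.

```yaml
# custodian.yml (added example, not from the article or the project)
policies:
  # Find security groups allowing SSH from 0.0.0.0/0 and strip that rule
  - name: sg-ssh-open-to-world
    resource: aws.security-group
    description: Ingress on port 22 from 0.0.0.0/0 is a misconfiguration; remove it.
    filters:
      - type: ingress
        Ports: [22]
        Cidr:
          value: "0.0.0.0/0"
    actions:
      # Remove only the matched ingress permissions, leaving other rules intact
      - type: remove-permissions
        ingress: matched
      # Leave an audit trail on the resource itself
      - type: tag
        key: custodian-remediated
        value: ssh-open-to-world
    # Run as a periodic Lambda instead of a cron job (placeholder role ARN)
    mode:
      type: periodic
      schedule: "rate(1 hour)"
      role: arn:aws:iam::123456789012:role/CustodianPolicyRole

  # Report-only policy: no actions, so matches are just written to the output dir
  - name: s3-global-grants-report
    resource: aws.s3
    description: Buckets granting access to AllUsers or AuthenticatedUsers.
    filters:
      - type: global-grants
```

Run it first with `custodian run --dryrun -s out custodian.yml` to see which resources would match before the remediation policy changes anything.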
As more workloads move to the cloud, better tools are being developed to secure both data and environments. Traditional security tools are often less effective in the cloud, but cloud-native services and integrations can help fill this gap.
Hopefully, this article introduced you to some tools that can help you better monitor and secure your cloud in 2020. These tools can help you add coverage to your current systems and address specific areas that you may have missed before.