Cloud security automation: Benefits and best practices

Why cloud security automation is important

In cloud environments, particularly PaaS and Iaas clouds, security teams have a wealth of tools to automate various security controls and processes. Automating security across cloud development, deployment and operations is becoming a much more critical element in many organizations' security programs today. The nature and scale of cloud deployment are such that many security operations and architecture teams just can't keep up, especially in areas such as investigation and vulnerability analysis, where some degree of manual involvement has traditionally been needed. Cloud deployments change more often, and cloud infrastructure tends to be much more dynamic than traditional on-premises environments. To enable and facilitate security practices at every step, security controls need to be embedded and automated in all stages of cloud design, deployment and runtime. Finally, through the concept of guardrails, security teams can implement always-on automated controls that ensure a secure state, regardless of changes in an environment. This is a critical concept that enables a much more stable and consistent cloud state that is less prone to accidental misconfiguration and exposure.

But what makes the most sense to automate, and why? Every security team's needs differ to some extent, but there are some well-known controls and processes that most teams can automate without disrupting operations. Others require more alignment and collaboration with cloud engineering and DevOps teams.

Steps for success in cloud security automation

While there's not necessarily one right way to approach security automation in the cloud, organizations that have seen success in developing and applying automation in cloud controls and processes often take the following steps. Except for the first item listed below, these steps aren't necessarily in order.

Plan a strategy and build standards

The first step in cloud security automation should be to define a strategy and determine which standards to enforce. For every category of control or cloud asset and service, some policies are better to start with than others. For example, automated vulnerability assessments of cloud workload images should result in a list of bugs in various categories. Which images are acceptable to push forward into deployments?

Look at existing internal standards from the Center for Internet Security, NIST, third-party vendors and others that are applicable to current and planned cloud deployments, and map them to your cloud assets. Then, develop new standards for cloud control plane services or cloud-native services based on best practices or compliance requirements. Look at what you've relied on in-house and where these controls can apply, and be willing to adopt new standards that are relatively tried and true in the cloud now that the industry has had a number of years of experience with large-scale deployments.

One thing to note is that there are more converged solutions available than ever before, which might aid in automating a variety of cloud security controls. These include cloud-native application protection platforms (CNAPPs) that often encompass workload protection, pipeline security controls and some end-user protection in accessing cloud resources, as well as security service edge and secure access service edge technologies that offer protection for cloud and on-premises infrastructure, access controls and end users. The market is changing rapidly, so be sure to have discussions with invested stakeholders to determine where the priorities lie, as this might aid in choosing a more comprehensive tool the organization can grow into.

Automate workload security controls

Cloud security automation should begin with instance and container configuration management. As all instances and containers are software-based with images defined in template formats, security teams can work to implement configuration hardening guidelines and standards in the images. Orchestration tools, such as Puppet, Chef and Ansible, can then implement these standards automatically. The additional benefit of using orchestration tools is that each configuration profile is defined in a template that can be continuously reevaluated to account for changes as they occur. While these tools can be used effectively on premises, there are even more automation options in the cloud. There are also integration opportunities between these platforms and cloud-native systems, including AWS OpsWorks, which offers managed instances of Puppet and Chef. For traditional VM instance workloads, focus on the following to define and implement approved system images:

• Specific tags applied to workload images and running instances.
• OS vulnerabilities and patch levels that are acceptable for deployment.
• Package and application components.
• Services and accounts on these systems.
• Approved and installed security agents.
• Specific metadata associations and attributes.
• Applied privileges and policy.

For containers and serverless functions (PaaS workloads), define and configure the following controls:

• Specific tags applied to workload images and running instances.
• Local users and groups.
• Application components in use.
• Approved container images.
• Orchestration controls, such as Kubernetes and Docker Swarm.
• Serverless code.
• Serverless input and output for services and APIs.
• Serverless permissions.

A cloud workload protection platform, a tool often bundled with a CNAPP, offers a variety of controls that handle runtime protection, configuration validation and maintenance. In addition, all major network and application vulnerability scanners can function in major cloud environments and can often integrate with cloud provider APIs to enable continuous scanning and monitoring of assets in the environment. When new assets appear, event monitoring and alerting trigger automated scans.

Integrating agents into system images can also lead to automated reporting and even policy application with some tools. Once the environment is up and running with defined service configurations, use cloud-native tools, such as AWS Config or Capital One's open source Cloud Custodian, to automate the assessment and maintenance of cloud environments.

Through defined rules and policies, these tools can check to see whether Amazon Simple Storage Service buckets have been made public, for example, and then change the settings back to a desired state. Through cloud security automation, both the assets and the environments themselves can be assessed and remediated continuously.

Use infrastructure as code to automate infrastructure controls

Another practical step in automating cloud security operations and cloud environment configuration is the use of infrastructure as code (IaC). All major cloud providers support these templates either natively, such as in AWS CloudFormation, Azure Resource Manager or Google Cloud Deployment Manager, or through third-party platforms, such as HashiCorp Terraform. With many environment and asset configurations defined in a template format, security teams can ensure smooth and consistent deployments, audit template files to adhere to standards and automate security configuration items and infrastructure deployments. In addition to unique cloud environment-specific service definitions and configuration, core security elements that should be defined and codified in these templates include networking and storage controls.

For networking controls, define and implement the following:

• Access controls in security groups.
• Subnet-subnet access if different from above.
• Firewall appliance images and configuration.
• Cloud-native edge configurations in services like AWS Network Firewall, Azure Firewall and Azure Web Application Firewall.
• Route table and Virtual Private Cloud/Virtual Network definitions.
• Load balancer and gateway definitions.

For storage node and service controls, use IaC templates to define and instantiate the following:

• Encryption enablement and keys.
• Access controls.
• Logging and event generation.
• Exposure configuration for public and nonpublic access.
• Database security capabilities and controls.
• Retention configuration settings.
• Archival configuration settings.

Making liberal use of IaC helps to define and implement core controls and also acts as a fundamental guardrail model since IaC templates can be routinely applied and validated once infrastructure is up and running. This changes any assets and services that have shifted or drifted from a desired state back to standardized configurations.

Enable control plane guardrail automation

There are many types of cloud guardrails that security teams can enable to automate defenses within the cloud control plane. In essence, defensive guardrails come down to the following:

• Intrusion detection and prevention for networking and workloads.
• Identity and access management (IAM) policies and roles.
• Cloud-native monitoring services in each account or subscription to monitor cloud assets and cloud control plane configuration.
• Full-scope cloud logging and automated responses around alerts, detection and response actions.

IAM, in particular, is a big area to tackle. Enabling IAM monitoring tools and services to continuously scan IAM policies and roles -- and to then issue a warning about those with excessive privileges or access -- is recommended. Enforcing only the approved policies and role assignments can be accomplished in a highly automated way with IaC templates, as well as native services, such as AWS Organizations and Azure Policy, among others.

You can automate guardrails by automating asset tagging based on specific security conditions detected in the environment. One of the top advantages of the cloud is the ability to enable cloud control plane logging, which effectively logs everything in the environment and stores logs in a central location. Once services such as AWS CloudTrail, Azure Log Analytics, Azure Monitor and Google Cloud Logging are enabled, security teams can build monitoring filters on top of them to detect suspicious activities or events.

These activities trigger serverless functions that tag running instances or even user accounts with metadata. Metadata is used to track assets and quickly discover possible investigation opportunities. Once assets are tagged, any number of automated or semiautomated security strategies can be pursued. Strategies include isolating systems by changing their network access control policies, collecting forensic evidence from the systems, performing system suspension or termination, and disabling user accounts.

What are the main benefits of cloud security automation?

Automating security in the cloud has a number of benefits. Some of the most critical are the following:

• Accuracy and consistency. With automation controls and processes, many mistakes or errors in configuration can be caught and corrected without human intervention or after-the-fact assessments. Validation of approved images and infrastructure definitions can also be performed continuously throughout all phases of cloud development, deployment and ongoing operations.
• Velocity. One of the primary benefits of a software-based infrastructure is the ability to rapidly develop and deploy infrastructure and applications. Cloud environments represent an entire ecosystem of software services and components that can be rapidly manipulated and used to stage applications. In many cases, speed and security don't mix well, as controls can be forgotten or misconfigured. Automating controls can accelerate the velocity of cloud deployments, while ensuring security is enabled and effective.
• Effectiveness of security controls application. In traditional data center environments, applying security controls has been notoriously sporadic in some cases, with missing patches, lack of workload protection, configuration management lapses, weak credentials and overly privileged accounts. Infrastructure sprawl and a lack of visibility contribute to these issues.
• Monitoring and reporting. Visibility is consistently ranked as one of the biggest challenges in cybersecurity. Fortunately, it's easier to automate logging and observability controls in the cloud than in most on-premises deployments, as monitoring functionality is tied to the same cloud fabric as all the services and assets deployed there. Security operations teams can enable logging and monitoring of all API calls with a few services and also integrate SIEM and other tooling at scale with minimal effort.
• Scalability. Automation can help accommodate changes to workload processing and network and application traffic volume, creating much more effective scalability than in traditional environments. Load balancing, provisioning of additional workloads to handle more traffic and requests, and dynamic backups and data synchronization efforts can be created in cloud environments, along with automated failover operations and high availability architecture design.

While most of these benefits are largely centered around operations and some compliance benefits, there are a few secondary benefits. Through consolidated platforms, like CNAPPs, cloud security posture management (CSPM), cloud access security brokers and SaaS security posture management (SSPM), some types of automated monitoring and reporting can facilitate more unified governance across a range of stakeholders. For example, a cloud center of excellence might include business stakeholders, application owners and operations teams who could be given access to platform dashboards and metrics for their specific areas of interest. Compliance and audit teams can also benefit from an automated output of state-based controls when working with regulators, external auditors and insurers.

Future of cloud security automation

There are definitely some clear trends in the marketplace and from the cloud providers themselves related to cloud security automation. For example, continuing convergence in the product and service market for cloud-oriented protection includes a plethora of automation capabilities. In particular, the CNAPP space is enveloping more types of cloud-specific security tooling, including cloud workload protection, vulnerability management that includes container images, IaC scanning and CSPM. All these capabilities offer opportunities to implement automation and often intersect and integrate with each other, as well as other solutions.

In addition, more services that automate specific cloud security functions are emerging. These include SSPM, cloud identity and entitlements management, data security posture management, and cloud detection and response. Many of these solve a specific need but are rapidly integrating into existing cloud controls and workflows and slowly merging into CNAPPs and other multifaceted cloud security solutions. Expect this convergence to continue and these products to evolve rapidly in the coming months and years.

Editor's note: This article has been updated and expanded to include changes in the cloud security automation market since its original 2021 publication date and to improve the reader experience.

Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.