When it comes to cloud, planning is everything. This is the case when it comes to every aspect of a cloud migration, and includes in no small measure security as well. However (surprisingly, given the importance of security in a cloud migration), sometimes security and economic goals clash in a cloud deployment.
This happens because many cloud migration efforts are economically driven – and security isn’t free: either from a planning standpoint or from a control deployment standpoint. So the addition of controls can eat away at projected cost savings – especially when security parameters are not understood fully at the project outset. Because of this, security teams sometimes find themselves in a situation where they need to add controls to meet regulatory requirements or address risk areas, but because a migration is already “in flight,” those controls aren’t budgeted. Oops.
This leaves security organizations with two alternatives: 1) Do nothing and drop the control on the ground, or 2) Do something at minimal cost.
Doing nothing isn’t usually a recipe for success, so option 2 – doing something on the cheap – can be a lifesaver. Fortunately, there are a plethora of free tools – software and resources – that organizations can look to in a pinch to fill in gaps. Note that I’m not addressing soft costs here – staff time is staff time … and that’s never free (well, unless you have interns, I guess). I’m just talking about what you can do to meet controls without having to go back to the budgetary well.
I’ve tried to outline a few – that you can get up and running quickly – to address particular situations as they arise. These aren’t the only ones by any means. I’ve tried to pick out short-term “gap fillers” for this list. There are literally hundreds (if not thousands) of excellent free tools out there that let you do everything from log correlation to asset management to monitoring in the cloud (and out of it, for that matter). The difference is that not all of them are “spin up/spin down.” For example, you can use a tool like GroundWork (monitoring) or Snort (IDS) that is every bit as feature-rich as its commercial counterparts – but once you have it up and running, are you going to want to spin it down again in three months? Probably not. So while those tools are great (can’t stress this enough), I didn’t include them on the list.
What I did include were tools that you can get up and running quickly, that fill an immediate need, and that don’t commit you long term. Meaning, you don’t lose (much) data or have to retool the environment (much) should you decide to stop using them later.
Free Data Discovery
Finding out where your confidential and/or regulated data is prior to (and let’s not forget during and after) a cloud move is always useful. You’d be surprised what data is located where in a large or even medium-size enterprise. There are a number of free tools out there that help you search assets and locate certain types of (usually regulated) data. MyDLP, OpenDLP and the cardholder-data-focused ccsrch can help locate that data in automated fashion. All of these tools have merit, although I personally found the step-by-step installation instructions for MyDLP to be particularly helpful in getting up and running quickly – and the ccsrch tool’s simplicity and efficiency make it a good choice if you want to focus just on credit cards.
Free Compliance Toolkits
Evaluating a vendor’s security posture and control deployment sometimes gets done prior to picking a vendor; but sometimes (like when security or IT isn’t consulted in that process), it doesn’t. But many regulations require specific validation of vendors. In that case, it’s on us to do that after the fact. Now sure, general-purpose information-gathering materials like the Shared Assessments (formerly FISAP) Standardized Information Gathering questionnaire are great, but let’s face it, they’re cumbersome when applied to a hosting provider. That’s why the Cloud Security Alliance’s GRC Stack – specifically the Cloud Controls Matrix (CCM) and the Consensus Assessment Initiative (CAI) – can help. Why redo the work when you can reuse what’s already done for you?
Many organizations require two-factor access as part of remote access policy, although it’s one of those things that organizations many times overlook in the planning process. WiKID – an open source two-factor authentication platform – might be something you can look to for meeting the requirement short-term. It’s easy to set up, and doesn’t require per-user hardware to provision in order to get up and running.
Free Network Analysis
Most folks probably already know about Wireshark … you knew it was coming, right? Sometimes you just have to know what’s going on over the wire.
Fungible as many organizations perceive it, people are sometimes surprised when it comes to AV during a move. Why? Because many commercial AV platforms are licensed per client. A physical-to-virtual move may not result in a one-to-one mapping between existing physical hosts and virtual images, particularly in the interim period while you stand up the virtual infrastructure. This means (sometimes) that you need more AV licenses – depending on your licensing arrangements with your current vendor.
What happens when you discover this mid-effort? Going off to secure funding for more AV licenses in the middle of a move isn’t a fun conversation – and because it’s a regulatory requirement (for example under the PCI DSS), just making do without isn’t a good idea. One solution is to leverage free AV tools like ClamAV in the interim. Yes, long-term management is an issue in supporting another product over and above the commercial tools you might be using on-prem. But to fill a short-term need while you sort out the licensing? Why not?
Maybe some of these might be helpful – particularly in Q4 when budgets are frozen anyway.