What is a Cloud Access Security Broker (CASB)?

A cloud access security broker (CASB) is a software security service that acts as an intermediary between business cloud users and cloud providers. CASBs monitor data flow to and from cloud platforms, ensuring that cloud use comply with information security policies and regulations.  Much as a firewall enables businesses to enforce security policies for incoming and outgoing network traffic, a CASB enables them to enforce infrastructure and information security policies for cloud use. 

Before the advent of cloud computing, IT infrastructure was hosted in on-premise or colocated data centers. IT and security professionals could enforce security policies because they controlled the hardware and software stack. Businesses have less control over hardware and software in the cloud era, but a CASB allows them to extend security policies from on-premise environments to cloud environments.

What Does a Cloud Access Security Broker Do?

A CASB is a security service hosted either on-premise or in the cloud. It mediates connections between devices used by employees and cloud services. The primary purpose of CASB security systems is to reduce the risk of sensitive data being insecurely stored, accessed, and processed on cloud platforms. 

CASBs are sophisticated platforms that can enforce a broad range of security controls. CASB capabilities include:

  • Authentication and identity management with SSO and IAM integration
  • Risk assessment and data governance in line with regulatory frameworks
  • App discovery to ensure the business is aware of cloud applications accessed by employees
  • User activity monitoring
  • Behavioral analytics to identify and mitigate threats
  • Cloud configuration auditing
  • Malware detection
  • Encryption
  • Key management
  • Monitoring and alerting
  • Device profiling

CASBs are designed to solve a specific set of problems, so they may not include all of the features in this list. When selecting a CASB, businesses first assess their needs and then choose a CASB security solution that addresses their use case. Platform compatibility is one of the most critical factors. CASBs interact with cloud providers via APIs, which differ between platforms. For example, a business that uses AWS will choose a CASB that supports Amazon’s cloud platform, such as Bitglass.

Why Do Cloud Users Need a CASB?

Cloud platforms—whether SaaS, PaaS, or IaaS—attract businesses and employees because they reduce complexity, offer a versatile range of services, and are less expensive than self-managed infrastructure. However, companies quickly discover that a lack of “walled garden” control makes securing cloud environments more complex. 

Employees often use unsanctioned cloud services to circumvent security restrictions and limitations in approved software. This is the well-known shadow IT problem. In 2019, a McAfee study showed that businesses use hundreds more cloud services than they know about. These services are not subject to security policies, compliance oversight, or internal governance processes. 

CASBs were initially developed to address the shadow IT problem by helping businesses to gain visibility into the cloud applications employees use. Over time, they have been enhanced with numerous other features that empower businesses to take back control of infrastructure security and cloud compliance.

What Are the Four Pillars of CASB?

The Gartner IT research consultancy describes CASB solutions as having four main pillars of functionality:

  • Compliance. Cloud platforms provide IT services, but businesses are responsible for using them in compliance with relevant regulatory frameworks. CASB solutions help businesses identify potential compliance risks for regulations such as HIPAA and PCI DSS.
  • Visibility. CASBs monitor cloud services and applications for use that contravenes data security policies. They provide risk analyses and allow businesses to control, limit, or prevent access depending on the application, the user’s access levels, and other factors.
  • Data security. CASBs offer data security features to observe and protect data as it moves between on-premises infrastructure and cloud environments.
  • Threat protection. Because CASBs have visibility into data and app usage patterns, the software can identify and mitigate potential threats such as unauthorized access, data exfiltration attempts, and malware infections.

How Does a CASB Promote Compliance in the Cloud?

Cloud access security brokers facilitate secure and compliant cloud use. Because CASBs provide visibility into and control over data use in the cloud, businesses can more effectively enforce cloud security controls that support regulatory compliance goals. 

However, CASBs are only part of a comprehensive cloud security program. They are one component of a layered approach to cloud security that also includes security awareness training and cloud security audits conducted by qualified information security auditors. 

To learn more about cloud security and cloud compliance audits, visit KirkpatrickPrice’s cloud security resources, including dozens of educational videos and our free AWS security scanner.

DDoS Protection: How to Survive a Distributed Denial of Service Attack

You’re sitting at your desk when the first notification arrives. Uptime monitoring has detected unusually long response times for the servers hosting the business’s primary web app. Soon after, your manager calls to say customer support is getting complaints—many users can’t sign in and the app is slow for those who can.  You try to open the app to see for yourself, but the browser times out. 

With increasing concern, you check the network monitoring dashboard, which shows the app struggling to cope with thousands of connections from hundreds of IP addresses in locations around the world. You are the target of a massive Distributed Denial of Service (DDoS) attack. Ten minutes later, all customer-facing services go offline.

DDoS attacks can devastate a business, and any company that depends on IT infrastructure is vulnerable. There were more than 5.4 million DDoS attacks in the first half of 2021, costing $20,000 to $40,000 per hour. The good news is that DDoS protection services can mitigate the worst consequences, but only if businesses prepare before the attack hits. 

What is a DDoS Attack?

Denial of Service attacks exploit the fact that server and network resources are limited. No service has infinite resources, and, even if that were possible, the cost would be astronomical. Bad actors exploit these limitations with attacks that consume a service’s available resources, leaving it unable to serve legitimate users.

The “Distributed” in Distributed Denial of Service indicates that the attack comes from many directions at once. Attackers also have resource limits, and it’s straightforward to block attacks coming from a single source once it’s identified. In a DDoS attack, the attacker uses thousands of hacked servers known as bots to access massive amounts of bandwidth and computational power. 

DDoS attacks are much more difficult to mitigate because the source is constantly changing. Their distributed nature  also allow attackers to access many times the bandwidth. Last November,  the biggest ever DDoS attack leveraged 10,000 hacked devices to generate 3.7 terabytes per second—a flood of data that threatens even the biggest and most well-resourced online services.  

5 DDoS Mitigation Strategies

Stopping DDoS attacks at the source is beyond the capabilities of most businesses. However, it is possible to implement DDoS protection strategies, also known as DDoS prevention or DDoS mitigation, to help your services to survive a DDoS attack.  

1. Reduce Infrastructure Exposure to DDoS Attacks

The first step is to limit your service’s attack surface area. Attackers will exploit any opportunity. For example, WordPress websites expose an XML-RPC endpoint and a REST API. These are useful, but they can be targeted in DDoS attacks. If they aren’t used, they should be disabled. The same goes for unused network services, ports, protocols, and applications on your servers. 

2. Hide Key Services from the Internet

Businesses can use several strategies to protect origin servers by placing them behind resilient front-line services that take the brunt of a DDoS attack. They include content distribution networks, load balancers, and bastion servers. 

A content distribution network (CDN) is a geographically distributed cache. A service’s assets are cached on many servers worldwide. Users access the assets from their nearest cache and not the server hosting the service. One benefit of using a CDN is that it reduces traffic to the origin server and distributes it to multiple sources that can better cope with excess traffic. 

Load balancers distribute traffic over multiple origin nodes which are not directly connected to the internet. The load balancers can be used to monitor and drop potentially malicious traffic, and the origin servers behind the load balancers can be scaled to handle increasing resource demands. 

Bastion servers perform a similar function for businesses that want to expose potentially vulnerable services without putting origin servers at risk. For example, an SSH bastion server mediates SSH access to servers hosting an application. Only the bastion server is impacted if the SSH service comes under attack. 

3. Deploy Web Application Firewalls

Web applications firewalls (WAFs) monitor web app traffic and block malicious connections. Standard firewalls operate at the network layer. They can, for example, block all incoming connections to a specific port, but blocking all HTTP requests would knock a targeted website offline.

A WAF, in contrast,  blocks malicious HTTP traffic at the application layer. They offer a more flexible approach to DDoS mitigation based on the nature and contents of individual web requests. For example, a WAF could block malicious requests targeting and overloading a log-in page. 

4. Leverage Infrastructure Redundancy and Scaling

Until other DDoS mitigation strategies are implemented, a business’s only option may be to scale resources to absorb the additional traffic. Scaling can be an expensive proposition, but if an online service is essential to your business’s operations, growing server resources and network bandwidth will ensure that users can still access it. 

It’s worth noting that not all hosting providers can scale to support large DDoS attacks. Smaller hosting providers may instead take services offline to protect their network. Larger cloud providers like AWS and Microsoft Azure can scale to absorb large attacks, but even they struggle to accommodate very high bandwidth denial of service attempts. 

5. DDoS Protection Services

Finally, your business can utilize specialist DDoS protection and DDoS mitigation services. These often function much like a CDN. The DDoS mitigation provider’s infrastructure acts as an intermediary layer between your infrastructure and the internet. Their software detects DDoS attacks and drops suspect traffic before it reaches your infrastructure. Some of the best-known DDoS mitigation services include Cloudflare, AWS Shield, Fastly, and Akamai

How KirkpatrickPrice Helps Businesses To Secure Online Services

DDoS attacks are only one of the many security threats companies face in 2022. KirkpatrickPrices helps businesses to maintain security and compliance with services that include:

Contact an information security expert today to begin your journey to more secure online services.

How to Create a Positive Information Security Culture for Your Workplace

What are the most significant security risks facing your organization? Your answer might include common external threats, such as brute force attacks, phishing attacks, ransomware, supply chain attacks, and attacks against vulnerable software, among many others. But the focus on external security risks misses an important point: External attacks often exploit vulnerabilities created by poor internal security controls and practices.  

According to the 2021 Verizon Data Breach Incident Report, 85% of breaches involve a human element. Brute force attacks succeed when employees use easy-to-guess passwords. Phishing attacks succeed when employees click on malicious links in emails from unverified sources. These risks can be mitigated when your organization integrates information security practices into all elements of its organizational culture. 

An organization with a dedicated information security culture aims to mitigate internal risks by giving employees the knowledge, support, and motivation to follow information security policies and procedures. 

What is Security Culture?

Culture is the norms, values, and attitudes shared by a group. These factors matter because they influence behavior—people act according to their beliefs and incentives. A security culture is one in which norms and values are aligned with information security policies and best practices. 

In more concrete terms, that means:

  • Employees understand the security threats relevant to their role and what they can do to mitigate risk. 
  • They feel supported and encouraged to report security threats and vulnerabilities. 
  • They believe the business prioritizes security relative to other values, such as efficiency. 
  • They feel encouraged to help colleagues and employees they manage to be more secure. 
  • Security is a significant component of business communication, onboarding, and training. 

A security culture encourages employees to make information security part of their day-to-day activities and rewards them for doing so. 

How to Foster a Positive Security Culture in Your Organization

A positive security culture doesn’t arise organically; businesses must make a proactive effort to foster a security culture within their organization. Let’s consider four ways your company can begin to lay the foundations of a positive security culture today. 

1. Create Simple, Transparent Information Security Policies

Information security policies and the procedures built on them are the foundation of an effective security culture. But it’s not enough to write security policies. They must also be communicated to employees, enforced within the organization, and supported by organizational structures. 

For example,  there is little benefit to implementing a vulnerability reporting policy if: 

  • Employees don’t know who to report to.
  • There is no system in place to act on reports.
  • Employees receive negative feedback for reporting.
  • Security policies and procedures are too technical for employees to understand. 

A thriving security culture is a holistic endeavor where employees and managers work together to implement security policies. Policies only support a security culture if they are accessible, achievable, and endorsed by leaders at all levels of the organization. 

2. Empower Employees with Security Awareness Training

Without training, many employees—especially those in non-technical roles—lack awareness of security threats and the knowledge required to mitigate risk. Lack of security awareness is the root cause of many security incidents. Around half of all security breaches are the result of employee error

To take just one example, 61% of breaches used authentication credentials that were shared, leaked, or otherwise exposed to the attacker. Security awareness training can significantly reduce this and many other security risks by helping employees to understand the threat and their role in mitigating risk. 

3. Make Information Security a Company Priority

If information security isn’t a priority for managers, it won’t be a priority for employees. Many of the biggest security breaches of recent years were caused, at least in part, by a company’s unwillingness to focus on and invest in security. 

There is a short-term cost to improving security, which some companies would prefer to avoid. However, security breaches cost businesses an average of $4.24 million. The long-term costs of a major security breach far outweigh the cost of an ongoing investment in fostering a positive security culture. 

4. Reward Employees for Contributing to a Positive Security Culture

Effective security cultures are based on positive reinforcement that encourages employees to follow security best practices. People are more willing to devote time and effort when they are rewarded for doing the right thing than when they are punished for making mistakes. 

There are many ways a company can reward secure behavior. Security awareness experts at the SANS Institute recommend public recognition. Use security-related communications such as newsletters to praise employees for reporting vulnerabilities and following security best practices. Managers can implement the same incentives by highlighting security issues and praising employees for improving security throughout the organization.  

KirkpatrickPrice Helps Businesses to Achieve a Positive Security Culture

KirkpatrickPrice offers information security services to help businesses improve their security culture, including:

We also offer a comprehensive range of security compliance audits for SOC 2, PCI DSS, HIPAA, FISMA, and more. To learn how KirkpatrickPrice can help your business to strengthen and verify security and compliance, contact our information security specialists.

Protecting Your AWS Cloud Infrastructure with AWS Network Firewall

AWS Network Firewall is a flexible managed firewall and intrusion detection service. It allows AWS users to control network access to resources within an AWS Virtual Private Cloud (VPC). We explored AWS Network Firewall and how it complements other AWS firewalls in What is AWS Network Firewall? In this article, we’ll dig a little deeper and show you how to deploy an AWS Network Firewall instance within a VPC hosted on your AWS cloud environment. 

At a high level, the process for deploying AWS Network Firewall involves the following four steps:

  1. Create rule groups with networking filtering rules.
  2. Create a firewall policy that includes your rule groups.
  3. Create a firewall that uses your firewall policy. 
  4. Configure VPC route tables so the firewall endpoint can process traffic as it moves between an internet gateway and subnets within your VPC. 

The details of Step 4 differ depending on how your VPC is configured, so we’ll focus on the first three steps here. 

AWS Network Firewall is a highly configurable service, and secure configuration depends on factors unique to your environment, including how your VPC, subnets, and gateways are configured. This article should not be taken as a guide to setting up a secure firewall for your AWS infrastructure. 

AWS Network Firewall Prerequisites

To follow the steps outlined here, you will need an AWS VPC with the following characteristics:

  • At least two subnets, one of which will be used only for the AWS Network Firewall. 
  • An Internet Gateway with routing configured to send incoming traffic to the other subnet, which should be configured to send outgoing traffic through the gateway. 

The firewall subnet must have at least one available IP address. Amazon calls this configuration a simple single zone architecture with an internet gateway.

Configure Firewall Security Rules 

Protecting Your AWS Cloud Infrastructure with AWS Network Firewall

The first step is to create firewall rules groups to contain your traffic filtering rules. For example, you might want to block incoming SSH traffic to your subnet. To do so, you would create a rule telling the firewall to drop SSH connections. 

  1. Open the AWS VPC console and select Network Firewall Rule Groups from the Network Firewall section of the sidebar menu. 
  2. Click the Create Network Firewall rule group button and give the group a name. 
  3. In the Capacity field, enter a number that represents the number of rules you expect to add to this group. If you’re experimenting, 10 should be sufficient, but be aware that you cannot change this number if you want to add more rules later. 
  4. Choose whether to create a stateless or stateful rule group. 
  5. Scroll down to the Add Rule section and enter the new rule’s protocol, name, and source and destination IP and port. 
  6. Choose whether packets matching the rule are dropped or passed. 
  7. Click the Add Rule button. 
  8. Add additional rules as required, and then click Create Stateful/Stateless Rule Group at the bottom of the page. 

Learn more about how to create security rules from Amazon’s documentation. 

Create a Firewall Policy

Now that you have created a rule, you can add it to a Firewall Policy. 

  1. Select Firewall Policies from the Network Firewall section of the VPC console. 
  2. Click the Create firewall policy button. 
  3. Enter a name and optional description before clicking Next. 
  4. Scroll down to the Stateless rule group or Stateful rule group forms. 
  5. Click the Add Rules Groups button, then Add my own stateful/stateless rule groups. 
  6. Choose the rule group you created in the previous step. 
  7. Click through the subsequent dialogs and then click Create firewall policy on the Review and create page. 

Learn more about firewall policies from Firewall policies in AWS Network Firewall.

Deploy AWS Firewall on Your Virtual Private Cloud

The next step is to create a firewall that uses the firewall policy created in the previous step. Once the firewall is configured, it will be deployed into the firewall subnet of the VPC. 

  1. Select Firewalls from the Network Firewall section of the VPC console. 
  2. Click the Create Firewall button. 
  3. Give the firewall a name and choose your VPC from the drop-down menu. 
  4. Select the availability zone that contains your firewall subnet and then the subnet itself. 
  5. In the Associated firewall policy section, choose Associate an existing firewall policy and then choose the policy created in the previous section from the dropdown. 
  6. At the bottom of the page, click Create Firewall. 

AWS will now deploy your firewall into the chosen subnet. However, the firewall does not automatically begin filtering content. To use the firewall, you must configure the VPC’s routing tables so that incoming and outgoing traffic is sent through the firewall’s endpoints. The specifics depend on how your VPC and subnets are configured, but you can learn more about VPC routing tables in Managing route tables for your VPC

Cloud Security and Compliance with KirkpatrickPrice

KirkpatrickPrice can help your business to secure its cloud infrastructure. Our cloud security audits and remote cloud security configuration assessments ensure your AWS infrastructure is configured for optimal security and compliance. To learn more, contact a cloud security and compliance specialist or visit our cloud security resources.

What is AWS Network Firewall?

Firewalls are among the most useful information security and compliance tools. Their role is to monitor traffic moving between network borders to determine whether it should be allowed to pass. Among other responsibilities, firewalls prevent unauthorized access to networks on which sensitive data is stored, making them an essential tool for businesses seeking to comply with regulations and standards that include HIPAA, PCI DSS, GDPR, SOC 2, and more. 

This article explores the AWS Network Firewall, a firewall available to businesses that host sensitive data on the Amazon Web Services (AWS) platform. 

What is the AWS Network Firewall?

AWS Network Firewall is a managed, auto-scaling firewall and intrusion detection and prevention service that protects Amazon Virtual Private Clouds (VPCs). It monitors and filters unwanted and unauthorized traffic into and out of VPCs. AWS Network Firewall is one of several firewalls available on the AWS platform, including Security Groups, Network Access Control Lists, and the AWS Web Application Firewall.

The AWS Network Firewall is designed to be straightforward to use and to require minimal infrastructure management following the initial deployment. As a managed service, it can be deployed quickly. It scales automatically with network traffic, removing the need for businesses to build and operate infrastructure to support essential network traffic monitoring and filtering. 

AWS Network Firewall is in scope for a wide range of AWS compliance programs, which means it can be used as part of a secure system that complies with HIPAA, PCI DSS, FedRAMP, and other frameworks. However, it should be emphasized that using AWS Network Firewall is not sufficient to achieve compliance with any framework; compliance is ultimately the responsibility of AWS users. 

AWS Network Firewall Features

We’ve already discussed some of AWS Network Firewall’s headline features: it’s a managed service for monitoring and filtering network traffic to and from Amazon VPCs. But there are other features that set it apart from alternative firewall services on the platform. 

  • AWS Network Firewall operates as both a stateless and stateful firewall. Users can configure stateless rule groups that examine packets in isolation or stateful rule groups that consider the packet’s context; for example, is the packet a response to a request from a particular IP address?
  • It is a high-availability auto-scaling firewall. As a managed service, Amazon handles redundancy and scaling, so users can rely on their firewall’s infrastructure to grow and shrink in line with demand. 
  • AWS Network Firewall includes an intrusion detection and prevention system. It monitors the flow traffic in real-time and can adapt to protect networks against vulnerability exploits and brute force attacks. 
  • AWS Network Firewall integrates with other AWS security services, including the AWS Firewall Manager, allowing users to consistently organize and manage rule groups and policies. 
  • Users can take advantage of managed rule groups, predefined rules that Amazon automatically updates to account for new software vulnerabilities. Managed rule groups significantly reduce the time and effort required to keep rules up-to-date. 

We’ve highlighted some of the most attractive features here, but you can see a complete breakdown of AWS Network Firewall features in the service’s documentation

Is AWS Network Firewall Layer 7?

AWS Network Firewall operates at Layers 3-7. These numbers refer to the OSI Model, which divides network communications into seven layers. Traditional firewalls operate at Layer 3, the network layer. They can inspect and filter packets traveling over the network, but they cannot, for example, identify attacks that exploit vulnerabilities in web applications—they have no insight into protocols that operate at Layer 7, the application layer.

In contrast, AWS Network Firewall can filter VPC network traffic at the network, application, and other layers. It is a flexible network filtering and intrusion detection service that complements AWS’s other firewall services. 

What Are AWS Network Firewall Deployment Models?

To understand AWS Network Firewall deployment models, we first need to discuss how the firewall works. In short, network traffic to the VPC is routed to a firewall end-point to be examined before it enters or exits the network. The firewall endpoint is deployed within a subnet of a VPC. Ingress and egress traffic flows through the firewall endpoint subnet and then to other protected subnets containing your cloud infrastructure. 

Deployment models influence where the firewall endpoint subnet is deployed. In a typical distributed deployment model, a firewall subnet is deployed into each virtual private cloud—each VPC has its own firewall subnet. This model allows VPCs to have an independently managed firewall with a unique firewall policy. It is typically used to monitor and filter traffic between the internet and a protected subnet, although there are other use cases. 

In contrast, a centralized deployment model uses a centralized VPC into which one or more firewall subnets are deployed. This model is often used to inspect traffic flowing between VPCs or between a VPC and a business’s on-premises infrastructure. You can read more about deployment models in Deployment models for AWS Network Firewall.

AWS Network Firewall vs. Security Groups and NACLs

AWS Network Firewall is one of several firewall services available on AWS. 

  • Security Groups are stateful firewalls that filter traffic to Elastic Network Interfaces typically used with EC2 instances. Security groups provide granular filtering for individual instances.
  • Network Access Control Lists (NACLs) are optional stateless firewalls associated with one or more subnets within a virtual private cloud. 
  • Amazon WAF is a web application firewall that filters traffic for web applications and APIs, allowing users to block common attacks such as those included in the OWASP Top Ten.

You might be wondering why AWS needs so many firewalls. They each play a distinct role. AWS Network Firewall protects the perimeter of your virtual private cloud. It controls inbound and outbound traffic for the entire network. 

In contrast, security groups are associated with individual EC2 instances and some other services. NACLs are an additional firewall that controls traffic to and from subnets, allowing users to configure rules that apply to multiple groups of instances and control traffic flowing between subnets. 

Together, these firewalls give users enormous flexibility in configuring access to instances, subnets, and VPCs. For example, you may want to allow connections of a specific type into your VPC with AWS Network Firewall, but to have Network Access Control Lists that deny similar connections access to particular subnets or instances. Another use case for multiple firewalls is to run production and testing subnets, which should be able to receive requests from external networks but should not be able to communicate directly with each other. 

AWS Network Firewall is one component of a layered approach to cloud security. To learn more, visit our extensive cloud security and compliance resources or contact a cloud security specialist to discuss KirkpatrickPrice’s cloud security audit and compliance audit services.