AWS cloud security got an open source boost from one of Amazon's biggest customers this week with the introduction of Netflix Security Monkey.
Some large AWS customers have built their own versions of Security Monkey, but said the open source project will probably be an improvement over homegrown tools.
"We're very excited about it," said Alexi Papaleonardos, senior security operations engineer for Sony Network Entertainment based in Los Angeles. "I'm interested in seeing what kinds of checks we haven't thought of that they've built in. … We can rely on their work and contribute to it, and I hope it will be a vibrant project."
The open source software package that rolled out this week has three main components: a Watcher that detects and records changes to configurations in AWS offerings, such as the Simple Storage Service, Identity and Access Management and the Elastic Compute Cloud; a Notifier that sends notifications when an item has changed; and an Auditor component that compares a set of business rules to AWS configurations in search of discrepancies. Security Monkey users can also add their own business rules to the ones Netflix has already written.
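The three roles described above can be sketched in a few lines. This is an added example, not Security Monkey's own code: the function names, the sample business rule and the two security group snapshots are all constructed for illustration.

```python
import json

# Constructed sample data: one security group recorded at two points in time.
SNAPSHOT_T0 = {"sg-example": [{"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"}]}
SNAPSHOT_T1 = {"sg-example": [{"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
                              {"proto": "tcp", "port": 22, "cidr": "0.0.0.0/0"}]}


def _keys(rules):
    """Canonical, hashable form of each rule so ordering does not cause false diffs."""
    return {json.dumps(r, sort_keys=True) for r in rules}


def watch(previous, current):
    """Watcher: compare two recorded states and return what changed per item."""
    changes = []
    for item in sorted(set(previous) | set(current)):
        old, new = _keys(previous.get(item, [])), _keys(current.get(item, []))
        if old != new:
            changes.append({"item": item,
                            "added": [json.loads(k) for k in sorted(new - old)],
                            "removed": [json.loads(k) for k in sorted(old - new)]})
    return changes


def admin_port_open_to_world(item, rules):
    """Hypothetical business rule: SSH/RDP must not be reachable from any address."""
    return [f"{item}: port {r['port']} open to {r['cidr']}"
            for r in rules if r["cidr"] == "0.0.0.0/0" and r["port"] in (22, 3389)]


def audit(state, business_rules):
    """Auditor: run every business rule over the current configuration."""
    return [finding for item, rules in sorted(state.items())
            for check in business_rules for finding in check(item, rules)]


def notify(changes, findings):
    """Notifier: build the messages; delivery (e-mail, chat) is left out."""
    lines = [f"CHANGED {c['item']}: +{len(c['added'])} -{len(c['removed'])} rule(s)"
             for c in changes]
    return lines + [f"FINDING {f}" for f in findings]


if __name__ == "__main__":
    report = notify(watch(SNAPSHOT_T0, SNAPSHOT_T1),
                    audit(SNAPSHOT_T1, [admin_port_open_to_world]))
    print("\n".join(report))
```

Passing more functions in the `business_rules` list is how a user-defined check would be added in this sketch.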
This software joins the Simian Army line of open source projects from Netflix. Previous versions included utilities such as Chaos Monkey, which allows cloud customers to proactively launch attack code against their own infrastructures to test availability.
AWS cloud security a shared responsibility
"CloudTrail provides verbose data on API [application programming interface] calls, but has no sense of state in terms of how a particular configuration item (e.g. security group) has changed over time. Security Monkey provides exactly this capability," according to a Netflix blog post. "Trusted Advisor has some excellent checks, but it … provides no means for the user to add custom security checks."
IT pros shouldn't expect big cloud service providers like Amazon to tailor policies to individual tenants in the cloud, said Edward Haletky, analyst with The Virtualization Practice LLC, based in Austin, Texas. To do so would be prohibitively expensive for the cloud provider and not as effective as user-side customization.
This is part of the shared responsibility for AWS cloud security that Amazon often talks about -- and tools like Security Monkey fall firmly on the user side of the equation, Haletky said.
"When the rubber hits the road, when a breach happens, regardless of where the data is, it's my own corporate policies that are important, not the cloud provider's," Haletky said.
Security Monkey might have helped a company like Code Spaces, which was forced out of business by a hack from outside its organization last month, according to Papaleonardos.
"It would be trivial to add things like IP address restrictions, so even valid credentials can't be misused outside your organization," he said.
There are other cloud security and auditing tools on the market that can -- and should -- be combined with a free utility like Security Monkey. CloudPassage, which checks the security of Amazon Machine Images, is one of them. Papaleonardos said he plans to use services from Evident.io, a regulatory compliance-friendly auditing system, and Dome9 Security Ltd., which includes a feature that can easily track and manage Amazon's security groups within virtual private clouds. Security Monkey can be downloaded from GitHub free of charge.
Amazon did not provide comment.