Building Your Own Cloud Security Remediation System? Not so Fast!

AllCloud Blog:
Cloud Insights and Innovation

Security is the “job zero” function for all cloud providers. Bar none, it’s the single most important requirement they must meet before anything else happens on the platform.  

This is especially true for Amazon Web Services (AWS), where the critical importance of cloud security to the business is ingrained in the very first onboarding day that all Amazonians go through and then is reinforced continuously in the number of new services and features that AWS releases for security teams.

Let’s take a look at why this is the case and why stepping in to build your own cloud security remediation system is typically not a good idea.

Why Security is the Top Priority for Cloud Providers: Because it’s Exceptionally Difficult

Cloud security, and all cybersecurity more generally, is flat-out difficult. There are countless nuances and points of entry, and the opponents who want to compromise and steal data to embarrass companies or profit off them are extremely professional, government-level actors who continue to develop new approaches.  

So how does an enterprise, much less an SMB, possibly defend itself when a government-level actor wants access to your data and systems?  

Some say it’s just impossible: at some point or another, it’s inevitable that these bad actors will strike, whether it’s a Zero Day or APT attack or anything else. Thanks to their deep pockets and ability to fill multi-story buildings with huge teams of hackers.  

But even Zero Day attacks are preventable in many circumstances if you have layered protection. The key to protecting against these types of attacks is to make yourself a hardened target, so that even if you are vulnerable in some ways, you aren’t easy prey. In that case, even if you are specifically targeted, your existing security measures should at least slow the progress of would-be attackers. It’s certainly not ideal, but it buys your organization time to patch, remediate and counter attack efforts. Sometimes, buying this time can make all the difference between a business-impacting attack and a non-event.

Why Building Your Own Cloud Security Remediation System May Not be the Best Idea

This is not a soliloquy on theoretical attacks on your cloud platform. Rather, it is a petition to not attempt to build your own custom security vulnerability detection and remediation system.

The issue is this: if you choose to build your own cloud security remediation system, you will spend thousands of hours creating a monster of technical debt and tens (if not hundreds) of thousands of lines of code that will be increasingly impossible to manage and maintain. Your new hires will suffer trying to understand the nuances and massive code base, increasing the ramp-up time to months before they are productive. It may regularly break due to CSP changes and updates, or just errors in the complex logic and require at least 2-5 full-time employees to maintain.  

It doesn’t stop there. Whenever a framework is updated (like the updates from CIS Benchmarks 1.2.0 to 1.3.0), you will need to update your ever-growing codebase. This is simply not scalable or efficient in any shape or form and it actually hinders cloud adoption and innovation by diverting critical resources. Developers probably won’t like it, management will scream that cloud is too costly (“you need ANOTHER cloud engineer?”) and the infrastructure team may lose the ability to provide solid, streamlined guardrails for development teams to thrive.

What You Should Do Instead: Leverage Cloud-native Security Services and Partners Whenever Possible 

If cloud security is so exceptionally difficult and organizations should avoid building systems to remediate it themselves, what should a security-conscious organization do? 

The answer is to build a strong foundation by tapping into the expertise of providers like AWS through their cloud-native security and management services. AWS tools like Control Tower, GuardDuty, Config, Inspector, Detective, Security Hub and CloudTrail provide the necessary guardrails to protect your company while also leaving room to grow and innovate in the cloud. These services remove the need for those thousands of lines of code, or at least 80-90% of it. And they leave AWS teams (for whom security is a core competency), not your own resources, responsible for updating the base policies, standard remediation functions and compliance to meet the ever-changing needs of cybersecurity frameworks.

From there, if you still need a higher level of protection, you can turn to partners in the Cloud Security Posture Management (CSPM) space to provide additional capabilities like endpoint protection and vulnerability management to get your company to the security posture it requires. For example, you might also look to born-in-the-cloud companies such as Turbot, Rapid7 Divvy, Dome9, Fugue and Prisma that can enhance the cloud native options, all without the huge maintenance and overhead that come with building your own system.  

If you still have identified gaps in your cybersecurity requirements with all those measures in place, then — and only then — you should start to utilize AWS Lambda, Step Functions, CloudTrail logs and EventBridge to create your own remediation functions. But remember: This approach is not easy, it’s not scalable and it doesn’t provide great value to the business, so you should use it sparingly and only when you can’t do something with the native platform services or your CSPM tool. Ultimately, even though AWS provides the tools to build your own remediation system, that doesn’t mean it’s a good idea to do so.

So You’ve Tried AWS Security Tools Before? Try them Again (and Again)

If you’ve tried AWS security tools without much success, you’re not alone. I’ve heard this before as the reason that companies start down the path to build their own cloud security remediation system. But please do me a favor and try them again.

AWS is a company that releases new services in a minimal viable product (MVP) format and enhances those services based on customer feedback. As a result, what you tried a few years or even a few months ago will change very quickly.

Control Tower is no exception here. If you first started down a multi-account, minimal blast radius AWS setup, you may have tried out AWS Landing Zone (a precursor to Control Tower) or an early version of Control Tower and found it lacking in features and customization. But I urge you to take another look, as Control Tower has progressed from its MVP stage to a much easier service that allows you to add extensions as needed and is available in many more regions. 

After all of that, if you still want out-of-the-box functionality enhancements that AWS doesn’t provide today, it’s still important to turn to a partner who has the scale and experience to help versus building your own cloud security remediation system. For example, AllCloud offers a Next-Gen Landing Zone that includes dozens of extensions to Control Tower, including additional network and IAM security controls, SSO integration to 3rd party IDPs, VPC sharing and automated setup, compute factory and detective controls. We also provide all of our custom code enhancements for you to modify as you wish. 

Ready to Get Started on Cloud Security? Just Don’t Go it Alone

This is not a post to sell you on AllCloud services. Rather, it is a call-to-action to rely on expert partners, whether that’s AWS, CSPM providers or anyone else, for your cloud security rather than trying to build your own cloud security remediation system. Building your own system will not be a pleasant or cost-efficient experience for your organization and sooner or later there will be a reckoning that requires you to pivot your foundational security controls to a more scalable and manageable option.

Jon Keeter

VP, AWS Delivery and Architecture, North America

Read more posts by Jon Keeter