Building a Health Plan for your AWS Environment
Neil Hildreth, Senior Product Manager, Hyperscale Cloud
Tuesday, January 02, 2018

Vulnerability scans are important for all the same reasons people get regular checkups with their doctor: we want to hear that we're in tip-top shape – and if there are problems, we want to know about them right away so we can make the changes needed to get us back to full health. (As long as we don't have to lose weight, that is!)

In the same way, vulnerability scans are regular “house calls” for network security. Without them, businesses can't know whether their network-connected devices, software and subnets are secure from attack.

More change means more checkups

Annual checkups may be enough for you, but your network needs them a lot more often. Vulnerability scans are the foundation of an information security management program. According to the Breach Level Index, 74% of security breaches in H1 2017 were the result of attacks by external perpetrators hacking through vulnerable systems. Now with the EU's General Data Protection Regulation (GDPR) coming online in 2018, understanding where you're vulnerable is a must.

With Amazon Web Services (AWS), agility is built in. Developers and DevOps engineers can launch applications and deploy software changes at blistering speeds. Servers, instances and resources can be added and altered with a few mouse clicks. For your IT organisation and business, that pace cuts both ways: an asset list or scan result from last quarter no longer describes the environment, so security checks have to keep up with the rate of change. This is where consistent vulnerability scans come in.

How do scans work?
What exactly is a vulnerability scan? It's a way of reducing your exposure to external threats by first cataloging and monitoring all your assets, and then checking each one for known weaknesses: misconfigurations, missing patches and vulnerable versions of installed software.

Let’s go back to the doctor's office for a moment. Your general practitioner might think you look fine on the outside: your color is good and your reflexes sharp. But she won't stop there: she will take your pulse, draw blood, perhaps even order a chest X-ray or an MRI to see how you're doing internally. Then in future visits, she will compare what she found to earlier baselines.

In the same way, external vulnerability scanning examines the outside of the body: your network perimeter and your web applications, probed the way an attacker on the internet would see them. In AWS the targets include the public and private IP addresses of EC2 instances inside Amazon VPC, the private address ranges of networks connected to AWS (over a VPN or Direct Connect link, for example), and any public internet IP addresses you own.

Then internal vulnerability scanning looks for potential sickness inside the "body" of your system. Deploying a pre-authorized scanner from the AWS Marketplace (shipped as an Amazon Machine Image, or AMI), such as Qualys, means you do not have to request explicit permission from AWS before each scan, as you would with an unapproved tool. Given valid authentication credentials for the hosts, the scanner logs in and assesses the operating system, the installed software and the open ports, looking for issues such as misconfigurations and missing security patches.
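The asset-cataloging step above is where the two scans get their target lists. The following added example (not code from the original post, nor from any scanner vendor) turns an EC2 inventory into an external scope (public IPs, plus the ports an internet-based scanner can actually reach according to the security groups) and an internal scope (private IPs for the credentialed scan). It consumes the response shapes of the EC2 DescribeInstances and DescribeSecurityGroups calls; the inventory embedded here is constructed so the module runs offline, and main() shows the same logic fed from boto3, which is assumed to be installed and configured with read-only EC2 credentials.

```python
"""Turn an AWS inventory into external and internal vulnerability-scan scopes.

Added example, not code from the original post or from any scanner vendor.
The inventory below is constructed so the module runs offline; main() feeds
the same logic from boto3 (assumed installed and configured).
"""
import ipaddress
import json

# Constructed sample inventory: a web server with a public IP, a database
# reachable only from the web tier, and a stopped instance.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"},
     "PrivateIpAddress": "10.0.1.10", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-web"}],
     "Tags": [{"Key": "Name", "Value": "web-1"}]},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"},
     "PrivateIpAddress": "10.0.2.20",
     "SecurityGroups": [{"GroupId": "sg-db"}],
     "Tags": [{"Key": "Name", "Value": "db-1"}]},
    {"InstanceId": "i-0ccc", "State": {"Name": "stopped"},
     "PrivateIpAddress": "10.0.3.30", "PublicIpAddress": "203.0.113.30",
     "SecurityGroups": [{"GroupId": "sg-web"}], "Tags": []},
]}]
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},  # office range only
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},   # no CIDR at all
    ]},
]

ALL_PORTS = frozenset(range(65536))


def internet_exposed_ports(group):
    """Ports a security group opens to the whole internet (0.0.0.0/0 or ::/0).

    Rules that only reference other security groups or specific CIDRs do not
    count: an arbitrary external scanner cannot reach them.
    """
    ports = set()
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(ipaddress.ip_network(c, strict=False).prefixlen == 0
                   for c in cidrs):
            continue
        if perm["IpProtocol"] == "-1":          # "All traffic" rule
            return set(ALL_PORTS)
        ports.update(range(perm["FromPort"], perm["ToPort"] + 1))
    return ports


def instance_name(inst):
    """Prefer the Name tag; fall back to the instance ID."""
    for tag in inst.get("Tags", []):
        if tag["Key"] == "Name":
            return tag["Value"]
    return inst["InstanceId"]


def build_scan_scope(reservations, security_groups):
    """Split the inventory into the two scans described in the post.

    external:    public IPs plus the ports an internet scanner can reach.
    internal:    private IPs, scanned with credentials from inside the VPC.
    not_running: kept visible so stopped hosts are not forgotten.
    """
    sg_index = {g["GroupId"]: g for g in security_groups}
    scope = {"external": [], "internal": [], "not_running": []}
    for reservation in reservations:
        for inst in reservation["Instances"]:
            name = instance_name(inst)
            if inst["State"]["Name"] != "running":
                scope["not_running"].append(name)
                continue
            scope["internal"].append({"name": name, "ip": inst["PrivateIpAddress"]})
            public_ip = inst.get("PublicIpAddress")
            if not public_ip:
                continue
            ports = set()
            for sg in inst.get("SecurityGroups", []):
                ports |= internet_exposed_ports(sg_index.get(sg["GroupId"], {}))
            scope["external"].append(
                {"name": name, "ip": public_ip, "ports": sorted(ports)})
    return scope


def main():
    """Same logic against a real account; needs boto3 and AWS credentials."""
    import boto3
    ec2 = boto3.client("ec2")
    reservations = [r for page in ec2.get_paginator("describe_instances").paginate()
                    for r in page["Reservations"]]
    groups = [g for page in ec2.get_paginator("describe_security_groups").paginate()
              for g in page["SecurityGroups"]]
    print(json.dumps(build_scan_scope(reservations, groups), indent=2))


if __name__ == "__main__":
    # Run main() instead to scope a real account.
    print(json.dumps(build_scan_scope(SAMPLE_RESERVATIONS, SAMPLE_SECURITY_GROUPS), indent=2))
```

On the constructed inventory the external scope contains only web-1 on port 443: port 22 is restricted to an office range and the database has no CIDR rule at all, so neither is reachable by an outside scanner, while both running hosts land in the internal (credentialed) scope. Note the security-group logic answers "what can the internet reach", not "what is the host listening on"; the credentialed internal scan still has to check the latter.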

What AWS doesn't do

But wait, you say: I thought AWS had great security of its own?

It absolutely does. If you were at re:Invent 2017 in November, you saw Amazon launch GuardDuty, the latest AWS threat detection service. It's powered by machine learning, clear evidence that AWS is putting serious resources into its security future.

But security on AWS is also based on a shared responsibility model. Amazon is responsible for the security of the cloud itself: its data centers, physical servers, network and virtualization layer. You are responsible for security in the cloud: your instances, data and environments. To put it another way: Amazon looks after the cloud, but not what you put into the cloud.

Your side includes things like client- and server-side encryption, operating system patching and hardening, firewalls (security groups and network ACLs) and access management. By design, AWS doesn't have admin or root-level access to your instances, so that part of vulnerability management is on your shoulders.

The daily wellness regimen

Discovering you have high cholesterol is one thing. Doing something about it (like changing your diet) is something else altogether.

In the same way, scanning is great for detecting vulnerabilities in AWS, but detection is only one part of the process.

The next part, the cure, can be daunting: enterprises may be overwhelmed by the volume of ongoing fixes needed to stay secure. When that happens, it's all too easy to prioritize the wrong risks, working through a report by raw severity score or in the order the findings are listed rather than by how exposed the asset is and how often the weakness is actually attacked. Cross-site scripting and SQL injection issues in internet-facing applications, for example, should be fixed right away, because those attacks are common and rampant. Worse still, a potentially devastating risk can slip through the cracks altogether.
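One way to avoid prioritizing the wrong risks is to rank findings by more than the scanner's severity number. The following is an added example, not the post's own method or any vendor's: it weights each finding's CVSS score by whether the asset is internet-facing, whether the weakness is known to be exploited in practice, and how sensitive the data behind it is, then assigns an SLA bucket. The weights, thresholds and findings are all this example's own assumptions, a starting point to tune rather than a standard.

```python
"""Rank scan findings for remediation by exposure and attack frequency,
not by severity score alone.

Added example, not from the original post. The multipliers, thresholds and
findings are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    title: str
    cvss: float            # CVSS base score, 0-10, as reported by the scanner
    internet_facing: bool  # asset is in the external scan scope
    exploited: bool        # public exploit exists or the class is attacked routinely
    sensitivity: int       # 1 = public data, 2 = internal, 3 = personal/regulated data


# Assumed multipliers: exposure and known exploitation each outweigh a point or
# two of CVSS, and regulated personal data (think GDPR) raises the stakes.
EXPOSURE_WEIGHT = 1.5
EXPLOIT_WEIGHT = 1.5
SENSITIVITY_WEIGHT = {1: 0.8, 2: 1.0, 3: 1.2}


def priority(f):
    """Remediation priority; higher means fix sooner."""
    score = f.cvss
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    if f.exploited:
        score *= EXPLOIT_WEIGHT
    score *= SENSITIVITY_WEIGHT[f.sensitivity]
    return round(score, 1)


def triage(findings, fix_now=15.0, this_sprint=8.0):
    """Order findings and attach an SLA bucket (thresholds are assumptions)."""
    rows = []
    for f in sorted(findings, key=priority, reverse=True):
        p = priority(f)
        if p >= fix_now:
            bucket = "fix now"
        elif p >= this_sprint:
            bucket = "this sprint"
        else:
            bucket = "scheduled"
        rows.append((f.asset, f.title, p, bucket))
    return rows


# Constructed findings: note the kernel bug has the second-highest CVSS.
SAMPLE_FINDINGS = [
    Finding("web-1", "SQL injection in /account/search", 8.8, True, True, 3),
    Finding("web-1", "Reflected XSS in /login?next=", 6.1, True, True, 2),
    Finding("build-1", "Local privilege escalation, unpatched kernel", 7.8, False, True, 1),
    Finding("web-1", "TLS 1.0 still enabled", 5.3, True, False, 2),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
```

On the constructed findings, sorting by CVSS alone would put the kernel privilege escalation on an isolated build box (7.8) ahead of the reflected XSS on the public web server (6.1); weighting by exposure and exploitation reverses that order while still keeping the SQL injection against regulated data at the top. The thresholds and weights belong in your own policy, but the shape of the calculation is what keeps "common and rampant" issues from waiting behind high-scoring findings nobody can reach.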

A healthy future

An ounce of prevention is worth a pound of cure, as they say. Vulnerability scans are that ounce of prevention. They keep your AWS network-connected devices healthy and secure.

New to AWS? Don’t have a clear vulnerability management plan? Partner with an audited AWS Managed Service Partner for expert help with your network security. 

About the Author

As a Product Manager for Managed AWS services, Neil is responsible for the strategy and development of services for Ensono's Managed AWS product line. He focuses on understanding the real-world problems clients face in order to develop and deliver market-leading value to new and existing clients who are using AWS. Joining Ensono through the acquisition of Attenda, Neil architected the Attenda managed AWS services and brings a wealth of experience across operational, service architecture and product management roles at ADP, Madge Networks and Barclaycard.