Sophos Cloud Optix Release: IAM Visualization and Much More

Today’s Cloud Optix release is packed with several new features to increase security and compliance of customer environments, including a breakthrough in IAM visualization.

Improving security for anyone running workloads on public cloud

Managing user roles, permissions, and role-based access to AWS services is an enormous challenge. The scale and interwoven nature of individual and group access to services means that organizations often a) simply can’t accurately see how their services can be accessed, and b) don’t proactively manage that access, which feeds straight back into a).

And here’s the obvious punch line – attackers will exploit that gap in security. We saw this happen in a recent high-profile public cloud attack in which overprivileged user access was abused to reach 40,000 Social Security numbers and 80,000 bank account numbers.

Breakthrough in IAM visualization

Cloud Optix IAM Visualization is a breakthrough for organizations managing infrastructure on AWS. It enables customers to easily visualize the relationships between IAM roles, IAM users, and services.  

This innovative and differentiated new feature will allow customers to identify high-risk users who have access to multiple services they rarely or never need. It helps answer questions like: Which IAM users in my AWS account have access to the S3 service (either by assuming an IAM role, or directly through an inline policy), which might contain sensitive data? Which EC2 server instances can access the RDS service – your customer database? And much more. This helps organizations reduce their attack surface in the cloud dramatically.
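The questions above are reachability questions over IAM data: a principal reaches a service either through its own policy or by assuming a role whose trust policy admits it. The following is an added example of that analysis, written for this page and not Sophos's or Cloud Optix's code. All account IDs, user, role and instance names are constructed, and the analysis deliberately over-approximates (it ignores Deny statements, Conditions and Resource scoping) so that it errs on the side of surfacing access for review.

```python
import fnmatch
from collections import defaultdict

# Constructed sample account (not real identifiers).
ACCOUNT_ID = "123456789012"
USERS = {
    "alice": {"arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice",
              "policies": [{"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}]},
    "bob": {"arn": f"arn:aws:iam::{ACCOUNT_ID}:user/bob",
            "policies": [{"Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                                         "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/*"}]}]},
    "carol": {"arn": f"arn:aws:iam::{ACCOUNT_ID}:user/carol",
              "policies": [{"Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}]},
}
ROLES = {
    # Trusts the account root: any principal in the account with sts:AssumeRole can assume it.
    "DataAnalyst": {"trust": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
                                             "Action": "sts:AssumeRole"}]},
                    "policies": [{"Statement": [{"Effect": "Allow", "Action": ["s3:*", "athena:*"], "Resource": "*"}]}]},
    # Trusts only the EC2 service, i.e. an instance-profile role; users cannot assume it.
    "WebServerRole": {"trust": {"Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                                               "Action": "sts:AssumeRole"}]},
                      "policies": [{"Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}]},
}
# Constructed instance -> instance-profile role mapping (None = no role attached).
INSTANCES = {"i-0aaa111": "WebServerRole", "i-0bbb222": None}


def _as_list(value):
    """IAM documents allow a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_docs):
    """Lower-cased action patterns granted by Allow statements.
    Simplification (assumption of this example): Deny, Condition and Resource
    are ignored, so the result over-approximates real access."""
    actions = set()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") == "Allow":
                actions.update(a.lower() for a in _as_list(stmt.get("Action")))
    return actions


def permits(actions, wanted):
    """True if any granted pattern (e.g. 's3:*', '*') matches the wanted action."""
    return any(fnmatch.fnmatchcase(wanted.lower(), pattern) for pattern in actions)


def reaches_service(actions, service):
    """True if any granted pattern covers the service prefix (e.g. 's3')."""
    return any(fnmatch.fnmatchcase(service, pattern.split(":", 1)[0]) for pattern in actions)


def can_assume(user_arn, account_id, trust_doc):
    """Does the role's trust policy admit this user (named, via account root, or '*')?"""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(trust_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("sts:assumerole", a.lower()) for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        aws_principals = _as_list((principal or {}).get("AWS"))
        if "*" in aws_principals or user_arn in aws_principals or root in aws_principals:
            return True
    return False


def users_reaching(service, users, roles, account_id):
    """Which IAM users can reach `service`, and by which path (inline policy or assumed role)."""
    result = defaultdict(list)
    for name, user in users.items():
        actions = allowed_actions(user["policies"])
        if reaches_service(actions, service):
            result[name].append("inline policy")
        if permits(actions, "sts:AssumeRole"):
            for role_name, role in roles.items():
                if can_assume(user["arn"], account_id, role["trust"]) and \
                        reaches_service(allowed_actions(role["policies"]), service):
                    result[name].append(f"via role {role_name}")
    return dict(result)


def instances_reaching(service, instances, roles):
    """Which EC2 instances can reach `service` through their instance-profile role."""
    return {iid: role for iid, role in instances.items()
            if role and reaches_service(allowed_actions(roles[role]["policies"]), service)}


if __name__ == "__main__":
    print("Users reaching S3:", users_reaching("s3", USERS, ROLES, ACCOUNT_ID))
    print("Users reaching RDS:", users_reaching("rds", USERS, ROLES, ACCOUNT_ID))
    print("Instances reaching RDS:", instances_reaching("rds", INSTANCES, ROLES))
```

In the sample, alice reaches S3 directly, bob reaches it only by assuming DataAnalyst (the role trusts the account root, so bob's bare `sts:AssumeRole` grant is enough), and carol does not reach it at all; the only path to RDS is the instance with WebServerRole attached. Over real data the same traversal would be fed from the IAM and EC2 APIs rather than the constructed dictionaries.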

Addressing a range of new threats

The latest security enhancements to Sophos Cloud Optix go even further to provide more depth than ever.

Detecting AWS, Azure, and GCP spend anomalies

Sophos Cloud Optix security-focused spend monitoring now makes daily and monthly cloud spend monitoring a breeze, identifying unusual activity indicative of abuse such as cryptojacking in AWS, Azure, and GCP cloud accounts. It highlights top services contributing to spend, allowing for faster decisions on whether increased spend equals malicious activity, and providing customizable spend threshold alerts for visibility.
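Spend-based abuse detection of the kind described above comes down to comparing each day's total against a trailing baseline, applying an optional hard threshold, and attributing any spike to the services driving it. The block below is an added example of that logic, written for this page and not Sophos's own implementation; the daily cost records and service labels are constructed, with a compute spike on the last day standing in for the kind of jump cryptojacking produces.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily costs (USD) for two services over ten days; the final day's
# compute cost jumps from ~100 to 900, the pattern a cryptojacking event leaves in the bill.
_EC2 = [100, 102, 98, 101, 99, 100, 103, 97, 100, 900]
_S3 = [20, 21, 19, 20, 20, 21, 19, 20, 20, 20]
SAMPLE_COSTS = [(f"2020-03-{day + 1:02d}", service, cost)
                for service, series in (("ec2", _EC2), ("s3", _S3))
                for day, cost in enumerate(series)]


def costs_by_day(records):
    """Group (date, service, cost) records into {date: {service: cost}}."""
    per_day = defaultdict(lambda: defaultdict(float))
    for date, service, cost in records:
        per_day[date][service] += cost
    return per_day


def find_spend_anomalies(records, window=7, sigma=3.0, min_ratio=1.5, hard_limit=None):
    """Flag days whose total spend is anomalous against the preceding `window` days.

    A day is flagged statistically when it exceeds the baseline mean by `sigma`
    standard deviations AND by a factor of `min_ratio` (the ratio guard stops a flat
    baseline with near-zero deviation from flagging trivial noise), or when it exceeds
    the customizable `hard_limit`. The first `window` days have no baseline and are skipped.
    """
    per_day = costs_by_day(records)
    days = sorted(per_day)
    totals = {d: sum(per_day[d].values()) for d in days}
    alerts = []
    for i, day in enumerate(days):
        if i < window:
            continue
        baseline_days = days[i - window:i]
        baseline = [totals[d] for d in baseline_days]
        mu, sd = mean(baseline), pstdev(baseline)
        over_stat = totals[day] > mu + sigma * sd and totals[day] > mu * min_ratio
        over_limit = hard_limit is not None and totals[day] > hard_limit
        if not (over_stat or over_limit):
            continue
        # Attribute the spike: each service's cost today versus its own baseline mean.
        contributions = []
        for service, cost in per_day[day].items():
            svc_baseline = mean(per_day[d].get(service, 0.0) for d in baseline_days)
            contributions.append((service, round(cost, 2), round(cost - svc_baseline, 2)))
        contributions.sort(key=lambda c: c[1], reverse=True)
        alerts.append({
            "date": day,
            "total": round(totals[day], 2),
            "baseline_mean": round(mu, 2),
            "reason": "hard limit" if over_limit else "statistical",
            "top_services": contributions[:3],  # (service, cost today, delta vs baseline)
        })
    return alerts


if __name__ == "__main__":
    for alert in find_spend_anomalies(SAMPLE_COSTS):
        print(alert)
```

On the sample data only the final day is flagged, with `ec2` as the top contributor and a delta of roughly 800 USD over its baseline; lowering `hard_limit` to 100 also flags the ordinary days that happen to exceed it, which is the trade-off a fixed threshold alert makes.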

Extending container security with Amazon EKS – Managed Kubernetes Service

Cloud Optix has for some time provided automatic discovery of an organization’s assets across AWS, Microsoft Azure, Google Cloud Platform, and Infrastructure as Code environments, and added support for native Kubernetes and Google’s managed Kubernetes service, Google Kubernetes Engine (GKE), in late 2019.

And now support for Amazon’s managed Elastic Kubernetes Service (EKS) has landed. Support for Azure’s managed Kubernetes service (AKS) is hot on its heels and coming soon.

Amazon EKS nodes are now included in the topology visualization, along with real-time inventory views of clusters, node groups, nodes, pods, containers, services, and more, and organizations can now run additional security benchmark checks against these container environments.

Additional security benchmark checks now included in Sophos Cloud Optix best practice policy for AWS:

  • AR-1500: Ensure private access is enabled for EKS Cluster
  • AR-1501: Ensure public access is disabled from EKS Cluster
  • AR-1502: Ensure EKS cluster Control Plane Security Group is only open to instances in its VPC on port 443
  • AR-1503: Ensure no two cluster Control Planes share a Security Group
  • AR-1504: Ensure logging is enabled for Cluster API Server
  • AR-1505: Ensure logging is enabled for Cluster Audit
  • AR-1506: Ensure logging is enabled for Authenticator
  • AR-1507: Ensure logging is enabled for Controller Manager
  • AR-1508: Ensure logging is enabled for Cluster Scheduler
  • AR-1509: Ensure EKS cluster Control Plane Security Group is not open to internet on any port
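Each of the ten checks above is a predicate over the cluster's endpoint access settings, its control-plane logging configuration, and the ingress rules of its control-plane security groups. The block below is an added example of how those predicates can be evaluated offline; it is not Cloud Optix code. The cluster documents are constructed to follow the field names of the EKS `DescribeCluster` response (`resourcesVpcConfig.endpointPrivateAccess`, `endpointPublicAccess`, `securityGroupIds`, `logging.clusterLogging[].types`), while the security-group and VPC-CIDR structures are a simplified shape of this example's own, not the EC2 API format. The log type names `api`, `audit`, `authenticator`, `controllerManager` and `scheduler` are the EKS control-plane log types.

```python
import ipaddress
from collections import defaultdict

# Check id -> EKS control-plane log type it requires.
LOG_CHECKS = {"AR-1504": "api", "AR-1505": "audit", "AR-1506": "authenticator",
              "AR-1507": "controllerManager", "AR-1508": "scheduler"}


def make_cluster(name, vpc_id, sg_ids, private, public, log_types):
    """Build a constructed cluster document in the shape of an EKS DescribeCluster result."""
    return {"name": name,
            "resourcesVpcConfig": {"vpcId": vpc_id, "securityGroupIds": sg_ids,
                                   "endpointPrivateAccess": private, "endpointPublicAccess": public},
            "logging": {"clusterLogging": [{"types": log_types, "enabled": bool(log_types)}]}}


ALL_LOGS = list(LOG_CHECKS.values())
CLUSTERS = [  # constructed: one well-configured cluster and two weak ones sharing a security group
    make_cluster("prod", "vpc-a", ["sg-prod"], private=True, public=False, log_types=ALL_LOGS),
    make_cluster("dev", "vpc-a", ["sg-dev"], private=False, public=True, log_types=["api"]),
    make_cluster("staging", "vpc-a", ["sg-dev"], private=True, public=False, log_types=ALL_LOGS),
]
# Constructed, simplified security groups: each ingress rule has a port range and its sources.
SECURITY_GROUPS = {
    "sg-prod": {"vpc_id": "vpc-a", "ingress": [{"from_port": 443, "to_port": 443, "cidrs": [], "source_sgs": ["sg-nodes"]}]},
    "sg-nodes": {"vpc_id": "vpc-a", "ingress": []},
    "sg-dev": {"vpc_id": "vpc-a", "ingress": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"], "source_sgs": []},
                                              {"from_port": 22, "to_port": 22, "cidrs": ["10.0.0.0/16"], "source_sgs": []}]},
}
VPC_CIDRS = {"vpc-a": "10.0.0.0/16"}  # constructed


def control_plane_sgs(cluster):
    cfg = cluster["resourcesVpcConfig"]
    sgs = set(cfg.get("securityGroupIds", []))
    if cfg.get("clusterSecurityGroupId"):
        sgs.add(cfg["clusterSecurityGroupId"])
    return sgs


def enabled_log_types(cluster):
    enabled = set()
    for entry in cluster["logging"]["clusterLogging"]:
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def rule_open_to_internet(rule):
    return any(cidr in ("0.0.0.0/0", "::/0") for cidr in rule.get("cidrs", []))


def rule_within_vpc(rule, vpc_id, vpc_cidr, security_groups):
    """Every source of the rule is a security group in this VPC or a CIDR inside its range."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    for cidr in rule.get("cidrs", []):
        src = ipaddress.ip_network(cidr)
        if src.version != vpc_net.version or not src.subnet_of(vpc_net):
            return False
    return all(security_groups.get(sg, {}).get("vpc_id") == vpc_id for sg in rule.get("source_sgs", []))


def evaluate_eks_checks(clusters, security_groups, vpc_cidrs):
    """Return {cluster name: {check id: passed}} for AR-1500 .. AR-1509."""
    sg_owners = defaultdict(set)  # needed for AR-1503, which is a cross-cluster check
    for cluster in clusters:
        for sg in control_plane_sgs(cluster):
            sg_owners[sg].add(cluster["name"])
    results = {}
    for cluster in clusters:
        cfg = cluster["resourcesVpcConfig"]
        vpc_id = cfg["vpcId"]
        my_sgs = control_plane_sgs(cluster)
        rules = [r for sg in my_sgs for r in security_groups.get(sg, {}).get("ingress", [])]
        checks = {
            "AR-1500": cfg.get("endpointPrivateAccess") is True,
            "AR-1501": cfg.get("endpointPublicAccess") is False,
            "AR-1502": all(r["from_port"] == 443 and r["to_port"] == 443 and
                           rule_within_vpc(r, vpc_id, vpc_cidrs[vpc_id], security_groups) for r in rules),
            "AR-1503": all(sg_owners[sg] == {cluster["name"]} for sg in my_sgs),
            "AR-1509": not any(rule_open_to_internet(r) for r in rules),
        }
        logs = enabled_log_types(cluster)
        for check_id, log_type in LOG_CHECKS.items():
            checks[check_id] = log_type in logs
        results[cluster["name"]] = checks
    return results


if __name__ == "__main__":
    for name, checks in evaluate_eks_checks(CLUSTERS, SECURITY_GROUPS, VPC_CIDRS).items():
        failed = sorted(c for c, ok in checks.items() if not ok)
        print(f"{name}: {'all checks pass' if not failed else 'FAILED ' + ', '.join(failed)}")
```

In the sample, `prod` passes every check; `dev` fails the endpoint checks, four of the five logging checks, and both security-group checks because its control-plane group admits `0.0.0.0/0` and an extra port 22 rule; `staging` is otherwise clean but fails AR-1503 because it shares `sg-dev` with `dev`, which is why that check has to be evaluated across all clusters in the account rather than per cluster.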

Important notes:

  • EKS clusters must be on-boarded to Cloud Optix after the parent AWS account, using a separate on-boarding script. This script is available on the Add Environment > AWS page. Separate on-boarding is required because the standard permissions required to add an AWS account to Cloud Optix do not apply to EKS clusters. 
  • The inventory will show partial information for an EKS cluster before the cluster is on-boarded, because some cluster-level information is retrieved by the existing API sync. On-boarding the EKS cluster with the separate script completes the population of the EKS inventory.

Additional updates

In addition to the headline updates, today’s Cloud Optix release is packed with several new features to increase security and compliance of customer environments:

  • Sophos Cloud Optix has been certified by Center for Internet Security (CIS) to accurately assess AWS and GCP system conformance with the security recommendations of the CIS Benchmark profile. By certifying Cloud Optix with CIS, Sophos has demonstrated its commitment to actively solve the foundational problem of ensuring secure standard configurations are used by customers. CIS Certified Security Software Products demonstrate a strong commitment to provide customers with the ability to ensure their assets are secured according to consensus-based best practice standards.
  • Superior public cloud traffic analysis, helping organizations to analyze outbound traffic anomalies with visibility of destination IP addresses including ISP, organization, country, and region.
  • Azure VM Scale Sets inventory, enabling customers to see that hosts are part of Scale Sets, and filter to see hosts within a specific VM Scale Set.
  • Add AWS environments using AWS CloudFormation (in preview), as an alternative to running a script using the AWS CLI, or Terraform.