October’s nearly over, and for many of us that means an evening full of cobwebs, costumes, candy, tricks, and treats as we prepare for Halloween night. It also means that today is the final day of National Cybersecurity Awareness Month! It’s a fitting pairing, as few things are scarier to an IT professional than the havoc a security flaw can cause in their environments.
That same fear is often compounded as our environments grow and we adopt new technologies. As organizations increase their cloud adoption, determining how to consistently and effectively evaluate security within a hybrid or multi-cloud estate is particularly crucial.
Earlier this month I was joined by Google software engineer Sam Levenick to deliver a webinar to help demystify cloud security on Google Cloud Platform.
Auditing Cloud Resources
Cloud providers like GCP feature cloud-native solutions for functionality like networking, storage, and identity management. These solutions greatly simplify designing and deploying complex environments, but it can be difficult to determine how to effectively and comprehensively evaluate those environments’ security. The challenge of auditing these environments is twofold — we need to be sure we’re following our cloud provider’s best practices, and that each user-defined resource we create can be validated.
Chef helps our customers address the first challenge by providing a library of pre-built compliance profiles based on benchmarks created by the Center for Internet Security (CIS). These CIS benchmarks cover a wide variety of common operating systems and technologies, including best practice recommendations for Google Cloud Platform. During the webinar, I demonstrated how, with just a few clicks in Chef Automate, you can create continuous audits of your entire GCP estate to ensure those best practices are being followed.
These audits are run with Chef InSpec, an automation engine for executing security and compliance tests as code. Chef InSpec includes resources for evaluating a wide variety of GCP solutions, in addition to the VMs running therein. To wrap things up, Sam demonstrated how InSpec can be used to automatically generate a custom profile from a running cloud environment, ensuring comprehensive audit coverage without needing to manually capture hundreds, or even thousands, of resources individually.