Three great things that do not always work great together.
In the beginning there were large computer systems that few organizations could afford. Over time these systems became smaller and cheaper and many (if not most) organizations took advantage of them. Some just at the end-user level (i.e. the IBM PC on the desk), some only at the high-end level (i.e. a mainframe in the data center with terminals on desks), and some in a combination of both (anyone remember Reflection?). More recently, we have reached a point where compute resources are being moved into what is commonly referred to as the cloud. But how well do monitoring tools deliver deep, cloud-based visibility?
Cloud means different things to different people, and I am most certainly not here to get into an in-depth discussion around what cloud computing means (and you can totally forget about whether cloud is good or bad). I am going to focus on public cloud and specifically two providers, Microsoft Azure and Amazon Web Services. Even more specifically, I am going to talk about why it is important to have extensive visibility into what resources you are using in cloud.
Some people think that once they move to the cloud they are done. No need to monitor what is there or if they do need to monitor they can use the tools provided by the cloud provider themselves. While these tools are certainly functional, there are a few challenges.
Public Cloud vs 3rd-Party Monitoring
Public cloud provider monitoring tools are nowhere near as robust as what is available from third parties. Compare native Azure monitoring (basic monitoring available via the Azure Portal) to a tool like Netreo. You’ll find Azure comes up quite a bit short:
- Lack of historical dashboards
- Lack of configuration templates
- Lack of fast and easy setup
- Lack of maintenance windows
- 30 day metric retention/90 day activity logs (versus 3 years of both)
- Limited to four 3rd-party integrations (versus unlimited)
- Lack of uptime statistics
- Lack of executive summaries
- Lack of customizations
- Lack of lifecycle management
- Lack of advanced incident management functions
- Inability to monitor multi-cloud and hybrid environments
This one may just be me, but I have a certain hesitancy to trust an organization to monitor itself. Let’s be honest, how much incentive does Microsoft (or any organization in truth) really have to tell you that something is horribly wrong? I feel that way about most things in my life, not just cloud computing.
I get a report e-mailed from my car manufacturer every month with a combination of how well things are going with the car and how I definitely need to take it into the dealer for various, costly maintenance issues. I’m sure it is accurate, but I’m also sure a third-party opinion, and cost, will benefit me more.
Back to the Cloud
Without proper management, cloud resources can get out of hand. This can be from multiple aspects, including:
- Cost – How many VM’s do you have out there running that are no longer being used and just costing money?
- Security – Not simply are your VMs up to date, but are you and your VMs using any resources that have been compromised?
Many of the items I listed I would consider pretty self-explanatory. Historical data is historical data, you have it or you don’t, or you want it or you don’t. Personally, I’d say you should want it, but I leave that to you. Similarly, spending money on VM’s that you are not using is pretty straightforward – you are wasting money that could be used elsewhere.
When it comes to other things on the list, however, it gets more complicated. One reason I’ve heard to use the cloud is that it is more secure than doing it yourself. Sure Microsoft and Amazon may have plenty of security people who are charged with ensuring their environment is secure, as well as a fair amount of incentive to be as secure as possible (pretty sure no public cloud provider has any interest in having a major security breach). But the other side of that coin is big companies are much bigger targets, attracting significantly more breach attempts.
The idea that the cloud will save you money (at least around security) is also worth inspecting. Moving to the cloud may save a bit of money on security but probably not as much as most people think or would like. I still need to secure any on-premises environments I have. I still need to secure any endpoints out there. Perhaps worst of all, I am trading the well-known environment of my data center for the potentially much more complex environment of a public cloud provider with different security approaches, rules and needs.
What’s Really Going on in the Cloud
So, how does all this relate back to cloud visibility? If you are an organization of any significant size with a significant cloud presence, you have lots of different resources in the public cloud. These resources are being managed by many different people and groups within your organization (and possibly some outside your organization). Do you really know about every resource you are using? Do you know which services, products and tools you are using in Azure and AWS? If you don’t know about every one – and I mean every single one – how do you know resources are secure? How do you know the many, many security breaches that have impacted public cloud providers haven’t impacted your data?
Digging in a Little Deeper
I went to Mitre’s CVE (Common Vulnerabilities and Exposures) website, and ran a search for Azure. I got 164 results from 2011 through 2022. Of these, approximately 30 were not directly related to Microsoft but other vendors using Microsoft resources. The following graph shows how many CVE’s for each year were reported:
As you can see, things started off nice and smooth with only two CVE’s in 2011. No CVE’s were reported in 2012-2014, one in 2015, and two in 2016. Unfortunately, things went downhill from there with 2019-2021 having an average of 40 CVE’s each year. 2022 isn’t over yet, and so far things are looking about the same as last year. With 19 CVE’s reported in the first five months, we’re looking at roughly 45 CVE’s this year. While my extrapolation isn’t scientific, I think you’ll agree the total will be about the same as last year.
To provide more context, I then went to the CVE Details site and ran some similar reports looking for Microsoft Azure vulnerabilities. After some data manipulation to get only the Microsoft Azure vulnerabilities, I was left with 134 results (hence my comment above). These spanned 35 different products within Azure as the following chart shows:
A similar search and report for AWS yielded 146 results with the same caveat as for Microsoft – not all these results are related directly to AWS. I took the data, parsed it, and charted it:
Here we can see a similar pattern to what we saw with Azure. Namely, AWS experienced few CVE’s early on, but more and more as time went on. I did try and pull data from the CVE Details site on AWS. However, Amazon has so many different areas of focus (shop, affiliate stuff, music, etc.), getting accurate data was nearly impossible.
Fortunately the point of this post is not impacted by the lack of easily searchable CVE data. But once again you may be sitting there wondering, when am I going to get to the cloud visibility stuff. Good news … right now!
Looking at all the vulnerabilities found in Azure and AWS, it is important to remember that these are not all found in the same product. The Microsoft Azure data shows around 35 different products with vulnerabilities. Sure, some are more likely to have a vulnerability (Azure Sphere shows 28 while most products show a single vulnerability), but just because a service only has one vulnerability does not mean it is not an issue. So, how many different AWS and Azure services is your entire organization using right now? Does anyone in your company know?
Even if you do know the number, what are the chances it won’t change over the next day, week, month or year? Pretty low most likely. As new services are introduced and organizations expand their public cloud footprint, new points of vulnerability are added, too. The point is, if you don’t know exactly what services and resources you’re using in the cloud you may be far more vulnerable than you think. Having a robust visibility solution that provides deep cloud-based visibility across multiple clouds is imperative. Getting the big picture view across clouds and on-premises environments is also a must. Without comprehensive, end-to-end visibility, it’s impossible to manage those estates, know and understand what resources you are using, and have the data you need to know where your system may be vulnerable.