Saturday, October 13, 2018

CIS 3.1 in Azure - Cloudneeti

In a previous post, we discussed the concept of vulnerability scanning in Azure and how tools such as Azure Security Center can provide valuable insight into best practices for configuring your environment. In addition to built-in tools (such as ASC), there are a host of third-party tools that can provide similar functionality. The one that I will focus on today is Cloudneeti.

Full disclosure: Cloudneeti has not paid for this blog post, and this is also not a recommendation. I simply want to highlight the options available in the marketplace and how they differ from the built-in tooling. Big thanks to Cloudneeti for putting up with my tardiness and provisioning me an instance that I could fool around with.

Connecting up Cloudneeti is actually quite easy. Log in to a provisioned instance with appropriate credentials and connect it up to your subscription. It essentially creates an application inside your AAD that has an appropriate level of access.
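Since the integration works through an AAD application that holds access to the subscription, it is worth reviewing exactly what that application was granted. The following is an added example, not code from Cloudneeti or from the original post: it audits role assignments exported with `az role assignment list --assignee <appId> --all -o json`. The app name, subscription ID, sample assignments and the expected read-only role set are all assumptions made for illustration.

```python
import json

# Assumption: roles a read-only posture scanner should hold; adjust to your policy.
EXPECTED_ROLES = {"Reader", "Security Reader"}

# Constructed sample shaped like the output of
#   az role assignment list --assignee <appId> --all -o json
# (app name, subscription ID, resource group and management group are made up).
SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"principalName": "posture-scanner-app", "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB}"},
    {"principalName": "posture-scanner-app", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-demo"},
    {"principalName": "posture-scanner-app", "roleDefinitionName": "Security Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-demo"},
])

def within_subscription(scope, subscription_id):
    """True if the scope is the subscription itself or something inside it."""
    base = f"/subscriptions/{subscription_id}".lower()
    scope = scope.lower().rstrip("/")
    return scope == base or scope.startswith(base + "/")

def audit(assignments_json, subscription_id):
    """Return (role, scope, reason) for each assignment that needs review."""
    findings = []
    for a in json.loads(assignments_json):
        role, scope = a["roleDefinitionName"], a["scope"]
        if role not in EXPECTED_ROLES:
            findings.append((role, scope, "role is not in the expected read-only set"))
        if not within_subscription(scope, subscription_id):
            findings.append((role, scope, "scope reaches beyond the connected subscription"))
    return findings

if __name__ == "__main__":
    for role, scope, reason in audit(SAMPLE, SUB):
        print(f"REVIEW {role} at {scope}: {reason}")
```

Re-run the export and the audit after each product update or re-onboarding, since role assignments on the application can change over time.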

Signing in, you get a pre-created dashboard that gives you some interesting facts about your subscription.





It seems like we are using resources in over 6 different Azure datacenters. I have no idea why; time to book a meeting with the team!

One of the core features of products such as Cloudneeti is the mapping of your Azure posture to various frameworks. This also happens to be one of the main reasons why you would pick this type of tool over ASC. Think about it this way: ASC gives you a list of recommendations, but doesn't tell you where any of those recommendations came from. As far as you know, somebody in the basement at Microsoft threw darts at the wall and selected a set of controls to run on your environment. With a product such as Cloudneeti, you can draw a clear line from each recommended control to the framework it comes from.

GDPR is all the rage these days, and luckily Cloudneeti has a GDPR benchmark already coded. Let's see how my subscription meets those requirements.


Woah, looks like I have quite a bit of work to do. Cloudneeti provides detailed information for each of the controls.  Here is what one of them looks like.

 

Like ASC, the Cloudneeti product provides detailed information on the control, how to audit, how to remediate, and what resources are affected/identified by the control. Cloudneeti also allows you to download reports. You also get super annoying (read: helpful) emails about the status of your subscription.

At the time of writing, the following benchmarks were available for use against my Azure environment.

- CIS Benchmark
- NIST CSF
- CSA CCM V3.0.1
- GDPR
- HIPAA
- PCI DSS 3.2
- FFIEC CAT
- NIST 800-53 Rev 4
- ISO 27001
- UK NCSC

If you are looking for a more compliance-focused monitoring approach, tools such as Cloudneeti may fit the bill perfectly. There are likely a ton more features in the product that I have not had a chance to discuss here.