By Ed Moyle, and Azure Security News
Security teams need a complete picture of the cloud services in use in their organization. This view should consolidate visibility across service providers, offer easy and seamless integration and comparison, and include granular measurements down to the smallest workload.
Achieving this perfect level of cloud visibility, however, is not always easy or even possible in many instances.
Cloud monitoring dashboards have thus become compelling both from a security and broader management point of view. They promise to enable better visibility and more informed decision-making and to help meet operational targets, such as availability, performance and budget. But they aren’t always a silver-bullet answer to the cloud visibility challenge.
Here, explore these tools’ features and security benefits, as well as the pros and cons of three deployment options.
Cloud monitoring dashboard security use cases
Monitoring is, of course, beneficial to security — dashboarding tools, in particular. First, monitoring can provide operational-level telemetry regarding workloads, such as log events. Obtaining this telemetry can help security teams accomplish the following tasks:
- Ensure workloads are in line with policies. For example, it can be used to determine whether VMs or containers are misconfigured.
- Isolate issues and gather information during incident response. For example, teams can review log information about individual components within an application.
- Establish a known security baseline. For example, using it to compare previous activity patterns with current ones can make clear whether an activity is in line with normal behavior.
Second, the visibility gained from cloud monitoring dashboards can combine the operational picture with the following security features and products offered by cloud providers:
- security features at the workload level, such as information about firewall rule usage, security groups or authentication events;
- native threat detection capabilities operating across workloads, such as Amazon GuardDuty and Azure Defender;
- security-specific service offerings, such as AWS CloudTrail or Azure Sentinel; and,
- provider-specific dashboards, such as AWS Security Hub or Azure Security Center.
Using this information to augment overall operations ensures it is factored into operational decision-making. Cloud monitoring dashboards also enable decision-makers to obtain relevant information when needed.
Lastly, cloud monitoring dashboards can yield information to security teams that would not be available otherwise. For example, usage-level information can be informative for managing cloud sprawl. Knowing when a business or technical team starts using a new cloud service can also indicate the beginning of an unexpected initiative. Seeing new workspaces, services or resources suddenly appear can inform the security team early on about development work that may require additional investigation.
Build, buy or use what’s there?
Security leaders have three major deployment options available for incorporating cloud monitoring functionality into the organization’s operational profile: cloud-native, third party and open source. Considering these options’ requirements, as well as their similarities and differences, is important to finding the best option for a given company.
Cloud-native monitoring services
Implementing native monitoring services offered by cloud service providers in use is a helpful place to start for cloud customers. These services, including Amazon CloudWatch, Azure Monitor and Google Cloud Monitoring, provide a view into the services employed from the given service provider. Organizations may choose to use cloud-native monitoring services because they already have access to this capability through their cloud providers and because they require little additional work for security teams to understand. Security teams can use default information provided in the out-of-the-box configuration or customize dashboards and supporting data points to fit their organization’s usage.
Organizations with multi-cloud environments may experience challenges with this option. From an operational standpoint, difficulty may arise when elements span multiple providers within the same workflow or when components or services within the same application do so. For example, an organization might have a web application where edge assets, such as images or static pages, are in a content delivery network and a web server in Azure VMs that incorporates RESTful functions from AWS Lambda and sends data to a back-end platform, like Salesforce.
Third-party monitoring services
Cloud monitoring as a service may be a better option to achieve better visibility into multi-cloud environments. Commercial services, such as Datadog or CloudMonix, collect and track metrics across multiple platforms and across multiple service providers. In this deployment option, organizations can tie together data sources from disparate providers. With a unified view of similar services offered by different providers, such as AWS Fargate and Azure Containers, organizations can normalize data points to enable an apples-to-apples comparison.
Implementing third-party monitoring tools can be beneficial because it helps mitigate vendor lock-in, as measurements are no longer reliant on the underlying provider. The downside is that it requires additional expense. Additionally, some smaller cloud providers may not be natively incorporated in the commercial product, thereby requiring integration work. Before making a buying decision, make sure the desired data elements necessary to track are included in the vendor’s offering.
Open source cloud monitoring tools
Another option is to roll your own tools using open source cloud monitoring tools and components, such as Grafana for analytics and visualization. This can be accomplished without the licensing or usage costs associated with a commercial tool. However, it does require additional expertise to undertake the extraction of key data elements from the cloud provider in-house. This becomes significantly more complicated when multiple providers are in use.
Regardless of the chosen deployment option, cloud monitoring dashboards can provide value to the security operations team, provided careful forethought is put into determining which metrics are most useful to track.