Amazon answered many security and compliance prayers yesterday with the release of its Inspector tool.
Inspector scans applications launched in Amazon Web Services instances, looking for issues on two fronts: compliance with certain regulations such as the Payment Card Industry Data Security Standard (PCI-DSS); and vulnerabilities unintentionally introduced during development.
Inspector agents run on the Amazon EC2 instances that host applications, Amazon Web Services chief evangelist Jeff Barr said in a blogpost announcing Inspector. Barr said the agent monitors the network, file system and processes, and checks whether the application communicates securely with AWS services and with other instances.
“This information provides Inspector with a complete picture of the application and its potential security or compliance issues,” Barr wrote.
Data collected by the agent is evaluated against a set of built-in rules packages, for example one that checks for noncompliance with PCI DSS 3.0. Other rules packages in the first version of Inspector cover known vulnerabilities listed as Common Vulnerabilities and Exposures (CVEs), and best practices for network security, operating system security, application security and authentication.
“I think the major problem they’re solving with AWS is that a lot of customers with various compliance issues, such as PCI, can find themselves facing issues with new instances that may be out of compliance or not secure because not up to patch levels,” said Jeremiah Grossman, founder of application security company WhiteHat Security. “Inspector gives them a way to set up rules and a scanner to see if their AMI [Amazon Machine Image] is configured securely and within compliance levels, or if there are vulnerabilities that should be patched.”
The introduction of Inspector could cause some market anxiety for companies that provide network- and infrastructure-level scanning, but for cloud users who just want a quick and easy compliance and security check, Inspector is likely to be a welcome sight.
“We only know the basics so far, but this is incredibly interesting. It combines in-server analysis (via agent) with direct analysis of the cloud infrastructure around it,” said Rich Mogull, founder of security consultancy Securosis. “It combines cloud platform vulnerability assessment, with host level vulnerability assessment, and correlates the results. It thus competes with host level VA and some of the new cloud vulnerability assessment tools, at least for AWS.”
One limitation Grossman pointed out, however, is the tool’s focus, for now, on CVE-listed vulnerabilities rather than flaws in custom application code.
“In the documentation, I’m not finding anything about cross-site scripting or SQL injection, they’re just talking about CVEs,” Grossman said. “And from looking at screenshots here, just patchable ones like from Microsoft. Nothing custom.”
Inspector has the potential to answer a lot of security challenges for cloud computing use cases, even in large enterprises, where even simple blocking-and-tackling procedures such as patch and vulnerability management can be a challenge.
“If you’re running one AMI, keeping that compliant is easy. If you’re running hundreds or thousands, it’s a completely different story,” Grossman said. “If this is a best practice compliance play, that’s what customers are screaming for. They want to make sure they have a quick, easy scanner that determines if their AMIs are out of compliance for X-Y-Z reasons and are updated on patches; that’s good enough to get out of the compliance nightmare they may be in. And I imagine it’s at a much cheaper rate than they could get elsewhere.”
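To make concrete what a host-level CVE rules check of the kind Barr describes does, and why Grossman's fleet-scale point matters, here is a small added example. It is not Amazon's code and does not use the Inspector API: it takes a constructed per-instance package inventory (the sort of data an on-host agent reports), evaluates it against a constructed rules package that maps placeholder CVE identifiers (not real CVEs) to affected version ranges, and rolls the findings up per AMI so you can see which image needs rebuilding. The version-ordering scheme and the rule and inventory fields are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed rules package. The CVE identifiers are placeholders, not real CVEs.
# A package is affected when introduced <= installed version < fixed_in.
RULES = [
    {"cve": "CVE-0000-0001", "package": "openssl", "introduced": "1.0.1", "fixed_in": "1.0.1t", "severity": "High"},
    {"cve": "CVE-0000-0002", "package": "openssl", "introduced": "1.0.2", "fixed_in": "1.0.2g", "severity": "Medium"},
    {"cve": "CVE-0000-0003", "package": "bash",    "introduced": "4.3",   "fixed_in": "4.3.30", "severity": "High"},
]

# Constructed inventory: what an agent on each instance would report back,
# keyed by instance ID, with the AMI the instance was launched from.
INVENTORY = {
    "i-0001": {"ami": "ami-aaaa", "packages": {"openssl": "1.0.1e", "bash": "4.3.30"}},
    "i-0002": {"ami": "ami-aaaa", "packages": {"openssl": "1.0.1e", "bash": "4.3.11"}},
    "i-0003": {"ami": "ami-bbbb", "packages": {"openssl": "1.0.2g", "bash": "4.3.30"}},
    "i-0004": {"ami": "ami-bbbb", "packages": {"openssl": "1.0.2d", "bash": "4.3.42"}},
}


def version_key(version):
    """Split a version string into comparable components (assumed scheme).

    Numeric runs compare as integers; alphabetic runs (OpenSSL-style letter
    suffixes) compare as strings and sort after a bare numeric prefix, so
    "1.0.2" < "1.0.2d" < "1.0.2g" and "1.0.1t" < "1.0.2".
    """
    key = []
    for part in re.findall(r"\d+|[A-Za-z]+", version):
        key.append((1, int(part)) if part.isdigit() else (0, part))
    return key


def is_affected(installed, introduced, fixed_in):
    """True when the installed version falls inside the vulnerable range."""
    v = version_key(installed)
    return version_key(introduced) <= v < version_key(fixed_in)


def evaluate(inventory, rules):
    """Run every rule against every instance; return one finding per hit."""
    findings = []
    for instance_id, host in sorted(inventory.items()):
        for rule in rules:
            installed = host["packages"].get(rule["package"])
            if installed is None:
                continue  # package not present, rule cannot apply
            if is_affected(installed, rule["introduced"], rule["fixed_in"]):
                findings.append({
                    "instance": instance_id,
                    "ami": host["ami"],
                    "package": rule["package"],
                    "installed": installed,
                    "fixed_in": rule["fixed_in"],
                    "cve": rule["cve"],
                    "severity": rule["severity"],
                })
    return findings


def summarize_by_ami(findings):
    """Count findings per AMI and severity: the view that tells you which
    image to rebuild rather than which single host to patch."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in findings:
        summary[f["ami"]][f["severity"]] += 1
    return {ami: dict(counts) for ami, counts in summary.items()}


if __name__ == "__main__":
    results = evaluate(INVENTORY, RULES)
    for f in results:
        print(f"{f['instance']} ({f['ami']}): {f['package']} {f['installed']} "
              f"affected by {f['cve']} [{f['severity']}], fixed in {f['fixed_in']}")
    print("per-AMI summary:", summarize_by_ami(results))
```

Note that the same openssl build on i-0001 and i-0002 yields a finding on both hosts; with hundreds of instances from one image the per-AMI roll-up is what turns a long findings list into a single remediation action. A real rules package would carry many more rules and vendor-specific version semantics (distribution epochs and release suffixes), which this toy ordering does not model.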