Cloud is open. Or perhaps more accurately, many of the fastest growing and most widely deployed technologies currently playing out and evolving across the global cloudscape are open source.
The inherent openness that spans much of the cloud ecosystem creates a wide variety of gateways for deployment. The last two decades have seen us move rapidly through initial notions surrounding public and private cloud to (in so many instances) settle upon a realization that a hybrid combination of both is often the most prudent configuration.
As the distributed nature of hybrid cloud continues to widen, enterprises are adopting multi-cloud by using more than one Cloud Services Provider (CSP) and, in some cases, poly-cloud deployments, where single application and data services workloads are ‘separated out’ across multiple instances on multiple CSPs.
Widened Toolset Mechanics
Aiming to provide a new thread of security control management across the undeniably uneven and fragmented surface on planet cloud is Sysdig. The company used its appearance at KubeCon + CloudNativeCon North America 2021 this fall to explain how the Falco open source software project is widening its toolset mechanics.
Falco is a cloud-native runtime security project. Sysdig positions it as a ‘de facto’ detection engine for containers and Kubernetes robustness (it has over thirty million downloads, so perhaps not quite a de facto industry standard). Created by Sysdig and contributed to the Cloud Native Computing Foundation (CNCF), Falco is now an ‘incubation level’ hosted project.
Now aligning with Falco is AWS CloudTrail, an AWS service that helps organizations control aspects of governance, compliance, and operational risk auditing of their AWS account. A new Amazon Web Services (AWS) CloudTrail plug-in provides real-time detection of unexpected behavior and configuration changes, intrusions, and data theft in AWS cloud services using Falco rules.
The Falco community developed this extension with Sysdig based on a new plug-in framework that allows any systems engineer or software developer to extend Falco to capture data from additional sources beyond Linux system calls and Kubernetes audit logs.
Consistent Distributed Threat Detection
Loris Degioanni, founder and chief technology officer at Sysdig, points to the reality of organizations having to manage critical data across multiple clouds. He says they need consistent threat detection across their distributed environments.
Additional plug-ins will allow organizations to use a consistent threat detection language and close security gaps by using consistent policies for workloads and infrastructure. In addition, more than twenty new out-of-the-box policies supporting compliance frameworks were released.
Falco inspects cloud logs using a streaming approach, applying the rules to the logs in real time and immediately alerting on issues, without the need to make an additional copy of the data. This approach complements static cloud security posture management by continually checking for unexpected changes to configurations and permissions that can increase risk.
Today, security teams are forced to export AWS CloudTrail logs into a data lake or a security information and event management (SIEM) system for processing, and then search for threats and configuration changes that can indicate a risk. This approach adds delay in identifying risks, as well as cost and complexity.
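To make the streaming approach concrete, here is a small added example (written for this piece, not Falco's engine or its rule syntax) that evaluates a rule set over AWS CloudTrail records one at a time as they arrive, emitting alerts immediately and never holding the whole log. The rule names, the account id and the sample records are constructed; the field names are the standard ones in a CloudTrail record.

```python
# Toy streaming rule evaluation over AWS CloudTrail records (added example; not
# Falco's engine or rule syntax). Records are checked as they arrive and alerts
# are emitted at once, so no second copy of the log is ever kept.
import json
from typing import Any, Callable, Dict, Iterator, List, Tuple

Record = Dict[str, Any]

# Rules key only on standard CloudTrail record fields; the rule names are made up.
RULES: List[Tuple[str, Callable[[Record], bool]]] = [
    ("CloudTrail logging stopped or trail deleted",
     lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
     and r.get("eventName") in ("StopLogging", "DeleteTrail")
     and not r.get("errorCode")),  # a denied attempt is recorded with an errorCode
    ("Security group ingress changed",
     lambda r: r.get("eventSource") == "ec2.amazonaws.com"
     and r.get("eventName") in ("AuthorizeSecurityGroupIngress",
                                "RevokeSecurityGroupIngress")),
    ("Mutating API call by the root user",
     lambda r: r.get("userIdentity", {}).get("type") == "Root"
     and not r.get("readOnly", False)),
]

def iter_records(delivery: str) -> Iterator[Record]:
    """CloudTrail delivers JSON shaped {"Records": [...]}; yield them one at a time."""
    yield from json.loads(delivery).get("Records", [])

def evaluate(records: Iterator[Record]) -> Iterator[Dict[str, str]]:
    """Apply every rule to each record as it streams past; yield alerts immediately."""
    for rec in records:
        for name, matches in RULES:
            if matches(rec):
                yield {"rule": name, "event": str(rec.get("eventName")),
                       "user": str(rec.get("userIdentity", {}).get("arn", "unknown")),
                       "src_ip": str(rec.get("sourceIPAddress"))}

# Constructed sample delivery: fictitious account id and documentation-range IPs.
OPS = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"}
SAMPLE_DELIVERY = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "readOnly": True,
     "userIdentity": OPS, "sourceIPAddress": "10.0.0.5"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": OPS, "sourceIPAddress": "203.0.113.7"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "errorCode": "AccessDenied", "userIdentity": OPS, "sourceIPAddress": "203.0.113.7"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.2"},
]})

def run_sample() -> List[Dict[str, str]]:
    return list(evaluate(iter_records(SAMPLE_DELIVERY)))
```

Note that the denied DeleteTrail call produces no alert because the rule requires an empty errorCode; a production rule set would usually alert on failed attempts as well.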
Cloud and security teams struggle with an ever-growing list of tools to master and manage. Falco provides a single tool for threat detection across container and cloud environments, reducing complexity by reducing the number of tools in the stack.
With this technology, users can use the same ‘rule language’ to create consistent policies for workloads and infrastructure, removing security gaps. Because there is a shortage of talent in both cybersecurity and DevOps, reducing the learning curve by using consistent tools for threat detection is critical.
Cloud’s Next Challenge
The story thread here, arguably, points to cloud computing’s next major challenge: consistency in the face of interchangeability. We know that no two cloud instances are necessarily equal (clouds can be optimized for quite radically different operational performance parameters), and that’s just inside the delivery framework of a single CSP.
If we span that differentiation factor out over a handful of CSPs (it’s mainly only AWS, Google, and Azure, but there are some others) and think about the multi-cloud and poly-cloud combinations currently being built, then it’s easy to see where mismatches and incompatibilities will arise.
This is why we’re hearing so much about efforts to keep the Kubernetes container orchestration technology relevant wherever it is applied. We don’t want cloud-connected ubiquity to fall over just because one database is configured differently from another across different parts of an IT stack, so we need to be able to create a template and fit it with one set of spanners wherever we are working.
In Falco’s case that spanner is a threat detection tool, but there are wrenches and levers for all the internal mechanics of an operational cloud.
“The Falco plug-in capability gives DevOps and security teams a single threat detection tool with a single rules language across container and cloud environments. This allows users to create consistent policies for workloads and infrastructure and close security gaps,” says Chris Aniszczyk, CTO of the Cloud Native Computing Foundation. “The basis is now in place for rapid innovation by the community to extend Falco to additional cloud environments.”
The new plug-in capability and framework have been contributed by the Falco community and Sysdig to the project over the last few months. As of now, the AWS CloudTrail plug-in is available for use in preview mode and contributors can build new plug-ins on the framework.
Cloud is still open, cloud is still interoperable and cloud is still eminently precision-engineered for interchangeable integration and interconnectedness, but we still have work to do. Nobody should be taking a lump hammer to a cloud connection point that at first appears to need forcing. This is precisely the type of action that can lead to the vulnerabilities Falco is working to address.
A safer cloud is a more tuneful cloud. Even Amadeus himself would agree on that.