Sophos Cloud Optix – you can’t secure what you can’t see

09 May 2019
4 minute read
Best practice


Sophos, the British FTSE 250 security company, have launched a dedicated public cloud security product – Cloud Optix.

Cloud Security

As many benefits as the public cloud can provide, it can also offer an equal – perhaps greater – number of potential security threats. Managing assets in the cloud becomes a different proposition – with multiple cloud providers such as Amazon, Microsoft, and Google, and the ability to turn things on/off at the click of a button, it can be difficult to know a) what you have and b) where it is.

What does it do?

Sophos’ new offering aims to simplify the security management of multiple cloud environments by offering a “single pane of glass” – and it looks to have some benefits for ITAM too.

According to Sophos, Cloud Optix is “an agentless solution [that provides] complete network inventory, topology visualization and continuous asset monitoring” across Amazon AWS, Microsoft Azure, and Google Cloud Platform (GCP).

Cloud topology diagram via Cloud Optix online demo

It starts to generate a picture of the three cloud providers and shows what elements are live, such as:

  • Public access security groups
  • SQL Servers
  • Azure Databases
  • Amazon S3 Storage
  • Containers
  • User Accounts

According to the online materials, Cloud Optix will also highlight unused resources although, from playing around with the online demo, this appears to only look at unattached network security groups.

Regulatory Compliance

The service also monitors for regulatory compliance against such standards as:

  • CIS Benchmark – Center for Internet Security
  • SOC2 – Service Organisational Control 2
  • HIPAA – Health Insurance Portability and Accountability Act
  • GDPR – General Data Protection Regulation
  • PCI DSS – Payment Card Industry Data Security Standard
  • ISO 27001 – Information security management systems
  • FEDRAMP – Federal Risk and Authorization Management Program

using a range of out-of-the-box policies. Interestingly, the bulk of these are Amazon AWS only, with just CIS, PCI DSS, and SOC2 being available for Microsoft Azure, and just CIS for Google Cloud Platform.

GDPR

The policy focuses on 2 specific articles of this EU regulation, “Article 25 – Data Protection by Design & Default” and “Article 32 – Security of Processing”. There are 10 rules used to address both GDPR elements; they’re mainly focused on encryption, such as:

  • Encryption for Amazon S3 buckets
  • Encryption for EBS volumes
  • Encryption at rest for RDS instances and Redshift clusters

PCI DSS

This features 12 different rules in Azure (31 in AWS) across 4 elements of the PCI DSS regulation, covering various points such as:

  • Extending firewall protections
  • Restricting internet access to SQL servers
  • Encrypting storage services
  • Setting log retention to over 365 days

General

Policies can also be customised where needed and “Guardrails” can be set to prevent certain changes taking place within your public cloud systems:

Security policies and guardrails via https://www.sophos.com/en-us/products/cloud-optix.aspx

And built-in integrations with services such as Jira and ServiceNow help Cloud Optix fit into existing workflows.

The Cloud Optix dashboard gives an overview of alerts – ranked by severity – and shows in which cloud provider and environment the problem exists.

The alerts dashboard via https://www.sophos.com/en-us/products/cloud-optix.aspx

Any use for ITAM?

Yes, this is very much a security product, but some of the information it provides can certainly be useful for ITAM purposes. Being able to get a total overview of resources across your Amazon, Microsoft, and Google public cloud environments may enable the identification of duplicate resources and also help with identifying things where they shouldn’t be – i.e. SQL servers in AWS when your policy says “all SQL servers must be in Azure”.
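To make concrete what the GDPR and PCI DSS rule lists above and the ITAM placement check in the previous paragraph amount to in practice, here is a small policy-as-code evaluator over a multi-cloud inventory. This is an added example, not Cloud Optix code and not Sophos’ rule set: the resource records, rule identifiers, severities and the “all SQL servers must be in Azure” placement rule are all constructed for illustration.

```python
# Added example, not Sophos/Cloud Optix code. Evaluates a constructed
# multi-cloud inventory against a few posture rules of the kind the GDPR and
# PCI DSS policies above describe (encryption at rest, no public database
# access, log retention over 365 days) plus one ITAM placement rule.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Resource:
    provider: str                 # "aws", "azure" or "gcp"
    kind: str                     # e.g. "s3_bucket", "rds_instance", "sql_server", "log_group"
    name: str
    attrs: Dict[str, object] = field(default_factory=dict)


@dataclass
class Rule:
    rule_id: str                  # hypothetical identifier, not a Cloud Optix rule name
    framework: str                # "GDPR", "PCI DSS" or "ITAM"
    severity: str                 # "high", "medium" or "low"
    applies_to: Callable[[Resource], bool]
    compliant: Callable[[Resource], bool]
    message: str


# Constructed inventory of the kind a cloud asset scan would return.
INVENTORY: List[Resource] = [
    Resource("aws", "s3_bucket", "customer-exports", {"encrypted": False}),
    Resource("aws", "ebs_volume", "vol-app-01", {"encrypted": True}),
    Resource("aws", "rds_instance", "orders-db", {"encrypted": False, "public": True}),
    Resource("aws", "log_group", "cloudtrail", {"retention_days": 90}),
    Resource("azure", "sql_server", "billing-sql", {"public": False}),
    Resource("azure", "log_group", "activity-log", {"retention_days": 400}),
    Resource("gcp", "sql_server", "analytics-sql", {"public": True}),
]

STORAGE_KINDS = {"s3_bucket", "ebs_volume", "rds_instance", "redshift_cluster"}
DATABASE_KINDS = {"sql_server", "rds_instance"}

RULES: List[Rule] = [
    Rule("GDPR-ENC-01", "GDPR", "high",
         lambda r: r.kind in STORAGE_KINDS,
         lambda r: bool(r.attrs.get("encrypted", False)),
         "Storage not encrypted at rest (Art. 32 Security of Processing)"),
    Rule("PCI-NET-01", "PCI DSS", "high",
         lambda r: r.kind in DATABASE_KINDS,
         lambda r: not r.attrs.get("public", False),
         "Database server reachable from the internet"),
    Rule("PCI-LOG-01", "PCI DSS", "medium",
         lambda r: r.kind == "log_group",
         lambda r: int(r.attrs.get("retention_days", 0)) > 365,
         "Log retention is not over 365 days"),
    Rule("ITAM-PLACE-01", "ITAM", "low",
         lambda r: r.kind in DATABASE_KINDS,
         lambda r: r.provider == "azure",
         "SQL server outside the approved provider (policy: Azure only)"),
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def evaluate(inventory: List[Resource], rules: List[Rule]) -> List[dict]:
    """Return one finding per (resource, rule) pair that applies and fails,
    ranked by severity the way an alerts dashboard would list them."""
    findings = []
    for res in inventory:
        for rule in rules:
            if rule.applies_to(res) and not rule.compliant(res):
                findings.append({
                    "severity": rule.severity,
                    "framework": rule.framework,
                    "rule_id": rule.rule_id,
                    "provider": res.provider,
                    "resource": res.name,
                    "message": rule.message,
                })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]],
                                 f["provider"], f["resource"], f["rule_id"]))
    return findings


def summary_by_provider(inventory: List[Resource], findings: List[dict]) -> Dict[str, int]:
    """Count findings per provider, listing providers with zero findings too."""
    counts = {res.provider: 0 for res in inventory}
    for f in findings:
        counts[f["provider"]] += 1
    return counts


if __name__ == "__main__":
    results = evaluate(INVENTORY, RULES)
    for f in results:
        print(f"[{f['severity']:6}] {f['provider']:5} {f['resource']:16} "
              f"{f['rule_id']:13} {f['message']}")
    print(summary_by_provider(INVENTORY, results))
```

The point of the example is the shape of the data, not the specific rules: once an inventory carries provider, resource kind and a few attributes, a compliance check, an unused-resource check and an ITAM placement check are all the same loop with a different predicate, which is why the same product can serve both teams.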

This is a great opportunity to talk to your security team and discuss how you can work together. Even if they don’t intend to use Cloud Optix, you can use this as a starting point to understand how their other tool/s – for they surely must have such a tool soon if they wish to maintain security in the cloud – can plug into ITAM too.

Further Reading

Sophos Announcement – https://news.sophos.com/en-us/2019/04/09/sophos-cloud-optix-is-solving-the-toughest-challenges-in-public-cloud-security/

Cloud Optix site – https://www.sophos.com/en-us/products/cloud-optix.aspx
