You’re likely familiar with the problem of cloud misconfigurations. In short, more workloads are moving to the cloud, and environments have become a labyrinth of services and APIs that few can navigate. The result is that risky misconfigurations are everywhere: research published by Zscaler in 2022 found that 98.6% of organizations run misconfigured cloud resources that pose critical risks to their data and infrastructure.
The scale of the problem is such that an entire ecosystem of tools now exists primarily to detect misconfigurations in cloud environments (‘security posture management’). However, post-hoc detection can never catch every misconfiguration; what’s more, it’s not even clear that we would want it to. Very high detection rates create new problems of their own, including prioritizing an endless backlog of findings to remediate and deciding who is responsible for fixing them (dev, sec, or ops).
Prevention > Remediation
It seems obvious that you’d generally want to prevent a misconfiguration before it gets deployed – but surprisingly few security tools tackle this aspect. The exception is infrastructure-as-code (IaC), where scanners check the code and stop developers from making questionable choices before those choices are pushed to production.
However, according to Palo Alto’s State of Cloud Security Report (PDF), only 33% of cloud deployments use cloud-native deployment methods. For the remaining workloads, the console is still king; and in the console, nothing stops a developer from unticking a box and, for example, exposing a bucket of customer PII to the public internet.
Our new Tamnoon Prevent tool is here to close the gap – allowing organizations to tackle misconfigurations earlier and prevent them from being deployed in the first place.
Meet the Chrome Extension that Protects AWS Users from Bad Security Choices
Tamnoon Prevent is a simple Chrome browser extension that stops users from deploying resources with risky misconfigurations. It runs in the background, detects when a user is creating a new resource in the AWS console, and – depending on the organization’s settings for that policy – either highlights the insecure configuration or blocks the user from hitting ‘deploy.’
Beyond merely blocking the deployment, Tamnoon Prevent offers expert guidance in the form of clear, developer-friendly instructions on how to configure the resource correctly. This guidance is based both on general cloud security best practices, which the Tamnoon team has learned from working on hundreds of cloud environments, and on the customer’s own CNAPP policies.
For example, Tamnoon Prevent would block / highlight the following:
- Amazon RDS instance created without storage encryption at rest
- S3 bucket reachable by the public (Block Public Access disabled or a public ACL/policy)
- Security group with an ingress rule open to 0.0.0.0/0 (potential public internet exposure)
- IAM user with administrator privileges and no MFA device
The extension currently supports dozens of policies across popular AWS services, and we will be adding more regularly.
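To make concrete what “highlight or block, depending on the organization’s settings” means for the four policies above, here is a small evaluator written for this article. It is an added example, not Tamnoon Prevent’s code: the resource field names loosely follow the AWS API (StorageEncrypted, IpPermissions, PublicAccessBlock, MFADevices), but the resource objects are constructed, and the policy ids, the `orgSettings` map and the `evaluate()` function are assumptions for illustration.

```javascript
// Added example, not Tamnoon Prevent's code. Models the four console checks
// described on this page and the per-policy choice of 'highlight' vs 'block'.
// Resource shapes, policy ids, orgSettings and evaluate() are assumptions.

const MODE_HIGHLIGHT = "highlight";
const MODE_BLOCK = "block";

const ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers";
const AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers";
const ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess";

// IPv4 and IPv6 "anywhere" ranges, as the console renders them.
function isWorldOpen(cidr) {
  return cidr === "0.0.0.0/0" || cidr === "::/0";
}

// Human-readable port range; IpProtocol "-1" means all traffic in the AWS API.
function portLabel(p) {
  if (p.IpProtocol === "-1") return "all traffic";
  if (p.FromPort === p.ToPort) return `${p.IpProtocol}/${p.FromPort}`;
  return `${p.IpProtocol}/${p.FromPort}-${p.ToPort}`;
}

// Each policy: the resource type it applies to, a check that returns a message
// (or null when compliant), and the developer-facing fix shown with the finding.
const POLICIES = [
  {
    id: "rds-unencrypted",
    type: "AWS::RDS::DBInstance",
    check: (r) => (r.StorageEncrypted ? null : "storage is not encrypted at rest"),
    fix: "Tick 'Enable encryption' before creating the instance; it cannot be turned on in place afterwards.",
  },
  {
    id: "s3-public",
    type: "AWS::S3::Bucket",
    check: (r) => {
      const pab = r.PublicAccessBlock || {};
      const fullyBlocked = ["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"]
        .every((k) => pab[k] === true);
      const publicAcl = (r.Grants || []).some(
        (g) => g.Grantee && (g.Grantee.URI === ALL_USERS || g.Grantee.URI === AUTH_USERS));
      if (publicAcl && !pab.IgnorePublicAcls) return "ACL grants access to everyone";
      if (!fullyBlocked) return "Block Public Access is not fully enabled";
      return null;
    },
    fix: "Keep all four Block Public Access settings ticked and remove AllUsers/AuthenticatedUsers grants.",
  },
  {
    id: "sg-open-ingress",
    type: "AWS::EC2::SecurityGroup",
    check: (r) => {
      const open = (r.IpPermissions || []).filter(
        (p) => (p.IpRanges || []).some((x) => isWorldOpen(x.CidrIp)) ||
               (p.Ipv6Ranges || []).some((x) => isWorldOpen(x.CidrIpv6)));
      return open.length ? `ingress from anywhere on ${open.map(portLabel).join(", ")}` : null;
    },
    fix: "Restrict the source to a known CIDR, a prefix list or another security group.",
  },
  {
    id: "iam-admin-no-mfa",
    type: "AWS::IAM::User",
    check: (r) => {
      const admin = (r.AttachedPolicies || []).includes(ADMIN_POLICY);
      const noMfa = (r.MFADevices || []).length === 0;
      return admin && noMfa ? "administrator user has no MFA device" : null;
    },
    fix: "Assign a virtual or hardware MFA device before attaching AdministratorAccess.",
  },
];

// orgSettings maps policy id -> "highlight" | "block". Unknown ids default to
// highlight, so a newly added policy never silently blocks deployments.
function evaluate(resource, orgSettings = {}) {
  const findings = [];
  for (const p of POLICIES) {
    if (p.type !== resource.type) continue;
    const message = p.check(resource);
    if (message !== null) {
      findings.push({ policy: p.id, message, fix: p.fix, mode: orgSettings[p.id] || MODE_HIGHLIGHT });
    }
  }
  return { findings, blocked: findings.some((f) => f.mode === MODE_BLOCK) };
}

// Constructed sample resources, as the console might describe them just before
// the user presses the create button. All values are made up for this example.
const SAMPLES = {
  db: { type: "AWS::RDS::DBInstance", DBInstanceIdentifier: "orders-db", StorageEncrypted: false },
  bucket: {
    type: "AWS::S3::Bucket", Name: "customer-exports",
    PublicAccessBlock: { BlockPublicAcls: true, IgnorePublicAcls: false, BlockPublicPolicy: true, RestrictPublicBuckets: true },
    Grants: [{ Grantee: { URI: ALL_USERS }, Permission: "READ" }],
  },
  sg: {
    type: "AWS::EC2::SecurityGroup", GroupName: "web-sg",
    IpPermissions: [
      { IpProtocol: "tcp", FromPort: 443, ToPort: 443, IpRanges: [{ CidrIp: "0.0.0.0/0" }] },
      { IpProtocol: "tcp", FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: "10.0.0.0/8" }] },
    ],
  },
  user: { type: "AWS::IAM::User", UserName: "ops-admin", AttachedPolicies: [ADMIN_POLICY], MFADevices: [] },
};

// Example organisation settings: public buckets and MFA-less admins are hard
// blocks; the other two policies only warn.
const ORG_SETTINGS = { "s3-public": MODE_BLOCK, "iam-admin-no-mfa": MODE_BLOCK };

function runSamples() {
  const out = {};
  for (const [name, r] of Object.entries(SAMPLES)) out[name] = evaluate(r, ORG_SETTINGS);
  return out;
}

for (const [name, res] of Object.entries(runSamples())) {
  for (const f of res.findings) {
    console.log(`${res.blocked ? "BLOCK" : "WARN "} ${name}: ${f.message} -> ${f.fix}`);
  }
}
```

Two design points worth noting. First, a policy that is missing from the organization’s settings defaults to highlight rather than block, so adding new policies never breaks a team’s deployments unannounced. Second, a browser extension only sees changes made through the console: anything created via the CLI, SDKs or IaC never passes through it, so treat console-side prevention as one layer next to the IaC scanners mentioned above and account-level controls, not as a replacement for them.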
- Expert Guidance: Delivers clear and actionable insights into correcting misconfigurations as they are being deployed to the cloud.
- Developer-Friendly Awareness: Integrates seamlessly with the browser, featuring prevention and detection modes, following cloud security best practices, and adhering to your unique CNAPP policy.
What Are the Benefits?
- Compliant and secure cloud infrastructure from the start: Fewer misconfigured resources means a smaller risk of data breaches and other security incidents.
- Less remediation overhead: Preventing the misconfiguration in advance minimizes the need for remediation and the associated friction between teams.
- Clear and frictionless policy enforcement: Reduces tension between security and development teams by providing clear, real-time guidance on secure configuration options within the AWS console.
- Less alert noise: Using Tamnoon Prevent significantly reduces the number of alerts generated by misconfigured resources, which allows security teams to focus on more critical issues and shrinks the prioritization effort.
- Scalable: Tamnoon Prevent can support growing AWS environments and user bases, with new policies added regularly to cover additional services.
>> Want to see a demo of Tamnoon Prevent, and sign up to be one of the first to receive access? Schedule time with our team today.