News

ObserveIT Seeks to Fill AWS Security Gaps

"In the IaaS model, the responsibility for securing the applications and data on the customer's virtual machines rests with the customer, not the service provider (in this case AWS)."

That statement from ObserveIT explains why the company has launched CloudThreat, a free tool to augment the baked-in security of the Amazon Web Services Inc. (AWS) cloud Infrastructure-as-a-Service (IaaS) platform providing virtual machines (VMs) for Elastic Cloud Compute (EC2) computing.

CloudThreat integrates with some of that baked-in security -- the AWS CloudWatch service -- to provide additional protective measures above the system level. The tool monitors user behavior and provides associated analytics to help protect applications and data on VMs, the company said, noting that OSes, networks, firewall configurations and identity management are all the responsibility of the customer.

Released last week, the tool provides a lightweight Linux agent that runs on any Linux Amazon Machine Image (AMI). It tracks user behavior and feeds data into AWS CloudWatch to leverage that service's management and notification functionality.

How CloudWatch Fits In
[Click on image for larger view.] How CloudWatch Fits In (source: ObserveIT)

The AWS CloudWatch site says: "Amazon CloudWatch can monitor AWS resources such as Amazon EC2 instances, Amazon DynamoDB tables, and Amazon RDS DB instances, as well as custom metrics generated by your applications and services, and any log files your applications generate."

ObserveIT exec Dimitri Vlachos said his company's tool provides just such log files to fill in the gaps in the AWS security model. "AWS CloudTrail doesn't collect or aggregate activities within your servers and applications," he said last week in a blog post. "Today, AWS CloudWatch is primarily focused on performance monitoring rather than security."

By providing visibility into application-level user actions, Vlachos said, CloudWatch provides additional data such as the actual commands entered by a user and other command-and-control information. Its real-time monitoring provides instant detection of cyber attacks and sounds an alarm upon identifying suspicious activity such as a server log-in, uploading of software, running root commands, accessing sensitive data, making critical system configuration changes, adding or modifying user accounts, and so on. The tool even tracks user activity after a user has elevated his privileges to root level.

"With the introduction of ObserveIT CloudThreat, ObserveIT has improved cloud security by proactively identifying security threats, before they turn into major security incidents, using user activity monitoring and behavioral analytics," the company quoted customer Lena Kannappan at 8KMiles as saying. "8KMiles is pleased to include ObserveIT in its cloud security framework to enhance the security posture for our customers, especially those who have stringent compliance requirements, in such markets as biopharma, healthcare and financial verticals."

The free CloudWatch tool from the nine-year-old Boston company is available now for download and is available on the AWS Marketplace.

About the Author

David Ramel is the editor of Visual Studio Magazine.

Featured