Architecting for FedRAMP/FISMA/CMMC Compliance: Third-party vs AWS Native Tools

Organizations continue to migrate to AWS Cloud Services and to offer digital services to their customers and stakeholders. Service providers in compliance-focused markets such as healthcare, financial services, and the public sector must follow security best practices to protect the integrity of their information assets. AWS provides a wide range of native tools and services for this, and a plethora of third-party tools offer similar capabilities. If you have questions about AWS architecture recommendations for FedRAMP, FISMA, or CMMC compliance, we are here to help.

Let’s dive deeper into these tools and compare them to see which are relevant for your use case and compliance framework. In this blog post we cover some common tools and scenarios that we constantly encounter: 1) Amazon Inspector versus Tenable Nessus, 2) Amazon CloudWatch Synthetics versus PagerDuty, and 3) Splunk versus Amazon CloudWatch (with AWS Config and AWS CloudTrail).

1. Amazon Inspector vs Tenable

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Using a native service like Amazon Inspector avoids deploying and licensing a separate scanning platform inside the authorization boundary, which removes a technical hurdle and usually makes sense financially as well. Although Amazon Inspector does not advertise itself as a full-fledged vulnerability assessment scanner, it does give a view of the risk posture of your EC2 instances, whether they are public facing or privately hosted.

Setting up Amazon Inspector takes some effort, because it requires installing the agent on each instance, tagging the instances that form the assessment target, and defining the roles the service uses. The agent-based workflow, assessment durations, and platform lists below describe the original Amazon Inspector service (now referred to as Amazon Inspector Classic).

Installation & Running the Assessments:

To get started, install the Inspector agent on every EC2 instance in scope and launch the assessment from the AWS Management Console (or through the API/CLI). The agent is installed from the command line and is available for Linux as well as Windows. Amazon Inspector also needs a service-linked role that grants it read-only access to the instances and tags in the account.

Following operating systems are supported:

Linux OS:

  • Amazon Linux (2015.03, 2016.03, 2016.09)
  • Ubuntu (14.04 LTS, 16.04 LTS)
  • Red Hat Enterprise Linux (7.2)
  • CentOS (7.2)

Windows OS:

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

Supported AWS regions:

  • US West (Oregon)
  • US East (N. Virginia)
  • EU (Ireland)
  • Asia Pacific (Seoul)
  • Asia Pacific (Mumbai)
  • Asia Pacific (Tokyo)
  • Asia Pacific (Sydney)

Please check the AWS webpage for the latest information given that the services are constantly evolving and being rolled into new regions.

Depth of scan:

Vulnerability assessment tools such as Nessus expose scan templates (Advanced Network Scan, Configuration Audits, PCI scans, and so on). Amazon Inspector instead sets the scope of a scan through rules packages (CVE checks, CIS operating-system benchmarks, security best practices, and network reachability) and sets its depth through the assessment duration: the longer the assessment runs, the more telemetry the agent collects, and the more complete the findings will be.

You can set your duration to any of the following available values:

  • 15 minutes
  • 1 hour (recommended)
  • 8 hours
  • 12 hours
  • 24 hours

Scoring

Vulnerabilities determined from the scans are classified as follows:

  • HIGH
  • MEDIUM
  • LOW
  • INFORMATIONAL
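The setup steps above (tag-based target, assessment template with a duration, rules packages) and the severity scale can be driven from the API, and the severities map onto the remediation windows FedRAMP continuous monitoring expects (30 days for High, 90 for Medium, 180 for Low). The script below is an added example written for this post, not code from stackArmor or AWS. Its live functions assume AWS credentials, agents already installed, and instances carrying a hypothetical Environment=fedramp-prod tag; the triage functions run offline on findings in the shape returned by describe_findings(), using constructed sample findings.

```python
"""Amazon Inspector (Classic) assessment run plus FedRAMP-style finding triage.

Added example, not code from the original post or from AWS. The live functions
assume AWS credentials, Inspector agents already installed, and instances tagged
with a hypothetical Environment=fedramp-prod tag; the triage functions work
offline on findings in the describe_findings() shape.
"""
from datetime import datetime, timedelta, timezone

# FedRAMP continuous-monitoring remediation windows (days) by scanner severity.
# Informational findings carry no remediation deadline.
REMEDIATION_DAYS = {"High": 30, "Medium": 90, "Low": 180}
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3, "Undefined": 4}


def run_assessment(region, tag_key, tag_value, duration_seconds=3600, run_name="monthly-scan"):
    """Build a tag-based target and template, then start a run; returns the run ARN."""
    import boto3  # imported lazily so the offline triage code has no AWS dependency

    inspector = boto3.client("inspector", region_name=region)
    group = inspector.create_resource_group(resourceGroupTags=[{"key": tag_key, "value": tag_value}])
    target = inspector.create_assessment_target(
        assessmentTargetName=f"{tag_value}-target", resourceGroupArn=group["resourceGroupArn"])
    # Scope is set by rules packages (CVE, CIS benchmarks, best practices, network
    # reachability); here every package offered in the region is enabled.
    packages = inspector.list_rules_packages()["rulesPackageArns"]
    template = inspector.create_assessment_template(
        assessmentTargetArn=target["assessmentTargetArn"],
        assessmentTemplateName=f"{tag_value}-template",
        durationInSeconds=duration_seconds,  # depth: 900, 3600, 28800, 43200 or 86400
        rulesPackageArns=packages)
    run = inspector.start_assessment_run(
        assessmentTemplateArn=template["assessmentTemplateArn"], assessmentRunName=run_name)
    return run["assessmentRunArn"]


def fetch_findings(region, assessment_run_arn):
    """Page through all findings of a completed run (describe_findings takes 10 ARNs per call)."""
    import boto3

    inspector = boto3.client("inspector", region_name=region)
    arns = []
    for page in inspector.get_paginator("list_findings").paginate(assessmentRunArns=[assessment_run_arn]):
        arns.extend(page["findingArns"])
    findings = []
    for i in range(0, len(arns), 10):
        findings.extend(inspector.describe_findings(findingArns=arns[i:i + 10])["findings"])
    return findings


def triage_findings(findings, now):
    """Annotate each finding with its POA&M due date and overdue flag, worst first."""
    rows = []
    for f in findings:
        severity = f.get("severity", "Undefined")
        window = REMEDIATION_DAYS.get(severity)
        due = f["createdAt"] + timedelta(days=window) if window else None
        rows.append({
            "instance": f.get("assetAttributes", {}).get("agentId", "unknown"),
            "title": f["title"],
            "severity": severity,
            "due": due,
            "overdue": due is not None and now > due,
        })
    rows.sort(key=lambda r: (SEVERITY_ORDER.get(r["severity"], 9), r["due"] or now))
    return rows


def summarize(rows):
    """Per-severity totals and how many findings are past their remediation window."""
    summary = {}
    for r in rows:
        entry = summary.setdefault(r["severity"], {"total": 0, "overdue": 0})
        entry["total"] += 1
        entry["overdue"] += int(r["overdue"])
    return summary


# Constructed sample findings in the describe_findings() shape; not real scan output.
NOW = datetime(2021, 3, 15, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    {"title": "Kernel version has known vulnerabilities", "severity": "High",
     "createdAt": datetime(2021, 2, 1, tzinfo=timezone.utc), "assetAttributes": {"agentId": "i-0aaa111"}},
    {"title": "SSH root login is permitted", "severity": "Medium",
     "createdAt": datetime(2021, 2, 1, tzinfo=timezone.utc), "assetAttributes": {"agentId": "i-0aaa111"}},
    {"title": "TCP port 22 reachable from the internet", "severity": "High",
     "createdAt": datetime(2021, 3, 10, tzinfo=timezone.utc), "assetAttributes": {"agentId": "i-0bbb222"}},
    {"title": "Agent version reported", "severity": "Informational",
     "createdAt": datetime(2021, 3, 10, tzinfo=timezone.utc), "assetAttributes": {"agentId": "i-0bbb222"}},
]

if __name__ == "__main__":
    for row in triage_findings(SAMPLE_FINDINGS, NOW):
        print(row["severity"], row["instance"], row["title"], "due", row["due"], "OVERDUE" if row["overdue"] else "")
    print(summarize(triage_findings(SAMPLE_FINDINGS, NOW)))
```

Run the file directly to see the triage of the sample findings; in a real pipeline the output of fetch_findings() replaces SAMPLE_FINDINGS and the summary feeds the monthly POA&M update. The live calls are kept in their own functions so the triage logic can be unit-tested without touching the account.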

There are a number of other vulnerability scanner solutions in the marketplace. A lot of our FedRAMP focused projects use Tenable Nessus. Tenable provides multiple product options.

Tenable Products:

  1. Tenable.io is a subscription-based service. It allows different teams to share scanners, schedules, scan policies, and scan results, and it includes what was previously known as Nessus Cloud, Tenable’s earlier Software-as-a-Service offering. Tenable.io also allows workflows to be customized for effective vulnerability management. For organizations seeking FedRAMP, FISMA, or CMMC compliance, it is essential to confirm that the Tenable.io environment you subscribe to is FedRAMP authorized before relying on it to scan systems inside the authorization boundary.
  2. Nessus Agents provide a flexible way of scanning hosts within your environment without having to manage scan credentials for each host, because the agent runs its checks locally. Agents also cover hosts that a network scanner would miss because they are intermittently connected, such as laptops, reporting results once the host is back online. The overhead the agents place on a host is small, so they are practical even where resources are tight, and they can run Nessus malware detection checks on hosts that lack traditional antivirus protection (detection only; the agent is not a replacement for an endpoint protection product).
  3. Nessus Professional is the most widely deployed vulnerability assessment solution across the industry. It performs high-speed asset discovery, target profiling, configuration auditing, malware detection, sensitive data discovery, and more. Nessus Professional runs on client devices such as laptops and can be used directly by the security teams within your organization.

These products discussed above offer multiple services that range from Web application scanning to mobile device scanning, cloud environment scanning, malware detection, control systems auditing (including SCADA and embedded devices) and configuration auditing and compliance checks.

Our Pick:

Given that Amazon Inspector and Tenable Nessus overlap in capability, the choice depends on what you are looking for. You can use Amazon Inspector to run security assessments on regulated workloads and sensitive data hosted on EC2 instances in the AWS GovCloud (US) regions, and Amazon Inspector is included in the AWS services in scope of the FedRAMP authorizations granted to AWS (check the AWS Services in Scope by Compliance Program page for the current status in each region). If you are looking to comply with FedRAMP architecture requirements, this would therefore be our top pick; a native service is also one fewer third-party component to describe in the System Security Plan. Amazon Inspector integrates with AWS Security Hub as well, and in our experience it has produced consistent results across all scanned instances.

2. Amazon CloudWatch Synthetics vs PagerDuty

Amazon CloudWatch Synthetics lets you monitor application endpoints continuously. CloudWatch runs canaries, scripted requests against your endpoints, so the customer experience is verified even when there is no customer traffic on your applications, and issues surface before your customers find them. CloudWatch Synthetics supports monitoring of your REST APIs, URLs, and website content, and can check for unauthorized changes resulting from phishing, code injection, and cross-site scripting.
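A canary that only checks for HTTP 200 will not notice a defaced login page or an injected script, since the page still loads. The canary below is an added example written for this post, not code from the original post or from AWS: it fetches the endpoint, requires a 2xx status, compares a SHA-256 of the page body against a baseline captured from a known-good deployment, and counts script tags, so content tampering fails the run. It assumes a CloudWatch Synthetics Python runtime that invokes handler(event, context); TARGET_URL, EXPECTED_BODY_SHA256 and MAX_SCRIPT_TAGS are hypothetical placeholders, and the HTML pages used to exercise the checks are constructed.

```python
"""Availability plus content-integrity canary in the style of CloudWatch Synthetics.

Added example, not code from the original post or from AWS. It assumes a
Synthetics Python runtime calling handler(event, context); TARGET_URL,
EXPECTED_BODY_SHA256 and MAX_SCRIPT_TAGS are hypothetical placeholders to
replace with your endpoint and values captured from a known-good deployment.
"""
import hashlib
import re
import urllib.error
import urllib.request

TARGET_URL = "https://portal.example.gov/login"     # hypothetical
EXPECTED_BODY_SHA256 = "replace-with-baseline-hash"  # hypothetical
MAX_SCRIPT_TAGS = 1                                  # <script> count on the known-good page

_BODY_RE = re.compile(rb"<body\b[^>]*>(.*?)</body>", re.IGNORECASE | re.DOTALL)
_SCRIPT_RE = re.compile(rb"<script\b", re.IGNORECASE)


def body_fingerprint(html: bytes) -> str:
    """SHA-256 of the <body> region (the whole document if there is no <body>)."""
    match = _BODY_RE.search(html)
    return hashlib.sha256(match.group(1) if match else html).hexdigest()


def evaluate(status: int, html: bytes, expected_sha256: str, max_scripts: int):
    """Return (ok, reasons): HTTP 2xx, unchanged body hash, no extra <script> tags."""
    reasons = []
    if not 200 <= status < 300:
        reasons.append(f"unexpected HTTP status {status}")
    if body_fingerprint(html) != expected_sha256:
        reasons.append("body hash differs from baseline: content changed")
    scripts = len(_SCRIPT_RE.findall(html))
    if scripts > max_scripts:
        reasons.append(f"{scripts} <script> tags, baseline has {max_scripts}")
    return not reasons, reasons


def fetch(url: str, timeout: int = 10):
    """GET the page; returns (status, body). Error statuses are returned, not raised."""
    request = urllib.request.Request(url, headers={"User-Agent": "integrity-canary/1.0"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def handler(event, context):
    """Synthetics entry point: a raised exception marks the canary run as failed."""
    status, html = fetch(TARGET_URL)
    ok, reasons = evaluate(status, html, EXPECTED_BODY_SHA256, MAX_SCRIPT_TAGS)
    if not ok:
        raise RuntimeError("canary failed: " + "; ".join(reasons))
    return "Success"


# Constructed sample pages (not captured from a real site) to exercise the checks offline.
BASELINE_HTML = (b'<html><head><title>Sign in</title><script src="/app.js"></script></head>'
                 b'<body><h1>Sign in</h1><form action="/login"><input name="user"></form></body></html>')
TAMPERED_HTML = BASELINE_HTML.replace(
    b"</form>", b'</form><script src="https://attacker.invalid/skim.js"></script>')
BASELINE_HASH = body_fingerprint(BASELINE_HTML)

if __name__ == "__main__":
    print("baseline:", evaluate(200, BASELINE_HTML, BASELINE_HASH, MAX_SCRIPT_TAGS))
    print("tampered:", evaluate(200, TAMPERED_HTML, BASELINE_HASH, MAX_SCRIPT_TAGS))
```

Hashing only the body (rather than the full response) keeps the check stable across harmless header changes; pages with per-request tokens or timestamps in the body need those regions stripped before hashing, or the check will alarm on every run.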

PagerDuty

PagerDuty is an incident management tool that provides visibility, reliable alerting, and better collaboration. It is an alarm aggregation and dispatching service for system administrators and support teams: it collects alerts from your monitoring tools, gives you one view of all your monitoring alarms, and pages the on-duty engineer when there is a problem.

Our Pick:

In terms of pricing options and ease of setup, Amazon CloudWatch Synthetics would be our top pick. Considering its integration with CloudWatch Metrics and its ability to serve FedRAMP Moderate/High or other regulated workloads, Amazon CloudWatch definitely tops the list, and if you are looking to comply with FedRAMP architecture requirements, this would again be our top pick. Note that the two tools sit at different layers: Synthetics generates the checks, while PagerDuty routes the resulting alerts to on-call staff, so if you keep PagerDuty, a CloudWatch alarm on a canary can be forwarded to it through an SNS topic.

3. Splunk vs Amazon CloudWatch, Config, CloudTrail

Splunk is a software platform widely used to monitor, search, analyze, and visualize machine-generated data in real time. It captures, indexes, and correlates real-time data in a searchable store and produces graphs, alerts, dashboards, and visualizations, giving teams across the organization easy access to data for diagnostics and for solving a range of business problems.

Amazon CloudWatch

Amazon CloudWatch is a monitoring and observability service built for DevOps engineers, developers, site reliability engineers (SREs), and IT managers. CloudWatch provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications, and services that run on AWS and on-premises servers. You can use CloudWatch to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.

AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

AWS CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting, and you can use it to detect unusual activity in your AWS accounts.
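Whether the trail is analyzed in Splunk or in CloudWatch Logs, the detections that FedRAMP continuous monitoring expects from CloudTrail are the same: tampering with the trail itself, use of the root account, console logins without MFA, and security groups opened to the world. The script below is an added example written for this post, not code from stackArmor or AWS. It carries the equivalent CloudWatch Logs metric-filter patterns (from the CIS AWS Foundations Benchmark monitoring section) and mirrors them in Python so the logic can be exercised on sample records; the records are constructed in CloudTrail's JSON shape, not real logs, and the account ID is the AWS documentation placeholder.

```python
"""Detections over CloudTrail records for controls FedRAMP continuous monitoring
commonly expects (AU-6 audit review, AC-2/IA-2 privileged and MFA use, CM-3 change control).

Added example, not code from the original post or from AWS. The records below are
constructed in CloudTrail's JSON shape, not real logs; the account ID is the
AWS documentation placeholder.
"""
import json

# CloudWatch Logs metric-filter patterns (CIS AWS Foundations Benchmark monitoring
# section) that implement the same detections natively; the Python below mirrors them
# so the logic can be tested on sample records before the filters are deployed.
METRIC_FILTERS = {
    "cloudtrail_tampering": ('{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || '
                             '($.eventName = DeleteTrail) || ($.eventName = StartLogging) || '
                             '($.eventName = StopLogging) }'),
    "root_usage": ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                   '&& $.eventType != "AwsServiceEvent" }'),
    "console_login_without_mfa": ('{ ($.eventName = "ConsoleLogin") && '
                                  '($.additionalEventData.MFAUsed != "Yes") }'),
}

TRAIL_CHANGE_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def detect(record):
    """Return (rule, detail) hits for one CloudTrail record, in fixed rule order."""
    hits = []
    name = record.get("eventName", "")
    ident = record.get("userIdentity", {})
    if name in TRAIL_CHANGE_EVENTS:
        hits.append(("cloudtrail_tampering", name))
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent"):
        hits.append(("root_usage", name))
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        hits.append(("console_login_without_mfa", ident.get("arn", "unknown")))
    if name == "AuthorizeSecurityGroupIngress":
        perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
        for perm in perms:
            for cidr in perm.get("ipRanges", {}).get("items", []):
                if cidr.get("cidrIp") == "0.0.0.0/0":
                    hits.append(("sg_open_to_world",
                                 f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')}"))
    return hits


def scan(records):
    """Run detect() over records and return alert dicts ready for a ticket or a SIEM."""
    alerts = []
    for rec in records:
        for rule, detail in detect(rec):
            alerts.append({"time": rec.get("eventTime"), "rule": rule, "detail": detail,
                           "principal": rec.get("userIdentity", {}).get("arn"),
                           "source_ip": rec.get("sourceIPAddress")})
    return alerts


def load_cloudtrail_file(text):
    """Parse a CloudTrail log file (as delivered to S3, after gunzip) into its records."""
    return json.loads(text)["Records"]


ACCOUNT = "123456789012"  # AWS documentation placeholder account ID
SAMPLE_RECORDS = [
    {"eventTime": "2021-03-15T02:11:07Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2021-03-15T02:14:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root", "accountId": ACCOUNT},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-03-15T02:20:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "eventType": "AwsApiCall",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"groupId": "sg-0123abcd", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2021-03-15T03:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "eventType": "AwsApiCall", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/scanner/i-0aaa111"}},
    {"eventTime": "2021-03-15T08:05:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert["time"], alert["rule"], alert["detail"], alert["principal"], alert["source_ip"])
```

The same five records produce four alerts (the root console login without MFA trips two rules), and the two benign records produce none. In CloudWatch the METRIC_FILTERS strings go into put-metric-filter calls on the trail's log group with an alarm on each metric; in Splunk the same conditions become saved searches over the CloudTrail sourcetype, so the detection content, not the platform, is what the assessor will ask to see.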

Our Pick:

The AWS services provide real-time alerts with no additional deployments or license requirements. Splunk offers a broader set of capabilities, especially around customized compliance reporting and ad hoc analysis. The ideal selection depends on budget, use case, and specific reporting requirements. Either way, CloudTrail and AWS Config remain the sources of record, so make sure logging is enabled in every region and that the retention you configure for the logs satisfies the audit record retention (AU-11) parameter of your baseline.

If you are interested in learning more about the AWS architecture recommendations for FedRAMP, FISMA, or CMMC compliance, or about our work helping customers achieve authorization under these compliance frameworks, contact us by filling out this form.

Author: Yash Shah, DevOps Engineer at stackArmor
