Managing Your Cloud Security Posture on DigitalOcean


By Tyler Healy and Asif Wani

  • Published: July 24, 2024

Security in the cloud can be intimidating. There are multiple layers to consider, from simply protecting your cloud account login down to hardcore Linux operating system security. Founders and developers at technology companies looking to scale quickly often wear many hats, security included. At DigitalOcean we believe you shouldn’t need to be a security expert to do the basics in protecting your cloud infrastructure, and we’re constantly working to abstract security complexities out of your infrastructure. And when we do leave choices up to you as a developer, we want to make the secure choice the simple choice.

As you scale your footprint and your business on DigitalOcean, it’s almost a certainty that you will need to test your security configurations. Doing so is a healthy security best practice, and it also demonstrates to your customers, auditors, and partners that you’ve taken a thoughtful approach to cloud security. To help on your security journey, we’ve published guidance on the basics like Securing Your DigitalOcean Account and Securing Your Infrastructure, which are excellent starters.

For those who are looking for something more comprehensive in assessing your infrastructure, we work with great partners, including marketplace options like Kloudle, and open source options for cloud security posture management. One of these open source options is ScoutSuite, and we’ve contributed to the inclusion of DigitalOcean security posture scanning in the latest release of ScoutSuite, which we’ll outline below.

With major security features coming up from DigitalOcean like VPC, Spaces per bucket keys, and fine-grained access management with RBAC, we’ll continue to refresh the simple-secure guidance for configuring your DigitalOcean cloud.

The remainder of this blog will go into the details of our contributions to ScoutSuite, covering 27 common security configurations across 7 DigitalOcean services. Our hope is to familiarize you with how to approach security across DigitalOcean projects, and arm you with the knowledge to evaluate which cloud security posture management tool (commercial or open source) will be right for you and your business.

Understanding cloud security posture management

Cloud security posture management (CSPM) comprises security tools and practices designed to ensure that cloud environments adhere to security best practices, compliance regulations, and organizational policies. It provides continuous monitoring, assessment, and remediation capabilities to help organizations proactively identify and address security risks in their cloud infrastructure.

In an age where digital transformation is driving businesses to the cloud, ensuring the security of cloud environments is paramount.

ScoutSuite: Your multi-cloud security companion

ScoutSuite stands out as a versatile open source multi-cloud security-auditing tool designed to assess the security posture of cloud environments comprehensively. With support for various cloud service providers like AWS, GCP, Azure, Oracle, and Alibaba, ScoutSuite empowers organizations to identify and address misconfigurations and security risks proactively.

Closing the gap: DigitalOcean integration

DigitalOcean has become a popular choice for developers and businesses alike, offering simplicity, scalability, and affordability. However, previously, DigitalOcean customers lacked a free and open-source solution for performing quick security assessments of their cloud configurations. The addition of DigitalOcean support in ScoutSuite [5.14.0] bridges this gap, providing customers with a valuable tool for enhancing the security of their DigitalOcean environments.

Key features and benefits

The initial release of DigitalOcean support in ScoutSuite includes scanning for 27 misconfigurations across 7 DigitalOcean services:

  • Droplet service

  • Database service

  • Firewall service

  • Load balancer service

  • Domain service

  • Spaces service

  • Kubernetes services

These misconfigurations cover a range of security concerns, from publicly exposed databases and missing backups to overly permissive firewall rules and insecure Kubernetes settings. By scanning for these misconfigurations, ScoutSuite enables DigitalOcean customers to identify and remediate potential security risks before they can be exploited by malicious actors. A few additional examples of such misconfigurations are given below.

  • Database users having Legacy MySQL 5.x encryption

  • Droplets operating without essential firewall protection

  • Spaces buckets with publicly readable permissions

  • Firewalls configured with risky quad-zero rules

For a comprehensive list please check ScoutSuite/providers/do/rules/findings.
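
To make two of the findings above concrete (quad-zero firewall rules and Droplets without a firewall), here is an added example that is not ScoutSuite's own rule logic and not code from the original post. The sample data is constructed, and the field names and the allow-list of public ports are assumptions modeled on DigitalOcean API firewall and Droplet objects.

```python
import ipaddress

# Constructed sample data, shaped like DigitalOcean API firewall and droplet
# objects (field names are assumptions based on the public API, not scan output).
FIREWALLS = [
    {"name": "web-fw", "droplet_ids": [101], "tags": [],
     "inbound_rules": [
         {"protocol": "tcp", "ports": "443", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
         {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["0.0.0.0/0"]}},
     ]},
    {"name": "db-fw", "droplet_ids": [], "tags": ["db"],
     "inbound_rules": [
         {"protocol": "tcp", "ports": "25060", "sources": {"addresses": ["10.10.0.0/16"]}},
     ]},
]
DROPLETS = [
    {"id": 101, "name": "web-1", "tags": ["web"]},
    {"id": 102, "name": "db-1", "tags": ["db"]},
    {"id": 103, "name": "scratch", "tags": []},
]
PUBLIC_OK_PORTS = {80, 443}  # assumption: only these may face the whole internet

def is_quad_zero(cidr):
    """True for 0.0.0.0/0, ::/0 and equivalent spellings (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def port_range(ports):
    """Parse "22", "8000-9000", or "0"/"all" (every port) into (low, high)."""
    if ports in ("0", "all"):
        return 1, 65535
    low, _, high = ports.partition("-")
    return int(low), int(high or low)

def quad_zero_findings(firewalls, allowed=PUBLIC_OK_PORTS):
    """Inbound rules open to the whole internet on ports outside the allow-list."""
    findings = []
    for fw in firewalls:
        for rule in fw.get("inbound_rules", []):
            sources = rule.get("sources", {}).get("addresses", [])
            low, high = port_range(rule.get("ports", "0"))
            exposed = set(range(low, high + 1)) - allowed
            if exposed and any(is_quad_zero(a) for a in sources):
                findings.append((fw["name"], rule["protocol"], rule["ports"]))
    return findings

def unprotected_droplets(droplets, firewalls):
    """Droplets that no firewall covers, either by ID or by tag."""
    by_id = {d for fw in firewalls for d in fw.get("droplet_ids", [])}
    by_tag = {t for fw in firewalls for t in fw.get("tags", [])}
    return [d["name"] for d in droplets
            if d["id"] not in by_id and not by_tag & set(d["tags"])]
```

On the sample data, the SSH rule on `web-fw` is flagged while the HTTPS rule is not, and `scratch` is reported as the only Droplet with no firewall attached by ID or tag.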

Empowering developers and security professionals

With ScoutSuite, developers and security professionals gain valuable insights into their DigitalOcean environments, allowing them to:

  • Identify misconfigurations and security risks across multiple DigitalOcean services.

  • Prioritize remediation efforts based on the severity of detected issues.

  • Support compliance with industry regulations and best practices.

  • Enhance overall security posture and reduce the risk of security breaches.

Getting started with ScoutSuite for DigitalOcean

Setting up ScoutSuite on your system is straightforward, provided you have Python 3 already installed:

Installation via PIP


$ virtualenv -p python3 venv
$ source venv/bin/activate
$ pip install scoutsuite
$ scout --help

Sample usage with DigitalOcean

$ scout do --token <TOKEN>

If your environment includes Spaces objects, you will also need an access key and its secret:

$ scout do --token <TOKEN> --access_key <ACCESS KEY> --access_secret <SECRET KEY>

How do I get the token required?

The token here is simply a read-only scoped personal access token which can be generated at https://cloud.digitalocean.com/account/api/tokens

dashboard screenshot

Conclusion

In today’s rapidly evolving threat landscape, cloud security is non-negotiable. With the integration of DigitalOcean support in ScoutSuite, organizations using DigitalOcean can now leverage a powerful tool to enhance the security of their cloud environments. By proactively scanning for misconfigurations and security risks, ScoutSuite helps empower DigitalOcean customers to stay one step ahead of potential security misconfigurations and safeguard their valuable assets and data in the cloud.
