The rapid adoption of cloud services, along with an increasing number of cloud infrastructure and platform services, has created an explosion in complexity and unmanaged risk. While IaaS providers deliver basic configuration and risk assessment capabilities, they only address their own services, which doesn’t account for the hybrid and multi-cloud capabilities that most enterprises require. And although the underlying cloud provider infrastructure is secure, most enterprises don’t have the processes, tooling maturity or scale to use the cloud securely.
In this article we’ll discuss cloud security posture management best practices.
How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%
Cloud security posture management
The cloud has fundamentally changed the way organizations build, operate, and manage applications. The uniqueness of cloud requires security teams to rethink classic security concepts and adopt approaches that better address dynamic and distributed cloud infrastructure.
Unfortunately, many security teams have yet to rethink how existing security practices within their organization are ill-fitted for the cloud world. Practices such as asset management, incident response, and internal training/education, which were originally built for on-premises environments, are now outdated and unable to support proper security posture for cloud infrastructure.
According to Gartner, by 2020, 95% of cloud security issues will be the result of misconfiguration and you can see that businesses face tremendous challenges ahead. As organizations look to migrate applications and data to the cloud, they are realizing that many of their IT staff lack cloud security expertise. The cloud represents a fundamentally different approach to computing and the security differences between the cloud and traditional on-premise infrastructures are night and day, and many IT staff lack cloud security expertise to ensure their new infrastructures are properly protected.
As the cloud grows, so too does the playing field of participants. Between infrastructure management (IaaS, PaaS, fPaaS, SaaS, Raas) security, CI/CD, and trying to navigate all of the nuances in between, it’s difficult to keep track of what each category of tooling includes. Within the cloud security space alone there are CASBs – Cloud Security Access Brokers, CWPPs – Cloud Workload Protection Platforms, and CSPM – Cloud Security Posture Management.
At the very top of the pyramid of cloud services are CMPT, or Cloud Management Platform and Tools. This is a huge umbrella of categories and as a subset is a CMP or Cloud Management Platform that includes numerous categories.
These include:
- Provisioning & Orchestration
- Cost Management & Resource Organization
- Cloud Migration, Backup, and Data Recovery
- Identity, Security, and Compliance
- Packaging and Delivery
- Monitoring & Analytics
- Inventory & Classification
- Service Requests
According to Gartner, CASB, CSPM and CWPP tools offer an overlapping set of capabilities to address cloud risks, but no single group performs all the features of any one of the others. CSPM concentrates on security assessment and compliance monitoring, primarily across the IaaS cloud stack.
Cloud Security Posture Management (CSPM) automatically assess your cloud environment against best practice and security violations to provide the steps required to remediate them – often through automation.
With the widespread adoption of IaaS, data breaches through mismanagement of IaaS usage are becoming a commonplace. Nearly all successful attacks on cloud services resulted from customer misconfigurations. The main use is to verify that cloud configurations are following security best practices such as CIS AWS/Azure/GCP benchmark.
Cloud security posture management solutions
Most common CSPM solutions:
- Identify your cloud environment footprint and monitor for the creation of new instances or buckets (i.e., shadow IT).
- Provide policy visibility and ensure consistent enforcement across multiple cloud providers.
- Scan your compute instances for misconfigurations and improper settings that could leave them vulnerable to exploitation.
- Scan your storage buckets for misconfigurations that could make data accessible to the public.
- Audit for adherence to appropriate compliance mandates.
- Perform risk assessments vs. frameworks and external standards such as the International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST).
- Verify that operational activities are being performed as expected (e.g., key rotations).
- Automate remediation or remediate at the click of a button.
Typical CSPM services conduct these activities on a continuous basis and can include automation capabilities to correct issues without human intervention or delay.
Cloud security posture management best practices
Automate compliance and align with cloud standards
Assessing your security and compliance in the cloud requires your approach to take into consideration the dynamic nature of cloud objects and benchmark against rules specific to the cloud provider and service type
Recommendations:
- Continuously monitor your cloud’s security posture against established best practices with the help of cloud-specific benchmarks from the Center for Internet Security (CIS).
- Leverage a cloud security posture management solution to automate benchmarking against multiple compliance frameworks at once.
- Ensure that your security tools and procedures account for the dynamic nature of your cloud environment and provide real-time visibility necessary to audit ephemeral cloud infrastructure.
Prioritize security violations by quantifying risk
The amount of violation alerts security owners receive everyday can be overwhelming.
Recommendations:
- Begin with violations that impact your critical cloud assets first, especially those that could expose data publicly or lead to unauthorized access.
- Work with a cloud security expert to build a custom plan to selectively enable security checks and policies that are most critical for your environment. You can gradually roll out new controls as you begin to feel confident about existing security hecks and operational process in place.
Enforce security checks in Dev pipelines
The lifespan of many objects in the cloud can be extremely short-lived. How do you enforce security in the cloud when your applications are constantly spinning up and down new resources every other minute? Even if your applications are not dynamic, figuring out security gaps late in production can be extremely expensive.
Recommendations:
- Define misconfiguration checks as a pipeline to find violations immediately after your deployment pipelines are executed.
- Embed remediation steps into the re-deployment pipeline to correct configurations.
- Continuously gather feedback from the pipeline to identify trends in violations, if any, to update your policies.
Conclusion
The uniqueness of cloud requires security teams to rethink classic security concepts and adopt approaches that better address dynamic and distributed cloud infrastructure. Cloud Security Posture Management (CSPM) automatically assess your cloud environment against best practice and security violations to provide the steps required to remediate them – often through automation.
If you have any questions about how we can help you optimize your cloud costs and performance, contact us today to help you out with your performance and security needs.