Cloud computing has modernized the way financial organizations build, operate, and manage infrastructure and applications. It lets financial teams quickly spin up or spin down resources to meet the increased demand for new application workloads. However, in a cloud environment, monitoring the security state of many, often ephemeral, workloads while meeting the growing number of compliance requirements can be challenging. Many banks, insurers, lenders, blockchain and cryptocurrency firms, and other fintech providers have turned to Cloud Security Posture Management (CSPM) providers to help prevent configuration drift in their public cloud environments.
CSPM is a relatively new term among security capabilities. A CSPM tool can detect issues such as missing encryption, improper encryption key management, excessive account permissions, and configuration drift. In the last few years, CSPM has become popular as more organizations have adopted a cloud-first approach. CSPM allows an organization to monitor the state of its public cloud for security risks and to remediate some security issues automatically. In simple terms, it governs the cloud environment and alerts the right team about issues and possible risks such as cloud misconfigurations, which have become a major problem for organizations storing data in the cloud.
As the cloud environment grows, it is important to track and protect sensitive data against misconfigurations, but as the amount of data stored in the public cloud increases, so does the complexity of managing the identities and data within the organization. Successful organizations use CSPM to create end-to-end visibility across their cloud for misconfigurations and to identify areas of data exposure risk. In addition to identifying the risks, successful financial organizations use CSPM to enable continuous audit and compliance with frameworks such as PCI DSS, SOC 2, NIST 800-53 and ISO 27001, among others.
For any financial organization, using applications and cloud services is a daily activity. As with all technology, new features need to be added and existing functions updated. Whenever any type of change or configuration occurs, gaps can develop and accumulate over time, resulting in what is known as configuration drift. Without effective configuration drift detection, the impact on the business can be significant.
Your organization’s infrastructure, when implemented, is mapped out so that the DevOps or cloud team knows every aspect of it. When changes are made, whether for strategic purposes, such as enhancing the customer experience, or for tactical reasons, like adding or consolidating databases, other team members may not be aware of them. As a result, the new infrastructure varies from the original security baseline, and the team no longer has full visibility into the complete cloud environment because of these undetected and unknown changes.
Configuration drift can impact identities, roles, systems, databases, access, and more throughout an organization. As drift increases, so does the need for efficient resource allocation, support from operations, streamlined collaboration and coordination across multiple teams, and governance. The lack of visibility only compounds these issues over time.
Anytime a resource drifts from its original state, crucial changes can go undetected by key operations groups, whether DevOps, CloudOps, or other infrastructure management teams. But what does that really mean for IT leaders, users, customers, and the organization as a whole?
When this happens, the number of adjustments required within the public cloud increases significantly over time. If security lacks insight into how resources or the environment have continued to evolve, this can lead to several issues that impact operational efficiency, security, access, and a variety of other critical functions.
Below are a few basic examples of how configuration drift can occur daily within an organization.
A user adds an AWS EC2 instance with a non-compliant image, which impacts the organization’s cloud compliance posture. The change violates your organization’s own internal security baselines as well as PCI regulatory benchmarks. As a single resource this might be easy to detect, but in a typical environment with thousands of resources it is very difficult. You will need a tool that identifies the EC2 instance as non-compliant and remediates the issue.
It’s Friday, and resources are being spun up for a special project. Your employee doesn’t need the resource for long, so they manually provision an AWS S3 bucket. However, they forget to apply a critical policy, so the bucket is left unprotected and the information stored within it is open: it can be browsed by scripts and other tools. Since the information in the bucket may be sensitive, this poses a critical security risk.
One of your developers uses the Lambda console to configure function settings and adds triggers to another service that the Lambda function integrates with, such as DynamoDB. As part of this setup, they must define which components are to be used (i.e., Lambda code, API, DNS, database, static web pages, etc.) as well as the permission policies governing how these components interact with one another. However, the developers want to go fast and make a mistake defining the resource-based and execution role policies, resulting in an “allow all actions for everybody.” This is an easy shortcut to get serverless components to communicate with each other, but it creates a clear security violation, one that is very difficult to detect. Making matters worse, every time the function is used the mistake is propagated across the environment.
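The three scenarios above are the kind of baseline checks a CSPM runs continuously. The following is an added example, not code from the original article or from any CSPM vendor: a small offline drift checker over a constructed inventory whose records mimic the shape of AWS API responses (`ImageId`, `PublicAccessBlockConfiguration`, `ServerSideEncryptionConfiguration`, an IAM policy document). The approved-AMI list, the `ResourcePolicy`/`ExecutionRolePolicy` keys and all resource names and ARNs are assumed placeholders; a real tool would populate the inventory from the cloud provider's APIs.

```python
"""Baseline drift checks for the three scenarios: non-approved EC2 image,
unprotected S3 bucket, and a Lambda function with allow-all policies.
Inventory records below are constructed to resemble AWS API output; nothing is fetched."""

# Constructed baseline: the hardened images the organization approves (placeholder ID).
APPROVED_AMIS = {"ami-0hardened-baseline-01"}

# All four flags must be true for a bucket's public access block to be complete.
REQUIRED_PAB = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields (Action, Resource, Principal.AWS) may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_ec2(instance):
    """Scenario 1: instance launched from an image outside the approved baseline."""
    image = instance.get("ImageId")
    if image not in APPROVED_AMIS:
        return [f"EC2 {instance['InstanceId']}: image {image} is not an approved baseline AMI"]
    return []


def check_s3(bucket):
    """Scenario 2: bucket provisioned without a full public access block or default encryption."""
    findings = []
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) is True for flag in REQUIRED_PAB):
        findings.append(f"S3 {bucket['Name']}: public access block is incomplete or missing")
    if not bucket.get("ServerSideEncryptionConfiguration"):
        findings.append(f"S3 {bucket['Name']}: no default server-side encryption configured")
    return findings


def statement_is_allow_all(stmt, resource_based):
    """True for an Allow statement with a wildcard action that, in a resource-based
    policy, also names everyone as principal or, in an execution-role policy,
    applies to every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    wildcard_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action")))
    if not wildcard_action:
        return False
    if resource_based:
        principal = stmt.get("Principal")
        return principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        )
    return "*" in _as_list(stmt.get("Resource"))


def check_lambda(function):
    """Scenario 3: function whose resource-based or execution-role policy allows everything.
    The two policy keys are assumed names for this example."""
    findings = []
    for label, key, resource_based in (
        ("resource-based policy", "ResourcePolicy", True),
        ("execution role policy", "ExecutionRolePolicy", False),
    ):
        statements = _as_list(function.get(key, {}).get("Statement"))
        if any(statement_is_allow_all(s, resource_based) for s in statements):
            findings.append(f"Lambda {function['FunctionName']}: {label} grants allow-all")
    return findings


def scan(inventory):
    """Run every check over the inventory and return the list of drift findings."""
    findings = []
    for inst in inventory.get("ec2", []):
        findings += check_ec2(inst)
    for bucket in inventory.get("s3", []):
        findings += check_s3(bucket)
    for fn in inventory.get("lambda", []):
        findings += check_lambda(fn)
    return findings


# Constructed sample inventory: one compliant and one drifted instance, the Friday
# bucket with a partial public access block and no encryption, and a function whose
# resource policy mixes a scoped DynamoDB trigger with an allow-all statement.
SAMPLE_INVENTORY = {
    "ec2": [
        {"InstanceId": "i-0111", "ImageId": "ami-0hardened-baseline-01"},
        {"InstanceId": "i-0222", "ImageId": "ami-0unapproved-image"},
    ],
    "s3": [
        {"Name": "friday-project-bucket", "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}},
    ],
    "lambda": [
        {
            "FunctionName": "order-sync",
            "ResourcePolicy": {"Statement": [
                {"Effect": "Allow", "Principal": {"Service": "dynamodb.amazonaws.com"},
                 "Action": "lambda:InvokeFunction",
                 "Resource": "arn:aws:lambda:us-east-1:123456789012:function:order-sync"},
                {"Effect": "Allow", "Principal": "*", "Action": "lambda:*", "Resource": "*"},
            ]},
            "ExecutionRolePolicy": {"Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"},
            ]},
        },
    ],
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_INVENTORY):
        print(finding)
```

Run against the sample inventory the scan reports five findings: the unapproved image, the two bucket gaps, and one allow-all statement in each Lambda policy, while the compliant instance and the scoped DynamoDB trigger statement produce nothing. In practice the same checks would run on every inventory refresh and diff the findings against the previous run, which is what turns a one-off audit into drift detection.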
While the idea of configuration drift can seem overwhelming, the good news is that it can be managed effectively. Any steps taken by a business to monitor changes within the cloud will help reduce a lot of the headaches that drift can cause.
In addition to addressing issues that arise as a result of configuration drift, poor or non-existent management can impact other business areas as well. Effective drift management can ensure your cloud environment and workloads stay compliant, whether from a security or regulatory standpoint, and enables proper management of your cloud resources, especially across a multi-cloud environment.
Drift management also ensures that the resources in place are being used appropriately and efficiently, giving teams greater capacity to collaborate and coordinate, whether in person or remotely, resulting in a better experience for internal clients and external stakeholders.
Whether leadership’s biggest concern is compliance and risk or the effect on the client or customer experience, using a CSPM to continuously monitor for configuration drift and address it once it is detected will reduce its overall impact on an organization. However, organizations without the proper resources in place can unnecessarily subject themselves to mistakes in the cloud that lead to data loss or a data breach. For financial institutions, this alone can cause tremendous damage that can be irreparable, depending on the scope and severity of their losses.