Cloud computing has modernized how financial organizations build, operate, and manage infrastructure and applications. Cloud computing has helped financial professionals quickly spin up or spin down resources to fulfill the increased demand for new application workloads. However, monitoring the security state of multiple, often ephemeral, workloads while meeting the growing number of compliance requirements can be challenging when working in a cloud environment. Many banks, insurance agency lenders, blockchain and cryptocurrency, and other fintech providers have turned to Cloud Security Posture Management (CSPM) providers to help prevent cloud drift in their public cloud environments.
CSPM is a relatively new term in the world of security capabilities. CSPM can detect issues, like lack of encryption, improper encryption key management, extra account permissions, and others, like configuration drift. In the last few years, CSPM has become popular as more organizations have adopted a cloud-first approach. CSPM allows an organization to monitor the state of their public cloud for security risks and remediate some security issues automatically. In simple terms, it governs the cloud environment and alerts the right team about issues and possible risks such as cloud misconfigurations, which has become a huge issue for organizations storing data in the cloud.
As the cloud environment grows, it is important to track and protect sensitive data against misconfigurations, but as the amount of data stored in the public cloud increases, so does the complexity of managing the identities and data within that organization. Successful organizations can use CSPM to create end-to-end visibility across their cloud for misconfigurations and identify areas of data exposure risk. In addition to identifying the risks, successful financial organizations use CSPM to enable continuous audit and compliance with frameworks such as PCI-DSS, SOC-2, NIST 800-53, and ISO 27001, among others.
How Cloud Configuration Drift Happens
For any financial organization, using applications and cloud services happens every day. As with all technology, new features must be added and existing functions updated. Whenever any type of change or configuration occurs, gaps can develop and accumulate over time, resulting in what is known as configuration drift. Without effective configuration drift detection, the business’s impact can be significant.
Your organization’s infrastructure, when implemented, is mapped out so that a DevOps or cloud team knows every aspect of the infrastructure. When changes are made, whether for strategic purposes, such as enhancing the customer experience or for tactical reasons, like adding or consolidating databases, team members may not be aware of these changes. As a result, this new infrastructure varies from the original security baseline. The team no longer has full visibility into the complete cloud environment because of these undetected and unknown changes.
Configuration drift can impact an organization’s identity, roles, systems, databases, access, and more. As drift increases, so does the need for efficient resource allocation, support from operations, streamlined collaboration and coordination across multiple teams, and governance. The lack of visibility only compounds these issues over time.
Anytime a resource drifts from its original state, crucial changes can go undetected by key operations groups, whether DevOps, CloudOps, or other infrastructure management teams. But what does that mean for IT leaders, users, customers, and the organization?
Mistakes Can Happen
When this happens, the number of adjustments required significantly increases within the public cloud over time. If security lacks insight into how resources or the environment has continued to evolve, this can lead to several issues that impact operational efficiency, security, access, and a variety of other critical functions.
Below are a few basic examples of how configuration drift can occur daily within an organization.
Common Drift Mistake #1: Resource Changes
A user adds an AWS EC2 instance with a non-compliant image which impacts the organization’s cloud compliance posture. The change violates your organization’s internal security baselines and PCI regulatory benchmarks. This might be easier to detect as a single resource, but in a typical environment with thousands of resources, it is very difficult. You will need a tool to identify the EC2 instance as non-compliant and remediate the issue.
Common Drift Mistake #2: Employee Errors
It’s Friday, and resources are spun up in a special project. Your employee doesn’t need the resource for long, so they manually provision an AWS S3 bucket. However, they forget to apply a critical policy; the bucket is left unprotected, and the information stored within it is open. It can be browsed by scripts and other tools. Since the information in the bucket may be sensitive, this poses a critical security risk
Common Drift Mistake #3: Non-People Issues
One of your developers uses the Lambda console to configure function settings and adds triggers to another service with which the Lambda function integrates, such as DynamoDB. As part of this setup, they must define which components are to be used (i.e., Lambda code, API, DNS, database, static web pages, etc.) and the permission policies regarding how these components interact with one another. However, the developers want to go fast and make a mistake in defining the resource-based and execution role policies – resulting in an “allow all actions for everybody.” This is an easy shortcut to get serverless components to communicate with each other, but it has created a clear security violation that is very difficult to detect. Making matters worse, every time the function is used, the mistake is propagated across the environment.
Managing Cloud Configuration Drift
While the idea of configuration drift can seem overwhelming, the good news is that it can be managed effectively. Any steps taken by a business to monitor changes within the cloud will help reduce many of the headaches that drift can cause.
In addition to addressing issues arising from configuration drift, poor or non-existent management can also impact other business areas. Effective drift management can ensure your cloud environment and workloads stay compliant, whether from security or regulatory standpoint, and enables proper management of your cloud resources, especially across a multi-cloud environment.
Drift management also ensures that the resources in place are being used appropriately and efficiently, giving teams greater capacity to collaborate and coordinate, whether in person or remotely, resulting in a better experience for internal clients and external stakeholders.
Whether leadership’s biggest concern is compliance and risk, or the effect on the client or customer experience, using a CPSM to monitor for continuously and address configuration drift once it is detected will reduce its overall impact on an organization. However, organizations without the proper resources in place can unnecessarily subject themselves to mistakes in the cloud that will lead to data loss or a data breach. For financial institutions, this alone can cause tremendous damage that can be irreparable depending on the scope and severity of their losses.