Speedy innovation and disruptions to traditional business has created the potential for extraordinary value in the tech world. However, moving too quickly to the cloud without the proper security practices in place can get you into trouble.
Fortunately, the security field is evolving alongside this growth, and today we see new breeds of technology helping to secure and organize cloud environments. When speaking with our customers, we’ve noticed there is some confusion between all the cloud security technologies. It’s understandable given the avalanche of acronyms coming at anyone tasked with securing the public cloud.
In this blog, we’ll review several top solutions including, Cloud Workload Protection Platforms (CWPP), Cloud Security Posture Management (CSPM) and Cloud Infrastructure Entitlements Management (CIEM). After a brief synopsis distinguishing each solution, we’ll concentrate on how these three concepts work in unity to protect your cloud holistically.
CWPP for Cloud Security Teams
As defined by Gartner, CWPP is “workload-centric security solution that targets the unique protection requirements” of workloads in modern enterprise environments. At its core, it is intended to scan all the workloads in your environment for vulnerabilities. Vulnerability scanning is nothing new, but the concept has now adapted to the cloud. CWPP takes a concept that is familiar to our security forefathers – risk reduction – and makes it cloud-friendly.
Today most enterprises are running on hybrid or multi-cloud environments, making it difficult to ensure that all the right controls are in place for a number of workloads. CWPP can be used to unify that management and find vulnerabilities across any application in any environment. Once a vulnerability is discovered, CWPP can provide remediation, like access controls to block malicious activity.
Capabilities of CWPP solutions include:
- Vulnerability scanning
- Blast radius analysis
- System hardening
- Host-based segmentation
- Workload protection through single console
- Serverless protection
- Containers protection
- System integrity assurance
There are a myriad of benefits and outcomes when leveraging a CWPP solution, but the strongest include faster resolutions, enabled visibility and control over workloads, increased collaboration between DevOps and SecOps teams, and understanding the blast radius of potential threats. It’s even possible to get full blown context into how your vulnerabilities connect to the identities, workloads, and data in your environment when CWPP is integrated with other solutions like CSPM and CIEM.
Recorded limitations of CWPP solutions include a lack of identity and access management control, a lack of overall management services across different deployments and event monitoring outside of workload protection. Fortunately, Some vendors, like Sonrai Security, have integrated solutions that provide additional benefits and remedy these CWPP limitations.
CSPM for Cloud Security Teams
CSPM refers to a class of tools that identify misconfigurations in the cloud, and assist with their remediation, to reduce the overall risk in your cloud environment. Simply put, CSPM automates security assessments and helps enterprises enforce best practices to strengthen their cloud security posture. CSPM solutions will continuously monitor and detect any irregular behavior or misconfigurations taking place within your environment. Common, and often devastating misconfigurations including datastores directly exposed to the internet, logging not being enabled, and a lack of encryption.
Once risks are identified, the solution then serves to alert the necessary team. A strong CSPM solution with intelligent workflows alerts the right teams to unauthorized access or suspicious activity as it happens, enabling better response and increased accuracy with fewer false alerts.
This method incorporates an API to identify risks and provide remediation for those risks. It can use compliance guidelines and frameworks to identify particular risks and provide details where better security protocols should be used and addressed.
Capabilities of CSPM include the following:
- The ability to ensure log collection from host operating systems
- Ensure API event logs are on
- Use compliance protocols and benchmarks to configure data
- Issue alerts when there’s a risk to the cloud environment or connected entities
- Streamlines alerts and reduces false alerts
- Monitor and regulate operational activities
- Continuously audit the cloud for security risks and misconfigurations.
- Provides actionable response and auto-remediation.
- Achieve consistent security across AWS, Azure, and Google.
- Track and enforce configurations to meet the necessary policy.
- Prevent cloud drift (post-provisioning environment change.)
- Detect resources directly accessible from the internet.
- Detect when logging is not turned on to monitor critical activities such as network flows, database access, or privileged user activity.
- Detect a lack of encryption on databases, data storage or application traffic
- Improper encryption key management.
- Lack of adherence to compliance regulations and controls.
- No multi-factor authentication or password enabled on critical system accounts.
As you can see, the use cases and their benefits are extensive. The true power of a CSPM solution is its ability to provide visibility across all cloud environments, with a unified approach that simplifies the traditionally disparate process of monitoring and analyzing data from multiple sources and vendors.
Whether it’s an external threat or someone leaving sensitive data exposed or unsecured within any environment, CSPM can effectively mitigate these issues and prevent theft, misconfigurations, and data breaches.
CIEM for Cloud Security Teams
We often say identity is the new perimeter of security. With the right digital identity, malicious actors can essentially do whatever they want in your environment. CIEM has emerged as the leading solution managing identities in the cloud. The rise of CIEM solutions became necessary as Identity Access Management (IAM) challenges have become more complex in the cloud.
CIEM refers to next-generation cloud security technology that grants, resolves, enforces, revokes, and administers access. CIEMs purpose is to manage entitlements, remediate cloud access risk, and enforce the principle of least privilege across multi-cloud environments to reduce excessive permissions, access, and cloud infrastructure entitlements.
By leveraging a CIEM, enterprise organizations can lock down and secure data at the scale and speed of the cloud. Using the identity inventory and their effective permissions (cloud entitlements) from a CIEM tool, organizations can now determine what data identities can access, how they can access the data, and what they can potentially do with the data. With this continuous visibility, teams can effectively determine where they have risks and then, in turn, manage the risks to ensure that the cloud environment and the data within it stay secure.
CIEM is critical to managing cloud risk in your environments. However, not all solutions are created equal. The right CIEM needs to not only be able to inventory your people and non-people identities and determine their effective permissions, but also work at the scale and speed of your cloud.
CIEM proves to be incredibly important in modern cloud deployments by providing teams with the capability to keep up with rapid identity growth – whether it’s growth of your employee pool as your company scales, or an expanding number of non-person identities. That last part is especially important today as non-person identities, like virtual machines and EC2 instances, far out number person identities.
Some capabilities of CIEM include the following.
- Inventory all identities in your environment
- Map out all data and resources identities can access
- Detect any identities inappropriately providing access to a resource
- Detect suspicious activity and identify it by using data deletions or privilege escalation activity.
- Remove cloud access to identified risks using policy modification
- Identify any permission gaps related to permissions within the platform
- Continuous monitoring of all people identities (users)
- Continuous monitoring of all non-people identities (machines, vm, etc)
- Continuous monitoring of all identities across accounts
- Continuous monitoring of all identities across multi-cloud platforms
- Graph all trust relationships
- Granular entitlement management
- Automated audit of dormant accounts
- Easy integration across cloud providers
- Remediation abilities
- Automated notification to responsible team when out of policy behavior occurs
- Customizable and flexible features
In summary, CIEM safeguards the cloud environment by expressing that connection between identity and data at the most granular level. Rest assured your data cannot fall into the wrong hands when you’ve deployed a mature CIEM solution.
How do CWPP, CSPM & CIEM Work Together?
Each of these three solutions are great tools to protect against security risks in their own respective use cases. But there is a larger story to tell when securing today’s modern enterprise – one in which these three solutions work in harmony.
Let’s consider a common narrative of an evolving threat in the cloud native world:
There is a vulnerability on a workload, a virtual machine, and a malicious attacker exploits it and gains access(cue: CWPP.) There is a non-person identity on this workload that is grossly over permissioned and has access to a bunch of data stores containing some very sensitive information(cue: CIEM.) Once an attacker has exploited the vulnerability, now they have access to this non-person identity. It gets worse. With the identity in hand, the attacker now enumerates the data stores looking for sensitive data. Bingo, they’ve found the data they’re looking for, and again, with the compromised non-person identity, and therefore all the permissions of that identity, they can exfiltrate the sensitive data out of the environment.
To put salt in an open wound, because secondary audit is not enabled on the data stores involved, the affected company is entirely unaware of any of this (cue: CSPM.) In fact, they know nothing of it until a 3rd party informs them that their data is for sale on the internet.
As you can see, it takes a perfect storm of multiple misconfigurations, and lack of protection for an attacker to ultimately breach your company’s environment. Multiple little factors need to all be possible for it to take place – but it is very easy for this perfect storm to happen. You can see how CWPP, CIEM and CSPM all overlap in the larger story, and how each solution acts as a line of defense. It leads you to wonder if the easiest and most efficient way to protect your cloud is to find one tool that integrates all of these solutions together.
Taking An Integrated Approach
Today’s enterprise teams need cloud security tools capable of addressing advanced risks in an ever-growing and complex environment. All three solutions, CWPP, CSPM and CIEM offer security solutions for different risks, but are a part of the same story. They all integrate into the security stack with ease to provide greater control and identification in real-time.
The best way to ensure the highest level of security for cloud-based companies is to team up with top cloud security and IT security companies with the tools and experience to offer the best solutions for specific needs.
It’s important to remember that using the cloud to operate and store data is a true asset for flexibility and convenience. However, it poses new and evolving risks from bad actors capitalizing on the weaknesses and blind spots from organizations using outdated security to secure their environment, identities and data.
All Three Trusted Solutions in One with Sonrai
Sonrai Dig is designed to address the full cloud security story. One integrated product brings you end-to-end protection through visibility and monitoring. Sonrai Dig’s CWPP capabilities provides your organization a full view into vulnerability risks. It is backed by our identity graphing technology that reveals every identity and its path to your data and foundational CSPM checks. With Dig, security and cloud teams have a unified view of vulnerabilities and even gain prioritization of those risks.
When risks seem to be endless today, understanding what a vulnerability could mean to your business, or its full blast radius, is critical in determining remediation efforts. Sonrai Dig will notify your team of risk amplifiers, or issues that increase the potential blast radius of your vulnerability so you know where to work first.To see the potential of Dig, request a demo today – it won’t disappoint.