Governance and Security must be integrated to meet the challenges of the public cloud. The rapid adoption of cloud providers, like AWS, Azure, GCP and Kubernetes, along with an increasing number of cloud services, has created an explosion of data and identity complexity with unmanaged risk. While cloud providers deliver basic configuration capabilities, they only address their own services, which leaves out the multi-cloud capabilities that most enterprises require. And although the underlying cloud provider infrastructure is secure, most enterprises don’t have the processes, tooling maturity or scale to govern their cloud securely. Using first-generation Cloud Security Posture Management (CSPM) may not be enough for enterprise companies.
The Technology Landscape Has Changed
One of our client deployments had 80,000 pieces of compute, 20,000 of them active at any time; 250 AWS and Azure accounts; hundreds of cloud services, including database services; thousands of service roles; and many DevOps teams continuously dropping hundreds of workloads and infrastructure as code. This is amazingly powerful, but complex. The ways we conceive of, design, develop, deploy, and operate technology have changed from stem to stern. We have gone from monolithic applications to microservices, Waterfall development to Agile, IT control to DevOps control, and data centers to software-defined cloud infrastructure. If how we create technology value has changed dramatically, then surely we must reimagine how we deliver security for these applications.
A Look At First-Generation Cloud Security Posture Management Solutions
At the foundation of the CSPM pyramid lie the first-generation services. In the past, you would find first-generation CSPM automatically assessing your cloud environment for best practices and security violations against basic baseline controls and cloud misconfigurations. Most common first-generation CSPM solutions would feature:
- Identifying your public cloud environment footprint
- Assessing your cloud for misconfigurations and control violations
- Auditing and reporting on misconfigurations and violations
First-generation CSPM services conduct these activities on a continuous basis and might include simple automation capabilities to correct issues. However, as the complexity of the public cloud grew, first-generation CSPM tools simply couldn’t keep up. What they lacked was context-based analysis.
Cloud Security Posture Management Grows To Include Context
Context is most often determined by how and/or where a cloud service, identity or resource is implemented. Based on this context, your cloud environment controls can be implemented and monitored at a much more granular level. An example of this is not just checking whether encryption is enabled for your data stores, but ensuring that encryption is enabled on the data stores that contain sensitive data. Today’s CSPM with context-based analysis would include the features of first-generation CSPM as well as:
- Continuous visibility into multiple public cloud environments of policy violations
- Optional ability to perform automated remediation of misconfigurations to ensure continuous compliance and protect critical cloud assets
- Out-of-the-box compliance libraries of common standards or best practices, such as CIS Foundations Benchmarks, SOC 2, PCI, NIST 800-53, or HIPAA, to verify that cloud configurations are compliant
- Integration with additional security tools
While today’s context-based CSPM approach enforces granular access control based on a user’s identity and the context of the request, it leaves out non-person identities.
The Future of Cloud Security Tools: Intelligent Cloud Security Posture Management
Many organizations are still lacking key identity-related security controls and the few forward-thinking companies that have started applying proper access controls are typically focusing on human users – not non-person identities. Non-person identities are identities that act on behalf of a person. They can be pieces of code, such as AWS Lambda functions, or pieces of compute, such as Azure VMs or other public cloud services. Regardless of how you define them, they are extremely useful and often represent the vast majority of identities found in cloud deployments. They do, however, present some unique challenges that are only solved with intelligent CSPM.
With intelligent CSPM, organizations can continuously discover and monitor every possible relationship between identities and data that exists across the public cloud. It also identifies security and compliance issues to help you improve the visibility and control of your cloud.
By uncovering all possible access points across many different paths, including group membership, SCP policies, object permissions, resource statements, and many other controls, your organization can get to and maintain Least Privilege. With an intelligent CSPM solution you are able to identify and visualize all access paths including access paths you didn’t know existed as well as risky unused rights to data you should remove. You can’t do this without Effective Permissions – the permissions that are granted by all the policies that affect the user or role.
By uncovering all potential access paths to your data, whether by human or non-human identities, and categorizing them by privilege, your organization can get to and enforce Least Access. Monitoring for public ‘buckets’ is important, but it’s not enough. Your CSPM should extend monitoring to all data, resources, and microservices so you can answer key questions about your data like “Where is it?”, “What is it?”, “Who has access to it?”, “What has accessed it?”, “What did they do?”, and “Where did it move?”
Your CSPM platform should automate the process of assessing your cloud against hundreds of configuration and security best practices, identifying critical risks across both human and non-person identities in your environment. These checks may include basic policies, like ensuring each account sends its logs to a secure log repository, requiring all admin users to log in with multi-factor authentication, or making sure no administrative identities are open to the public.
With intelligent CSPM, more complicated best practices can be assessed as well, including looking for excessive account permissions, making sure access to storage buckets only comes from authorized identities, or even detecting when an identity has the ability to escalate its privileges based on its Effective Permissions. Running a cloud at scale requires you to quickly and reliably identify when your cloud deviates from security policies, and to provide an instant notification within the tools you use to manage Operations, including HashiCorp, Slack, and Jira.
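The Effective Permissions idea from the preceding paragraphs (combining every access path: the identity's own policies, group-inherited policies, the resource's own policy, and the SCP boundary) and the least-privilege check for granted-but-unused rights, as an added example that is not Sonrai's code. It uses a deliberately simplified IAM-style policy model (Allow/Deny statements with wildcards, no conditions) and a constructed sample environment and activity summary in place of real account data.

```python
from fnmatch import fnmatchcase

def _match(patterns, value):
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in pats)

def _evaluate(statements, principal, action, resource):
    """Toy IAM evaluation: explicit Deny wins, else Allow if any match, else None."""
    result = None
    for s in statements:
        if not (_match(s["Action"], action) and _match(s["Resource"], resource)):
            continue
        if "Principal" in s and not _match(s["Principal"], principal):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result

def effective_allow(principal, action, resource, env):
    """Effective permission across all paths: direct policies, group policies,
    the resource policy, and the SCP boundary (an SCP restricts, never grants)."""
    ident = env["identities"][principal]
    identity_stmts = list(ident["policies"])
    for g in ident["groups"]:
        identity_stmts += env["groups"][g]
    if _evaluate(env["scps"], principal, action, resource) != "Allow":
        return False
    idec = _evaluate(identity_stmts, principal, action, resource)
    rdec = _evaluate(env["resource_policies"].get(resource, []), principal, action, resource)
    return "Deny" not in (idec, rdec) and "Allow" in (idec, rdec)

def unused_rights(principal, env, usage):
    """Least-privilege check: granted (action, resource) pairs never exercised
    in the observed activity window (constructed here, CloudTrail-like in practice)."""
    granted = {(a, r) for a in env["actions"] for r in env["resources"]
               if effective_allow(principal, a, r, env)}
    return sorted(granted - set(usage.get(principal, [])))

# Constructed sample environment and activity summary (not real account data).
ENV = {
    "actions": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "resources": ["arn:aws:s3:::pii-bucket/customers.csv", "arn:aws:s3:::logs-bucket/app.log"],
    "scps": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
             {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}],
    "groups": {"data-readers": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*"}]},
    "identities": {"lambda-etl": {"groups": ["data-readers"], "policies": [
        {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::logs-bucket/*"}]}},
    "resource_policies": {"arn:aws:s3:::logs-bucket/app.log": [
        {"Effect": "Allow", "Principal": "lambda-etl", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::logs-bucket/*"}]},
}
USAGE = {"lambda-etl": [("s3:GetObject", "arn:aws:s3:::logs-bucket/app.log"),
                        ("s3:PutObject", "arn:aws:s3:::logs-bucket/app.log")]}
```

For the non-person identity `lambda-etl`, the SCP blocks the delete it was directly granted, the bucket policy grants a write its own policies never mention, and the group-inherited read of the PII object is flagged as an unused right to remove.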
Gartner Recommendations on CSPM
Gartner recommends that security and risk management leaders invest in CSPM tools to avoid misconfigurations that can lead to data leakage.
You might have already begun your CSPM journey with the aim of protecting against misconfigurations caused by human error, or you may have invested in a first-generation CSPM. Regardless of where you are on your journey, the need for this type of intelligent CSPM solution is evident.
Learn more about “Secure Multi-Cloud Environments: Intelligent Cloud Security Posture Management” in our upcoming webinar.