Missed our recent webinar? There’s an on-demand recording available for our “Secure Multi-Cloud Environments: Intelligent Cloud Security Posture Management” webinar.
On September 22, we hosted a webinar with Eric Kedrosky, Director of Cloud Security Research and CISO of Sonrai Security, and Dan Woods, Principal Analyst at Early Adopter Research. Our cloud experts offered a refreshingly forward-thinking view of Cloud Security Posture Management. Here we break down some key takeaways on Intelligent CSPM.
Gartner recommends that security and risk management leaders invest in CSPM tools to avoid misconfigurations that can lead to data leakage. The recommendation exists to meet the governance and security challenges the public cloud brings. With the rapid adoption of cloud providers like AWS, Azure, GCP and Kubernetes, along with an increasing number of cloud services, the public cloud has created an explosion of data and identity complexity with unmanaged risk. While cloud providers deliver basic configuration capabilities, they only address their own services, which leaves out the multi-cloud capabilities that most enterprises require. And although the underlying cloud provider infrastructure is secure, most enterprises don’t have the processes, tooling maturity or scale to govern their cloud securely. Using first-generation Cloud Security Posture Management (CSPM) may not be enough for enterprise companies.
The New Perimeter For Cloud Security
The public cloud is amazingly powerful, but complex. The ways we conceive of, design, develop, deploy and operate applications have changed completely. We have gone from monolithic applications to microservices; Waterfall development to Agile; IT control to DevOps control; data centers to software-defined cloud infrastructure. If how we create technology value has changed dramatically, then surely we must reimagine how we deliver security for these applications.
Organizations of all sizes are harnessing the operational and cost benefits of the public cloud. Unfortunately, cloud platforms like AWS, Azure, GCP, and Kubernetes provide a wide range of identity and access management (IAM) based configuration options that can be disastrous if not properly architected. The risk is very different (and sometimes much higher) than old-world enterprise IAM, leading to identities becoming the new perimeter.
A Brief History of CSPM
In the past, you would find first-generation CSPM automatically assessing your cloud environment for best practices and security violations against basic baseline controls and cloud misconfigurations. Most common first-generation CSPM solutions would feature:
- Identifying your public cloud environment footprint
- Assessing your cloud for misconfigurations and control violations
- Auditing and reporting on misconfiguration and violations
Rapidly, CSPM has grown to include context. Context is most often determined by how and/or where a cloud service, identity or resource is implemented. Based on this context, your cloud environment controls can be implemented and monitored at a much more granular level. Today’s CSPM with context-based analysis would include the features of first-generation CSPM as well as:
- Continuous visibility into policy violations across multiple public cloud environments
- Optional ability to perform automated remediation of misconfigurations to ensure continuous compliance and protect critical cloud assets
- Out-of-the-box compliance libraries of common standards or best practices, such as CIS Foundations Benchmarks, SOC 2, PCI, NIST 800-53, or HIPAA, to verify that cloud configurations are compliant
- Integration with additional security tools
While today’s CSPM context-based approach enforces granular access control based on a user’s identity and context of the request, it leaves out the non-person identities.
Many organizations are still lacking key identity-related security controls and the few forward-thinking companies that have started applying proper access controls are typically focusing on human users – not non-person identities. Non-person identities are identities that act on behalf of a person. They can be pieces of code, such as AWS Lambda functions, or pieces of compute, such as Azure VMs or other public cloud services. Regardless of how you define them, they are extremely useful and often represent the vast majority of identities found in cloud deployments. They do, however, present some unique challenges that are only solved with intelligent CSPM.
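Non-person identities are only visible if you can tell, for each role, whether a person or a piece of code or compute is trusted to assume it. The following is an added example, not code from the webinar or from Sonrai's platform: it classifies AWS IAM roles from their trust policies, counts how many are non-person identities, and flags trusts that are not scoped to any single identity. The role records are constructed samples in the shape boto3's `iam.list_roles()` returns (an assumption); the person/non-person rules are a simple heuristic.

```python
def role(name, principal, action="sts:AssumeRole"):
    """Build a role record in the shape boto3's iam.list_roles() returns (assumed)."""
    return {"RoleName": name, "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": action, "Principal": principal}]}}

# Constructed sample roles, not data from a real account.
SAMPLE_ROLES = [
    role("lambda-orders", {"Service": "lambda.amazonaws.com"}),
    role("ec2-web", {"Service": ["ec2.amazonaws.com"]}),
    role("admin-sso", {"Federated": "arn:aws:iam::111122223333:saml-provider/okta"},
         "sts:AssumeRoleWithSAML"),
    role("partner-ingest", "*"),
]

def principals(stmt):
    """Yield (type, value) pairs, normalising the shapes IAM allows for Principal."""
    p = stmt.get("Principal", {})
    if p == "*":                       # shorthand for {"AWS": "*"}
        p = {"AWS": "*"}
    for ptype, vals in p.items():
        for v in (vals if isinstance(vals, list) else [vals]):
            yield ptype, v

def classify_role(role):
    """Label one role person / non-person / unscoped from who is trusted to assume it."""
    kinds, findings = set(), []
    for stmt in role["AssumeRolePolicyDocument"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for ptype, value in principals(stmt):
            if ptype == "Service":                           # AWS service: Lambda, EC2, ...
                kinds.add("non-person")
            elif ptype == "Federated" or ":user/" in value:  # SSO user or IAM user
                kinds.add("person")
            elif ":role/" in value:                          # another role: code or compute
                kinds.add("non-person")
            else:  # "*", an account root ARN or a bare account id: not one identity
                kinds.add("unscoped")
                if "Condition" not in stmt:
                    findings.append(f"broad trust on {value!r} with no Condition")
    kind = "mixed" if len(kinds) > 1 else (kinds.pop() if kinds else "none")
    return {"role": role["RoleName"], "kind": kind, "findings": findings}

def inventory(roles):
    """Classify every role and count how many identities are not people."""
    results = [classify_role(r) for r in roles]
    summary = {"total": len(results),
               "non_person": sum(r["kind"] == "non-person" for r in results),
               "flagged": [r["role"] for r in results if r["findings"]]}
    return results, summary
```

Run against a real listing, the `flagged` roles are the ones whose trust policy names no single person or workload and so deserve a Condition or a narrower principal.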
Learn more about “Secure Multi-Cloud Environments: Intelligent Cloud Security Posture Management” in our webcast discussion.