Cybersecurity, DevOps, and compliance professionals' guide to Cloud Security Posture Management (CSPM).
The evolution of cloud computing in the past decade has fundamentally changed organizations' IT infrastructures, software development processes, and cybersecurity strategies. New cloud technology, especially the public cloud, has allowed limitless scaling potential & elastic IT costs for companies of every size.
However, it's not all sunshine and rainbows in the cloud. This new technology has introduced critical infrastructure weaknesses such as lack of visibility, cloud sprawl, misconfiguration risk, and compliance complexity. Or as Gartner plainly stated in 2019:
"The rapid adoption of cloud services, along with an increasing number of cloud infrastructure and platform services, has created an explosion in complexity and unmanaged risk." (Gartner 2019)
Cloud Security Posture Management, or CSPM, is the foundation of any cloud security & compliance strategy to combat cloud complexity and cyber risk.
In this comprehensive guide, we'll explain what exactly CSPM is, how the modern enterprise cloud strategy has evolved, and how you can use CSPM technology to help secure your cloud infrastructure, optimize your DevOps/DevSecOps team, and make compliance painless.
"CSPM offerings continuously manage cloud risk through the prevention, detection, response and prediction of where excessive cloud infrastructure risk resides based on common frameworks, regulatory requirements and enterprise policies."
In simpler terms, a CSPM helps organizations prevent a data breach by automatically discovering, assessing, and assisting in the remediation of cloud infrastructure vulnerabilities.
Cloud Infrastructure Misconfigurations
These infrastructure vulnerabilities, often called misconfigurations, are a result of the constant cloud infrastructure changes that organizations undergo while developing software and maintaining existing systems.
Cloud misconfigurations are often the result of organizations not using DevOps methodologies and instead building software in piecemeal fashion, causing cloud resources to be configured differently and unsystematically.
When using DevOps methodologies, misconfigurations still occur due to the speed and scale of enterprise software development, causing these vulnerabilities to be overlooked. In fact, Gartner states:
Nearly all successful attacks on cloud services are a result of customer misconfiguration, mismanagement and mistakes.
Amazon Web Services (AWS), for example, has over 160 different services each with unique security setups. It's impossible to manage security configurations across these services when companies are building & supporting dozens of applications with millions of users and hundreds of engineers making changes.
Critical misconfigurations can go undetected for months due to alert fatigue. With misconfigurations, malicious entities simply walk right through the front door.
Here are just a few recent misconfigurations that resulted in massive data breaches, costing companies millions of dollars.
These highly publicized and expensive breaches are enough to make any Chief Information Security Officer (CISO) wonder,
“What are we doing to protect ourselves from misconfigurations?”
When setting a security strategy, CISOs should prioritize infrastructure misconfiguration discovery & remediation as a foundation for further security services.
Gartner agrees and suggests CISOs should “Prioritize a CSPM project in 2019.”
Key Themes of Cloud Security Posture Management (CSPM)
Since there are dozens of cloud security tools from both cloud service providers (CSPs) and cybersecurity vendors, we need to identify the core value of CSPM technology:
Cloud Infrastructure Risk Prevention
Continuous Configuration Discovery
Assisted Misconfiguration Remediation
While top vendors each have a unique way of delivering this core value with a host of unique bells and whistles, these are the table stakes of a modern CSPM solution.
But before we get into that, let’s take a step back and look at how CSPM technology falls in-line with the modern enterprise cloud strategy.
Understanding the Modern Enterprise Cloud Strategy
Cloud Computing 101
Cloud computing has ignited the digital transformations we've seen in the past decade and allowed both startups and enterprise to create virtually limitless applications and new technologies.
The main benefits of cloud computing are:
On-demand availability of computing power and storage space
Scalable and elastic IT infrastructure costs
Increased agility in building software
Amazon first commercialized cloud computing in 2006 with the creation of Amazon Web Services (AWS) and the Elastic Compute Cloud (EC2). A few years later, Microsoft and Google launched public cloud services Microsoft Azure and Google Public Cloud (GCP). These three platforms are the major public cloud providers and together generated over $185 billion in revenue in 2018.
In Deloitte's "The Future of Cyber Survey 2019" report, "Cloud Transformation" was the top digital transformation initiative for enterprise C-suites. This further shows that cloud adoption and maturity will continue to grow as more and more large companies adopt the cloud to become more agile.
While most large enterprises leverage public cloud technology for infrastructure-as-a-service (IaaS), it is important to understand the entire cloud services landscape.
This common diagram shows the progression of responsibility in managed IT services from traditional on-premises to SaaS:
Companies use AWS, Microsoft Azure, and Google Public Cloud (GCP) as their IaaS in order to build SaaS applications.
The Shared Responsibility Model
The foundation of a cloud security strategy is understanding the Shared Responsibility Model. Essentially, the public cloud provider is responsible for security of the cloud, while the customer is responsible for security in the cloud.
As you can see in the diagram from AWS, the customer is responsible for its customer data first-and-foremost, followed by its network, applications, access controls, configuration, and infrastructure.
The public cloud provider is responsible for securing its data centers and the hardware within. With this in mind, let's dig into what a cloud security strategy looks like.
The Cloud Security Landscape
There are many ways to look at cybersecurity, but here is a simple hierarchy of how to think about cloud security.
From the customer perspective, secure infrastructure and configuration is the biggest concern (shown in red).
This is the first layer of customer responsibility within the Shared Responsibility Model and as mentioned before, the most vulnerable to misconfigurations.
The main activity of cloud infrastructure security is continuous configuration monitoring, meaning automated auditing of asset and workload configurations for vulnerabilities. To have real-time configuration insights, an automated monitoring solution is required.
Workload protection and access control are the next priority in cloud security. Cloud workload protection platforms (CWPP) and cloud access security brokers (CASB) are the main solutions here. When looking at CSPM, CWPP, and CASB solutions there is often overlap in services due to the complex nature of cloud security.
What is a CWPP?
CWPPs are host-centric security offerings that secure workloads in public, private, and hybrid data centers. Gartner explains "CWPPs should provide consistent visibility and control for physical machines, virtual machines, containers, and server-less workloads regardless of the location.
CWPP offerings protect the workload from attacks, typically using a combination of network segmentation, system integrity protection, application control, behavioral monitoring, host-based intrusion prevention and optional anti-malware protection." CWPPs are typically agent-based.
What is a CASB?
CASBs primarily operate at the control plane and were originally designed to give enterprises visibility and control over SaaS applications such as Office 365 and Salesforce. Today, CASBs' scope of coverage extends to IaaS and PaaS. CASBs can be deployed on-prem or via an API and sit between cloud service consumers and cloud service providers in order to govern security policies as cloud-based assets are accessed.
Per Gartner "CASBs use auto-discovery to identify cloud applications in use and identify high-risk applications, high-risk users and other key risk factors. Cloud access brokers may enforce a number of different security access controls, including encryption and device profiling." CASBs generally provide a central location for policy governance across multiple cloud services.
Now that we know what processes & technologies are important to the modern enterprise cloud strategy, let's examine the key players: DevOps & DevSecOps.
What is DevSecOps? And Why Should You Care?
Before we dive into DevSecOps, let's first define DevOps:
DevOps represents a change in IT culture, focusing on rapid IT service delivery through the adoption of agile, lean practices in the context of a system-oriented approach. DevOps emphasizes people (and culture), and seeks to improve collaboration between operations and development teams. DevOps implementations utilize technology— especially automation tools that can leverage an increasingly programmable and dynamic infrastructure from a life cycle perspective. -Gartner
The diagram below is a common representation of the different stages of the DevOps cycle.
The DevOps process is meant to be continuous, ever improving, and often assisted by technology automation.
Deloitte recently reported that 85% of enterprises are using DevOps practices to build software and accelerate their digital strategies.
So what’s the problem? With DevOps continuously changing the cloud infrastructure to support new, faster deployments, cloud workloads are left extremely vulnerable to the risky misconfigurations discussed earlier.
So how can an enterprise solve this modern security challenge?
DevSecOps to the Rescue
Just as DevOps sits at the intersection of development & operations, DevSecOps spans development, security, & operations. The purpose of DevSecOps is to have dedicated engineering resources focused on securing the CI/CD pipeline.
DevSecOps has largely the same responsibilities as a cloud security posture management (CSPM) solution: embedding cybersecurity into the CI/CD pipeline. This means:
Preventing cloud vulnerabilities at scale
Building systems to automatically discover cloud misconfigurations
Systematically assisting in the remediation of cloud misconfigurations
In a perfect world, any enterprise utilizing DevOps methodologies would have a dedicated DevSecOps team to support it. Unfortunately, technology has accelerated at a pace that human capital cannot keep up with.
More plainly, there is a massive shortage of DevSecOps engineers.
This means DevOps engineers, who are generally not security professionals, have to make security decisions in the cloud every day. This is a recipe for a costly data breach.
So what should modern enterprises do to fix this gap in security?
They can implement an intelligent CSPM to automate and assist in securing the CI/CD pipeline, either to support the DevSecOps team or to stand in for one if resources are constrained.
Innovating on First Generation CSPM Solutions
Cybersecurity products are always evolving to solve new threats. In 2015, the first generation of cloud infrastructure monitoring products emerged and were categorized as Cloud Infrastructure Security Posture Assessment (CISPA). This first wave of products met the market need for multi-cloud visibility, but introduced alert fatigue, complex user interfaces, and product rigidity.
Most of these products were acquired by larger security or cloud provider companies as "bolt-on" tools to their other offerings. This stalled innovation, paving the way for second generation solutions.
Second Generation CSPM Innovations:
Optimized remediation & configurable auto-remediation to reduce alert fatigue
Custom policy & rules engine enforceable across a multi-cloud environment to implement security strategy into cloud operations
Infrastructure security embedded into CI/CD pipeline for proactive security
What is "Alert Fatigue" and How to Stop It
If you're a security professional, you know exactly what alert fatigue feels like - countless emails, tickets, and alerts buzzing your phone and piling up in your inbox. Alert fatigue is the frustration that engulfs security teams when multiple security tools are sending too many alerts for the team to realistically address.
Alert fatigue cripples decision making, introduces bias to vulnerability investigation, and demoralizes security teams.
Auto-generated remediation plans reduce alert fatigue and ultimately reduce the attack surface by first considering your security team's remediation capacity, and then automatically creating a plan of the most critical misconfigurations that your team can realistically remediate in a given day.
This helps DevOps and DevSecOps manage the constant security vulnerabilities that arise due to agile software development.
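The planning logic described above, as an added illustration (this is not SECBERUS code): findings are ranked by severity, then by estimated effort, and packed into a day's capacity so that one large fix never starves several small critical ones. The Finding fields, the severity names, and the effort estimates are assumptions constructed for the example.

```python
"""Auto-generated remediation plan: size a day's work to the team's capacity.

Added example, not SECBERUS code. The Finding fields, the severity ranking
and the effort estimates are assumptions constructed for illustration."""
from dataclasses import dataclass

# Lower rank = more urgent. Severity names are assumed, not a vendor's scheme.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    resource: str
    rule: str
    severity: str
    effort_hours: float  # estimated time to remediate (assumed input)


def daily_plan(findings, capacity_hours):
    """Pick the findings to work today.

    Most severe first; within a severity, cheapest first, so the team closes
    as many critical items as the budget allows. An item that does not fit
    the remaining budget is skipped rather than blocking everything behind
    it, so one large fix never starves several small critical ones."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.effort_hours))
    plan, remaining = [], capacity_hours
    for finding in ordered:
        if finding.effort_hours <= remaining:
            plan.append(finding)
            remaining -= finding.effort_hours
    return plan


def backlog(findings, plan):
    """Findings not in today's plan, in their original order."""
    planned = {f.finding_id for f in plan}
    return [f for f in findings if f.finding_id not in planned]


def schedule(findings, capacity_hours):
    """Repeat daily planning until the backlog is empty.

    Returns (days, oversized): one plan per day, plus any findings whose
    effort exceeds a full day's capacity and therefore need to be split
    into smaller tasks before they can be scheduled at all."""
    days, remaining = [], list(findings)
    while remaining:
        plan = daily_plan(remaining, capacity_hours)
        if not plan:  # nothing fits: every remaining item exceeds one day
            break
        days.append(plan)
        remaining = backlog(remaining, plan)
    return days, remaining


# Constructed sample findings (resource names and efforts are made up).
SAMPLE_FINDINGS = [
    Finding("F1", "s3://customer-exports", "S3 bucket grants public read", "critical", 0.5),
    Finding("F2", "sg-0a1b2c", "SSH open to 0.0.0.0/0", "critical", 1.0),
    Finding("F3", "account root", "Root user has no MFA", "critical", 6.0),
    Finding("F4", "vol-0d9e8f", "EBS volume not encrypted", "high", 4.0),
    Finding("F5", "us-west-2", "CloudTrail not enabled in region", "high", 1.5),
    Finding("F6", "s3://audit-logs", "Log bucket lacks versioning", "low", 0.25),
    Finding("F7", "db-prod-1", "RDS instance publicly accessible", "critical", 3.0),
]

if __name__ == "__main__":
    days, oversized = schedule(SAMPLE_FINDINGS, capacity_hours=8)
    for n, plan in enumerate(days, 1):
        print(f"Day {n}: " + ", ".join(f"{f.finding_id}({f.severity})" for f in plan))
    print("Needs splitting:", [f.finding_id for f in oversized])
```

With an eight-hour budget the sample backlog clears in three days; with a two-hour budget the planner reports the three findings that can never fit a single day, which is the signal to break them into smaller tickets rather than let them sit unseen behind a wall of alerts.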
Build Security Strategy into Practice with Custom Policies Engine
With the first generation of cloud infrastructure technologies mainly providing multi-cloud visibility, enterprises still needed a way to implement security strategy into cloud operations.
Each company has a different security strategy, and without a multi-cloud policy builder it's extremely repetitive and cumbersome to implement these policies.
To help companies achieve this, SECBERUS built a custom policy & rules engine so security teams can implement strategy from the office of the CISO into cloud operations.
This innovation in cloud security is what we call "Policy-as-a-Service". We explain this fully in the following section.
Infrastructure Security Monitoring for Proactive Security
When building cloud infrastructures, best practice suggests the use of infrastructure-as-code to maintain consistency in configuration across environments.
AWS has an in-house tool called CloudFormation and Azure has Azure Resource Manager (ARM) that allow users to model and provision infrastructure-as-code templates into their public cloud environment. Terraform is another common, more robust third-party infrastructure-as-code tool.
Second generation CSPMs "Shift Security Left" by checking these infrastructure-as-code templates for secure configurations prior to deployment to production environments. This proactive approach helps prevent misconfigurations from ever being deployed, so DevOps teams can move faster with confidence.
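A minimal version of such a pre-deployment template check, added here as an example that is neither SECBERUS code nor an AWS tool: it parses the JSON form of a CloudFormation template and fails the pipeline if a security group exposes an administrative port to the whole internet or an S3 bucket has a public ACL or no default encryption. The rule IDs (SG-001, S3-001, S3-002) and the sample template are constructed for illustration; the CloudFormation property names are the real ones.

```python
"""Shift-left check for a CloudFormation template before deployment.

Added example, not SECBERUS code or an AWS tool. It reads the JSON form of
a template and flags two classic misconfigurations; the rule IDs (SG-001,
S3-001, S3-002) and the sample template are constructed for illustration."""
import json

ADMIN_PORTS = {22, 3389}            # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}    # "any source" CIDRs


def _reaches_admin_port(rule):
    """True if an ingress rule's port range covers SSH or RDP."""
    if str(rule.get("IpProtocol")) == "-1":   # all protocols, all ports
        return True
    try:
        low, high = int(rule.get("FromPort")), int(rule.get("ToPort"))
    except (TypeError, ValueError):
        # Port given via an intrinsic function such as {"Ref": ...}: not
        # resolvable statically, so leave it to runtime monitoring.
        return False
    return any(low <= port <= high for port in ADMIN_PORTS)


def check_security_group(logical_id, props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        source = rule.get("CidrIp") or rule.get("CidrIpv6")
        if source in ANYWHERE and _reaches_admin_port(rule):
            findings.append((logical_id, "SG-001", f"ingress from {source} reaches an admin port"))
    return findings


def check_s3_bucket(logical_id, props):
    findings = []
    acl = props.get("AccessControl")
    if acl in ("PublicRead", "PublicReadWrite"):
        findings.append((logical_id, "S3-001", f"bucket ACL {acl} grants anonymous access"))
    if "BucketEncryption" not in props:
        findings.append((logical_id, "S3-002", "no default server-side encryption configured"))
    return findings


# Resource type -> check function. Extend with more types as needed.
CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_s3_bucket,
}


def scan_template(template_text):
    """Return (logical_id, rule_id, message) for every failed check."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(logical_id, resource.get("Properties", {})))
    return findings


def pipeline_gate(template_text):
    """True if the template may proceed to deployment (no findings)."""
    return not scan_template(template_text)


# Constructed sample template: one open security group, one public and
# unencrypted bucket, and one bucket that passes both checks.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "admin access",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
            ]}},
        "PublicAssets": {"Type": "AWS::S3::Bucket", "Properties": {
            "AccessControl": "PublicRead"}},
        "AuditLogs": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
            "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}}},
    },
})

if __name__ == "__main__":
    for logical_id, rule_id, message in scan_template(SAMPLE_TEMPLATE):
        print(f"{rule_id} {logical_id}: {message}")
    raise SystemExit(0 if pipeline_gate(SAMPLE_TEMPLATE) else 1)
```

The non-zero exit status is what a CI stage keys on to block the deploy. Note the deliberate caveat for ports supplied through intrinsic functions: a static template check cannot resolve them, which is exactly why shift-left scanning complements rather than replaces continuous monitoring of the deployed configuration.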
Policy-as-a-Service for a Unified, Custom Cloud Strategy
As touched on above, Policy-as-a-Service is a major innovation that SECBERUS brought to the CSPM market.
Other CSPM providers use a patchwork of policies, both security & custom, to deliver risk visibility from a policy perspective.
SECBERUS realized that security leaders implement their strategy through policies, and therefore delivers industry-first Policy-as-a-Service.
Policy-as-a-Service solves 3 key problems for security teams:
Ability to build & implement custom policies throughout the CI/CD across an organization's entire cloud environments (multiple cloud accounts and cloud providers)
Comprehensive visibility for security & compliance policies instead of siloed views
Ability to build one policy and implement across any environment, instead of manually building custom policies across every environment
Implementing Policy-as-a-Service unifies your security posture, allows for customized security strategies to be implemented & continuously monitored, and saves your DevOps & DevSecOps team valuable time.
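To make the three Policy-as-a-Service points concrete, and to show the continuous configuration monitoring described earlier in the cloud security landscape section, here is an added example (not SECBERUS code): policies are written once against a normalized resource model, evaluated across several accounts and providers, rolled up per account and per compliance framework, and diffed against the previous run. The inventory, policy IDs, severities and framework tags are all constructed for illustration; a real CSPM collector would populate the inventory from each provider's APIs.

```python
"""Policy-as-a-Service style evaluation: one policy set, many environments.

Added example, not SECBERUS code. The normalized inventory, policy IDs,
severities and framework tags are all constructed for illustration; a real
CSPM collector would fill the inventory from each provider's APIs."""
from collections import defaultdict

# Normalized inventory across three providers/accounts (constructed).
INVENTORY = [
    {"provider": "aws", "account": "prod-111122223333", "type": "object_storage",
     "id": "customer-exports", "config": {"public": True, "encrypted": True}},
    {"provider": "aws", "account": "prod-111122223333", "type": "block_disk",
     "id": "vol-0abc", "config": {"encrypted": False}},
    {"provider": "azure", "account": "sub-dev", "type": "object_storage",
     "id": "devblobs", "config": {"public": False, "encrypted": False}},
    {"provider": "gcp", "account": "proj-analytics", "type": "object_storage",
     "id": "analytics-raw", "config": {"public": False, "encrypted": True}},
    {"provider": "gcp", "account": "proj-analytics", "type": "block_disk",
     "id": "disk-7", "config": {"encrypted": True}},
]

# Policies are written once against the normalized model, so the same
# rule applies to an S3 bucket, a Blob container and a GCS bucket alike.
POLICIES = [
    {"id": "STOR-PUBLIC", "severity": "critical", "applies_to": "object_storage",
     "frameworks": {"CIS", "internal"}, "compliant": lambda c: not c.get("public", False)},
    {"id": "STOR-ENCRYPT", "severity": "high", "applies_to": "object_storage",
     "frameworks": {"PCI"}, "compliant": lambda c: c.get("encrypted", False)},
    {"id": "DISK-ENCRYPT", "severity": "high", "applies_to": "block_disk",
     "frameworks": {"PCI", "internal"}, "compliant": lambda c: c.get("encrypted", False)},
]


def finding_key(account, resource_id, policy_id):
    """Stable identity for a finding, used to diff successive runs."""
    return f"{account}:{resource_id}:{policy_id}"


def evaluate(inventory, policies):
    """Apply every applicable policy to every resource; return failures."""
    findings = []
    for res in inventory:
        for pol in policies:
            if pol["applies_to"] == res["type"] and not pol["compliant"](res["config"]):
                findings.append({
                    "key": finding_key(res["account"], res["id"], pol["id"]),
                    "provider": res["provider"], "account": res["account"],
                    "resource": res["id"], "policy": pol["id"],
                    "severity": pol["severity"], "frameworks": pol["frameworks"],
                })
    return findings


def posture_by_account(inventory, policies):
    """Share of evaluated checks that passed, per account (one unified view)."""
    checks, passed = defaultdict(int), defaultdict(int)
    for res in inventory:
        for pol in policies:
            if pol["applies_to"] != res["type"]:
                continue
            checks[res["account"]] += 1
            if pol["compliant"](res["config"]):
                passed[res["account"]] += 1
    return {acct: passed[acct] / checks[acct] for acct in checks}


def for_framework(findings, framework):
    """Compliance view: only findings mapped to the given framework."""
    return [f for f in findings if framework in f["frameworks"]]


def drift(previous_keys, findings):
    """Continuous monitoring: what is new and what was resolved since last run."""
    current = {f["key"] for f in findings}
    return sorted(current - set(previous_keys)), sorted(set(previous_keys) - current)


if __name__ == "__main__":
    results = evaluate(INVENTORY, POLICIES)
    for f in results:
        print(f"[{f['severity']}] {f['provider']}/{f['account']} {f['resource']}: {f['policy']}")
    print("posture:", posture_by_account(INVENTORY, POLICIES))
```

The design point is the normalization step: because every provider's storage object is mapped to the same `object_storage` shape, a single STOR-PUBLIC policy covers all three clouds, and the per-framework filter turns the same findings into a CIS or PCI report without a separate siloed scan.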
Putting it All Together
Cloud Security Posture Management (CSPM) technology helps enterprises stay secure and compliant in the new era of cloud computing.
By embedding pro-active security across the CI/CD pipeline, Policy-as-a-Service, and optimized remediation techniques, security teams can better secure their multi-cloud environments to prevent a costly data breach.