Data breaches through mismanagement and misconfigurations in the cloud are becoming commonplace. Gartner has predicted that “through 2022, at least 95% of cloud security failures will be the customer’s fault.” In fact, nearly all successful attacks in the cloud to date, including the recent high-profile Capital One breach, involved customer misconfigurations.
To avoid costly mistakes, enterprises must stop relying on manual checks and transition to the use of automatic tools. That is where Cloud Security Posture Management (CSPM) comes in. CSPM is continuous compliance checking of cloud platform accounts. CSPM tools verify that cloud configurations follow security best practices and compliance standards such as the CIS, Azure and GCP benchmarks and the PCI or HIPAA frameworks. In short, CSPM solutions automatically assess your cloud environment against best practices and compliance standards and help remediate issues, often through automation. As companies increasingly move to the cloud, CSPM is becoming a necessary aspect of security.
CSPM tools play a pivotal role in helping organizations stay compliant with major mandates or frameworks and in addressing accidental risk, such as:
- Mistakes that lead to exposure of databases containing sensitive information
- Misconfigurations and incorrect settings that lead to noncompliance with a major regulation to which your organization is subject
- Settings that allow unauthorized users to access data, applications or servers
The Need for an Updated CSPM Approach
We believe the standard definition of CSPM is lacking. It isn’t defined by ‘what you need’ but rather, by ‘what the current tools can provide.’
Let me demonstrate with an example. Imagine that you are running an Ubuntu server which is connected both to the Internet and to the internal VPCs. The server was never patched, and as a result it is running a vulnerable web server on an OS that has already been infected with a crypto miner. In addition, the server allows weak authentication methods.
What issues will your CSPM alert on? As it stands today, zero. Despite the fact that software vulnerabilities and misconfigurations in the OS and application layers are critical parts of your security posture, they aren’t handled by today’s CSPM.
CSPM will detect a machine connected to both the Internet and the internal VPC, but it won’t alert on the missing patches, the malware or the weak authentication present on that server. These issues are simply outside the scope of current CSPM tools. Contemporary tools will alert about control plane misconfigurations (for example, if a bucket was given the wrong permissions) but not about OS and application level vulnerabilities. So whether you are running a vulnerable web server, as described above, or have a compromised asset, your CSPM tool won’t alert you.
Defending an organization in the cloud era requires equipping it with tools capable of protecting its assets from intentional attacks. Misconfigurations at every level of the cloud stack, including OS and application level vulnerabilities, make the success of these cyberattacks much more likely:
- Attacks targeting known software vulnerabilities, like a vulnerable web server
- Attacks utilizing security misconfigurations, such as weak encryption keys and easy to guess credentials
- Brute-force attacks against weak password policies
- APT attacks involving stolen credentials
- Web application attacks (e.g., SQL injection, cross-site scripting, cross-site request forgery attacks, and remote file inclusion)
The bottom line is to look at your cloud use cases and security requirements. If your organization is putting sensitive data in the cloud, a holistic approach to security is required. CSPM solutions need to be redefined as solutions that do, indeed, manage the cloud security posture, going beyond control plane misconfigurations into everything that is part of the IaaS and PaaS security posture, including detection of malware, vulnerabilities, and advanced persistent threats across all layers: network, OS and applications.
CSPM conceived this way helps organizations address the accidental side of security and compliance when deploying applications and data to the cloud, and also protects their assets against intentional attack.
The Cloud Demands Cloud-native Solutions
The move to the cloud hasn’t solved the problems that existed in the pre-cloud era. Vulnerabilities, misconfigurations, and compromised assets are still very much an issue. However, the cloud brings with it better ways to handle those problems.
CSPM cannot be complete without addressing intentional threats and providing a true evaluation of where an organization stands. Security policies that define how security teams deal with asset visualization, inventory and management, incident response, and internal training and education were originally built for on-premises environments, and do not support the cloud environment security posture in a cloud-native way.
Cloud security posture management means managing the posture of your entire cloud deployment, throughout the technology stack. To live up to their name, CSPM solutions need to be supplemented with deeper defense and threat detection capabilities to truly address all aspects of security and compliance for your workloads in the cloud. To help achieve this, consider the following four questions.
1. How many tools will I need to avoid misconfigurations in the cloud?
To properly address security posture in the cloud, you need a macro view of risk and the level of drift from established policies. Let’s have a look at the following common use cases:
- Misconfigured S3 bucket that makes your data publicly available
- Internet-facing server running vulnerable web instances
- Infected asset within your network
- A machine that holds critical data, is publicly accessible from the Internet and is protected by an easy to guess password
To improve your security posture in the cloud, a centralized view of all your assets and servers in one place is essential so that critical misconfigurations, policy violations, and mistakes are not missed.
2. Will I be able to get results in context?
At the end of the day, security teams are overwhelmed by the avalanche of alerts, and fixing security holes comes down to context that enables prioritization. Manual integrations of multiple data points are simply not feasible.
To determine your security posture in the cloud you need a good understanding of what’s going on, and the ability to contextualize the findings.
For example, if you are using one tool to detect whether a machine is running a vulnerable web server and another tool to determine the machine’s network location, then you need to manually assess the alert using data derived from two separate tools. As a result, you may find ten vulnerable web servers and start patching them right away. The issue is that only one of them is Internet facing, and your valuable resources will be wasted on issues that are not the highest priority.
To strengthen your remediation capabilities, it is simply not enough that security solutions alert to potential areas of risk or threat. Your team must have an easy and automated way to prioritize those alerts and assess threats in context.
3. What is your TCO?
The Total Cost of Ownership (TCO) is another important piece of the puzzle. When considering the various solutions for assessing your security in the cloud, ask yourself:
- How long will your team need to work in order to implement the tool?
- How much intra-organizational friction will it cause? How many integration points will I need to build?
- Will I get good enough coverage after spending this amount of time? Will I need to invest additional resources as my cloud environment grows to have this coverage?
Since CSPM solutions provide key capabilities for DevOps, Security, IT, and GRC teams alike, you need tools that contribute to the required collaboration necessary to achieve security and compliance outcomes in the future without wasting precious resources.
4. Are these tools born in the cloud and are they cloud-native?
As we discussed above, cloud security differs from what we are used to with on-prem environments. The same issues have both a different meaning and a different mitigation strategy on-prem and in the cloud.
For example, if you have 20 spot instances running the same image that have a vulnerability or misconfiguration, will you see it as 1 issue or 20 unrelated issues? A proper CSPM solution must be able to understand that they are all copies of the same image.
Mitigation strategies must also be adapted to, and relevant in, the cloud. Many times in the cloud you ‘refresh’ images rather than fix them, leaving your organization exposed. But cloud best practice isn’t just to patch your images in place, but to recreate them from scratch using newer versions. Make sure that the products you are using are compatible with the cloud way of doing things, and can provide adequate recommendations for action.
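Added example (not the post's own code) of the two points above: correlating a scanner finding with the host's network exposure so that the one Internet-facing server out of several is fixed first, and collapsing instances launched from the same image into a single issue with an image-rebuild recommendation. The inventory, the findings and their field names are constructed for illustration.

```python
# Added example, not code from the original post: join scanner findings with asset
# context so that Internet-facing hosts are prioritized and copies of the same
# image collapse into one issue. All data below is constructed for illustration.
from collections import defaultdict

# Constructed inventory: instance id -> source image and network exposure.
ASSETS = {
    "i-001": {"image": "ami-web-v1", "public_ip": True,  "open_to_internet": True},
    "i-002": {"image": "ami-web-v1", "public_ip": True,  "open_to_internet": False},
    "i-003": {"image": "ami-web-v1", "public_ip": False, "open_to_internet": False},
    "i-004": {"image": "ami-db-v3",  "public_ip": False, "open_to_internet": False},
}

# Constructed findings from a hypothetical vulnerability scanner (one per instance).
FINDINGS = [
    {"instance": "i-001", "issue": "outdated web server"},
    {"instance": "i-002", "issue": "outdated web server"},
    {"instance": "i-003", "issue": "outdated web server"},
    {"instance": "i-004", "issue": "weak SSH password policy"},
]


def is_internet_facing(asset):
    """Exposed only with a public IP *and* an inbound rule open to the world."""
    return asset["public_ip"] and asset["open_to_internet"]


def prioritize(findings, assets):
    """Group findings by (image, issue); groups with any exposed host rank first.
    Keying on the image turns N copies of one image into one issue, and the
    fix becomes 'rebuild the image' instead of patching N hosts in place."""
    groups = defaultdict(lambda: {"instances": [], "exposed": []})
    for f in findings:
        asset = assets[f["instance"]]
        g = groups[(asset["image"], f["issue"])]
        g["instances"].append(f["instance"])
        if is_internet_facing(asset):
            g["exposed"].append(f["instance"])
    result = []
    for (image, issue), g in groups.items():
        result.append({
            "image": image, "issue": issue,
            "priority": "high" if g["exposed"] else "medium",
            "instances": sorted(g["instances"]), "exposed": sorted(g["exposed"]),
            "fix": f"rebuild {image} from a patched base, replace {len(g['instances'])} instances",
        })
    # High-priority groups first; stable order by image name within a priority.
    return sorted(result, key=lambda r: (r["priority"] != "high", r["image"]))
```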
Upgrade your CSPM today
To determine if your CSPM tool can help you achieve holistic cloud security, ask yourself the four questions outlined above.
CSPM tools should live up to their name and provide real management of the cloud security posture, regardless of where in the technology stack the issue lies.