Cloud Security Posture Management (CSPM) is a class of tooling that reduces the effort of securing public cloud estates. This holds for organisations that are already on public cloud as well as for those still migrating. Public cloud deployments are built from many moving parts: network, storage, containers, serverless applications and so on.
In fast-paced organisations these moving parts “move” (that is, change) as often as every hour, or even every minute. Keeping up with these changes, and making sure they do not degrade the security posture of the organisation's public cloud deployment, is a towering challenge for security teams.
This is where Cloud Security Posture Management, or CSPM, plays a crucial role. CSPM solutions take some of this load off security teams by providing visibility, continuous secure-configuration management, threat detection and compliance reporting.
Let's dig a little deeper.
Importance of Continuous Security Management
Where is your organisation's critical information? In a data warehouse, a database, or backed up to S3 buckets (or an equivalent object store), most likely; that is the case for most organisations hosted on the cloud. What happens when an administrator accidentally makes an S3 bucket public, or a developer accidentally pushes an access key to a public repository? You have a breach in the making.
This is precisely why:
- Gartner estimates that 95% of cloud security failures are caused by configuration errors on the customer's side
- An IDC survey found that 80% of companies had experienced a cloud data breach, most of them arising from misconfigurations
Those are some really scary numbers!
Why do Cloud Data Breaches occur?
- The perimeter is gone : in the cloud there is still a network, of course, but there is also a whole set of services that are effectively perimeter-less, which drastically increases the attack surface of an organisation and its applications. For example, S3 buckets are served from shared AWS endpoints, NOT from inside an enterprise network boundary; who can reach them is governed purely by logical access control such as bucket policies, ACLs and the Block Public Access settings.
- Lack of adequate preventive controls : public cloud adoption is all about engineering speed and agility, which often leaves security taking a back seat. Basic controls such as encryption at rest, restrictions on access keys and blocking of public access are often missed.
- They are faster and smarter than you think : attackers have high-end tooling and compute at their disposal and are scanning for misconfigurations all the time, so a newly exposed resource is likely to be found within hours. There are freely available tools that simply present a list of exploitable resources, such as public S3 buckets.
Why do Misconfigurations occur?
- Complexity : AWS alone offers 300+ services (as of this post), and engineering teams are hungry to try them out. A standard public cloud deployment has tens of services talking to each other, and cloud security teams face the constant challenge of keeping up with the rapid adoption of these services and managing them from a security standpoint.
- Security know-how : hosted and physical data centre deployments are well understood, and infrastructure teams have deep experience managing them. That does not always hold for public cloud. Infrastructure teams quite often go ahead with “default” configurations, or open up permissive identity (or network) access just to get a service running. We have seen this happen all the time: the engineering team gets an access-denied error, the infrastructure team grants more access, the setup works, and nobody reverts or trims the extra permissions afterwards.
- Scale : a vast variety of services, with production changes landing by the hour or the minute, leaves infrastructure and security teams with the challenge of monitoring and reviewing these changes at scale. This is where fatigue sets in and misconfigurations slip through.
Cloud Security Posture Management
Well there are ways to deal with these challenges, at scale.
Enter Cloud Security Posture Management, or CSPM.
CSPM solutions help enterprises continuously monitor their public cloud deployments for misconfigurations and other security issues that could lead to a compromise. They give DevSecOps and infrastructure teams the visibility to discover and analyse public cloud deployments, so teams can quickly pinpoint the areas that need attention, irrespective of region or cloud service provider.
A typical CSPM is an agent-less SaaS deployment that helps achieve the objectives below.
Continuous Discovery and Visibility
CSPM tools typically run scans across public cloud deployments to discover network, compute, storage, serverless and many other types of resources. Each discovered resource is recorded together with its configuration, type and security-relevant parameters. An enterprise can, at any point in time, drill into resources, their configurations and their relationships to understand dependencies and the resulting attack surface. CSPM solutions present this view across cloud providers in a single pane of glass.
Security Misconfiguration Detection
Infrastructure changes in the cloud occur rapidly. Like we’ve seen already, some of these changes can lead to exposure of sensitive data or systems.
Just like any typical hardening standard, there are security best practices that should be followed for each service. Some insights around these best practices can be found in our posts on securing S3 and AWS networking 101.
The challenge is continuously monitoring changes in the environment and flagging the moment a resource deviates from these best practices. This is where CSPM plays a crucial role.
A typical CSPM product monitors popular cloud platforms such as AWS, Google Cloud or Azure for changes and alerts when a change could adversely impact the security posture of a cloud deployment.
For instance, Cy5's Cloud Security Posture Monitoring offering scans 60+ cloud services and runs 300+ checks on a continuous basis. Customers can be alerted to security misconfigurations over email or Slack as required.
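Here is what one such check looks like when written out, using the public S3 bucket case this post keeps coming back to. This is an added example and not Cy5's code: it takes the three configuration objects that determine whether a bucket is reachable by the world (the Block Public Access settings, the bucket ACL and the bucket policy) in the same shape boto3 returns them, and reasons about how they interact rather than just looking for a single flag. The bucket names, policies and the `vpce-example` endpoint id are constructed sample data.

```python
"""Decide whether an S3 bucket is publicly reachable from its configuration.

Added example, not Cy5's code. The inputs are dicts shaped like boto3's
get_public_access_block / get_bucket_acl / get_bucket_policy responses, so live
data can be fed in the same way; everything below is constructed sample data.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(v):
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def block_public_access_complete(pab):
    """All four Block Public Access flags on: the bucket cannot be public, full stop."""
    return pab is not None and all(pab.get(f) is True for f in BPA_FLAGS)


def public_acl_grants(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups, as (group, permission)."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            out.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return out


def _principal_is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy_json):
    """Allow statements for Principal * that carry no Condition.

    A Condition (aws:SourceVpce, aws:SourceIp, ...) narrows the grant; such statements
    deserve review but are not reported as public, so the check does not fire on
    every VPC-endpoint-only bucket.
    """
    if not policy_json:
        return []
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    return [
        {"Sid": st.get("Sid"), "Action": _as_list(st.get("Action"))}
        for st in _as_list(policy.get("Statement"))
        if st.get("Effect") == "Allow"
        and _principal_is_public(st.get("Principal"))
        and not st.get("Condition")
    ]


def evaluate_bucket(name, pab, acl, policy_json):
    """Return {'bucket', 'public', 'reasons'} for one bucket."""
    if block_public_access_complete(pab):
        return {"bucket": name, "public": False, "reasons": []}
    pab, reasons = pab or {}, []
    # IgnorePublicAcls neutralises existing public ACL grants even if they are still set.
    if not pab.get("IgnorePublicAcls"):
        reasons += [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    # RestrictPublicBuckets limits a public bucket policy to principals inside the account.
    if not pab.get("RestrictPublicBuckets"):
        reasons += [
            f"policy statement {st['Sid']!r} allows {','.join(st['Action'])} to Principal *"
            for st in public_policy_statements(policy_json)
        ]
    return {"bucket": name, "public": bool(reasons), "reasons": reasons}


def _public_read_acl():
    return {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}


# Constructed sample buckets, not real ones.
SAMPLE_BUCKETS = {
    # All four BPA flags on: the stray public ACL is harmless.
    "backups-prod": {"pab": dict.fromkeys(BPA_FLAGS, True), "acl": _public_read_acl(), "policy": None},
    # No BPA at all and a READ grant to AllUsers: the classic exposed bucket.
    "legacy-assets": {"pab": None, "acl": _public_read_acl(), "policy": None},
    # No BPA and a bucket policy that lets anyone read objects.
    "data-exports": {"pab": None, "acl": {"Grants": []}, "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data-exports/*"}]})},
    # Principal * but scoped to one VPC endpoint (placeholder id): not reported as public.
    "vpc-only": {"pab": None, "acl": {"Grants": []}, "policy": json.dumps({
        "Statement": [{"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
                       "Action": "s3:GetObject", "Resource": "arn:aws:s3:::vpc-only/*",
                       "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}]})},
}


def scan(buckets=SAMPLE_BUCKETS):
    return {n: evaluate_bucket(n, c["pab"], c["acl"], c["policy"]) for n, c in buckets.items()}


if __name__ == "__main__":
    for name, f in scan().items():
        print(f"{name:15} {'PUBLIC' if f['public'] else 'ok':7} {'; '.join(f['reasons'])}")
```

The point of the four-flag short circuit is that a check which only inspects ACLs or only inspects policies will either miss a public bucket or cry wolf on one that Block Public Access has already neutralised; both are what makes teams stop trusting alerts.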
There are times where enterprises need to comply with certain regulations. For example, organisations that store or process credit card information need to comply with PCI-DSS standards, organisations that process healthcare data in the United States need to comply with HIPAA.
Proving compliance requires reviewing security implementations against the controls defined in the standard. This quickly becomes overwhelming for multi-cloud and large-scale deployments.
Cloud Security Posture Management tools ease the effort of monitoring and proving compliance by continuously checking existing security configurations and measuring them against a given compliance standard.
The screenshot below is an example of how Cy5's CSPM offering gives visibility into the compliance posture of an organisation's cloud deployment.
One can drill down into individual compliance reports to see which controls are failing, and on which types of resources.
Drift Detection and Automated Remediation
Well, we found out we have a public S3 bucket with sensitive data in it. Great! What's next?
By the time such issues are manually reviewed, escalated and fixed, adversaries may well have found the affected resources and done their damage.
Automated remediation is a key function of Cloud Security Posture Management platforms: it lets customers fix the obvious class of findings instantly, without a human in the loop. Issues such as public S3 buckets or SSH and RDP ports open to the internet should be remediated with automation, provided the automation is scoped with an allow-list for resources that are meant to be reachable (a hardened bastion host, a bucket serving a static website), so that a fix does not become an outage.
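As an added example of that remediation step (not Cy5's code, and not how their product is implemented), the block below handles the SSH/RDP case: it finds ingress rules that expose port 22 or 3389 to `0.0.0.0/0` or `::/0`, honours an exception tag so a deliberate bastion is left alone, and builds the exact `IpPermissions` payload that revokes only the world-open CIDR while leaving the office range in the same rule untouched. The security group dicts have the shape of one element of boto3's `describe_security_groups()["SecurityGroups"]`; the group ids, the `cspm:allow-public-remote-admin` tag convention and the 203.0.113.0/24 range are constructed.

```python
"""Find security group ingress rules that expose SSH/RDP to the internet and build the
exact revoke request that fixes them.

Added example, not Cy5's code. Input dicts are shaped like one element of boto3's
ec2.describe_security_groups()["SecurityGroups"]; the samples are constructed. The
returned permissions are what you would hand to
ec2.revoke_security_group_ingress(GroupId=..., IpPermissions=...).
"""

REMOTE_ADMIN_PORTS = (22, 3389)          # SSH, RDP
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
# Assumed tag convention for approved exceptions, e.g. a hardened bastion.
EXCEPTION_TAG = ("cspm:allow-public-remote-admin", "true")


def _covers(perm, port):
    """Does this ingress permission include `port`? Protocol -1 means all traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def _has_exception(sg):
    return any((t.get("Key"), str(t.get("Value")).lower()) == EXCEPTION_TAG
               for t in sg.get("Tags", []))


def find_exposed_remote_admin(sg):
    """One finding per (rule, world-open CIDR) pair that covers SSH or RDP."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        ports = [p for p in REMOTE_ADMIN_PORTS if _covers(perm, p)]
        if not ports:
            continue
        world = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
        world += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
        findings += [{"group": sg["GroupId"], "ports": ports, "cidr": c, "perm": perm} for c in world]
    return findings


def remediation_permissions(findings):
    """Revoke only the world-open CIDR. Other ranges in the same rule (the office /24,
    say) stay in place, which is why the rule is not revoked wholesale."""
    revoke = []
    for f in findings:
        p = f["perm"]
        entry = {"IpProtocol": p["IpProtocol"]}
        if p["IpProtocol"] != "-1":
            entry["FromPort"], entry["ToPort"] = p["FromPort"], p["ToPort"]
        if ":" in f["cidr"]:
            entry["Ipv6Ranges"] = [{"CidrIpv6": f["cidr"]}]
        else:
            entry["IpRanges"] = [{"CidrIp": f["cidr"]}]
        revoke.append(entry)
    return revoke


def plan(sg):
    """Return ('skip' | 'ok' | 'revoke', permissions_to_revoke) for one group."""
    if _has_exception(sg):
        return "skip", []
    findings = find_exposed_remote_admin(sg)
    return ("revoke", remediation_permissions(findings)) if findings else ("ok", [])


# Constructed sample groups (203.0.113.0/24 is a documentation-only range).
SAMPLE_GROUPS = [
    {"GroupId": "sg-app", "Tags": [], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-win", "Tags": [], "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
    ]},
    {"GroupId": "sg-bastion", "Tags": [{"Key": "cspm:allow-public-remote-admin", "Value": "true"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
]


def run(groups=SAMPLE_GROUPS):
    return {sg["GroupId"]: plan(sg) for sg in groups}


if __name__ == "__main__":
    for gid, (action, perms) in run().items():
        print(gid, action, perms)
```

Two details matter in practice: an "all traffic" rule (`IpProtocol: -1`) exposes SSH and RDP just as surely as an explicit port-22 rule, so the check must not key on port numbers alone; and the revoke payload must mirror the offending rule's protocol and port range exactly, otherwise EC2 rejects it or, worse, removes the wrong rule.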
Similarly, for highly sensitive deployments it is a good idea to ensure the approved security posture stays exactly as approved. Drift detection, a feature offered by some CSPM solutions, detects when a resource's configuration changes or deviates from an established baseline, whether or not the new state happens to violate a best-practice check.
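The block below is an added illustration of drift detection, not Cy5's code or a description of their implementation. It stores a resource's configuration as the nested dict a discovery pass would produce, fingerprints the non-volatile part so every cycle can cheaply ask "did anything change?", and on a hit reports precisely which paths were added, removed or changed against the baseline. The backup-bucket baseline, the relaxed current state and the `VOLATILE_KEYS` list are constructed for the example.

```python
"""Drift detection: diff a resource's current configuration against its approved baseline.

Added example, not Cy5's code. Configurations are the nested dicts a CSPM stores after
discovery; the baseline/current pair below is constructed.
"""
import hashlib
import json

# Fields that legitimately change on every read and must not count as drift (assumed list).
VOLATILE_KEYS = {"LastModified", "ResponseMetadata"}


def flatten(obj, prefix=""):
    """Flatten nested dicts/lists to {'Encryption.SSEAlgorithm': 'aws:kms', 'Tags[0].Key': ...}.

    Lists are compared positionally, so a reordered list shows up as drift; sort
    list-valued fields at ingestion time where ordering carries no meaning.
    """
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k not in VOLATILE_KEYS:
                out.update(flatten(v, f"{prefix}.{k}" if prefix else k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}[{i}]"))
    else:
        out[prefix] = obj
    return out


def fingerprint(config):
    """Stable hash of the non-volatile configuration: a cheap 'did anything change?'
    test to run every discovery cycle before paying for a full diff."""
    canon = json.dumps(flatten(config), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def drifted(baseline, current):
    return fingerprint(baseline) != fingerprint(current)


def detect_drift(baseline, current):
    """Return {'added': {path: new}, 'removed': {path: old}, 'changed': {path: (old, new)}}."""
    b, c = flatten(baseline), flatten(current)
    return {
        "added": {k: c[k] for k in c.keys() - b.keys()},
        "removed": {k: b[k] for k in b.keys() - c.keys()},
        "changed": {k: (b[k], c[k]) for k in b.keys() & c.keys() if b[k] != c[k]},
    }


# Constructed baseline for a backup bucket, as approved by the security team.
BASELINE = {
    "Versioning": "Enabled",
    "Encryption": {"SSEAlgorithm": "aws:kms", "KMSKeyId": "alias/backups"},
    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                          "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "Tags": [{"Key": "owner", "Value": "data-platform"}],
    "LastModified": "2024-01-01T00:00:00Z",
}
# Constructed current state: someone relaxed BPA, downgraded encryption to SSE-S3
# and enabled static website hosting. LastModified changed too, but is ignored.
CURRENT = {
    "Versioning": "Enabled",
    "Encryption": {"SSEAlgorithm": "AES256"},
    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                          "BlockPublicPolicy": False, "RestrictPublicBuckets": True},
    "Tags": [{"Key": "owner", "Value": "data-platform"}],
    "Website": {"IndexDocument": "index.html"},
    "LastModified": "2024-03-15T09:30:00Z",
}


if __name__ == "__main__":
    if drifted(BASELINE, CURRENT):
        for kind, items in detect_drift(BASELINE, CURRENT).items():
            for path, val in items.items():
                print(f"{kind:8} {path}: {val}")
```

Note that the encryption change here (KMS to SSE-S3) would pass a naive "encryption enabled?" check; drift detection catches it because the question it asks is "is this what we approved?", not "is this acceptable in general?".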
Infrastructure as Code Scanning
Examples of CSPM Checks
Here are some examples of security issues that Cloud Security Posture Monitoring systems are capable of detecting and fixing automatically:
- S3 bucket misconfiguration – poorly configured S3 buckets (public ACLs, public bucket policies, Block Public Access switched off) that could leave sensitive data exposed
- IAM issues – poorly managed IAM users, access keys or policies that could lead to initial access or privilege escalation
- Misconfigured security groups – it happens all the time! Remote access ports such as SSH (22) or RDP (3389) accidentally opened to the whole internet
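The IAM item above, and the "access denied, so open it up" pattern described under Security know-how earlier, are illustrated by the added example below. It is not Cy5's code. It runs three checks a CSPM would: it flags Allow statements that combine wildcard actions with `Resource: "*"` (grading `Action: "*"` as full admin and IAM write actions such as `iam:PassRole` as an escalation path), it flags console users without MFA, and it flags active access keys that are older than a rotation threshold or have sat idle. The "quick fix" policy beside its least-privilege replacement shows what trimming the permissions back should have looked like. Policy documents have the shape of `iam.get_policy_version()["PolicyVersion"]["Document"]`; the user records are loosely modelled on the IAM credential report; the 90/45-day thresholds, the fixed clock, the user names, policy names and `AKIA-EXAMPLE-*` key ids are all constructed.

```python
"""IAM hygiene checks of the kind a CSPM runs: over-permissive policies, console users
without MFA, and access keys that are old or idle.

Added example, not Cy5's code. Policy documents have the shape returned by
iam.get_policy_version()["PolicyVersion"]["Document"]; user records are loosely
modelled on the IAM credential report. Thresholds and all sample data are constructed.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90      # assumed organisational rotation threshold
MAX_KEY_IDLE_DAYS = 45     # assumed
# IAM write actions that let a principal grant itself (or a role it controls) more access.
IAM_ESCALATION = {"iam:*", "iam:passrole", "iam:createpolicyversion",
                  "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:putuserpolicy"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_findings(name, doc):
    """Flag Allow statements that combine wildcard actions with Resource "*".

    Only Action is inspected; NotAction statements are rarer and need separate handling.
    """
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource", [])):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if "*" in actions:
            findings.append((name, "CRITICAL", "Action * on Resource * (full admin)"))
        elif actions & IAM_ESCALATION:
            findings.append((name, "HIGH", "IAM write action on Resource * (privilege escalation path)"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((name, "MEDIUM", "service-wide wildcard action on Resource *"))
    return findings


def user_findings(user, now):
    """Console users need MFA; active keys must be rotated and actually used."""
    findings = []
    if user.get("password_enabled") and not user.get("mfa_active"):
        findings.append((user["user"], "HIGH", "console access without MFA"))
    for key in user.get("access_keys", []):
        if not key.get("active"):
            continue
        age = (now - key["created"]).days
        idle = (now - (key.get("last_used") or key["created"])).days  # never used: idle since creation
        if age > MAX_KEY_AGE_DAYS:
            findings.append((user["user"], "MEDIUM", f"access key {key['id']} is {age} days old"))
        if idle > MAX_KEY_IDLE_DAYS:
            findings.append((user["user"], "MEDIUM", f"access key {key['id']} unused for {idle} days"))
    return findings


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the constructed data


def _days_ago(days):
    return NOW - timedelta(days=days)


# Constructed policies. "deploy-quick-fix" is the "open it up until the error goes away"
# policy from the story above; "deploy-least-privilege" is what it should be trimmed to.
SAMPLE_POLICIES = {
    "deploy-quick-fix": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "deploy-least-privilege": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-artifacts/*"}]},
    "ci-passrole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"}]},
}
# Constructed users; key ids are placeholders, not real AWS key ids.
SAMPLE_USERS = [
    {"user": "alice", "password_enabled": True, "mfa_active": False, "access_keys": [
        {"id": "AKIA-EXAMPLE-ALICE", "active": True, "created": _days_ago(200), "last_used": _days_ago(2)}]},
    {"user": "bob", "password_enabled": False, "mfa_active": False, "access_keys": [
        {"id": "AKIA-EXAMPLE-BOB", "active": True, "created": _days_ago(30), "last_used": None}]},
    {"user": "carol", "password_enabled": True, "mfa_active": True, "access_keys": [
        {"id": "AKIA-EXAMPLE-CAROL", "active": True, "created": _days_ago(60), "last_used": _days_ago(50)}]},
]


def run(policies=SAMPLE_POLICIES, users=SAMPLE_USERS, now=NOW):
    out = []
    for name, doc in policies.items():
        out += policy_findings(name, doc)
    for u in users:
        out += user_findings(u, now)
    return out


if __name__ == "__main__":
    for name, sev, msg in run():
        print(f"{sev:8} {name}: {msg}")
```

The severity grading is the part worth copying: `Action: "*"` on `Resource: "*"` is AdministratorAccess under another name and deserves a page, whereas a service-wide `s3:*` on everything is bad but is the kind of thing a team can work through in a sprint. A CSPM that reports both at the same level trains people to ignore it.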
Going Beyond CSPM
The Cy5 Unified Cloud Security Platform goes beyond a typical CSPM by adding business context to resources, giving an enterprise the ability to prioritise one issue over another when dealing with security at scale. For example, issues affecting sensitive assets can be fixed before those affecting non-sensitive ones. If you are interested in giving this a try, sign up here.