Cloud security is complex and distributed. Implementing security controls across on-premise environments traditionally sits with the information security team, but in the cloud, the responsibility could be distributed across developers, DevOps and InfoSec teams. DevOps and developers don’t primarily focus on security, and the impact is often seen as an increase in misconfigurations introducing the risk of breaches.
These security challenges in the cloud have become so prevalent that Gartner has defined cloud security posture management (CSPM) as a new category of security products designed to identify misconfiguration issues and risks in the cloud. CSPM tools today are relied on to provide visibility and compliance into the cloud infrastructure but still haven’t been able to address this issue at scale for InfoSec teams. These teams require solutions that can provide risk-based prioritized remediations in an automated way to handle the cloud scale and complexity. To determine which issues to remediate first, the InfoSec teams need to identify critical resources with unintended and accidental exposure to the internet and other untrusted parts of their cloud.
Calculating Exposure Considering All Security Controls
Whether they are on-prem or in the cloud, security professionals worry about getting breached. One recent report said 69% of organizations admit they had experienced at least one cyber-attack that started by exploiting an unknown or unmanaged internet-facing asset. Bad actors can now simply scan the perimeter of your cloud, look for exposed things and get into your network this way.
Cloud security providers (CSPs) like Amazon Web Service and Microsoft Azure have attempted to solve security by developing their own sets of controls, ranging from implementing security groups and network access control lists (NACLs) to developing their own native network firewalls.
Cloud-first companies often rely on these native tools from the CSPs, but for others who aren’t as far along on their cloud journey, making the transition from traditional on-prem to cloud workloads means pulling along their network security practitioners with them. These teams, who often aren’t cloud experts, are responding by deploying third-party firewalls and load balancers in the cloud due to their longstanding familiarity with them from the on-prem world.
Furthermore, the rise of application containerization with Kubernetes (and its corresponding flavors from AWS, Azure and Google Cloud) allows additional security controls such as pod security policies and ingress controllers.
These security controls are invaluable tools for security teams scrambling to secure their sprawling cloud environments and some under the control of development and DevOps teams. Still, they are largely unaccounted for by current CSPM tools when attempting to assess unintended exposure risk.
Current CSPM Solutions Don’t Accurately Calculate Access
Existing solutions look for misconfigurations at the compute or container level but don’t truly understand end-to-end access from critical resources to an untrusted network. They are essentially calling into the APIs of CSPs, and so if the setting in AWS for a particular subnet equals “public,” the tool believes there is exposure to the internet. That’s not necessarily true because a security team may have other controls in place, like a 3rd party firewall or Kubernetes security policy that successfully prevents access, or the security control is not in the path to the critical resources and not protecting them.
The result is that already short-staffed security teams are spending their days chasing security issues that do not impact the organization the most. The question to ask of today’s CSPM products is whether they are repeating data from CSPs based on their settings or accurately calculating effective reachability to their critical resources (and through which specific controls). Security teams need accurate and complete information to inform their remediation options, which can identify CSP-native security groups to specific ports and protocols controlling the access that may allow exposure to occur.
Increasing cloud complexity is making security as challenging as ever. The ability to quickly identify at-risk resources would go a long way in preventing many potential data breaches. Still, the approach that current tools take is incomplete and disregards much of what security teams are already doing to address the problem. Tools need to account for all security controls in place if security teams are to have truly accurate information on which to act.