Tag Archive for: RedSeal Cloud

Accidental Cloud Exposure – A Real Challenge

/by

The recent disclosure that Toyota left customer data accidentally exposed for a decade is pretty startling, but can serve as a wake up call about how cloud problems can hide in plain sight.

It’s not news that humans make mistakes – security has always been bedeviled by users and the often foolish choices that they make. Administrators are human too, of course, and so mistakes creep in to our networks and applications. This too is a perennial problem. What’s different in the cloud is the way such problems are hard to see, and easy to live with until something bad happens. Cloud isn’t just “someone else’s computer”, as the old joke goes – it’s also all virtual infrastructure. If you’ve never seen how cloud infrastructure is really built and managed, you may not realize how inscrutable it all is – think of it like a computer in an old movie from the 1970’s, all blinking lights and switches on the outside, but no way to see what is really happening inside. These days, we are used to visual computers and colorful phones, where we can see what we are doing. Cloud infrastructure is not like that – or at least, is not if you just use the standard management interfaces that are frustrating, opaque, and vendor specific. Are there ways you can escape the lock-in to your specific cloud vendor? Sure – inventions like Kubernetes free you up, but the price is even worse visibility as you drive everything through shell scripts, CLI commands, and terminals. The 1970’s computer has moved up to the 1980’s green screen, but it’s a far cry from anything visual.

I don’t mean to just pick nits with the old-world interfaces of cloud – this isn’t a debate about style, it’s a problem with real world consequences, especially for security. You can’t see through a storm cloud in the sky, and similarly, you really can’t see what’s going on inside most cloud applications today, let alone ensure that everything is configured correctly. Sure, there are compliance checkers that can see how individual settings are configured, but trusting these is like saying a piece of music is enjoyable because every note was tuned exactly – that rather misses the big picture of what makes music good, or what makes a cloud application secure.

This is why you need to be able to separate security checking from the CI/CD pipelines used to set up and run cloud infrastructure. The much-hyped idea of DevSecOps has proven to be a myth – embedding security into DevOps teams is no more successful than embedding journalists with platoons of soldiers. The two tribes don’t see the world the same way, don’t have the same objectives, and largely just frustrate each other’s goals.

Central security has to be able to build the big picture, and needs to check the ultimate result of what the organization has set up. Ideas like “shift left” are good, but do not cover the whole picture, as the Toyota exposure makes clear. Every detail of the apps was working, and was quite likely passing all kinds of rigorous low level checks. But just like checking whether each note is tuned correctly, while not listening to the piece as a whole, Toyota lost track of the big picture, with all the embarrassment that goes with admitting a ten year pattern of unintended exposure.

Solving this is the motivating mission at RedSeal. We know what it takes to build a big picture view, and then assess exposure at a higher level, rather than getting stuck in implementation details. It’s the only way to make sure the song plays well, or the application is built out sensibly. This is why we build everything starting from a map – you can’t secure what you can’t see. This map is complete, end-to-end, covering what you have in the cloud and what you keep on your premises. We can then visually overlay exposure, so you get an immediate, clear picture of whether you have left open access to things that surprise you. We can give you detailed, hop-by-hop explanation of how that exposure works, so that even people who are not cloud gurus can understand what has been left open. We can then prioritize vulnerabilities based on this exposure, and on lateral movement. And finally, we can boil it all up into a score that senior management can appreciate and track, without getting lost in the details. As Toyota found to their cost, there are an awful lot of details, and it’s all too easy to lose the big picture.

What Is Cloud-Native Application Protection Platform (CNAPP), An Extension of CSPM

/by

Modern businesses are increasingly storing data in the cloud and for a good reason — to increase agility and cut costs.

But as more data and applications migrate to the cloud, the risk of data and systems being exposed increases. Conventional methods for addressing security aren’t equipped to manage containers and server-less environments. Therefore, gaps, silos, and overall security complexity increase.

This is where Cloud-Native Application Protection Platform (CNAPP), an extension of Cloud Security Posture Management (CSPM), excels. This new cloud platform combines the features of CSPM, Cloud Infrastructure Entitlement Management (CIEM), Cloud Workload Protection Platforms (CWPPs), CI/CD security, and other capabilities into a unified, end-to-end encrypted solution to secure cloud-native applications across the full application lifecycle.

Where CNAPP/CSPM Vendors Fall Short

It’s important to point out that many CNAPP vendors focus on providing security measures, such as CIS compliance checks or a basic “connectivity” view and segmentation to protect an organization’s applications and infrastructure in the cloud. These measures help prevent malicious actors from gaining unauthorized access to an organization’s resources, but they don’t necessarily provide visibility into potential exposures that may exist in an application’s design or configuration, thus providing a false sense of security.

Most vendors can correlate resources to compliance or identity violations, but the network context of these solutions is often limited, leading to a lack of visibility into the hidden attack surface. This results in insights that are often irrelevant and unactionable, causing security teams to chase false positives or negatives and reducing their overall effectiveness. Additionally, the shortcomings of these solutions can cause DevOps teams to lose trust in the security measures in place, hindering their confidence in the infrastructure.

The most critical gap is CNAPP vendors lack the ability to calculate net effective reachability, which determines the network’s overall connectivity, including identification of potential points of failure or bottlenecks. In simple terms, they cannot accurately determine if their critical resources are exposed to the Internet. Without this information, security teams will be unable to identify the main cause of a problem or effectively prioritize potential threats. The result is inefficiencies and delays in the security response process, leaving the company vulnerable to attacks and flag false positives/negatives to the DevOps teams.

To identify exposures, organizations need to conduct assessments that look for end-to-end access from the internet that drive up risks to the organization from malicious activities such as insufficient authentication or authorization, unvalidated input/output, SQL injection, cross-site scripting (XSS), insecure file uploads, and more.

What Is CNAPP?

CSPM is an automated set of security tools designed to identify security issues and compliance risks in cloud infrastructure.

CNAPPs consolidate the capabilities and functionalities offered by CSPM and CWPPs, providing centralized access to workload and configuration security capabilities. They help teams build, deploy, and run secure cloud-based apps in today’s heavily dynamic public cloud environments.

A CNAPP solution comes with a single control panel with extensive security features such as automation, security orchestration, identity entitlement management, and API identification and protection. In most cases, these capabilities are used to secure Kubernetes workloads.

How Does CNAPP Work?

CNAPP uses a set of technologies, such as runtime protection, network segmentation, and behavioral analytics, to secure cloud-native applications and services. CNAPP provides a holistic view of the security of cloud applications by monitoring and implementing security protocols across the entire cloud application profile.

CNAPP works by identifying the different components that exist in a cloud-native application, such as containers and microservices, and then applying security controls to every component. To do this, it uses runtime protection to monitor the behavior of the application and its components in real time. It leverages methods such as instrumentation to identify vulnerabilities in the application.

Also, CNAPP uses network segmentation to separate different parts of the application and reduce communication between them, thus reducing the attack surface. In addition, CNAPP includes features such as incident response and compliance management to help businesses respond quickly to security incidents, as well as ensure that apps and services comply with industry standards and regulations.

Why Is CNAPP Important?

Cloud-native application environments are quite complex. Teams have to deal with app workloads that continuously move between the cloud, both private and public, with the help of various open-source and custom-developed code. These codes keep on changing as release cycles increase, with more features being rolled into production and old code is replaced with new.

To deal with the challenges of ensuring the security of highly dynamic environments, IT teams often have to put together multiple types of cloud security tools. The problem is that these tools offer a siloed, limited view of the app risk, increasing the company’s exposure to threats. DevSecOps teams often find themselves having a hard time manually interpreting information from multiple, disjointed solutions and responding quickly to them.

CNAPPs help address these challenges by combining the capabilities of different security tools into one platform to provide end-to-end cloud-native protection, allowing security teams to take a holistic approach to mitigate risk and maintain security and compliance posture.

CNAPP with RedSeal

The challenge most enterprises face is that they cannot get clear visibility of their entire network. Most networks are hybrid, with both public and private cloud environments, along with a physical network framework. This provides siloed visibility, which raises security risks.

When CSPM, CWPPs, CIEM, and CI/CD security work together, companies can quickly get a glimpse of what is happening on their network, allowing IT teams to take immediate action.

RedSeal Cloud, a CNAPP solution, provides organizations with a view of their entire cloud framework to identify where key resources are located and a complete analysis of the system to identify where it’s exposed to attacks. RedSeal maps every path and checkpoint, and calculates the net effective reachability of all aspects of your cloud, enabling you to quickly pinpoint areas that require immediate action. Furthermore, it avoids false positives and negatives, and supports complex deployments with different cloud gateway and third-party firewall vendors.

The Right CNAPP Tool for Reliable Cloud Security Management

Ensuring the security of assets in the cloud has never been more important.

Companies can leverage CNAPP capabilities to secure and protect cloud-based applications, from deployment to integration, including regular maintenance and eventual end-of-life. That said, CNAPP solutions are not one-size-fits-all options but rather a combination of different vendor specialties under a single platform, proving single-pane-of-glass visibility to users.

Companies wanting to adopt CNAPPs should focus on how vendors interpret the underlying cloud networking infrastructure, the per-hop policies at every security policy point, including third-party devices, to identify any unintended exposure, and how the solution interacts with other services, both on-premises and in the cloud.

In summary, every company should ask potential CNAPP vendors:

  • How do they uncover all attack paths to their critical resources and expose the hidden attack surface?
  • How do they calculate the net effective reachability to the critical resources on those paths?

RedSeal’s CNAPP solution, RedSeal Cloud, lets security teams know if critical cloud resources are exposed to risks, get a complete visualization of their cloud infrastructure, and obtain detailed reports about CIS compliance violations.

Want to know how you can stop unexpected exposure and bring all your cloud infrastructure into a single comprehensive visualization? Book a demo with our team to get started!