Better cloud security in five steps.
How confident are you in your security posture?
A new report on the “State of Cloud Security Posture Management” reveals that 97% of cloud professionals have some level of confidence in how their organization is handling their cloud security. Yet over half of them have experienced a breach in their security, and over one-third replied that they wouldn’t be surprised if their organization made the news for a major failure. This could result not only in a major loss of data and the potential for service downtime but a loss of reputation as well.
Where is the disconnect? How can you have high confidence in systems that aren’t truly secure? Cloud professionals might be overconfident in their organization’s ability to secure their cloud, but it’s hard to blame them, because when it comes to cloud security it’s easy to develop a false sense of security. Multi-cloud security is both multi-dimensional and complex, so one can feel confident across a certain dimension, like network security, but be lacking in areas like identity and access management or visibility into increasingly rapid deployments. Approaches that ignore this paradigm in favor of more traditional methods can set an organization up for disaster.
Challenges of Cloud Security
The cloud is an amazing tool for growth and innovation, but securing it needs to be approached differently than how organizations managed their on-premises data centers. With its many endpoints, rapid deployments, and frequent changes, there’s a real danger that a lack of continuous, centralized monitoring or visibility into the environment can leave organizations at risk. This is why some of the biggest challenges cloud professionals report having are managing identity and security baselines, data loss or leakage, and misconfigurations or configuration drift.
Yet cloud professionals have confidence that their systems work, and cite the following as approaches that make them confident:
- We maintain real-time monitoring of our cloud environment
- We automate as much as possible
- We have responsibilities and roles clearly assigned
If breaches are still happening, and if there are still concerns over baselines, data leakage, and misconfiguration, it likely speaks to cloud immaturity. Their monitoring might be done in real time, but maybe it covers only application metrics and they’ve got no visibility into configuration drift. Or maybe they’re using infrastructure-as-code and automation to promote secure configuration patterns, but still lack an inventory of cloud assets and any ability to validate that the resource configurations in their cloud are what they expect them to be. After all, Gartner estimated that 95% of cloud breaches, issues, and misconfiguration are due to human error.
Without a good Cloud Security Posture Management (CSPM) solution in place, it’s difficult to approach cloud security comprehensively, with all of its layers of complexity, if you’re trying to build and maintain it all on your own. CSPM tools can provide an almost instant way to automate inventory and classification of cloud resources, detect configuration drift, and monitor for compliance. This level of visibility and actionable information, provided by a fully integrated CSPM, helps companies scale their cloud footprint safely, innovate faster, and maintain a strong multi-cloud security posture.
Here are five ways to adopt a CSPM if you haven’t yet, or how to better utilize your existing CSPM to increase your overall confidence in your cloud security posture.
1. Plan First
If you haven’t yet invested in a CSPM solution, spend time identifying your business’s needs, what challenges you’ve identified with regard to cloud security, who will own the tool, and the workflow for getting security posture data to the right people in your organization. CSPM solutions will help, but not out of the box — they need to be fully integrated into your cloud operation to provide the maximum benefit.
2. Align Your Operations
Spend time identifying how to integrate CSPM into your team structure, as the technology must work hand-in-hand with the people and processes of your organization. Cloud security responsibilities are expanding out from just a dedicated security team to CloudOps and DevSecOps teams, who need to collaborate on finding, remediating, and preventing risky misconfigurations and other cloud vulnerabilities.
3. Define Standards and Baselines
Because managing baselines and configuration drift are major concerns, identify industry standards (such as CIS or NIST CSF) and company standards to help define that baseline, so you immediately have a starting point. But to really understand where configuration drift is happening, you need visibility into all of your cloud resources and how they’re actually configured. From there you can detect how they’re changing, whether a change is a problem, and if it is, determine the appropriate remediation. This is how you find the riskiest changes before they become problems, and CSPMs will help you do that.
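The baseline-then-drift workflow described in step 3 can be sketched in a few lines. This is an added example, not part of the original article or any CSPM product: the resource names, settings, and baseline rules are constructed stand-ins for what an organization would derive from CIS, NIST CSF, or company policy.

```python
# Constructed baseline: settings that must hold per resource type (hypothetical rules).
BASELINE = {
    "storage_bucket": {"public_access": False, "encryption": True},
    "security_group": {"ssh_open_to_world": False},
}
# Two constructed inventory snapshots keyed by resource id.
YESTERDAY = {
    "bucket-logs": {"type": "storage_bucket", "public_access": False,
                    "encryption": True, "versioning": True},
    "sg-web": {"type": "security_group", "ssh_open_to_world": False, "owner": "team-a"},
}
TODAY = {
    "bucket-logs": {"type": "storage_bucket", "public_access": True,
                    "encryption": True, "versioning": False},
    "sg-web": {"type": "security_group", "ssh_open_to_world": False, "owner": "team-b"},
    "bucket-tmp": {"type": "storage_bucket", "public_access": False, "encryption": False},
}

def violations(config):
    """Return the baseline settings this resource currently fails to meet."""
    required = BASELINE.get(config["type"], {})
    return sorted(k for k, want in required.items() if config.get(k) != want)

def detect_drift(previous, current):
    """Report every changed resource and whether its new state breaks the baseline."""
    findings = []
    for rid, cfg in sorted(current.items()):
        old = previous.get(rid)
        if old is None:
            changed = ["<new resource>"]  # appeared outside the known inventory
        else:
            changed = sorted(k for k in set(old) | set(cfg) if old.get(k) != cfg.get(k))
        if not changed:
            continue
        broken = violations(cfg)
        findings.append({"resource": rid, "changed": changed, "violates": broken,
                         "severity": "remediate" if broken else "review"})
    for rid in sorted(set(previous) - set(current)):
        findings.append({"resource": rid, "changed": ["<deleted>"],
                         "violates": [], "severity": "review"})
    return findings

if __name__ == "__main__":
    for finding in detect_drift(YESTERDAY, TODAY):
        print(finding)
```

Separating "what changed" from "does the new state violate the baseline" is what lets a team prioritize: the ownership change on `sg-web` is only flagged for review, while the newly public bucket and the unencrypted new bucket are flagged for remediation.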
4. Leverage CSPM Providers
Leverage the deep visibility capabilities of CSPMs to better understand your cloud today and as your cloud strategy evolves. A good CSPM will support all major public clouds and provide high-fidelity discovery and inventory of resource types. This can help your team learn about new services and how they can be configured, and secured, early on in adoption and not when the service becomes mission critical.
5. Grow Operational Excellence
Create an internal Cloud Center of Excellence so you can continue to scale your cloud security with your organization, and make training and education a priority going forward. CSPMs will go a long way in helping less experienced teams make immediate leaps when it comes to cloud security. But unless those teams are adequately trained, and constantly evolving their education as the cloud evolves, they’ll be far less effective at protecting their organization and won’t scale as quickly or as successfully. This is key because CSPM tools and offerings are only going to increase in adoption, due to the increase in cloud-based tools launched during the COVID-19 pandemic, according to a report on “Cloud Security Posture Management Market.”
Mistakes that Cause Overconfidence
Organizations need to be proactive about fully understanding cloud security and how it requires a different mindset from traditional data center security. Cloud security overconfidence too often stems from unintentional ignorance. Here are the mistakes that most contribute to this risky overconfidence.
Doing it themselves: Sometimes, manual monitoring provides a false sense of security. For example, it’s understandable to assume a CI/CD pipeline with security checks built in means that everything that gets deployed will be error-free. It’s also understandable that organizations would want to rely on manual or legacy tools long used in their on-premises environments to monitor their cloud. In fact, according to a new report by the Cloud Security Alliance, one-third of organizations still manage their cloud security manually. But continuous monitoring of all parts of a cloud environment is too complex a task to do by hand: teams trying to do it manually will nearly always leave gaps, and relying on user perfection is always too risky.
Not choosing the right CSPM: As mentioned above, organizations should first identify the problems they’re trying to solve, and be sure the CSPM solution solves those problems. But organizations sometimes jump to purchasing a CSPM too quickly, only to find that it doesn’t support an adequate number of cloud resource types, lacks the out-of-the-box compliance checks they want, or is difficult to onboard.
Only training a few people: Cloud security shouldn’t be siloed to one team, but should be on the minds of everyone who touches or deploys to the cloud. Yet teams often onboard just a few dedicated people to manage all of cloud security, not realizing it needs to be a comprehensive and collective effort.
Increasing Confidence the Right Way
There’s no question that cloud professionals should be confident in their cloud security posture. But too often teams think they can handle cloud security themselves, that security belongs to one team, or that simply buying any CSPM will take care of it without having to put solid operational infrastructure in place around it. By thinking through an approach, identifying needs, and implementing a plan that scales combined with a CSPM solution that provides deep visibility, intelligence, and control, teams can create true confidence in their cloud security.