Many companies host their systems and services in the cloud believing it’s more efficient to build and operate at scale. And while this may be true, the primary concern of security teams is whether this building of applications and management of systems is being done with security in mind.
The cloud makes it easy to adopt new technologies and services because it is programmable and API driven. But it differs from a traditional data centre (DC) in both size and complexity, and it is built on entirely different technologies. This is why dedicated Cloud Security Posture Management should be a priority for any business operating primarily in the cloud.
Common Cloud Security Mistakes
There are several aspects of cloud security that are often overlooked that could lead to vulnerabilities. These include:
- Misconfigurations that result in unhardened systems.
- Insecure APIs, whether exposed to query injection or simply written with weak code. Without a monitoring setup, these are difficult to detect.
- Exposed services, which usually arise because the basic security architecture has been left out of systems that are open to the public. Examples include missing firewalls or ACLs, open file shares and S3 buckets, or a lack of data listeners.
- Not implementing basic controls such as Multi-Factor Authentication (MFA), firewalls, IPS, WAF, or VPN. The risk is especially high when connecting on-premises systems to the cloud, and the correct security structures need to be in place.
- Missing or unused logging and monitoring controls. Many such controls exist, they are fairly easy to set up, and they are an important part of logging unusual activity and alerting on it.
How does CSPM help to improve security?
Cloud Security Posture Management (CSPM) analyses cloud infrastructure, including configurations, management and workloads, and monitors for potential issues in the configuration of scripts, build processes, and overall cloud management. Specifically, it helps address the following security issues:
- Identify Misconfigurations
CSPM helps to identify misconfigurations that go against compliance. For example, if the company has a policy that says you shouldn’t have an open S3 bucket, but an administrator configures an S3 bucket without the correct security in place, CSPM can identify and alert that this vulnerability exists.
- Remediate Violations
If the CSPM is set up to monitor and protect, it can not only identify misconfigurations but also roll them back to close the vulnerability. In the process it keeps an audit log showing the root cause of the non-compliance and how it was remediated.
- Compare to Industry Standards
Knowing what’s happening in the broader industry helps to identify vulnerabilities and alert on changes that need to be made. This helps with compliance and also ensures that security teams don’t overlook vulnerabilities because they aren’t aware of them.
- Continuous Monitoring
Conducting scans and audits to ensure compliance is good practice, but the reality is that security in the cloud is constantly evolving. No company can ever be sure it is 100% safe from a breach just because it has completed an audit. Continuous monitoring is necessary to keep ahead of threats and ensure that you can quickly identify any vulnerabilities.
CSPM at work
One of the common uses of CSPM is to identify a lack of encryption at rest or in transit. HTTP is often left as the default and never updated when it should be. If this isn’t identified it can create a major problem further down the line.
In the cloud, improper key management can create vulnerabilities. One mitigation is to rotate keys regularly, and if a key does leak, CSPM can automatically take it out of rotation.
Companies frequently ask for an audit of all account permissions, and this often reveals that some users have permissions and access they shouldn’t. This can be an oversight when roles are assigned, or happen when, for example, a developer asks for access to a specific project but those permissions are never pulled back once the project has been completed.
Ensuring that MFA is activated on critical accounts is important and CSPM can run an audit to ensure that security protocols such as MFA are being implemented. The same applies to misconfigurations and data storage that is exposed to the internet. Having a way to continually monitor and dig into what is happening in cloud systems and alert on non-compliance can significantly improve a company’s security posture.
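The checks described in this section (an open S3 bucket, missing encryption at rest and in transit, a privileged account without MFA) and the remediate-with-audit-log behaviour described earlier, written as a small policy engine over a constructed inventory. This is an added example, not code from the original post or from any CSPM vendor; the inventory fields and policy names are assumptions, and a real CSPM would pull this data from the cloud provider's APIs.

```python
# Added example (not from the original post): a minimal CSPM-style policy
# engine run over a constructed, offline inventory. The inventory shape and
# policy names are assumptions; a real CSPM reads them from provider APIs.
from collections import namedtuple
Finding = namedtuple("Finding", "resource policy severity remediation")

# Constructed sample inventory (not real accounts, buckets or users).
INVENTORY = {
    "s3_buckets": [
        {"name": "app-logs", "public_acl": False, "encryption": "AES256"},
        {"name": "marketing-assets", "public_acl": True, "encryption": None},
    ],
    "load_balancers": [
        {"name": "web-lb", "listeners": ["HTTPS:443"]},
        {"name": "legacy-lb", "listeners": ["HTTP:80"]},
    ],
    "iam_users": [
        {"name": "alice", "admin": True, "mfa_enabled": True},
        {"name": "bob", "admin": True, "mfa_enabled": False},
    ],
}

def check_s3(buckets):  # exposed storage and encryption at rest
    for b in buckets:
        if b["public_acl"]:
            yield Finding(b["name"], "s3-public-acl", "high", "block public access")
        if not b["encryption"]:
            yield Finding(b["name"], "s3-no-sse", "medium", "enable default encryption")

def check_transport(lbs):  # encryption in transit: plaintext HTTP listeners
    for lb in lbs:
        if any(l.startswith("HTTP:") for l in lb["listeners"]):
            yield Finding(lb["name"], "tls-in-transit", "high", "switch listener to HTTPS")

def check_mfa(users):  # MFA required on privileged accounts only
    for u in users:
        if u["admin"] and not u["mfa_enabled"]:
            yield Finding(u["name"], "admin-mfa", "high", "enforce MFA on the account")

def evaluate(inv):  # run every policy and collect the findings
    return [*check_s3(inv["s3_buckets"]), *check_transport(inv["load_balancers"]),
            *check_mfa(inv["iam_users"])]

def remediate_public_buckets(inv):  # auto-fix one policy and keep an audit log
    log = []
    for b in inv["s3_buckets"]:
        if b["public_acl"]:
            b["public_acl"] = False
            log.append(f"{b['name']}: public ACL removed (s3-public-acl)")
    return log
```

Only the public-ACL policy is auto-remediated here, because the other findings (adding encryption, changing listeners, enrolling MFA) need a human decision; the returned log is the record of what changed and why.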
Advanced CSPM tools go beyond this by showing how an incident was detected, where it was identified, and how to fix it, along with an explanation of why it should be fixed.
There are multiple vendors offering a range of services, and it is worth not tying all systems to a single vendor: if that vendor has unknown vulnerabilities, they can impact your company’s security. With multiple vendors monitoring, such issues are more likely to be picked up, which reduces risk exposure.
To hear a more detailed discussion on the topic of CSPM, tune into the podcast with Aaron Howell, a managing consultant on the MAI team with over 15 years of focus on IT security. Link: https://www.youtube.com/watch?v=9XNdB4zDMjg