Maturing Your Cloud Security Program
Here's what I see the most advanced security teams doing to be successful. The trick is to evolve faster than the business demands.
How do you transform your security program while simultaneously operating at cloud speed? If you haven't already, start by moving from reactively finding simple infrastructure misconfigurations in cloud storage, to proactively embedding security into development pipelines. Look to secure not only the cloud infrastructure, but the very code that creates it (e.g., Terraform, CloudFormation and other Infrastructure as Code tools.)
It's likely that most security teams are not at this level of maturity. However, cloud service providers (CSPs) are innovating so quickly that there isn’t much of a choice. Advancing your cloud security program requires evolving faster than the business demands. The most effective way to do this is by ensuring your team has the proper skills, processes and cloud native tools to get the job done.
The challenge for security and DevOps teams is continually maturing your cloud security program without acquiring dozens of security tools in the process.
The first wave
If we take a stroll way back to 2018, most security teams were just beginning to wake up to the notion of having to secure cloud platforms. This makes sense as many CIOs in 2018 did not have cloud-first strategies.But not having a strategy didn’t stop businesses from gorging on cloud services, i.e., shadow IT.
One of the results of this frenzy was a constant drone of news headlines about open cloud storage buckets. (Remember those? They still exist, but thankfully have greatly subsided due to a mix of CSP enhancements, security tools, and maturing cloud security programs). These headlines led security teams to focus primarily on cloud infrastructure configuration.
The first wave of security tools, dubbed Cloud Security Posture Management (or CSPM by Gartner), helped organizations mature in three foundational areas: asset management, configuration management, and compliance. While nearly all the early CSPM tools provided varying levels of visibility into these three areas, the more advanced offerings went a step further. They added critical capabilities for threat detection and response. Instead of just letting the SOC know there could be a problem in your cloud estate, these tools enriched alerts with threat intelligence and offered the ability to automatically remediate misconfigurations. Early CSPM tools were not DevOps friendly, but they did fill a critical security gap left by the CSPs.
One step forward
If CSPM was the first phase in cloud maturity, then the second involved an emphasis on the workload. The workload is where processing actually happens (in the on-prem world, we called them servers.) Put another way, this is the runtime environment where applications and data are actually processed.
In 2019, most workloads were still run on traditional VMs. However, developer interest in Docker, and containers in general, was beginning to enter its hyperscale growth phase. Security teams were suddenly challenged to secure not only VMs, but now also containers. For the most part, their CSPM tools lacked deep visibility into the workload -- whether it was a VM, container or a serverless function.
The market responded with a new class of tools commonly referred to as Cloud Workload Protection (CWP). These tools provided the needed visibility into containerized and serverless workloads, in terms of how they were configured and if there were vulnerabilities present. The challenge, however, with standalone CWP products, was that they narrowly addressed security challenges with containers and serverless. They lacked visibility into the underlying cloud infrastructure.
This lack of cloud infrastructure visibility was detrimental to security, as the majority of apps developed on containers utilized a mix of PaaS services (this is still true today.) Without showing exactly which cloud services were in use, CWP tools offered an incomplete view into the underlying cloud infrastructure. Organizations that adopted CWP found themselves looking at cloud infrastructure and the workloads as if they were two independent silos. The end result was a disjointed picture of cloud security -- and a constraint on program maturity.
Why not both?
Security teams then had two options to secure their cloud: CSPM and CWP. Good cloud security required both. The challenge quickly became reconciling the two. This demand for consolidation led to a wave of acquisitions in 2019 and 2020, which resulted in a new class of security tools referred to as Cloud Native Security Platforms (CNSP). These platforms combined CSPM and CWP giving organizations a consolidated view of their cloud risks, and the ability to further advance their program maturity.
Today, teams that have a good handle on infrastructure visibility and workload security are beginning to look at Infrastructure as Code (IaC).
These teams are asking themselves: “If the cloud infrastructure is now being built first in code, why aren’t we scanning it for security misconfigurations before they are deployed?” Threat research from Unit 42 backs up this thinking, as the researchers found over 200,000 insecure templates in use in GitHub.
From a tools perspective, some CNSP platforms offer security and DevOps teams the ability to scan these templates for security issues. These capabilities can offer the next step in your cloud program’s maturity and equate to major progress in shifting security left and empowering DevOps to build cloud infrastructure securely from the start.
The next challenge
Looking into the future, cloud programs should be focused on data security. Mature security teams should be asking two questions: Where is my sensitive data, and who has access to it?
A myriad of compliance requirements including GDPR and the California Consumer Protection Act (CCPA) drive these questions but at the heart is an attempt to better understand risk. The near-limitless capacity offered by cloud storage services has enabled organizations to collect massive amounts of data -- volumes that quickly exhaust traditional, manual processes for data classification. This had led to publicly exposed sensitive data being one of the most commonly-seen vulnerabilities across cloud environments.
Historically, the best way to address this challenge was to leverage data loss prevention (DLP) tools. While most CNSPs do not yet have DLP built-in, check with your vendor to make sure it's on their near-term roadmap. DLP is not an easy challenge to solve but having this capability is a must-have as you mature and optimize your cloud program.
The question "who has access to the data?" almost always revolves around identity and access management (IAM). IAM security has quickly become a requirement for cloud security, and for good reason. During a Red Team exercise, Unit 42 threat researchers were able to discover and leverage IAM misconfigurations to obtain admin access to a customer’s entire cloud environment -- a potentially multi-million dollar data breach in the real-world.
DevOps and security teams alike must ensure that privileged accounts and entitlements across their cloud infrastructure are consistently managed and assigned following the principle of least privilege. CNSPs that have this capability offer security teams powerful depth of visibility and control.
A great example would be a cloud storage service. A CNSP should be able to leverage what it knows about your data from DLP, and then pair that with what it knows about your cloud infrastructure to calculate the true internet exposure. The IAM capability should then provide granular insights into exactly who has access to the data and make appropriate recommendations to enforce least-privilege access.
Creating a roadmap for program maturity
Cloud Maturity Model (Image from Palo Alto Networks)
As your company's cloud use scales, it's critical to track where you are from a security maturity standpoint both in terms of tools and team capabilities. The model above can be used to assess where you are in the process, and if your security tools are helping or hindering. Security teams that want to stay ahead of business demand need to ensure they are dually investing in people and platforms that evolve faster than cloud projects.
In the age of cloud native, security teams need to take a multi-cloud approach and look for tools that offer deep functionality across not only cloud infrastructure but also multiple types of workloads, DevOps pipelines, data and IAM. Wrapping your processes and metrics around these elements are the hallmarks of a rapidly maturing cloud program.
Things to remember
Do...
Assess the people-side of cloud security. Does your team have cloud skills or do you need to upskill? Should you hire new FTEs, contractors or consultants?
Review cloud security purchases. Do these tools lend themselves to cloud optimized security as defined in the Cloud Maturity Model?
Develop metrics that track the people, process and technology side of cloud security maturity.
Don’t…
Assume the cloud you run in today will be the cloud you run on tomorrow. Be proactive for a multi-cloud future.
Lock yourself into toolsets that only work in one cloud. Think multi-cloud and simplicity.
Matthew Chiodi is Chief Security Officer, Public Cloud at Palo Alto Networks. Matt has nearly two decades of security leadership experience and is currently the Chief Security Officer of Public Cloud at Palo Alto Networks. He is a frequent blogger and speaker at industry events such as RSA. He currently leads the Unit 42 Cloud Threat team, which is an elite group of security researchers exclusively focused on public cloud concerns. He is also on faculty at IANS Research.
About the Author
You May Also Like