Cloud security: an inconvenient truth about IT transformation

One of the main reasons for poor cloud security hygiene is a lack of skills, which leads to a plethora of issues such as data leakage and exposed containers. In fact, a recent study by Unit42 found that 40,000+ container systems were operating under default, insecure configurations and that 61% of organizations used unsecured TLSv1.1 or older protocols in the first half of 2019 alone.
Despite cloud service providers' (CSPs') efforts to bolster their native security assessment tools, in IaaS companies remain accountable for everything from the OS level up to the application. With 72% of organizations moving to a hybrid or multi-cloud infrastructure, it is a huge challenge to get visibility into the data and assets moving and sitting across multiple cloud service providers, and to streamline the security controls in a single pane of glass when each provider comes with a different set of controls and tools. While CSPs have been making progress on surfacing misconfigurations, they have not yet completely implemented their own CIS benchmarks in their consoles. Misconfiguration is the single biggest bugbear in cloud security: Gartner predicts that through 2023, 99% of cloud security failures will be the customer's fault. And being in the cloud does not protect you from unpatched systems and insecure applications if you have not configured them correctly.
The business case for an independent cloud security solution to assess and homogenize multi-cloud security controls is loud and clear under these circumstances. Security teams need to understand the core requirements for protecting cloud workloads and ensure that correct configurations are maintained through continuous assessment. In a nutshell, IaaS security consists of two key elements, using Gartner's terminology:
Cloud security posture management (CSPM) - at the top, a control plane to continually assess your identity and access management (IAM) policies, network, storage configurations and admin access to check for improper settings.
Cloud workload protection platform (CWPP) - supported by a data plane with vulnerability management, firewall, anti-malware scanning, application controls and monitoring for your workload.
To match the pace of DevOps and the increasingly complex cloud environment, busy security teams should ensure they consider the following aspects when choosing a cloud security scanning tool:
- Auto-discovery of networks and servers through cloud APIs, to gain visibility into the changing perimeter
- Cloud security compliance checks: scanning against cloud security best practices such as the CIS AWS/Azure/Docker/Kubernetes benchmarks for misconfigurations that could lead to data exposure
- An integrated or built-in vulnerability scanner: remember to uphold your part of the 'shared responsibility' model
- Application and container assessment: as DevOps adoption continues to grow, the need to shift left and secure the SDLC is gaining pace
- Homogenized security controls across public, hybrid and private cloud environments in a single console, for efficiency; the native security features offered by the major cloud service providers are not enough
Or, even better, consolidate the security checks of your full technology stack under one roof, across the network, the application layer and the cloud infrastructure.
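As an added illustration of the CSPM-style compliance checks the list above describes (this is example code, not from the original post or any vendor's product), the following Python script evaluates a constructed cloud inventory against a few CIS-benchmark-style rules: admin ports open to the world, public storage, a minimum TLS version below 1.2, and containers left on default privileged settings. The resource types and field names are assumed rather than taken from any real provider API.

```python
import ipaddress

# Constructed sample inventory (not real infrastructure); field names are assumed.
INVENTORY = [
    {"id": "sg-mgmt", "type": "security_group",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "10.0.0.0/8"}]},
    {"id": "sg-ok", "type": "security_group", "ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
    {"id": "bucket-logs", "type": "storage_bucket", "public_access": True},
    {"id": "lb-web", "type": "load_balancer", "min_tls": "TLSv1.1"},
    {"id": "api-pod", "type": "container", "privileged": True, "run_as_root": True},
]

ADMIN_PORTS = {22, 3389}                              # SSH and RDP
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}  # anything below TLSv1.2

def check_security_group(res):
    """Flag admin ports reachable from any source address (a /0 prefix)."""
    for rule in res.get("ingress", []):
        if rule["port"] in ADMIN_PORTS and ipaddress.ip_network(rule["cidr"]).prefixlen == 0:
            yield f"port {rule['port']} open to {rule['cidr']}"

def check_storage_bucket(res):
    """Flag buckets whose public access setting is enabled."""
    if res.get("public_access"):
        yield "public access enabled"

def check_load_balancer(res):
    """Flag listeners whose minimum protocol version is TLSv1.1 or older."""
    if res.get("min_tls") in WEAK_TLS:
        yield f"minimum TLS version {res['min_tls']} is below TLSv1.2"

def check_container(res):
    """Flag containers left on default, insecure runtime settings."""
    if res.get("privileged"):
        yield "runs privileged"
    if res.get("run_as_root"):
        yield "runs as root"

CHECKS = {"security_group": check_security_group, "storage_bucket": check_storage_bucket,
          "load_balancer": check_load_balancer, "container": check_container}

def assess(inventory):
    """Run every applicable check; return (resource id, finding) pairs."""
    return [(res["id"], msg) for res in inventory
            for msg in CHECKS.get(res["type"], lambda r: ())(res)]

if __name__ == "__main__":
    for rid, msg in assess(INVENTORY):
        print(f"FAIL {rid}: {msg}")
```

In a real deployment the inventory would be populated from the providers' APIs (the auto-discovery step above) and re-evaluated continuously, with each finding mapped to the benchmark item it violates.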
Ready to identify your cloud risk?
Watch our webinar, in which we discuss common cloud security misconceptions and guide you through your journey from 'lift and shift' to multi-cloud.