How to secure your cloud services with CSPM
The big cloud security challenge
Cloud security data breaches are becoming commonplace, with cloud misconfigurations the #1 culprit, costing companies worldwide an estimated $5 trillion in 2018 and 2019. Cloud was the right choice for businesses looking to expand their infrastructure to keep pace with DevOps demands and to embrace new technology to support remote working; however, was security somewhat overlooked? This hurried approach has brought significant security issues affecting every sector, from Capital One (Financial Services), Pfizer (Healthcare) and Prestige (Hospitality) to Twilio (Software) and Virgin Media (Telecoms). With cloud misconfigurations rising by 80% (techrepublic.com) and being used by hackers as a launchpad for malware distribution, it’s becoming even more dangerous for companies rushing into cloud adoption since the pandemic.
Misconfigurations can happen due to a variety of security missteps, typically human error (Gartner reports that 99% of cloud security failures come from the user), caused by under-skilled staff and shadow IT when embracing new technologies outside the parameters of traditional security models and network security controls. Another area where security falls short is the lack of data and asset visibility that comes with an unparalleled speed of change, scale and scope, making it difficult to govern and monitor without automation. Not to mention, cloud is accessible to far more people within and outside your organization, increasing your cloud security risks, from misconfigured storage to publicly exposed databases. Imagine cloud infrastructure as a road system and cloud configurations as the traffic lights controlling the flow of traffic (data): if they are misconfigured, the result is dangerous and leads to accidents.
McAfee released a list of misconfiguration hotspots affecting Amazon Web Services (AWS) in its "Cloud Native: The Infrastructure-as-a-Service (IaaS) Adoption and Risk Report":
- EBS data encryption is not turned on
- Unrestricted outbound access
- Access to resources is not provisioned using IAM roles
- EC2 security group port is misconfigured
- Publicly exposed cloud resources
- EC2 security group inbound access is misconfigured
- Unencrypted AMI is discovered
- Unused security groups are discovered
- VPC Flow logs are disabled.
A cloud breach like this doesn’t require a skilled hacker. Cloud misconfigurations are easy to scout with automation and provide the perfect inroad into an enterprise’s cloud. While cloud security has long been considered a major challenge for modern enterprises, problems such as misconfigured storage buckets and overly permissive policies come from mistakes made by none other than the IT team or business units who set up the cloud infrastructure, so the responsibility ultimately lies with the organization.
No shared responsibility
The main area to understand is shared responsibility in the cloud. Many organizations mistakenly think the cloud host is responsible for security, which is a big security risk and could end up costing you by allowing cybercriminals an easy foothold into your critical cloud data. It is essential to understand that you must secure what you put in the cloud and build a robust defense around your assets within an IaaS environment. Knowing where the cloud service provider’s (CSP’s) responsibility ends and where yours begins means you can’t rely on them to flag security misconfigurations for you.
Common scenarios to be aware of:
- Infrastructure-as-a-Service (IaaS) security: IaaS is becoming the new ‘shadow IT’ as enterprises use multiple cloud providers, and security incidents are more likely to go under the radar if they don’t know where all their infrastructure and data lives. In the rush towards IaaS adoption, many organizations overlook the cloud shared responsibility model and assume that security is taken care of by the cloud service provider; the important word here is ‘shared’. Think of it this way: the cloud service provider supplies the house in which you store your valuables, but it’s your responsibility to put locks and alarms on the doors to protect the contents. Hackers will look for misconfigurations in IaaS to escalate their privileges and access data using native functions of the cloud instead of launching sophisticated malware attacks, because you’ve made it easy for them by leaving it open.
- Cloud DevOps security: In the DevOps model, your daily operations are dictated by your deployment cycle. However, when developers aren’t aligned with security standards, or you don’t have automated configuration checks and security controls built into the CI/CD pipeline, the misconfiguration problem can multiply through your development cycle or reach your clients and stakeholders if it goes undetected. The velocity of cloud deployments means that misconfigurations are introduced, removed, or resolved on a constant basis. With automation and DevOps teams practicing agile cycles, misconfigurations are unfortunately automated along with everything else and become part and parcel of delivery unless CSPM security controls are implemented.
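As an added illustration of both the McAfee misconfiguration list above and the automated configuration check in the CI/CD pipeline just described (example code written for this article, not Outpost24’s product or the McAfee report’s own tooling), the following Python runs a set of posture rules over a constructed snapshot shaped like simplified AWS describe-* output and returns a pass/fail exit status a pipeline step could use. Field names such as `IpPermissions`, `IpRanges` and `IamInstanceProfile` follow the AWS API; the rule ids, severities and the `FlowLogsEnabled` flag are assumptions of this example, not CIS benchmark identifiers.

```python
"""CSPM-style posture checks over a constructed AWS configuration snapshot.
Added example; rule names/severities are this example's own labels."""
import json
import sys
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    severity: str
    detail: str


# Constructed sample snapshot; not data from any real account.
SNAPSHOT = {
    "ebs_volumes": [{"VolumeId": "vol-0aaa", "Encrypted": True},
                    {"VolumeId": "vol-0bbb", "Encrypted": False}],
    "security_groups": [
        {"GroupId": "sg-0web",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
         "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0db",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                           {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                            "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
         "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0old", "IpPermissions": [], "IpPermissionsEgress": []},
    ],
    "instances": [{"InstanceId": "i-0web", "SecurityGroups": ["sg-0web"], "IamInstanceProfile": "web-role"},
                  {"InstanceId": "i-0db", "SecurityGroups": ["sg-0db"], "IamInstanceProfile": None}],
    # FlowLogsEnabled is an assumed, pre-joined flag (AWS reports flow logs separately).
    "vpcs": [{"VpcId": "vpc-0main", "FlowLogsEnabled": True},
             {"VpcId": "vpc-0test", "FlowLogsEnabled": False}],
}

ADMIN_PORTS = {22, 3389}   # SSH and RDP: never expose to the world
WEB_PORTS = {80, 443}      # public web listeners are expected to be world-reachable


def _world_open(perm):
    """True if any CIDR in the rule is the IPv4 or IPv6 'anywhere' range."""
    ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
    return any(r.get("CidrIp") == "0.0.0.0/0" or r.get("CidrIpv6") == "::/0" for r in ranges)


def _port_span(perm):
    """AWS omits FromPort/ToPort when IpProtocol is -1 (all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def check_ebs_encryption(snap):
    return [Finding("ebs-unencrypted", v["VolumeId"], "medium", "volume not encrypted at rest")
            for v in snap["ebs_volumes"] if not v.get("Encrypted", False)]


def check_security_groups(snap):
    """Inbound exposure, unrestricted egress and unused groups."""
    findings = []
    in_use = {g for inst in snap["instances"] for g in inst["SecurityGroups"]}
    for sg in snap["security_groups"]:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            if not _world_open(perm):
                continue
            lo, hi = _port_span(perm)
            if any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append(Finding("sg-admin-port-world-open", gid, "high",
                                        f"ports {lo}-{hi} inbound from anywhere"))
            elif not (lo == hi and lo in WEB_PORTS):
                findings.append(Finding("sg-inbound-world-open", gid, "medium",
                                        f"ports {lo}-{hi} inbound from anywhere"))
        for perm in sg.get("IpPermissionsEgress", []):
            if perm.get("IpProtocol") == "-1" and _world_open(perm):
                findings.append(Finding("sg-unrestricted-egress", gid, "low",
                                        "all protocols and ports outbound to anywhere"))
        if gid not in in_use:
            findings.append(Finding("sg-unused", gid, "low", "not attached to any instance"))
    return findings


def check_instance_roles(snap):
    return [Finding("ec2-no-iam-role", i["InstanceId"], "medium", "no instance profile attached")
            for i in snap["instances"] if not i.get("IamInstanceProfile")]


def check_flow_logs(snap):
    return [Finding("vpc-flow-logs-disabled", v["VpcId"], "medium", "no network traffic visibility")
            for v in snap["vpcs"] if not v.get("FlowLogsEnabled", False)]


def run_checks(snap):
    findings = []
    for check in (check_ebs_encryption, check_security_groups, check_instance_roles, check_flow_logs):
        findings.extend(check(snap))
    return findings


def severity_counts(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def ci_gate(findings):
    """Pipeline exit status: fail the build on any high-severity finding."""
    return 1 if any(f.severity == "high" for f in findings) else 0


if __name__ == "__main__":
    results = run_checks(SNAPSHOT)
    print(json.dumps([asdict(f) for f in results], indent=2))
    sys.exit(ci_gate(results))
```

Against the constructed snapshot the checks report six findings: the unencrypted volume, SSH open to the world on `sg-0db`, unrestricted egress on `sg-0web`, the unattached `sg-0old`, the database instance without an IAM role, and the VPC without flow logs; only the world-open admin port fails the gate. In a real pipeline the snapshot would come from a read-only describe call rather than a literal, and the rule set would be mapped to the benchmark your organization audits against.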
Cloud Security Posture Management (CSPM)
To get to the root of the problem, we must put security emphasis on misconfigurations, not only on traditional vulnerabilities that can be monitored and patched. Gartner named CSPM as one of the key areas in its Top 10 Security Projects for 2020-2021, recognizing this as a crucial area in security planning for the year ahead, and this is backed up by our own 2021 predictions blog. CSPM ensures continuous assessment of cloud configurations across even the most diverse infrastructures and multi-cloud estates, to prevent security policy violations from creeping into applications and infrastructure elsewhere.
CSPM solutions provide enterprises with enhanced visibility and hardening of public cloud environments, reducing the threat of cloud misconfigurations and the risk of data breach. With the rapid replication of cloud resources, many organizations are unaware of how these are running and configured; CSPM removes any doubt even when your team doesn’t have the knowledge. CSPM provides instant visibility of any undetected security issues within minutes of their inception, making it easier to secure your infrastructure and applications continuously. With the vast amount of complexity within the cloud, ensuring you’re controlling all elements and checking against security benchmarks like CIS is a huge manual undertaking. You’re likely to miss things, and this is why automation is key to protecting your business against cloud breaches.
Automation, hybrid and multi-cloud configuration assessment
When it comes to choosing a CSPM tool, it’s also important to consider your organization’s cloud adoption model. In Forrester research, a whopping 86% of IT decision makers in the US, EMEA and APAC identify their cloud strategy as ‘multi-cloud’ – using multiple public and private clouds for different workloads.
To ensure your CSPM can support your current and future cloud model we recommend the following checklist:
- Continuous assessment of cloud and multi-cloud environments for misconfigurations
- Automated security monitoring against CIS benchmarks for all major cloud service providers
- A centralized user interface to detect and manage cloud vulnerabilities for effective remediation and provide a single view of cloud risks
- Classification and detection of your cloud assets to check configuration and control cloud security
Our advanced CSPM solution supports hybrid and multi-cloud deployments and will automatically monitor and detect security flaws against cloud security best practice, continuously hardening your cloud and multi-cloud configurations, including AWS, Microsoft Azure, Google Cloud Platform, Docker and Kubernetes, against security violations of the CIS Foundations Benchmarks to meet compliance standards. Our CSPM solution uses the cloud providers’ APIs, so it’s simple to deploy with a read-only user configuration, enabling you and your team to better understand your attack surface with greater efficiency in however many clouds you’re using.
Strengthen your cloud security posture today
As DevOps and modern-day operations are a continuous process, it’s important your cloud security matches this through continuous and automated cloud security monitoring to detect misconfigurations and vulnerabilities. While CSPM is the simplest way to prevent unauthorized access to your cloud data, another important consideration is to protect your cloud workloads. A Cloud Workload Protection Platform (CWPP) is a host-centric solution that targets the unique requirements of server workload protection in modern hybrid data center architectures and checks the workloads being migrated to IaaS with integrated vulnerability scanning; it is often used in tandem with CSPM.
With opportunistic hackers looking for any weakness, including in your credentials or in software vulnerabilities deployed in your cloud environment, it’s crucial to have a comprehensive cloud security solution (CSPM + CWPP) to provide full security coverage. Find out how Outpost24 can help.