The Missing Elements in Cloud Security
The cloud-native application protection (CNAPP) space has seen tremendous innovation. The tools today are great. They can detect almost any problem in the cloud, even preventing and addressing some problems automatically. But companies still struggle to find ways to make triage and remediation manageable for security teams.
The list of cloud-security technologies has exploded in the last few years, and while it may look like a jumble of acronyms, each one has a purpose in helping secure cloud-native applications throughout the developmental life cycle:
- Cloud-native application protection (CNAPP) centralizes security for cloud-native applications to make management simpler across public, private, and hybrid cloud environments.
- Cloud security-posture management (CSPM) scans cloud environments for misconfigurations. With the complexity of today’s cloud environments, configuration errors can easily and unintentionally create security risks.
- Kubernetes security-posture management (KSPM) is similar to CSPM but looks for misconfigurations in your Kubernetes environment. Again, simple errors can create major security holes, so any additional insight into configuration issues creates a useful check.
- Cloud infrastructure entitlement management (CIEM) manages identities in a cloud environment and the privileges that users have.
- Data security-posture management (DSPM) focuses on protecting data by increasing visibility into the kind of data, its sensitivity, and its contexts. DSPM sometimes gets confused with CSPM, but DSPM focuses on data security specifically, while CSPM looks for flaws in how the cloud has been configured.
All of these tools allow security professionals to gain visibility, identify issues, and create automated flows that remediate misconfigurations and vulnerabilities in the cloud. Without them, cloud environments risk a multitude of threats, but with them, organizations can protect their clouds much more easily than with the more manual processes that many have been using.
Where we are today
Most IT departments need to use too many tools for cloud security and face a rising number of other issues: new regulations and the complexities of new cloud deployments, CNAPP vendors’ new features and bug fixes which must be learned and addressed, and bad actors who are constantly finding new vulnerabilities and misconfigurations. As a result, teams spend precious time triaging and often find that their fixes prove insignificant, so they end up unable to focus on the problems that actually matter.
The typical process that is happening between when the issue was discovered to when the issue was fixed looks like this:
Once teams detect a problem, they need to collect any relevant information, add context that would help remediation, enrich that information with the missing business information, and triage the problems to address them according to urgency and importance. The impact of the fixes must also be investigated, particularly on operations, cost, security, and compliance. Then the fixes need to be scheduled for execution with customized remediation variables. After execution, security teams must try to prevent future vulnerabilities while validating the fixes.
How can we balance all the disparate needs of today’s complex cloud environments? First, we need to identify what we are missing.
The missing elements
Our cloud-security tools are massive improvements over the ad hoc solutions of the past, but without human decision-making, remediation is lagging. We need people to orchestrate all the technology to fit each solution. But this human touch is not the only missing variable.
The other piece to the puzzle is context. Business context and variables that describe the customer environment and desired process are also often lacking. They affect the accuracy of the automated prioritization, remediation, prevention, and deployment-planning processes. As an outcome slows down the remediation, production changes are required to prevent issues.
Making it all work
Speaking with hundreds of cloud security practitioners and cloud native developers, I have come to understand that we can best enable the developers and DevOps teams by making investigation, remediation, and prevention easy for them. Cloud security cannot be an afterthought, but it cannot be a chore either.
Can we just plug into the developer’s tools and “shift everything left”? Will that magically make the remediation and prevention changes happen? That sounds good in theory, but I think it is far too romantic. It isn’t working with complicated remediation use cases.
You can’t fix all of the misconfigurations with Infrastructure as Code (IaC) in a pipeline utilizing continuous integration and continuous delivery (CICD) technologies. For example, you can’t just encrypt an existing Amazon Relational Database Service (Amazon RDS), the process is more complex than that. Encryption for an Amazon RDS DB instance is enabled when you create the RDS instance and is not possible after it’s created. To encrypt an existing RDS you need to create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance. More information about this process can be found here. This process requires change approvals, planning of the process and the rollback, since there is likely to be a disruption to existing applications and resources that use the respected DB. Disruption of services can be accomplished through proper planning and automation.
Instead of nice-sounding slogans, we need a hefty dose of realism. We need to wear developer’s shoes. What do they actually need to solve security issues? We have to break the big and complicated problem into smaller and more manageable pieces. This will make cloud security faster and easier for them.
We need to help developers to understand what can go wrong, what is being fixed, why it is being fixed, what is the impact to production operations and cost and how it needs to be best fixed based on their unique organizational needs in their specific environment. And this needs to happen without disrupting their current or future sprints and the critical development work on features &/or functions that drive their business outcomes. The developers and teams supporting them all need security to make sense and be as easy as possible to incorporate. All the while, everyone in the business/organization needs to ensure focus of resources on the risks that matter the most and remediation that will have the greatest impact on managing those risks improving the overall security posture. Frictionless and continuous security is the ideal outcome.
