Is It Time to Buy into Cloud Security Posture Management?
BY ANNE SAITA
Mistakes happen. When it comes to cloud services, it’s important to know who is responsible when a mistake causes financial and reputational damage. With so many “shared responsibility models” currently being rewritten, now is an opportune time to consider the liabilities from cloud misconfigurations and technical solutions to help minimize them.
“Statements pertaining to shared responsibility models that all the major cloud service providers (CSPs) have published have become a lot more concise and focused on what they provide and what the limitations are in securing services,” explained cloud security architect Richard Tychansky, CISSP-ISSEP, CSSLP, CCSP, CAP, CIPP/US and CIPP/G, in the May/June issue of InfoSecurity Professional. “They are actually putting in writing what they expect customers to do to secure their environments and protect their data.”
This includes where service providers’ responsibilities end. “I know the CSP is protecting its physical assets, the servers and network infrastructure for free. But what they’ve now made clear is if my organization is offering a multi-tenant application environment [multiple customers using the same application], then I’m responsible for making sure every one of my clients has their data logically separated, and that is a big responsibility,” he said.
This is one reason more organizations are considering using cloud security posture management (CSPM) solutions, a term coined last year by a Gartner analyst to describe a new category of cybersecurity solutions that find and resolve customer-driven cloud misconfigurations. Analysts claim such errors are responsible for almost every attack on cloud services. They also predict that within four years, organizations that adopt these products will see up to an 80% reduction in cloud security incidents due to misconfigurations.
Gartner analysts also warn that CSPM requires continuous assessments as both cloud infrastructures and applications continually evolve. So adding these solutions to your portfolio won’t allow you to step back; instead, they’ll help you lean in as you build an increasingly complex cloud infrastructure.
In a January 2019 Gartner white paper, Innovation Insight for Cloud Security Posture Management, author and analyst Neil MacDonald writes: “As enterprises place more services in public cloud and as the public cloud providers introduce more infrastructure and platform services directly into the hands of developers, it is becoming increasingly complex and time-consuming to answer the seemingly straightforward question: ‘Are we using these services securely?’ and ‘Does the configuration of my cloud services represent excessive risk?’”
Among the paper’s recommendations:
- Consider short-term contracts with CSPM vendors until the market is more mature.
- Take advantage of a CSP’s internal CSPM capabilities if that cloud use is limited in scope and usage.
- Look to see what CSPM capabilities a cloud access security broker (CASB) might provide.
- Include everyone within a cloud operations team so all have a firm handle on everything being accessed, stored or processed within a cloud management platform.
- Make sure any CSPM strategy includes locating all sensitive data stored in a cloud repository.
Creating checks on configurations and applying compliance best practices and industry standards is not new. In fact, it’s expected. But what a CSPM solution can do is provide a reason to improve requirements and elevate individual accountability.
“I think it’s got potential,” said Jon-Michael C. Brook, CISSP, CCSK, a principal at Guide Holdings and a Cloud Security Alliance instructor, in the same article. “It’s something where I expect the AWSes, Microsofts and Googles will come out with their ‘80% is good’ version. They’re already doing it from the perspective that they’re already telling you, ‘You have auditing capabilities out there.’ AWS has their inspector products, and Microsoft and Google offer something similar that tells you what the found issues are, but they don’t yet clean them up.
“I think we may get to that point where they do provide this by buying a CSPM provider. Or maybe they don’t because it’s too complicated, or they don’t want to go down that multi-cloud route and [will] just leave it to other people,” he continued. “I don’t think the big guys are going to get to the point of not allowing the company to have the machete on the table and if you hack your fingers off, it’s your fault. At some point they will make you put the machete in the closet and lock the door.”
Tychansky views the CSPM term as more “fast fashion,” a response to a marketing trend more than anything else. But the concept—to instrument security controls into cloud-native applications in order to better measure cloud security posture over time—is important and will persist in one form or another based upon demand.
“If we have instrumentation built into applications and (micro)services, then we can better manage and monitor application security controls in the cloud. Security instrumentation is where I’m predicting the technology will evolve,” he said.
ANNE SAITA is editor-in-chief for InfoSecurity Professional magazine.