
Cloud Security Posture Management Best Practices

Admin Globaldots
25.07.2019

The rapid adoption of cloud services, along with an increasing number of cloud infrastructure and platform services, has created an explosion in complexity and unmanaged risk. While IaaS providers deliver basic configuration and risk assessment capabilities, they only address their own services, which doesn’t account for the hybrid and multi-cloud capabilities that most enterprises require. And although the underlying cloud provider infrastructure is secure, most enterprises don’t have the processes, tooling maturity or scale to use the cloud securely.

In this article we’ll discuss cloud security posture management best practices.


Cloud security posture management

The cloud has fundamentally changed the way organizations build, operate, and manage applications. The uniqueness of cloud requires security teams to rethink classic security concepts and adopt approaches that better address dynamic and distributed cloud infrastructure.
Unfortunately, many security teams have yet to recognize that existing security practices within their organization are ill-fitted for the cloud world. Practices such as asset management, incident response, and internal training/education, which were originally built for on-premises environments, are now outdated and unable to support a proper security posture for cloud infrastructure.

According to Gartner, by 2020, 95% of cloud security issues will be the result of misconfiguration, so businesses face tremendous challenges ahead. As organizations look to migrate applications and data to the cloud, they are realizing that many of their IT staff lack the cloud security expertise to ensure their new infrastructures are properly protected. The cloud represents a fundamentally different approach to computing, and the security differences between the cloud and traditional on-premises infrastructures are night and day.

As the cloud grows, so too does the playing field of participants. Between infrastructure management (IaaS, PaaS, fPaaS, SaaS, RaaS), security, CI/CD, and all of the nuances in between, it’s difficult to keep track of what each category of tooling includes. Within the cloud security space alone there are CASBs – Cloud Security Access Brokers, CWPPs – Cloud Workload Protection Platforms, and CSPM – Cloud Security Posture Management.

At the very top of the pyramid of cloud services is CMPT, or Cloud Management Platform and Tools. This is a huge umbrella of categories; one subset of it is the CMP, or Cloud Management Platform, which itself includes numerous categories.

These include:

  • Provisioning & Orchestration
  • Cost Management & Resource Organization
  • Cloud Migration, Backup, and Data Recovery
  • Identity, Security, and Compliance
  • Packaging and Delivery
  • Monitoring & Analytics
  • Inventory & Classification
  • Service Requests

According to Gartner, CASB, CSPM and CWPP tools offer an overlapping set of capabilities to address cloud risks, but no single group performs all the features of any one of the others. CSPM concentrates on security assessment and compliance monitoring, primarily across the IaaS cloud stack.

Cloud Security Posture Management (CSPM) automatically assesses your cloud environment against best practices and security violations to provide the steps required to remediate them – often through automation.

With the widespread adoption of IaaS, data breaches through mismanagement of IaaS usage are becoming commonplace. Nearly all successful attacks on cloud services resulted from customer misconfigurations. The main use of CSPM is to verify that cloud configurations follow security best practices such as the CIS AWS/Azure/GCP benchmarks.


Cloud security posture management solutions

Most common CSPM solutions:

  • Identify your cloud environment footprint and monitor for the creation of new instances or buckets (i.e., shadow IT).
  • Provide policy visibility and ensure consistent enforcement across multiple cloud providers.
  • Scan your compute instances for misconfigurations and improper settings that could leave them vulnerable to exploitation.
  • Scan your storage buckets for misconfigurations that could make data accessible to the public.
  • Audit for adherence to appropriate compliance mandates.
  • Perform risk assessments vs. frameworks and external standards such as the International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST).
  • Verify that operational activities are being performed as expected (e.g., key rotations).
  • Automate remediation or remediate at the click of a button.

Typical CSPM services conduct these activities on a continuous basis and can include automation capabilities to correct issues without human intervention or delay.

Cloud security posture management best practices

Automate compliance and align with cloud standards

Assessing your security and compliance in the cloud requires an approach that takes into consideration the dynamic nature of cloud objects and benchmarks against rules specific to the cloud provider and service type.

Recommendations:

  • Continuously monitor your cloud’s security posture against established best practices with the help of cloud-specific benchmarks from the Center for Internet Security (CIS).
  • Leverage a cloud security posture management solution to automate benchmarking against multiple compliance frameworks at once.
  • Ensure that your security tools and procedures account for the dynamic nature of your cloud environment and provide real-time visibility necessary to audit ephemeral cloud infrastructure.

Prioritize security violations by quantifying risk 

The number of violation alerts security owners receive every day can be overwhelming.

Recommendations:

  • Begin with violations that impact your critical cloud assets first, especially those that could expose data publicly or lead to unauthorized access.
  • Work with a cloud security expert to build a custom plan to selectively enable the security checks and policies that are most critical for your environment. You can gradually roll out new controls as you begin to feel confident about the existing security checks and operational processes in place.

Enforce security checks in Dev pipelines

The lifespan of many objects in the cloud can be extremely short-lived. How do you enforce security in the cloud when your applications are constantly spinning up and down new resources every other minute? Even if your applications are not dynamic, figuring out security gaps late in production can be extremely expensive.

Recommendations:

  • Define misconfiguration checks as a pipeline to find violations immediately after your deployment pipelines are executed.
  • Embed remediation steps into the re-deployment pipeline to correct configurations.
  • Continuously gather feedback from the pipeline to identify trends in violations, if any, to update your policies.
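
The prioritization and pipeline recommendations above can be combined in a single post-deployment step. The following is an added example, not code from the original article or from any CSPM product: the snapshot format, check names, severity weights, the 365-day rotation limit and the blocking threshold are all hypothetical assumptions chosen for illustration.

```python
import json

# Constructed sample: a post-deployment resource snapshot (hypothetical format,
# not any cloud provider's real export).
SNAPSHOT = json.loads("""
[
 {"id": "bucket-logs", "type": "storage_bucket", "critical": false,
  "public_read": false, "encrypted": true},
 {"id": "bucket-customer-data", "type": "storage_bucket", "critical": true,
  "public_read": true, "encrypted": false},
 {"id": "vm-build-agent", "type": "compute_instance", "critical": false,
  "open_ports": [22], "ingress_cidr": "0.0.0.0/0"},
 {"id": "key-signing", "type": "kms_key", "critical": true,
  "days_since_rotation": 400}
]
""")

# Hypothetical checks: (name, resource type, predicate True on violation, severity 1-5).
CHECKS = [
    ("public-bucket", "storage_bucket", lambda r: r.get("public_read", False), 5),
    ("unencrypted-bucket", "storage_bucket", lambda r: not r.get("encrypted", True), 3),
    ("ssh-open-to-world", "compute_instance",
     lambda r: 22 in r.get("open_ports", []) and r.get("ingress_cidr") == "0.0.0.0/0", 4),
    ("stale-key", "kms_key", lambda r: r.get("days_since_rotation", 0) > 365, 2),
]

def evaluate(snapshot):
    """Return violations sorted by risk score, highest first."""
    findings = []
    for res in snapshot:
        for name, rtype, violated, severity in CHECKS:
            if res["type"] == rtype and violated(res):
                # Risk = severity, doubled for assets tagged as critical.
                score = severity * (2 if res.get("critical") else 1)
                findings.append({"resource": res["id"], "check": name, "risk": score})
    return sorted(findings, key=lambda f: (-f["risk"], f["resource"], f["check"]))

def gate(findings, threshold=6):
    """Pipeline exit code: 1 if any finding meets the blocking threshold, else 0."""
    return 1 if any(f["risk"] >= threshold for f in findings) else 0

if __name__ == "__main__":
    results = evaluate(SNAPSHOT)
    for f in results:
        print(f"{f['risk']:>2}  {f['resource']:<22} {f['check']}")
    raise SystemExit(gate(results))  # non-zero exit fails the pipeline stage
```

Run as the stage immediately after deployment; findings below the threshold are still listed, so they can feed the trend review without blocking the release.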

Conclusion

The uniqueness of cloud requires security teams to rethink classic security concepts and adopt approaches that better address dynamic and distributed cloud infrastructure. Cloud Security Posture Management (CSPM) automatically assesses your cloud environment against best practices and security violations to provide the steps required to remediate them – often through automation.

If you have any questions about how we can help you optimize your cloud costs and performance, contact us today to help you out with your performance and security needs.
