Make the Shift to Next-Gen Cloud Security Posture Management (CSPM)
Cloud Security Posture Management (CSPM) has gained significant traction in the last few years, and with good reason. With dependence on the cloud seeing significant growth and cloud environments becoming more complex, it’s hardly surprising that instances of breaches are exploding as well – becoming an everyday occurrence, unfortunately. In fact, a recent survey of 300 CISOs found that nearly 80% had at least one data breach in the last 18 months and almost half had experienced ten or more incidents. Analysts estimate that by 2023, 75% of all security failures will be the result of insufficient controls around access, identities and privileges. Combined with cloud infrastructure misconfigurations, these environments practically invite attackers to exploit them. It’s no wonder that CSPM is entering the mainstream, but are existing solutions up to the task?
Most CSPM solutions were designed for cloud native infrastructure that is defined and managed in runtime. They establish a secure configuration baseline in runtime and monitor for drift from that point. However, cloud infrastructure today is defined and managed as code during development, which means misconfigurations are introduced in development. With risks being introduced earlier in the software development lifecycle, baselines must also be established earlier in the cycle if CSPM is to be effective. While CSPM can detect these misconfigurations in runtime, resolving them in runtime is a very expensive proposition. An even bigger issue is that those fixes are applied to the runtime, not to the Infrastructure as Code (IaC) from which the runtime environment was built. The next time the IaC is deployed, the misconfigurations will be reintroduced. The end result is wasted time and money and, more importantly, a false sense of security.
The Three Tenets of Next-Gen Cloud Security Posture Management
CSPM solutions must evolve if they are going to keep pace with or, better yet, stay a step ahead of threats and breaches. This can only be achieved when misconfigurations are detected and resolved in development and when secure posture is maintained in runtime. The following three tenets provide a roadmap with specific guidelines to help you make this next-level security proposition a reality for your organization.
Secure Infrastructure as Code
The first step to realizing next-gen CSPM is to create a secure baseline from your IaC, which means starting the process when code is being written. Scanning IaC for misconfigurations in development means the cloud infrastructure will be “born secure”. This can be a challenge because there is a lack of standardization in IaC; it’s important to enure your CSPM solution offers the appropriate level of IaC support for your organization’s assets. Then, policy-based checks (Policy as Code) can be applied to identify violations. There are a number of common best practices and compliance policies to consider, and you’ll want to ensure your solution supports policies that are relevant to your needs. To give you a feel for the scope of this challenge, Accurics maintains over 1,800 out-of-the-box policies to ensure effectiveness while allowing teams to maintain agility.
Cloud security risks are not created equal and the level of attention each risk requires varies as well. The sheer volume of alerts created by Policy as Code is a classic example of too much of a good thing, so next-gen CSPM must address alert fatigue. Accurics’ threat modeling technology (Security as Code) assesses and prioritizes threats so teams can manage resources with full visibility into which threats represent the greatest risk.
Where first-gen CSPM is typically used by security teams, next-gen CSPM and its focus on IaC targets developers ––and developers are not generally security experts. It’s not enough to simply push alerts to them and expect them to know what to do. Because it’s working from the source code, next-gen CSPM can actually do better than simply reporting problems. In fact, to be effective it must generate the code to resolve misconfigurations (Remediation as Code). This programmatic remediation enables developers to ensure code quality while seamlessly continuing their work. Given these capabilities and where they are applied in the development process, next-gen CSPM solutions are great for establishing guardrails that deliver continuous security in the automated processes and CI/CD tools used by developers.
Monitor Infrastructure Configurations in Runtime
Given the dynamic nature of cloud environments, it’s safe to assume that configuration changes will be made in runtime. In fact, our State of DevSecOps Report (Summer 2020) found that nearly all organizations do so, and that it often leads to configuration drift.
The best way to combat drift is through continuous monitoring, which starts with converting infrastructure configurations in runtime into code so the resources created in runtime can be compared to those defined through IaC (Drift as Code). This normalizes runtime and IaC configurations, and can help organizations migrate manually created environments to IaC.
Just as process and pipeline integrations are important in development, CSPM continuously monitors the runtime environment to enforce policies and identify drift. Taken together, next-gen CSPM can govern policy and risk compliance with a single definition of success and consistent enforcement throughout the life cycle.
Remediate Through Infrastructure as Code
It’s a given that any configuration change must be assessed for risk. The way in which that risk assessment plays out is the biggest difference between first generation and next-generation CSPM solutions. First generation CSPM delivers remediation that focuses on a limited set of risks and focuses on changes applied to configurations in runtime, which may go against company policy. This increases the risk of potential downtime, and creates drift from the IaC baseline.
In contrast, next-generation CSPM establishes IaC as the single source of truth. Assuming a change – regardless of whether it is introduced in IaC or runtime – does not introduce risk, the IaC is updated and a new IaC baseline is established. If the change does introduce risk, the cloud is redeployed using the secure IaC as its baseline. In both instances, the risk is eliminated and the single source of truth is preserved.
Demand Next-Level Security from CSPM
Just as organizations demand more from their cloud environments, they must also demand more from their cloud security solutions. Next-gen CSPM solutions will deliver on Policy as Code, Security as Code, Remediation as Code, and Drift as Code, ensuring efficient, consistent, high velocity risk management across the entire cloud native development lifecycle from a single source of truth.
For more information about what next-generation cloud security posture management solutions will look like, and tips for choosing a solution, I invite you to download The Buyer’s Guide to Next-Generation CSPM.