CloudHealth Secure State’s Playbook to Operationalize Cloud Security Posture Management

Built on iterative, non-linear processes that engage with key stakeholders across the organization, the CloudHealth Secure State team has developed a cloud security framework to help the cloud community better manage cloud risk and operationalize their cloud security posture management.

Four years ago, when CloudHealth Secure State founders were researching the cloud market, it was hard to ignore the growing list of companies that ended up in the news headlines due to simple misconfiguration mistakes leading to massive data breaches. A closer look revealed that the security teams in many of these companies had tools, but were struggling with cloud visibility. They were getting the security alerts but didn’t know where to focus their resources to prevent or remediate security risks. Something was clearly wrong with the security approach prevalent in the cloud community.

Show, don’t tell

In writing, they often say “show, don’t tell.” Because when you tell a reader what’s happening, you give them information but don’t help them deduce anything on their own. But when you show rather than tell, you help them experience the situation and draw their own conclusions. In an epiphany, we realized that organizations’ cloud security was failing because their tools were simply telling and not showing them the mistakes they were making!

For example, as a cloud security user, when you receive an alert that a “server should restrict public access to TCP port 8080,” what conclusion can you really draw from it?

• Do you know the owner or app the alert is referring to?
• Is it a web server that needs internet access or a portal internal to your company?
• How critical is the data behind that server and what other resources are connected to it?

These are just the first few questions that come to mind when you see an alert like this. And to take proper action, you need a lot more context and some engagement with the right application team.

This is why we built CloudHealth Secure State! To help cloud security teams obtain richer insights into app infrastructure and make it easier for developers to fix security mistakes.

CloudHealth Secure State: Best Innovation in Enterprise Solutions

What makes CloudHealth Secure State different is that it helps security and DevOps teams get on the same page quickly. From a unified view, both teams can visualize the connected objects that violate security, and within seconds, they can see the blast radius of the security finding, correlate risk due to related misconfigurations and threats, inspect details such as permissions and tags, and trace activity logs to find users and the recent configuration changes.

When Secure State creates an alert about a server with misconfigured TCP port access, not only does the security team see the violation and its context, but the DevOps and application teams also see the same information, enabling the most appropriate owner to assess and resolve the finding as soon as possible. This is the reason why Developer Week named CloudHealth Secure State—a cloud security posture management platform—the Best Innovation in Enterprise Solutions!

Companies of all sizes, from innovative startups to large financial institutions, leverage CloudHealth Secure State to protect over 62M assets across multi-cloud environments.

Today, CloudHealth Secure State is the industry’s only cloud security platform to deliver:

• Market-leading rules engine: 720+ pre-defined cloud security and compliance best practices
• Real-time detection: Less than 20 seconds from change notification to security finding
• Cross-service risk alerts: Prevent attackers from gaining lateral access to critical resources
• Multi-cloud search: Visualize cloud inventory, hunt threats, and identify vulnerabilities
• Zero-trust remediation: Resolve security findings without write access to cloud resources

Operationalizing cloud security to better manage risk

Today, as we engage with cloud security teams, we see that they’re getting better at gaining cloud visibility but still struggling to transform it into actions that mitigate risk.

My team’s mission at VMware is to help your security organization better manage cloud risk. In the last year, we’ve asked architects of several security programs about challenges they face while operationalizing cloud security. The outcome of those conversations is a cloud security lifecycle framework that I want to briefly introduce in this article.

The goal of this framework is to encourage security organizations to obtain clarity around the role of different cloud security stakeholders in their company and then deliver a playbook that helps key stakeholders to collaborate and help the organization improve their overall cloud security and compliance posture.

If you’re wondering who owns cloud security in your company, don’t be surprised if you can’t identify a clear owner. During our interviews, different organizations we spoke to have different teams that own cloud security. In some, it’s the Information Security team, while in others it’s the IT Operations or app DevOps team. But no matter who owns cloud security, everyone agrees that the cloud security program must engage all security stakeholder teams.

At the core, this framework defines five sequential steps for operationalizing cloud security:

1. Obtain holistic visibility into cloud assets: In this step, security teams generally work with IT Ops teams to monitor cloud resources and organize information in a way that mirrors company boundaries.
2. Optimize governance to prioritize key security risks: Here, the goal is to define a governance framework that helps the company meet its security and compliance needs, while enabling developers to gradually improve security without compromising agility.
3. Resolve violations to reduce risk: In this phase, each DevOps owner triages the list of security findings and resolves violations that need to be addressed quickly to mitigate critical security and compliance risks based on severity.
4. Shift-left to improve security and development productivity: While resolving violations, DevOps teams must identify selective security controls within the CI / CD process that can be put in place proactively to not only reduce the cost of ensuring security, but also speed up time to market new software releases.
5. Respond to security incidents immediately: Technically this isn’t a step, but the goal here is to ensure that security incident response teams (SIRT) are equipped with the right visibility and context to investigate cloud threats and vulnerabilities, and can identify the right cloud users quickly to coordinate a successful incident response plan.

The key point we’re trying to illustrate with this framework is that an effective cloud security program is built on processes that are non-linear and engage with different stakeholder teams. If you’d like to learn more about building an iterative cloud security process that allows your team to start small and get quick security wins, please see my CloudLIVE session where, with the help of demos and real-world examples, I’ll show (and not tell!) how companies can operationalize cloud security and prevent data breaches.

What’s new: CloudHealth Secure State enhancements 

Over the last year, the CloudHealth Secure State team delivered several key capabilities critical for operationalizing and improving cloud security. These include role-based access controls (RBAC) and project-specific security views for teams, 400+ new security and compliance rules to expand service and risk coverage across AWS, Azure, and Google clouds, custom compliance frameworks for building company-specific standards, and 40 remediation jobs to fix commonly occurring security violations.

As we continue to double down on helping organizations improve their cloud security risk management, we’re pleased to announce several new enhancements that reduce friction between security stakeholders and improve decision making through an easier exchange of insights across company tools and processes.

• MITRE ATT&CK Cloud Framework support maps hundreds of critical security rules to help organizations build controls that defend against adversary tactics and techniques used by attackers in real-world cloud attack scenarios.
• Auto-Remediation General Availability and Remediation API support enable SecOps team to integrate remediation capabilities within automated response playbooks and scripts, while developers can add a cloud security layer to their deployment pipelines using the Findings APIs to detect misconfigurations and the Remediation APIs to run rollbacks and actions.
• Explore 2.0 allows both security and non-security users to instantly search cloud inventory and aggregate results that would otherwise take a lot of time to fetch through logs. Whether it’s a simple string search or a test for complex configuration patterns, users can quickly inspect cloud resources, visualize results, and export findings for further analysis by other teams.
• Suppressions 2.0 drastically reduces the time teams spend on chasing false positives. Security and DevOps team can automatically suppress security findings based on pre-defined criteria and bulk manage suppressions with the click of a single button.
• Alerts 2.0 will allow users to send notifications with actionable context to the right teams quickly. Users can limit the scope of alerts to specific accounts or projects and customize alert messages to include helpful notes such as Knowledge Base articles and remediation steps that make it easier for recipients to resolve findings.
• Webhook integration to share security insights across the company. With a few clicks, users can configure a new Webhook integration to send Secure State’s findings to most third-party applications used within your company. With Webhook support, you no longer have to treat cloud security as a separate activity.
• SOC2 Type I & ISO/IEC 27001:2013 certifications prove our ongoing customer commitment to building secure service operations and meeting established privacy standards.

Operationalizing cloud security in your company

As I mentioned earlier, our goal is to help the cloud community better manage cloud risk and improve their overall cloud security and compliance posture. If you’d like to learn more about how we can help your team operationalize cloud security, please book a demo with a CloudHealth Secure State expert.

Additionally, if you have ideas and suggestions around how we can improve our cloud security playbook, I’d love to hear from you and learn how your organization is tackling cloud security challenges. You can connect with my cloud security team by attending CloudLIVE 2021—the industry-leading multi-cloud management conference. Register today!