This post was originally published to the VMware Cloud Blog and can be viewed here.
Is your cloud security posture keeping you awake at night?
The promise of DevSecOps is security that is inherent to every phase of the application lifecycle. This means that security processes are incorporated earlier, commonly called “shift left” security. This implies that security best practices are both known and consistently implemented across all workloads – which in a multi-cloud world can include any number of disparate environments.
Multi-Cloud Security Threats
A multi-cloud strategy increases an organization’s ability to adapt quickly to the needs of the business but often also increases complexity and reduces visibility across environments. The Cloud Security Alliance (CSA) report The Top Threats to Cloud Computing called out eleven threats to cloud computing. Of these, fewer than half were generic threats like account hijacking or insider threat. The rest were specific to visibility, misconfigurations, and a weak control plane. This reflects a lack of maturity around cloud usage, often a direct result of limited relevant expertise and/or too few people to manage these increasingly complex environments. The only way for today’s organizations to improve their cloud security posture is to supplement their human expertise with intelligent, automated protections, building security processes that can be incorporated into every stage of the application lifecycle and applied to all cloud workloads and services.
Lack of visibility
Given that you can’t secure what you can’t see, or don’t fully understand, visibility across cloud environments is essential to mitigating cloud security risks. Many providers have tooling to assess the security posture of their own services. However, these can result in an incomplete and disjointed view into an organization’s overall posture. And without the context necessary to understand the bigger picture, all issues can look similarly important. This makes it harder to prioritize actionable remediation and can result in critical issues getting lost or ignored in the noise.
Misconfiguration
Misconfigurations are a leading cause of public cloud security breaches. They can be the result of a simple fat-finger error, a lack of best practice awareness, or a lack of resources to ensure consistency. Misconfigurations have always posed a security risk and have proven difficult to eliminate completely. However, in the “always-on, publicly-connected” world of cloud, the potential for – and speed of – exploitation is magnified exponentially. The Cloud Security Alliance (CSA) report The State of Cloud Security found that 1 in 6 organizations had a public security breach last year due to misconfiguration. Our own analysis of common cloud misconfigurations identified several high-risk violations:
- Object storage default encryption not enabled
- Database snapshots not encrypted
- Virtual machine disk volumes not encrypted
- IAM policy has unlimited administrative privileges
- Multi-factor authentication is not required for all users
- Virtual machine SSH port (22) is accessible from the public internet for any source address
These violations should seem obvious to even the casual observer yet are prevalent enough to indicate a struggle to ensure basic protection consistently across clouds.
Cloud Security Posture Management
Cloud Security Posture Management (CSPM) is a solution category that, using Gartner’s definition, delivers “a continuous process of cloud security improvement and adaptation to reduce the likelihood of a successful attack.” CloudHealth Secure State is our leading CSPM that provides security posture management for AWS, Azure, and Google Cloud Platform services. It also provides Kubernetes Security Posture Management (KSPM). Here’s how it works:
- You provide IAM credentials for each cloud account you want to monitor (configured for read-only following least privilege)
- CloudHealth Secure State collects cloud data and builds an interconnected cloud security model of your environment
- CloudHealth Secure State assesses the data for violations (findings) against its security rule database and compliance frameworks
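To make the "assess against a rule database" step concrete, here is an added example (not CloudHealth Secure State code and not from the original post) that checks a small inventory for the six high-risk violations listed earlier. The normalized resource schema, the resource names and the AWS-style policy document shape are assumptions made for illustration.

```python
import ipaddress

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _admin_star(policy):
    # Allow statement granting every action on every resource. Values are wrapped in
    # lists first so that "*" is matched exactly, not as a substring of e.g. "s3:*".
    return any(s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action", []))
               and "*" in _as_list(s.get("Resource", []))
               for s in _as_list(policy.get("Statement", [])))

def _ssh_open_to_world(ingress):
    # A range such as 0-1024 exposes port 22 just as 22-22 does; ::/0 is the IPv6 "any".
    return any(ipaddress.ip_network(r["cidr"], strict=False).prefixlen == 0
               and r["from_port"] <= 22 <= r["to_port"] for r in ingress)

# (resource type, finding title from the list above, predicate that is True on a violation)
RULES = [
    ("bucket", "Object storage default encryption not enabled", lambda r: not r.get("default_encryption")),
    ("db_snapshot", "Database snapshot not encrypted", lambda r: not r.get("encrypted")),
    ("volume", "Virtual machine disk volume not encrypted", lambda r: not r.get("encrypted")),
    ("iam_policy", "IAM policy has unlimited administrative privileges", lambda r: _admin_star(r["document"])),
    ("user", "Multi-factor authentication is not required", lambda r: not r.get("mfa_enabled")),
    ("firewall", "SSH port (22) accessible from any source address", lambda r: _ssh_open_to_world(r["ingress"])),
]

def assess(inventory):
    """Return sorted (resource id, finding) pairs for every rule a resource violates."""
    return sorted((res["id"], title) for res in inventory
                  for rtype, title, bad in RULES if res["type"] == rtype and bad(res))

# Constructed sample inventory in a hypothetical provider-neutral schema.
INVENTORY = [
    {"id": "bucket-exports", "type": "bucket", "default_encryption": False},
    {"id": "snap-nightly", "type": "db_snapshot", "encrypted": False},
    {"id": "vol-app", "type": "volume", "encrypted": True},
    {"id": "policy-ops", "type": "iam_policy", "document": {"Statement": [
        {"Effect": "Allow", "Action": ["*"], "Resource": "*"}]}},
    {"id": "policy-ro", "type": "iam_policy", "document": {"Statement":
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}}},
    {"id": "user-svc", "type": "user", "mfa_enabled": False},
    {"id": "fw-admin", "type": "firewall", "ingress": [{"cidr": "::/0", "from_port": 0, "to_port": 1024}]},
    {"id": "fw-bastion", "type": "firewall", "ingress": [{"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}]},
]

if __name__ == "__main__":
    print("\n".join(f"{rid}: {title}" for rid, title in assess(INVENTORY)))
```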
Improved Visibility and Context
Users can access CloudHealth Secure State features through a single console or API. These features include:
- A unified search engine across resources, relationships, and security findings
- A topology explorer providing security context including relationships, misconfigurations, threats, metadata, and change activity
- An intelligent risk scoring algorithm to identify and prioritize critical findings
- Native exports to SIEM systems for additional analysis and to streamline SOC investigations
Improved Configuration Management
CloudHealth Secure State helps security and platform teams understand how a minor configuration change can elevate risk across connected cloud objects. It delivers:
- Automation to improve security and compliance posture with guardrails to prevent mistakes
- Auditing of configuration changes and compliance violations
- Automated assessment and remediation for benchmarks such as CIS, GDPR, HIPAA, ISO 27001, MITRE ATT&CK Cloud, NIST, PCI, & SOC 2
Conclusion
The dynamic, distributed, disparate nature of multi-cloud has introduced additional complexity for teams managing security risk. Challenges that were largely resolved in the datacenter, like limited system visibility and identifying misconfigurations, are not only more challenging across clouds but can also result in larger exposure. Improving multi-cloud visibility and context, along with misconfiguration protection and remediation, are simple steps that organizations and DevSecOps teams can take immediately to improve their cloud security posture. CloudHealth Secure State provides these capabilities, and more. Get a free trial or request a demo and start improving your cloud security posture today!
Learn more!
VMware Wins Gold at 2022 Cybersecurity Excellence Awards
VMware is proud to announce it has won across nine categories at the 2022 Cybersecurity Excellence Awards, demonstrating the company’s security innovation and commitment to keeping customers safe from cyberattacks. CloudHealth Secure State won the gold award in the 2022 Patch and Configuration Management category.