Mitigating Security Risk in the Cloud(s)

This post was originally published to the VMware Cloud Blog and can be viewed here.

Is your cloud security posture keeping you awake at night?

The promise of DevSecOps is security that is inherent to every phase of the application lifecycle. This means that security processes are incorporated earlier, an approach commonly called “shift left” security. It also implies that security best practices are both known and consistently implemented across all workloads – which in a multi-cloud world can include any number of disparate environments.

Multi-Cloud Security Threats

A multi-cloud strategy increases an organization’s ability to adapt quickly to the needs of the business but often also increases complexity and reduces visibility across environments. The Cloud Security Alliance (CSA) report The Top Threats to Cloud Computing called out eleven threats to cloud computing. Of these, fewer than half were generic threats like account hijacking or insider threat. The rest were specific to visibility, misconfigurations, and a weak control plane. This reflects a lack of maturity around cloud usage, often a direct result of limited relevant expertise and/or too few people to manage these increasingly complex environments. The only way for today’s organizations to improve their cloud security posture is to supplement their human expertise with intelligent, automated protections, building security processes that can be incorporated into every stage of the application lifecycle and applied to all cloud workloads and services.

Lack of visibility

Given that you can’t secure what you can’t see, or don’t fully understand, visibility across cloud environments is essential to mitigating cloud security risks. Many providers have tooling to assess the security posture of their own services. However, these tools can result in an incomplete and disjointed view of an organization’s overall posture. And without the context necessary to understand the bigger picture, all issues can look similarly important. This makes it harder to prioritize actionable remediation and can result in critical issues getting lost or ignored in the noise.

Misconfiguration

Misconfigurations are a leading cause of public cloud security breaches. They can be the result of a simple fat-finger error, a lack of best practice awareness, or a lack of resources to ensure consistency. Misconfigurations have always posed a security risk and have proven difficult to eliminate completely. However, in the “always-on, publicly-connected” world of cloud, the potential for – and speed of – exploitation is magnified exponentially. The Cloud Security Alliance (CSA) report The State of Cloud Security found that 1 in 6 organizations had a public security breach last year due to misconfiguration. Our own analysis of common cloud misconfigurations identified several high-risk violations:

  • Object storage default encryption not enabled
  • Database snapshots not encrypted
  • Virtual machine disk volumes not encrypted
  • IAM policy has unlimited administrative privileges
  • Multi-factor authentication is not required for all users
  • Virtual machine SSH port (22) is accessible from the public internet from any source address

These violations should seem obvious to even the casual observer yet are prevalent enough to indicate a struggle to ensure basic protection consistently across clouds.

Cloud Security Posture Management

Cloud Security Posture Management (CSPM) is a solution category that, using Gartner’s definition, delivers “a continuous process of cloud security improvement and adaptation to reduce the likelihood of a successful attack.” CloudHealth Secure State is our leading CSPM that provides security posture management for AWS, Azure, and Google Cloud Platform services. It also provides Kubernetes Security Posture Management (KSPM). Here’s how it works:

  • You provide IAM credentials for each cloud account you want to monitor (configured for read-only following least privilege)
  • CloudHealth Secure State collects cloud data and builds an interconnected cloud security model of your environment
  • CloudHealth Secure State assesses the data for violations (findings) against its security rule database and compliance frameworks
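The assess step, applied to the six high-risk violations listed under Misconfiguration, can be sketched as a small rule engine. This is an added example, not CloudHealth Secure State's rule database or API; the provider-neutral resource schema, rule names and inventory below are constructed for illustration.

```python
import ipaddress

# Constructed inventory in a hypothetical, provider-neutral schema.
INVENTORY = [
    {"id": "bucket-logs", "type": "object_storage", "default_encryption": False},
    {"id": "db-snap-01", "type": "db_snapshot", "encrypted": True},
    {"id": "vm-disk-7", "type": "vm_disk", "encrypted": False},
    {"id": "policy-admin", "type": "iam_policy",
     "statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}]},
    {"id": "policy-ro", "type": "iam_policy",
     "statements": [{"effect": "Allow", "actions": ["storage:Get*"], "resources": ["*"]}]},
    {"id": "user-alice", "type": "user", "mfa_enabled": False},
    {"id": "fw-web", "type": "firewall",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 0, "to_port": 1024}]},
    {"id": "fw-bastion", "type": "firewall",
     "ingress": [{"cidr": "203.0.113.0/24", "from_port": 22, "to_port": 22}]},
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def admin_wildcard(res):
    # Unlimited admin: an Allow statement with every action on every resource.
    return any(s["effect"] == "Allow" and "*" in _as_list(s["actions"])
               and "*" in _as_list(s["resources"]) for s in res["statements"])

def ssh_open_to_world(res):
    # Prefix length 0 covers 0.0.0.0/0 and ::/0; a port range counts if it spans 22.
    return any(ipaddress.ip_network(i["cidr"], strict=False).prefixlen == 0
               and i["from_port"] <= 22 <= i["to_port"] for i in res["ingress"])

def not_true(key):
    # Fail closed: a missing attribute is reported the same as an explicit False.
    return lambda res: res.get(key) is not True

RULES = [  # (rule name, resource type, predicate that is True on a violation)
    ("object-storage-default-encryption-off", "object_storage", not_true("default_encryption")),
    ("db-snapshot-unencrypted", "db_snapshot", not_true("encrypted")),
    ("vm-disk-unencrypted", "vm_disk", not_true("encrypted")),
    ("iam-unlimited-admin", "iam_policy", admin_wildcard),
    ("mfa-not-required", "user", not_true("mfa_enabled")),
    ("ssh-open-to-internet", "firewall", ssh_open_to_world),
]

def assess(inventory):
    """Return sorted (rule, resource id) findings for every violated rule."""
    return sorted((name, res["id"]) for res in inventory
                  for name, rtype, violated in RULES
                  if res["type"] == rtype and violated(res))

if __name__ == "__main__":
    for finding in assess(INVENTORY):
        print(*finding)
```

The firewall rule flags `fw-web` even though port 22 is never named, because the open range 0-1024 includes it; the scoped wildcard in `policy-ro` and the restricted source range on `fw-bastion` are not flagged.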

Improved Visibility and Context

Users can access CloudHealth Secure State features through a single console or API. These features include:

  • A unified search engine across resources, relationships, and security findings
  • A topology explorer providing security context including relationships, misconfigurations, threats, metadata, and change activity
  • An intelligent risk scoring algorithm to identify and prioritize critical findings
  • Native exports to SIEM systems for additional analysis and to streamline SOC investigations

Improved Configuration Management

CloudHealth Secure State helps security and platform teams understand how a minor configuration change can elevate risk across connected cloud objects. It delivers:

  • Automation to improve security and compliance posture with guardrails to prevent mistakes
  • Auditing of configuration changes and compliance violations
  • Automated assessment and remediation for benchmarks such as CIS, GDPR, HIPAA, ISO 27001, MITRE ATT&CK Cloud, NIST, PCI, & SOC 2

Conclusion

The dynamic, distributed, disparate nature of multi-cloud has introduced additional complexity for teams managing security risk. Challenges that were largely resolved in the datacenter, like limited system visibility and identifying misconfigurations, are not only more challenging across clouds but can also result in larger exposure. Improving multi-cloud visibility and context, along with misconfiguration protection and remediation, are simple steps that organizations and DevSecOps teams can take immediately to improve their cloud security posture. CloudHealth Secure State provides these capabilities, and more. Get a free trial or request a demo and start improving your cloud security posture today!

Learn more!

VMware Wins Gold at 2022 Cybersecurity Excellence Awards

VMware is proud to announce it has won across nine categories at the 2022 Cybersecurity Excellence Awards, demonstrating the company’s security innovation and commitment to keeping customers safe from cyberattacks. CloudHealth Secure State won the gold award in the 2022 Patch and Configuration Management category.
