By Andreas Dann | August 12, 2021
Cloud Security Term: Cloud Security Posture Management (CSPM)
More and more organizations rely on cloud services, and many are going fully cloud-native. Cloud Security Posture Management (CSPM) tools and technologies have become popular as a result, since they aim to find and manage the security risks that stem from how cloud environments are configured.
Companies are shifting their workloads to the cloud for good reasons: it reduces cost and time-to-market and increases development speed. However, the shift does not come for free. Many companies struggle to monitor and verify the secure configuration of their cloud environments because of the pace at which cloud infrastructure changes, and the use of multiple cloud providers or a mix of private and public clouds makes tracking down misconfigurations even harder. In fact, cloud (security) misconfigurations are a leading cause of data breaches, such as the Advantage Capital Funding and Argus Capital Funding breach in 2020, and they can even lead to a compromise of the company network, as described in our article Five Common Cloud Security Threats.
CSPM tools aim to detect such misconfigurations, alert the security team, and help remediate the issues before attackers can exploit them.
Cloud misconfigurations happen easily: a developer or DevOps engineer may unknowingly miss a particular option or set it incorrectly, for example by not enforcing multi-factor authentication or by leaving an S3 bucket unencrypted. A CSPM tool checks cloud users and cloud resources for such misconfigurations. Typical misconfigurations are, for instance, unencrypted data stores, databases open to the internet, accounts with excessive permissions, or deactivated security controls:
- Public storage: Cloud misconfigurations often affect S3 buckets that are not encrypted or that even allow public access.
- Open networks: Recent data breaches like the AutoClerk breach in 2019, which exposed the personal information of thousands of hotel guests, including members of the US government and military, were caused by network configuration errors. Either database ports were left open, or networks assumed to be private were in fact reachable from the internet, allowing access to internal containers, storage, or VMs.
- Identity and Access Management: Over-permissive cloud resources or user roles are prime targets for attackers, since they allow an attacker to escalate privileges and gain unauthorized access to further resources, or even to compromise the whole account.
A manual approach to checking an account for misconfigurations cannot keep up with the rapid changes that Infrastructure-as-Code makes possible in today's cloud environments, and it becomes entirely infeasible when securing multiple accounts or multiple cloud providers. To manage cloud resources and issues effectively, and to stay on top of new assets added to your cloud environment, automated CSPM tools that continuously monitor your cloud are indispensable.
A single cloud environment comprises dozens of AWS accounts, dozens of regions, and hundreds or thousands of cloud resources such as networks, databases, S3 buckets, and users, which makes it difficult to keep track of all the resources in use or of which user has access to which resource. The sheer number of resources also makes it hard to identify resources that are still active and running, but unused and thus costing money. To cope with this, a CSPM tool must give the security team a comprehensive inventory of all resources in the cloud.
A problem with many CSPM tools is their lack of context. A tool that checks for misconfigurations, or in the best case also displays CVEs, produces a sheer amount of noise and leaves the security team with thousands of warnings to triage. Merely raising a warning for a potential security issue is not enough. The key question is "Is my cloud exploitable given the way the cloud resource is affected by the warning?", or simply put: "Is the security issue actually exploitable in my cloud environment?" To answer it, next-generation CSPM tools must analyze the context of a security issue and take into account which other resources would be impacted if the issue were exploited.
There are a lot of things a cloud security team can do to improve security; the hard part is choosing what to do first. To ease the decision about which issues must be addressed immediately, the raised warnings must be prioritized with respect to their context, their business impact, and the exposure of the affected resource.
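The three misconfiguration classes listed above (public or unencrypted S3 buckets, security groups open to the internet, over-permissive IAM policies) and the context-based prioritization this section asks for, as an added example in Python. This is not code from the original article or from any CSPM product: the inventory dictionaries are constructed, simplified stand-ins for what the S3, EC2 and IAM APIs return, and the rule names, severity levels and scoring weights are this example's own assumptions.

```python
"""Minimal CSPM-style rule engine with context-aware prioritization.

Added example, not code from the original article. It runs over a constructed,
simplified inventory (hand-written stand-ins for S3, EC2 and IAM API output);
rule names, severities and scoring weights are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List

SEVERITY = {"high": 3, "medium": 2, "low": 1}
# Ports this example accepts as open to 0.0.0.0/0 (assumption: public web tier only).
WEB_PORTS = {80, 443}

# Constructed sample inventory, not real account data.
INVENTORY = {
    "s3_buckets": [
        {"name": "customer-exports", "encrypted": False, "public_access_block": False,
         "acl_grants_public": True, "tags": {"data": "pii"}},
        {"name": "build-cache", "encrypted": True, "public_access_block": True,
         "acl_grants_public": False, "tags": {}},
    ],
    "security_groups": [
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}], "attached_to": ["i-postgres"]},
        {"id": "sg-app", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}], "attached_to": ["i-web"]},
    ],
    "instances": [
        {"id": "i-postgres", "public_ip": False, "tags": {"data": "pii"}},
        {"id": "i-web", "public_ip": True, "tags": {}},
    ],
    "iam_policies": [
        {"name": "ci-deploy", "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "readonly", "statements": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                             "Resource": "arn:aws:s3:::build-cache/*"}]},
    ],
}


@dataclass
class Finding:
    rule: str
    resource: str
    severity: str     # how bad the misconfiguration is in isolation
    exposed: bool     # reachable from the internet given the surrounding configuration
    sensitive: bool   # affected resource holds data tagged as sensitive
    score: int = 0    # priority derived from the three fields above


def _sensitive(tags: Dict[str, str]) -> bool:
    # Assumption: sensitive data is marked with a data=pii tag.
    return tags.get("data") == "pii"


def check_s3(inv: dict) -> List[Finding]:
    out = []
    for b in inv["s3_buckets"]:
        # A public ACL grant is only effective when Block Public Access is off.
        public = b["acl_grants_public"] and not b["public_access_block"]
        if public:
            out.append(Finding("s3-public-bucket", b["name"], "high", True, _sensitive(b["tags"])))
        if not b["encrypted"]:
            out.append(Finding("s3-unencrypted", b["name"], "medium", public, _sensitive(b["tags"])))
    return out


def check_network(inv: dict) -> List[Finding]:
    instances = {i["id"]: i for i in inv["instances"]}
    out = []
    for sg in inv["security_groups"]:
        attached = [instances[i] for i in sg["attached_to"] if i in instances]
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] not in WEB_PORTS:
                # The open rule is only reachable from the internet if an attached
                # instance actually has a public address: that is the context.
                exposed = any(i["public_ip"] for i in attached)
                sensitive = any(_sensitive(i["tags"]) for i in attached)
                out.append(Finding("open-ingress-port", f"{sg['id']}:{rule['port']}", "high", exposed, sensitive))
    return out


def check_iam(inv: dict) -> List[Finding]:
    out = []
    for p in inv["iam_policies"]:
        for st in p["statements"]:
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            if st["Effect"] == "Allow" and "*" in actions and st["Resource"] == "*":
                # Full admin rights: not network-exposed itself, but a privilege-escalation path.
                out.append(Finding("iam-admin-policy", p["name"], "high", False, False))
    return out


def prioritize(findings: List[Finding]) -> List[Finding]:
    # Weights are an assumption: exposure outranks sensitivity, both outrank base severity.
    for f in findings:
        f.score = SEVERITY[f.severity] + (3 if f.exposed else 0) + (2 if f.sensitive else 0)
    return sorted(findings, key=lambda f: f.score, reverse=True)


def scan(inv: dict = INVENTORY) -> List[Finding]:
    return prioritize(check_s3(inv) + check_network(inv) + check_iam(inv))


if __name__ == "__main__":
    for f in scan():
        print(f"{f.score:>2} {f.rule:<20} {f.resource:<20} exposed={f.exposed} sensitive={f.sensitive}")
```

On the constructed inventory the public, unencrypted PII bucket lands at the top, while the database security group open on port 5432 is still reported but ranked lower, because no attached instance has a public address; the IAM admin policy is flagged but, with no exposure or sensitive data attached, comes last. The HTTPS rule on the web tier produces no finding at all. A real tool would build the inventory from the provider APIs across all accounts and regions, but the separation of "is it misconfigured" from "is it reachable and what does it touch" is the point.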
A basic CSPM has become a must-have for managing and securing a cloud environment. To scale to today's multi-account environments and to reduce noise, CSPM tools have to contextualize and prioritize security warnings in order to guide and support security teams efficiently.