The Push and Pull of Access, Visibility, Compliance—and Automation

October 15, 2020

It’s fair to say most organizations couldn’t be competitive without taking advantage of at least some of the benefits of the cloud. The ability to get up and running quickly, to scale almost immediately and to roll out new applications at a fraction of the time as those based in physical datacenters—these are critical for modern business.

IT groups already running as skeleton crews with physical datacenters are seeing headcounts slashed or overwhelmed with additional responsibilities since the advent of cloud. In the worst-case scenario, headcount is decreasing as responsibilities are rising.

These smaller skeleton IT groups may also be following a common business directive, that organizations must now run in multiple public clouds. This can easily overwhelm IT groups, as security configurations operate differently in each public cloud. An organization that stores all its customer data in a compliant fashion in their AWS EC2 instances may have security gaps in a duplicated virtual machine in Google Cloud Platform. An application that passes an audit with flying colors in Oracle Cloud may fail the exact same audit when the application runs in VSX.

These issues are so pervasive that we’ve seen the emergence of cloud security posture management in the last few years.

By now, most organizations realize that while their cloud infrastructure provider is responsible for the security of the cloud, the client is responsible for the security of the data in the cloud. Even with the right attitude toward responsibility, however, cloud breaches are still commonplace. Many times, the breach is due to a misconfiguration, such as developer settings that are too liberal or even unrestricted. The Cloud Security Alliance reports that unrestricted access settings are some of the most commonly used launch points for attacks. These types of misconfigurations are often caused by the mismanagement of multiple connected resources.

Today’s enterprise cloud environments are so large and complex it’s impossible to manually track and maintain tens of thousands of resources and accounts. When personnel suffer from lack of visibility, or if different divisions or roles don’t fully understand which resources interact, a common mistake is to apply permissions from resource to resource without knowing the 'least privilege' permissions required to keep customer data private.

Automation is key to the success of posture management

Posture management software specifically addresses these issues—among many others. These solutions provide organizations with visibility into how many cloud resources are running, the security and compliance policies surrounding those resources and how they’re all configured—even before placed into production.

Automation is crucial. Just as these resources are impossible to manage manually, so too is the application of proper policies. An effective solution must be able to automate remediation of misapplied policies. Those companies in regulated industries can choose from several products that include libraries of the most common compliance regulations (and some have obscure and uncommon regulations, as well). When remediation is automated—especially across multiple clouds—compliance is more easily assured.

Automation of remediated misapplied policies can lead to posture management software providing other benefits to the organization as well, such as identifying unused assets or checking the integrity of a recently deployed system.

CSPM (Cloud Security Posture Management) promotes effective clouds

Automation is emerging in many areas of cybersecurity to assure better, more efficient and secure customer outcomes. The application of security policies and the managing of security posture are no exceptions. Cloud security posture management is a key component of a healthy cloud environment—and can make achieving and maintaining compliance far less work.