Cloud Security Posture Management is boring but important
Jonathan : Jun 2, 2021 11:34:00 AM
“While it is not popular to say out loud – most companies just are not at the maturity to totally eschew a CSPM. Almost every day, organizations are still falling victim to poor cyber hygiene that a CSPM would otherwise surface for you,” writes Jonathan Rau – Head of Cloud & Offensive Security, IHS Markit. MontyCloud DAY2 helps customers discover, inventory, continuously assess their security posture and automate remediations. All it takes is 5 minutes to connect your AWS account. You can automate and centralize CSPM across all your cloud accounts and regions worldwide.
– Sabrinath S. Rao
As the title suggests, CSPM, or Cloud Security Posture Management, is very boring. Before going further, let us dive a little deeper into what CSPM (also sometimes called Continuous Compliance Monitoring, or CCM) is. Without getting into industry-definition malarkey, CSPM or CCM is a set of tools or services that assess cloud provider resources (think an Amazon S3 Bucket or Google Compute Engine instance) and ensure they adhere to “best practices”. In addition to these “best practices”, harkening back to the CCM acronym, the checks performed are also aligned to compliance or risk management frameworks such as ISO 27001 or the NIST Cybersecurity Framework (CSF) – which is where the value proposition came from.
“Best practice” is becoming much more of a buzzword (as is compliance alignment), and what it means differs from provider to provider and from person to person, as cloud service providers are typically bad at articulating what it means beyond the actual service or infrastructure layer – which is exactly where CSPM solutions are aimed. In practice this means checking that you are using customer-managed encryption keys (or are using encryption at rest to begin with), that logging is enabled, and that services are not exposed to the internet; some tools also check whether an identity-based policy associated with a resource is too permissive. Some important ones right from the gate are:
- If you are using IAM Users (you should consider using Identity Federation), they should all have MFA attached to them.
- Use IAM Roles, and not IAM Access Keys for access to your AWS resources.
- Use Encryption everywhere with AWS KMS to allow you to set fine-grained policies on who can decrypt and encrypt with those keys.
- Databases and data storage (Amazon S3, Amazon EFS, Amazon RDS, and similar) should not be publicly reachable. Never publicly share volumes, snapshots, backups, buckets, or databases and instead scope down to specific Accounts or IAM Principals.
- Utilize central AWS Security Services such as GuardDuty, Security Hub, Macie, and IAM Access Analyzer and do not allow IAM principals to disable these. You should also enable CloudTrail logging as well as logging for important services, no matter what they are (EC2 with CloudWatch Agents, Lambda with CloudWatch, etc.).
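The first two checks in the list can be evaluated from the IAM credential report (`aws iam get-credential-report`). The following is an added example, not code from the original post or from any CSPM product; the report rows are constructed, only the columns the check reads are included, and the check IDs are hypothetical names.

```python
import csv
import io

# Constructed sample using column names from the IAM credential report.
# 111122223333 is a placeholder account ID.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,true
"""

KEY_COLUMNS = ("access_key_1_active", "access_key_2_active")


def check_credential_report(report_csv):
    """Return (user, check_id, detail) findings for MFA and access-key hygiene."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports password_enabled as "not_supported" but can
        # always sign in to the console, so it is held to the MFA check too.
        has_console = row["password_enabled"] == "true" or user == "<root_account>"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "IAM_MFA_MISSING", "console access without MFA"))
        # Active access keys are long-lived credentials; the list above
        # recommends IAM Roles instead.
        active = sum(1 for col in KEY_COLUMNS if row[col] == "true")
        if active:
            findings.append(
                (user, "IAM_ACCESS_KEY_ACTIVE", f"{active} active access key(s)")
            )
    return findings


if __name__ == "__main__":
    for finding in check_credential_report(SAMPLE_REPORT):
        print(finding)
```
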
Now that we have set what CSPM is, the title still stands: it is boring, but it is also important
CSPM is only skin-deep, but that was always kind of the point. As cloud service providers greatly expanded the breadth of service categories and the components within them, practitioners from security operations teams to DevOps organizations struggled to keep up. The value proposition, outside of “best practices” and “staying compliant”, was that by using time-based scans or real-time telemetry, you could be alerted when a resource deviated from a security configuration and sometimes be given recommendations on how to fix it. This sounds great, until you have a few accounts and hundreds of resources, and now you are under a deluge of alerts – that boringness quickly turns to frustration. As someone who is responsible for a large estate of tens of thousands of compute, storage, and identity resources, we are seeing something close to 400,000 findings per month; that is a little over 1000 an hour, and even using automated remediation it is hard to keep up.
What about the attacks you hear about all the time?
Public S3 Buckets, public RDS Snapshots with important data, missing (or broken) authorization on API Gateways, or a lack of resource-based policies to prevent access to important data – a CSPM can catch all of that. You are likely waiting for me to get to the “what is important” part – and it is not that much of a surprise: the checks performed by CSPMs are important, with the proper context. While you may hate getting a deluge of findings thrown at you, you should consider them in light of how your applications and business services are formed, and keep in mind what the more “popular” attack vectors are.
Do you build serverless, event-driven systems that send messages and data to third parties?
Then focus on checks around that system’s resilience and security: using telemetry tracing (such as with Amazon X-Ray) and ensuring that the message brokers (such as an Amazon SQS Queue) support encryption and do not allow public access will be important.
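The public-access checks described above for S3 buckets and SQS queues come down to reading the resource-based policy. The following is an added example, not code from the original post or from any CSPM product; the policies, account ID and resource names are constructed placeholders. It separates unconditional public grants from wildcard grants narrowed by a Condition, which still need review in context.

```python
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal):
    # "*" and {"AWS": "*"} both mean "any caller" in a resource-based policy.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def classify_policy(policy_json):
    """Return [(sid, verdict)] for Allow statements granted to any principal.

    verdict is "public" when no Condition narrows the grant and
    "conditional" when one does and a human still has to judge it.
    """
    results = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        results.append((sid, "conditional" if stmt.get("Condition") else "public"))
    return results


# Constructed policies (account ID and resource names are placeholders).
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
QUEUE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Sid": "TopicToQueue", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue",
    "Condition": {"ArnEquals": {
        "aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:example-topic"}}}})

if __name__ == "__main__":
    print(classify_policy(BUCKET_POLICY))
    print(classify_policy(QUEUE_POLICY))
```
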
While it is not popular to say out loud – most companies (especially with COVID-19 accelerating cloud adoption) – just are not at the maturity to totally eschew a CSPM. Almost every day, organizations are still falling victim to poor cyber hygiene that a CSPM would otherwise surface for you. Are the same flavors of alerts, and every check mapped into the NIST CSF control PR.DS-1: Data-at-rest is protected, incredibly frustrating to get? Yes, but without those nagging CSPM checks a lot more companies would be worse off.
Going back to another thought, a lot of it does come down to context and understanding your attack footprint and your threat environment. While you will need specialized skills, and perhaps other tools, the MontyCloud DAY2 platform can certainly help you along the way. Yes, it offers a Security Bot and a Compliance Bot, which are CSPMs (and free!), but the real benefit is the application management and context: instead of looking at 1000s of alerts in a vacuum, you can key into your Production or Sales related workloads.
To further the last point, DAY2 gives you hardened building blocks to start from, so you likely won’t be drowned by alerts to begin with. Other benefits include single-click access into compute resources, automated patching (managing vulnerabilities is as important as CSPM) and the ability to group resources in a way that makes sense to you! A successful cloud strategy is more than just a stable of security tools – it is proper application development and monitoring, which is what MontyCloud DAY2 gives you, and more! DAY2 also goes a bit further and helps you action all those boring alerts, in real time, how you want to do it – but that is a story for another day.