Cloud security challenges drive need for strategic CSPM
Security in the cloud has become too complex to manage with a tactical approach, driving a need for more strategic, holistic approaches to cloud security posture management.
This is according to Palo Alto security experts who were addressing a webinar on multi-cloud security and compliance, hosted in partnership with ITWeb.
Frans de Waal, Prisma Cloud sales specialist at Palo Alto Networks, said: “Organisations are trying to apply the same problem-solving principles they used in on-prem environments to cloud native environments, trying to solve modern problems with old ways of thinking. This is causing frustration and a lot of complexity in environments.
“The approach has always been ‘we need to solve a business problem – let’s buy a piece of technology’. Over time, we have found ourselves in a situation where we have various point products, different vendors and different skills to operationalise. This introduces cost, operational inefficiencies and risk blind spots. A new strategic approach is needed in terms of future proofing our cloud security strategies and being able to address the challenges we have now – and will have tomorrow.”
Organisations are trying to solve modern problems with old ways of thinking.Frans de Waal, Palo Alto Networks.
De Waal said using a variety of point-based technologies could increase risk blindness, with 70% of organisations experiencing cloud security blind spots. It also resulted in them having a lack of context and made it difficult to prioritise security risks.
“Many organisations don’t have the deep visibility they require into cloud service providers and the services their teams want to consume, and this is exacerbating the anxiety and risk within the organisation. There is a massive risk of context which causes organisations to be unable to define a clear security strategy and journey for a one- to five-year horizon. Organisations find it extremely difficult to prioritise what they need to action in the cloud because there is so much information and so much risk,” he said.
“It’s common to see mergers and acquisitions occurring, or developers and teams using credit cards to fire up their own cloud accounts. How do we gain visibility into these estates and ensure that we prioritise these risks effectively?”
Cloud development increases risk
Polls of attendees revealed that 45% use DevOps. 10% use over 12 security tools in their cloud environments, 5% use eight to 11 tools, 21% use four to seven tools, and 63% use one to three tools. 60% said under 25% of their estate was containerised, while 8% said over 75% of their estate was containerised.
Gordon Bailey-McEwan, Prisma Cloud solutions architect at Palo Alto Networks, said DevOps could introduce significant risk into an environment from a compliance perspective. “What a lot of people don’t realise is that if your DevOps pipeline is compromised, it can result in very sensitive data being exposed.”
De Waal said: “When organisations first migrate to the cloud, it typically starts with lift and shift and evolves over time into more of an innovation centre where organisations start relying on things like infrastructure as code, DevOps and automated delivery of applications into the cloud.”
He elaborated: “There are generally a lot more developers in an organisation than security staff, and these developers are incentivised to deliver applications quicker. So, the security team wakes up and identifies that there is a new risk or alert, and they need to gain context around it. They then try to resolve it, only to have it nullified when the developers roll out a new piece of the application code. There is this constant flux between the developer community wanting to get applications into production quickly, and your security teams being inundated with alerts and trying to keep up. This causes a lot of friction in organisations.”
He cited Palo Alto’s Cloud Native Security Report, which found that among organisations that have aggressively and successfully adopted cloud environments, there is an inverse correlation between their level of success and the amount of security tools they use within their cloud estates.
“When interviewing customers, we see that many organisations are unable to keep up with the flurry of alerts they receive from multiple point-based technologies in their environment, and being able to create context and prioritisation around that. This leads to poor security outcomes,” de Waal said.
“Organisations can take four to six days to be able to identify, respond and contain a threat and this points out a big weakness in tactical approaches. Over 90% of organisations are unable to identify, respond and contain cyber breaches within 60 minutes – there is just too much telemetry they must go through, and too much information.”
De Waal said cyber criminals were taking advantage of misconfigurations, new vulnerabilities, and Identity and Access management flaws, and this risk was exacerbated by the fact that cloud service providers are innovating at scale, adding hundreds of new services every year while security tools cannot keep up.
“It’s not uncommon for organisations to jump headfirst into the cloud, only to exit a few years later because they are unable to keep up with the risk,” de Waal said.
CSPM to address challenges
“To address these challenges, we need next generation cloud security posture management (CSPM) that simplifies agentless onboarding, offers deep visibility and contextualised, prioritised alerts, with actionable reports and dashboards,” he said.
“The requirements of next generation CSPM are real-time misconfiguration detection with cataloguing and audit; ML-enabled threat detection with behaviour analysis to surface anomalies; intelligent cloud identity management including net-effective permissions and entitlement investigation; one-click compliance reporting; critical risk prioritisation with context and pinpoint accuracy. You must be able to action that intelligence, so next generation CSPM must support remediation through both auto remediation and opening tickets. It needs to be able to span multiple cloud providers and stay up to date as new services are released,” de Waal said.
Bailey-McEwan demonstrated Prisma Cloud CSPM to holistically cover cloud security needs from development through deployment, until the time the application is productionised.
“The cloud is very complicated in terms of security, and has many different elements. Say I want to deploy an application, it could run on compute infrastructure such as a virtual machine. This compute infrastructure would also require networking infrastructure for communication purposes. The application would also need to store permanent information in some sort of database. Then finally, since identity is the new perimeter, there are also Identify and Access Management permissions to consider too. Prisma Cloud tries to simplify these different elements of cloud security with 'attack path policies'. Instead of focusing on individual areas and alerts with no context, it ties these elements together and raises a single alert – with context,” Bailey-McEwan said. “We can then remediate the problem at the code level or send a detailed ticket to the application team to fix it.”