Palo Alto Networks today revealed that its Bridgecrew by Prisma Cloud offering has been extended using another tool that now makes it possible to also detect configuration drifts across multiple clouds.
Bridgecrew Drift Detection is based on the open source Yor project, which automatically tags IaC templates with attribution and ownership details as well as a unique ID that is carried across to the provisioned cloud resources. Yor was created by Bridgecrew, which Palo Alto Networks acquired earlier this year. Bridgecrew by Prisma Cloud already provides IT teams with an open source tool for scanning infrastructure-as-code (IaC), dubbed Checkov, that was also created by Bridgecrew.
Guy Eisenkot, vice president of product for Bridgecrew by Prisma Cloud, said the Multi-Cloud Drift Detection extension to the Bridgecrew by Prisma Cloud platform leverages Yor’s tracing capabilities to make it easier to identify and flag discrepancies between how cloud resources were defined in IaC and how they are configured in runtime.
The goal is to make it simpler to identify misconfigurations that might have occurred because of changes made by developers or the cloud service provider, he added. If detected, it’s still up to an IT team to remediate those misconfigurations but Eisenkot noted the multi-cloud drift detection capability makes it possible to prioritize those efforts based on the level of risk to an organization. The current implementation of Multi-Cloud Drift Detection supports Amazon Web Services (AWS), Microsoft Azure and Google Cloud.
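To make the mechanism described above concrete, here is an added example (not Bridgecrew, Yor or Prisma Cloud code) of how a drift detector can use a trace ID tag to pair each IaC-declared resource with the resource actually running in the cloud, diff the attributes that matter, and rank the findings by risk. It assumes the tag key is `yor_trace`, that the IaC definitions and runtime state have already been flattened into simple dictionaries, and that the risk table and all sample resources are constructed for illustration.

```python
"""Added example: IaC-vs-runtime drift detection keyed on a trace tag.

Not Bridgecrew/Yor code. Assumes IaC templates and cloud API results have
already been flattened into dicts with a "tags" mapping.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed tag key that carries the unique ID from the IaC template to the resource.
TRACE_TAG = "yor_trace"

# Constructed risk table: which drifted attributes matter most to a defender.
RISK_BY_ATTRIBUTE = {
    "public_access": "high",
    "encryption": "high",
    "ingress_cidr": "high",
    "versioning": "medium",
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class DriftFinding:
    trace_id: str
    resource: str
    kind: str                      # "modified", "missing_in_cloud", "not_in_iac"
    attribute: Optional[str] = None
    declared: object = None        # value in the IaC template
    observed: object = None        # value reported by the cloud API
    severity: str = "low"


def index_by_trace(resources):
    """Key resources by their trace tag; resources without the tag cannot be matched."""
    indexed = {}
    for res in resources:
        trace_id = res.get("tags", {}).get(TRACE_TAG)
        if trace_id:
            indexed[trace_id] = res
    return indexed


def detect_drift(iac_resources, runtime_resources, compare_keys):
    """Pair declared and observed resources by trace ID and report every discrepancy."""
    declared = index_by_trace(iac_resources)
    observed = index_by_trace(runtime_resources)
    findings = []
    for trace_id, d in declared.items():
        o = observed.get(trace_id)
        if o is None:
            findings.append(DriftFinding(trace_id, d["name"], "missing_in_cloud", severity="medium"))
            continue
        for key in compare_keys:
            if d.get(key) != o.get(key):
                findings.append(DriftFinding(trace_id, d["name"], "modified", key,
                                             d.get(key), o.get(key),
                                             RISK_BY_ATTRIBUTE.get(key, "low")))
    # Tagged resources present in the cloud but no longer declared in any template.
    for trace_id, o in observed.items():
        if trace_id not in declared:
            findings.append(DriftFinding(trace_id, o["name"], "not_in_iac", severity="medium"))
    # Highest-risk drift first so remediation can be prioritized.
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def run_example():
    """Constructed sample data: three declared resources, three observed in the cloud."""
    iac = [
        {"name": "logs", "tags": {TRACE_TAG: "a1"}, "public_access": False,
         "encryption": "AES256", "versioning": True},
        {"name": "web-sg", "tags": {TRACE_TAG: "b2"}, "ingress_cidr": "10.0.0.0/8"},
        {"name": "archive", "tags": {TRACE_TAG: "c3"}, "encryption": "AES256"},
    ]
    runtime = [
        {"name": "logs", "tags": {TRACE_TAG: "a1"}, "public_access": True,   # changed out of band
         "encryption": "AES256", "versioning": True},
        {"name": "web-sg", "tags": {TRACE_TAG: "b2"}, "ingress_cidr": "0.0.0.0/0"},
        {"name": "tmp-bucket", "tags": {TRACE_TAG: "d4"}, "public_access": False},
    ]
    keys = ["public_access", "encryption", "versioning", "ingress_cidr"]
    return detect_drift(iac, runtime, keys)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.severity}] {f.resource} ({f.trace_id}): {f.kind}"
              + (f" {f.attribute} declared={f.declared!r} observed={f.observed!r}"
                 if f.kind == "modified" else ""))
```

Matching on the trace ID rather than on resource names is what makes the comparison reliable across clouds: names get reused and renamed, while the tag travels with the resource from the template to the provisioned object, so a detector can tell a modified resource from a deleted-and-recreated one, and can also surface resources that exist in the cloud but are no longer declared anywhere.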
The root cause of most cloud breaches is usually traced back to a misconfiguration issue. Developers typically employ an IaC tool such as Terraform to provision cloud infrastructure. Unfortunately, most developers are not security experts, so mistakes are frequently made. Cybercriminals, meanwhile, have become very adept at scanning for cloud infrastructure misconfigurations through which they might be able to inject malware or exfiltrate data.
It will be up to each organization to determine how best to employ the multi-cloud drift detection extension. In an ideal world, any detection of drift would be fed back to developers via the same DevOps pipelines they employ to manage the building and deployment of applications. Cybersecurity teams, after all, generally lack the programming skills required to update configurations created using IaC tools. It’s generally a site reliability engineer (SRE) that centralizes the management of cloud configurations, noted Eisenkot.
There’s a lot more focus on cloud misconfigurations in the wake of a series of high-profile breaches; that has led to many organizations reevaluating the core processes employed across their software supply chains. For years, cloud service providers have insisted on a shared responsibility model for cloud security that assumes developers will be able to securely provision cloud infrastructure. Given the large numbers of misconfigurations, that faith in developers may be misplaced.
It’s not clear if those security reviews will lead to any fundamental changes when it comes to who is allowed to provision cloud infrastructure or what tools are employed. However, as cybersecurity teams start to delve deeper into those existing processes, they may soon conclude that they are deeply flawed. The issue will then become how to improve them without adding additional burden to developers already overwhelmed by security requirements that continue to shift in their direction.