
Do I Need CNAPP If We’re Only Starting to Deploy to the Cloud? 

Overview

You’ve started deploying workloads to the public cloud. Here’s your security strategy: Let’s use our provider’s native tooling, keep our workload vulnerability scanner and add in a cloud security posture management (CSPM) tool. They’ll flag the vulnerabilities and misconfigurations, and keep us compliant, at minimal spend. That’s good enough cloud security for us now – anything bigger would be taking a hammer to an ant.

True or false?

Decidedly false. You’re not going to conquer security in the cloud with a piecemeal approach or by ticking compliance checkboxes. With the data center firewall gone, cloud security is an ongoing, dynamic, multi-layered acrobatic act. Studies report ballooning misconfigurations and vulnerabilities, and excessive entitlements, for all organizations no matter how small their cloud footprint is. When cloud resources are not configured correctly, the cloud environment is vulnerable. 

This blog explores the rationale for a holistic cloud security approach from the get-go – even for fledgling cloud environments.

Cloud security problems start upon migrating workloads 

We see a tendency among customers new to the cloud: during and after deployment, their teams apply the same data center principles and even use the same tools, regardless of how poorly those tools function in the cloud. We also see that, in that initial deployment, they are typically over-permissive with identities and generic about security policies, in an effort to minimize the number of obstacles and the amount of troubleshooting that will be needed.

The cloud involves frequent spinning up and down of infrastructure, service accounts getting broad access, third parties needing access, workloads in flux and Kubernetes workloads acting like closed black boxes. It’s near-impossible not to make mistakes in security configurations and access policies. Using data center tools for cloud security, or deploying workloads with over-permissive access, creates huge security gaps that can lead to exposure – and are a gift to cloud threat actors. These gaps include misconfigurations, workload vulnerabilities and risky policies, roles and identities, as well as unsecured assets and potentially publicly accessible resources. Beyond the risks to specific assets, using the wrong tools or applying lax access entrenches security practices at an organizational level that are not suited to the new cloud environment.

Organizations are aware of the risks. A recent TechTarget ESG study found that the most common cloud security concerns included managing access control to reduce risk and the attack surface, and ensuring developers aren’t circumventing security teams. Respondents reported contending with a range of misconfigurations.

So what are organizations new to the cloud doing about their security concerns and to reduce their cloud attack surface? Some rely on the native tools of their cloud providers. Others supplement provider tools with – or rely solely on – third-party cloud security posture management (CSPM) and other independent security software vendor capabilities. 

What security can you count on your CSP to provide?

For starters, your CSP can help you:

  • Align with best practices
  • Educate your organization on the leading risks and threats
  • Mature your cloud and cloud security program and roadmap

AWS, for example, offers the AWS Cloud Adoption Framework, which consists of foundations, domains and iterative phases necessary for successful cloud transformation. Security is one of the framework’s key foundational capabilities.

AWS Cloud Adoption Framework (CAF) – Source: AWS

The leading cloud providers offer an ever-evolving treasure chest of security tools and related documentation to help you ensure the confidentiality, integrity and availability of your cloud workloads and data. These security capabilities span identity and access management (IAM), network security, data and infrastructure protection, monitoring and logging, vulnerability management, governance, incident response and more. Many of these tools integrate well with the cloud customer’s existing workflows and support automation. 

While cloud provider tools can offer a security foundation, they typically require a high degree of cloud security expertise to implement and use effectively. Also, even with provider tools in place, the cloud customer must configure their environment correctly, follow best practices and implement additional security measures for specific needs. The success and effectiveness of implementing provider security tools depends on how well your organization is at configuring, monitoring and maintaining them. 

Under shared responsibility, cloud providers recommend security best practices for cloud-stored data – yet the cloud customer has the onerous task of executing them, and carrying out regular security assessments and audits to ensure continued compliance. For organizations new to the cloud, building out a security program using cloud provider tools can create a huge amount of work, result in solutions that are not necessarily automated and potentially compromise the cloud environment’s resilience to attacks and lateral movement.

Then there’s the matter of detected risks. CSP security tools may generate findings – but what to do next? Are the findings critical or minor? Are the risk mechanisms able to identify toxic combinations? Do the tools answer questions you need to know about what is taking place in your environment? Knowing how to mitigate detected misconfigurations and risks can be a challenge for even the most resourceful and experienced teams.

And note: cloud provider tools typically do not identify risk in other cloud environments. Yet studies show that most organizations deploying to the cloud find themselves, in short order, expanding to additional cloud providers for different business unit and application needs. For multicloud security, many organizations turn to third-party tools.

CSPM and CIEM are a great start – but not enough

Investing in cloud security posture management tools is a widely recognized first step in securing migrated workloads – and cloud-native applications. The same ESG report found that almost 75% of organizations are using third-party CSPM solutions, including for consistency across platforms. 

Organizations are increasingly seeking out cloud infrastructure entitlement management (CIEM) tools in combination with CSPM. Together, these capabilities give cloud security posture management greater context for more effective compliance, reduce the cloud attack surface by reining in permissions risk, and scale least-privilege access. 

Are CSPM and CIEM enough? Such solutions offer automation and multi-cloud access risk reduction. However, they do not address security at the cloud-native application level, namely:

  • Continuous scanning of workloads
  • Kubernetes security
  • Shift left infrastructure as code (IaC) scanning, to prevent errors at source
  • Anomaly detection

You’re thinking: I don’t need all that now. Yet for reasons of time savings, organizational alignment, improved security and even return on investment, a more effective approach to cloud security is to adopt CNAPP from the get-go. Let’s take a closer look. 

Adopting CNAPP early enables seamless security scaling

The ESG study found that most organizations are using DevOps for their cloud-native application building and plan to ramp up security practices in those efforts in the next two years. Microsoft reports that the number of service identities in the cloud is tenfold that of human users. In other words, very quickly in your organization’s cloud journey you will be engaging in the cloud’s productivity enablers and complexity.

CNAPP combines and tightly integrates the cloud infrastructure security capabilities of CSPM and CIEM with cloud-native application security, for holistic lifecycle security from development to deployment. CNAPP offers a robust and layered security posture spanning all aspects of cloud security, including risks to identities and entitlements (like unintended privilege escalation), misconfiguration of cloud infrastructure components (like publicly exposed storage resources), exposure of workload vulnerabilities (such as vulnerable OS versions) and misconfigurations in infrastructure as code. CNAPP integrates and correlates otherwise siloed capabilities and automates cloud security to detect risks and threats more accurately and quickly than standalone tools, and to remediate them in a fraction of the time. It also performs the analysis needed for regulatory compliance. 

Taking a holistic approach to your cloud security out of the gate makes more sense – you grow your cloud security incrementally, minimizing the attack surface where possible. Piecing together your cloud security one solution – or many unintegrated solutions – at a time may make you late to the game in detecting high-impact risks. CNAPPs, from the first steps of implementation, actually improve your speed in detecting risks and eliminate time spent chasing alerts. 

The pursuit of consolidated platforms is on the rise. Gartner predicts that, by 2025, 75% of new CSPM purchases will be part of an integrated CNAPP offering. 

A CNAPP solution provides quick, early wins with minimal effort. As an example, in the first weeks to months of implementing a CNAPP you can already:

  • Find the toxic combinations – See which workloads have a combination of critical vulnerabilities and additional severe risks
  • Remove all IAM inactive users at a click
  • Reveal exposed secrets across all your cloud environments
  • Resolve critical risks – ~2% of findings – across identity, secrets, network, workload, compute, data, custom policies and anomalies
  • Automate compliance benchmarks
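
As an added illustration of the “remove inactive IAM users” quick win above (this is not Ermetic’s code and is not part of the original post): a Python check that reads an AWS credential report and flags users whose enabled credentials have not been used within a threshold. It assumes the standard credential-report CSV column names (the API returns the report base64-encoded; it is decoded here already), a 90-day inactivity threshold and a fixed clock, and the report rows themselves are constructed for the example.

```python
"""Identify IAM users with no credential use in the last N days from an
AWS credential report. Added illustration (not Ermetic's code). Assumes the
standard credential-report CSV column names; the report, the clock and the
90-day threshold below are constructed for the example."""
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Optional

INACTIVITY_DAYS = 90                                # assumed policy threshold
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)     # fixed clock for reproducibility

# Constructed report, trimmed to the columns this check reads. A real report
# (`aws iam get-credential-report`, base64-decoded) has more columns; lookups
# are by column name, so the extra ones are simply ignored.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2021-01-01T00:00:00+00:00,not_supported,2024-05-30T00:00:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-01T00:00:00+00:00,true,2024-05-22T00:00:00+00:00,true,2024-05-27T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-06-15T00:00:00+00:00,true,2023-11-14T00:00:00+00:00,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-09-01T00:00:00+00:00,false,N/A,true,2024-02-02T00:00:00+00:00,false,N/A
newhire,arn:aws:iam::111122223333:user/newhire,2024-05-29T00:00:00+00:00,true,no_information,false,N/A,false,N/A
ghost,arn:aws:iam::111122223333:user/ghost,2020-02-02T00:00:00+00:00,false,N/A,false,N/A,false,N/A
"""


def _parse_time(value: str) -> Optional[datetime]:
    """Report placeholders (N/A, no_information, not_supported) mean 'never'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def last_activity(row: Dict[str, str]) -> Optional[datetime]:
    """Most recent use of any *enabled* credential, or None if none is enabled.
    An enabled credential that was never used counts from the user's creation
    time, so a stale never-used password or access key is still flagged."""
    created = _parse_time(row["user_creation_time"])
    seen: List[Optional[datetime]] = []
    if row["password_enabled"] == "true":
        seen.append(_parse_time(row["password_last_used"]) or created)
    for slot in ("1", "2"):
        if row[f"access_key_{slot}_active"] == "true":
            seen.append(_parse_time(row[f"access_key_{slot}_last_used_date"]) or created)
    known = [t for t in seen if t is not None]
    return max(known) if known else None


def classify_users(report_csv: str = SAMPLE_REPORT, now: datetime = NOW,
                   threshold_days: int = INACTIVITY_DAYS) -> Dict[str, Dict]:
    """Map user name -> {'status': active|inactive|no_credentials, 'days_idle': int|None}.
    The root account is skipped: it cannot be deleted and is governed by other controls."""
    result: Dict[str, Dict] = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        last = last_activity(row)
        if last is None:
            result[row["user"]] = {"status": "no_credentials", "days_idle": None}
            continue
        idle = (now - last).days
        status = "inactive" if idle >= threshold_days else "active"
        result[row["user"]] = {"status": status, "days_idle": idle}
    return result


def inactive_users(report_csv: str = SAMPLE_REPORT) -> List[str]:
    """Sorted list of users a reviewer would consider for removal."""
    return sorted(u for u, info in classify_users(report_csv).items()
                  if info["status"] == "inactive")


if __name__ == "__main__":
    for user, info in classify_users().items():
        print(f"{user:12} {info['status']:15} {info['days_idle']}")
```

The check treats a never-used but enabled credential as idle since its creation date, which is the case that a simple “last login older than 90 days” query misses; users with no enabled credentials at all are reported separately rather than silently dropped, since they still carry policies and group memberships worth reviewing.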

Over time, you operationalize the solution further, remediating through project-based workflows, implementing least privilege, identifying and addressing flaws in infrastructure as code and more – eliminating operational silos and empowering cross-functional teams. 

And there are other bonuses. A CNAPP practically automatically produces a best practice path to an increasingly maturing cloud security strategy. The capabilities are there, waiting to be used, with added correlated insight with every new use case you incorporate. Remediation guidance is rich in the why and how, teaching teams as they go. Updates on cloud provider services and tools take place automatically without teams needing to make the updates manually.

CNAPP – a holistic, full-featured cloud security candy shop with immediate value right out of the gate and a built-in path to strategic cloud security best practice

Four reasons to start your cloud security with CNAPP

While the domain is yet emerging and evolving, there are key qualities to guide your thinking in what to look for in a CNAPP.

  1. Exceptional cloud identity security – According to Gartner, 75% of breaches are the result of misconfigured identities
  2. Usability and easy onboarding – All dashboards look nice, but when you click through, do you understand the problem and what you need to do? 
  3. Dynamic risk prioritization – Nuanced, contextual analysis across workloads, network, identity, data and Kubernetes filters out noise and pinpoints what’s most important 
  4. Easy communication with developers – Detailed findings easily shipped to change owners are a boon to collaboration and good security practice

Tip #1: Exceptional cloud IAM security

Challenge

As organizations move to the cloud, identity is the new perimeter, taking the “front-and-center” place as a major security control. Many security use cases that were traditionally addressed by other tools, like network security, are now being addressed by identity controls – such as segregation between development and production, third-party access and data security. Yet identity configurations in the cloud are extremely complex. Even the most basic questions, like “who can access what?”, are hard to answer. Many organizations get it wrong. Strong cloud identity security is crucial in a CNAPP solution. 

Solution

Look for a CNAPP solution with strong cloud identity security, integrating complete visibility, detection, and remediation capabilities for identity-related configuration and risks.

Tip #2: Focus on usability for quick wins and to close gaps

Challenge

Organizations are increasingly migrating resources to the public cloud – adopting Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings and services. The complexity of the environments, and the knowledge required by the different teams using the services, grows exponentially (the IAM service alone has more than 3,000 configurations). Understanding the root cause of cloud misconfigurations, and being able to prioritize them, is extremely challenging.

Solution

Look for a CNAPP that visualizes key configurations (e.g., network exposure, entitlement, or access activities) in a user-friendly way. Such usability will allow any user to not only detect a potential misconfiguration but to easily identify the root cause – expediting triage and remediation. Seeing the problem, despite its complexity, makes troubleshooting much easier.

Tip #3: Ensure dynamic risk analysis and prioritization

Challenge

Cloud environment complexity and a lack of cloud security expertise lead automated monitoring tools to detect and visualize large numbers of cloud misconfigurations. Even experienced teams face challenges in triaging and resolving all of them. But not all misconfigurations are equal – some have critical impact. Teams need to be able to accurately prioritize misconfigurations and findings.

Solution

Seek out a CNAPP that combines visibility across the technical stack – network, compute, data and identity configurations – and allows building a comprehensive risk profile for each misconfiguration and finding, effectively selecting the critical risks and greatly reducing the time to resolution. Best are solutions whose policies do not carry a “fixed” risk level but instead determine risk dynamically, based on deep contextual analysis. Also, look for solutions able to detect when a combination of misconfigurations exposes the environment to high-risk attack scenarios (such as Internet-exposed machines that have critical vulnerabilities and sensitive permissions).
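
The “toxic combination” quick win listed earlier and the dynamic, context-based prioritization described in this tip are the same idea seen from two sides: a finding’s severity should depend on what else is true about the asset. The following Python example is an added illustration of that idea and is not Ermetic’s scoring logic or part of the original post; the asset inventory, CVSS values, point weights and level thresholds are all constructed, and the Internet-exposed + critically vulnerable + privileged/data-holding case from the text is the one rule that always yields critical.

```python
"""Contextual, non-fixed risk scoring across network, workload, identity and
data signals. Added illustration only (not Ermetic's scoring logic); asset
names, CVSS values, weights and thresholds are all constructed."""
from dataclasses import dataclass
from typing import List, Tuple

CRITICAL_CVSS = 9.0   # assumed threshold for a "critical" vulnerability
HIGH_CVSS = 7.0       # assumed threshold for a "high" vulnerability


@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool       # e.g. a security group allows 0.0.0.0/0 to a listening port
    max_cvss: float              # highest CVSS base score among known vulnerabilities (0.0 = none)
    sensitive_permissions: bool  # attached identity can escalate or reach data broadly
    holds_sensitive_data: bool   # asset stores, or can read, classified data


# Constructed inventory: the same CVSS 9.8 finding appears on two assets, so
# the output shows the same vulnerability ranked differently by context.
SAMPLE_ASSETS = [
    Asset("web-01", True, 9.8, True, False),
    Asset("batch-worker", False, 9.8, False, False),
    Asset("bastion", True, 0.0, True, False),
    Asset("analytics-db", False, 7.5, True, True),
    Asset("dev-sandbox", True, 0.0, False, False),
]


def score_asset(asset: Asset) -> Tuple[str, List[str]]:
    """Return (risk level, reasons). No finding carries a fixed severity here:
    the level depends on what else is true about the same asset."""
    points = 0
    reasons: List[str] = []
    if asset.internet_exposed:
        points += 1
        reasons.append("reachable from the internet")
    if asset.max_cvss >= CRITICAL_CVSS:
        points += 2
        reasons.append(f"critical vulnerability (CVSS {asset.max_cvss})")
    elif asset.max_cvss >= HIGH_CVSS:
        points += 1
        reasons.append(f"high vulnerability (CVSS {asset.max_cvss})")
    if asset.sensitive_permissions:
        points += 1
        reasons.append("identity with sensitive permissions attached")
    if asset.holds_sensitive_data:
        points += 1
        reasons.append("holds sensitive data")

    # Toxic combination: an attacker can reach the asset, has a likely way in,
    # and lands on something that confers power or data. Always critical.
    if (asset.internet_exposed and asset.max_cvss >= CRITICAL_CVSS
            and (asset.sensitive_permissions or asset.holds_sensitive_data)):
        reasons.append("toxic combination: exposed + exploitable + privileged/data")
        return "critical", reasons

    if points >= 3:
        return "high", reasons
    if points == 2:
        return "medium", reasons
    return "low", reasons


LEVEL_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


def prioritize(assets: List[Asset] = SAMPLE_ASSETS) -> List[Tuple[str, str, List[str]]]:
    """Order assets so scarce triage time goes to the top of the list."""
    scored = [(a.name, *score_asset(a)) for a in assets]
    return sorted(scored, key=lambda s: (-LEVEL_RANK[s[1]], s[0]))


if __name__ == "__main__":
    for name, level, reasons in prioritize():
        print(f"{level:8} {name:14} {'; '.join(reasons)}")
```

Run as-is, the isolated batch worker carrying the same CVSS 9.8 finding as the web server lands at medium while the web server is critical, and the bastion with an open port but no known vulnerability is medium rather than high: the ordering comes from the correlation of signals, not from any single finding’s static score.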

Tip #4: Detailed findings and easy developer communication

Challenge

Once a misconfiguration is detected, remediation may require much work, including ensuring that the findings are delivered to the DevOps, CloudOps or Dev teams responsible for the misconfigured resource and that have the technical ability to triage the finding and remediate the risk. This process is further complicated by teams’ use of different platforms to communicate such information (e.g., Jira, Slack, MS Teams, PagerDuty, ServiceNow). Furthermore, the relevant DevOps individual or developer may lack the knowledge to determine the best way to remediate the specific risk – and may be concerned that a configuration change will cause production issues. Implementing the remediation procedure might take up precious time, making semi- or fully-automated remediation capabilities a must.

Solution

Seek out CNAPP capabilities that automatically identify the stakeholders potentially responsible for the misconfigured resources and allow you to set up automatic notifications. These settings let you automatically share findings with stakeholders via different channels based on specific rules, e.g., environment, risk severity and event. It’s very important that the CNAPP solution provide detailed remediation instructions for each finding, to inform stakeholders of the optimal remediation process. It’s also important that the platform offer built-in secure configurations (in cloud-native or IaC formats) that integrate into CI/CD processes or apply automatically, to further save time and build developer trust in the security tooling. 

Conclusion

Awareness of the importance of securing cloud environments is high. Where should you apply your budget for the best immediate and long-term value? Organizations with a large cloud footprint and cloud security tooling are, as Gartner recommends, seeking to consolidate those tools – to save on overhead and get better outcomes for their investment. 

Organizations like yours, new to the cloud, have a magical moment to get security right from the start and launch your cloud protection program with consolidation built in.

Like a home with extra bedrooms for growth, consider a CNAPP solution a smart, scalable choice for your cloud security investment that gives you quick wins and modular expansion. You gain advanced correlated risk intelligence from your first steps and a security gap reduction gift that keeps on giving as your cloud usage grows.

The post Do I Need CNAPP If We’re Only Starting to Deploy to the Cloud? appeared first on Ermetic.

*** This is a Security Bloggers Network syndicated blog from Ermetic authored by Diane Benjuya. Read the original post at: https://ermetic.com/blog/cloud/do-i-need-cnapp-if-were-only-starting-to-deploy-to-the-cloud/