Organisations are increasingly moving applications to the cloud to better serve their customers, partners and employees. The ability to quickly deploy applications to the cloud so employees, partners and customers can connect to companies for business transactions and services gives organisations a competitive advantage.
This makes maintaining security posture more important than ever, as increasing availability of products and services connected to company and customer data increases exposure to attacks. Cloud security posture management (CSPM) is key to mitigating security risk while enabling the use of innovative cloud technologies that drive better business results.
If your company is moving workloads to the cloud, or if you are charged with managing security in cloud environments, where do you start? Here are five ways to effectively manage your security posture with the use of cloud services.
1. Understand cloud security challenges and opportunities
Especially over the last few years, digital transformation using cloud services has been a key to business success. Cloud services provide economies of scale, taking care of hardware, infrastructure and support so organisations can focus on developing their applications. This includes providing a secure cloud platform, with each cloud service provider (CSP) articulating its security features and shared responsibility model, so that subscribers understand their responsibility in securing the workloads they put into the cloud.
The use of cloud services enables developers to build their applications with microservices-based architectures on elastic infrastructure and deliver them via continuous integration and continuous delivery (CI/CD) processes to the cloud. This empowers developers to provision their own cloud infrastructure and build their applications on resources that can be spun up and spun down on demand, with numerous connections to other resources and services.
While basic security concepts (such as code testing, applying policies and monitoring for threats and attacks) apply to managing your security posture, they need to be adapted to the complexity of cloud environments, the increasing speed of releases and the threat landscape that comes with exposure on the internet. In ESG’s study on the maturation of cloud-native security, 62% of respondents said the lack of access to the physical network and the dynamic nature of cloud-native applications and elastic infrastructure create visibility blind spots, making security monitoring challenging.
While organisations are responsible for securing their workloads in the cloud, CSPs have an interest in helping organisations secure their workloads on the platforms. Organisations should consider using add-on services from CSPs — including AWS, Google Cloud and Microsoft Azure — as well as offerings from security vendors to help them manage their security posture.
2. Work closely with IT and operations for technology decisions
A successful security leader needs to enable the use of innovative technologies instead of blocking them. Cloud computing and cloud-native technologies can be game-changing for increasing productivity and innovation. Security needs to be strategic and integral to IT and operational strategy, because if there is a security issue, it’s an operational issue affecting multiple teams and the business itself. Collaboration is essential in goal setting and technology adoption.
With security team involvement in evaluating and choosing products and platforms, groups can collaborate to ensure secure technology adoption and insertion of security processes into workflows. The move to cloud-native technologies is all about speed and efficiency, but if you rush through technology adoption, security is relegated to reactive mode instead of proactively building a strategic program to manage risk. While it may take more time to have multiple groups weigh in on technology purchasing decisions, security involvement helps reduce technical debt and costs from possible security issues down the line. Products also often have use cases or capabilities that can be used across multiple teams, so organisations can maximise the use of their technology investments.
3. Gain consistency across environments
ESG research on cloud-native applications showed that most organisations are employing multi-cloud strategies, with 72% using three CSPs or more. ESG research also found that most organisations are moving to hybrid cloud environments, with workloads in public clouds as well as in on-premises data centres. The top challenges include maintaining proper configurations, meeting and maintaining compliance standards, and setting consistent policies across environments.
If you are managing security to support the flexibility of development teams deploying to different cloud environments, how can you effectively manage risk? As mentioned above, different cloud environments have different security offerings and capabilities. This is where security vendors come in with CSPM products integrated with CSP security features. These products help security teams monitor, identify and remediate security issues found across cloud environments. Many well-established security vendors offer CSPM tools to help their customers safely move workloads to the cloud while managing their overall security posture. Newer companies and startups are focused on new approaches using the cloud-native technology stack.
4. Invest in products that reduce burden on security staff
Cloud-native development enables development teams to grow while security teams increasingly face a cybersecurity skills gap. Joint research from ESG and the Information Systems Security Association found that the biggest shortage was in cloud computing security skills. It’s important to consider time and staff savings and invest in products that drive efficiency and reduce staff burnout.
The availability of open source tools has also created tool sprawl and alert fatigue. Instead, invest in products that will pay for themselves by reducing risk more efficiently and by saving security team members from wasting their time on mundane, error-prone tasks, such as trying to find patterns or perform analysis across multiple tools.
CSPM products are helpful because they automate tedious, manual processes and reduce the time it takes for security to remediate the highest-impact issues. Tool and product consolidation and/or integration is also useful, as it takes time to deploy and manage any new security product.
5. Incorporate security into development processes
Cloud-native development with CI/CD means developers are empowered to provision their own cloud infrastructure and deploy applications to the cloud. Security teams are overworked and outnumbered. They don’t have time, nor do they want to slow down development by causing a bottleneck.
Security needs to adapt. Just as operations shifted to development, security needs to shift to development in order to empower developers to test and fix their own code. This DevSecOps or shift-left movement has already begun, but security skills and experience vary among development teams. Also, developers may be using a variety of tools, including many freely available open source tools, that result in security alerts for issues that may or may not need attention. It can be difficult to determine which alerts matter without the context of how applications will behave when they are running.
Security can help developers by giving them the right tools integrated with their CSPM tools, so developers can focus on remediating security issues that pose the most risk. Security teams can set policies and help developers use automated testing tools that work within their workflows. This should provide the best of both worlds: visibility and control for security, while automating processes so developers can work efficiently to produce higher quality, secure code.