David Matousek

Summary

The article outlines a comprehensive approach to establishing a robust cloud security posture through governance, configuration management, and vulnerability prevention and remediation.

Abstract

The article emphasizes the necessity for enterprises to maintain a strong cloud security posture to ensure compliance with security standards and industry best practices. It introduces a three-stream approach to cloud security: governance and standards, policy and configuration management tools, and vulnerability prevention and remediation flows. Governance involves setting high-level security policies and detailed standards, while configuration management tools are crucial for identifying misconfigurations and vulnerabilities. The third stream focuses on proactive prevention and swift remediation of security issues. The article advocates for integrating these streams to create a unified cloud security posture that allows for continuous monitoring, risk assessment, and automated issue resolution across multiple cloud platforms.

Opinions

  • The author believes that security without engineering agreement leads to hidden IT issues and excessive risk exemptions.
  • A centralized governance framework with decentralized risk review is considered effective for cloud security.
  • The author suggests that cloud security is significant enough to warrant its own governance model, separate from other policy areas like network or infrastructure security.
  • The article highlights the importance of evolving security practices by shifting them 'left' to the developers, enabling real-time feedback and reducing the need for post-deployment security checks.
  • The author values the use of Infrastructure as Code (IaC) scanning as a method to prevent misconfigurations and ensure compliance during the development process.
  • The author posits that mature organizations should automate the process of detecting configuration drift and remediating runtime vulnerabilities.

Posture One: The Three Streams of a Cloud Security Posture

Article 3 of 9 in Building Your Cybersecurity Posture on Medium

Image by Gerd Altmann from Pixabay

Enterprises need transparency into their cloud security posture in order to remain compliant with risk, security standards, and industry best practices. The first step is to build cloud security governance policies that set the security standards for your cloud assets. Once you know your policies, you need to continuously monitor your cloud assets for configuration changes, misconfigurations, and vulnerabilities. Finally, just knowing that you have issues doesn’t provide security: you need to begin the processes of remediating existing issues through automation and preventing future issues by scanning deployments into your cloud estate.

Building out a cloud security posture is a task that requires agreement and participation from security, operations, and engineering. Agreement is required because security rules without engineering agreement do not provide security; they create hidden IT and the overuse of risk exemptions.

The Three Streams

Going deeper into cloud security you need to think about what and how to properly monitor your cloud security posture. I find it useful to separate the work into three streams.

Once the work is divided up, each stream can be pursued independently to expedite building a safe and secure cloud security posture.

Stream 1: Governance and Standards

Governance is the framework of policies and processes that provides oversight of how security is implemented and how risk is measured for your organization. Governance steers the policies derived from enterprise values. A policy is a high-level description of how security should be implemented. From policies, security standards are created: detailed rules and measures that enforce the policy.

Governance can be both centralized and decentralized at the same time. I feel that a good cloud governance framework has centralized policies and standards. At the same time a good cloud governance framework has a decentralized risk review and interpretation process.

Building a governance model of policies and standards for your enterprise is no easy feat. Often in the case of cloud governance and policies, there are existing standards scattered throughout other policies such as your network, application, and infrastructure policies. To precisely govern cloud security, I believe it is necessary to provide a single policy representing your cloud. Clouds are continuously evolving, adding new virtual asset types, and even launching new asset categories. It seems to me that cloud security is important enough to spend the time and build out its own governance model.

Stream 2: Policy and Configuration Management Tools

Software tooling is the security and compliance layer that identifies drift, misconfigurations, vulnerabilities, and risks to our cloud assets. When securing your cloud assets,

There are 5 major cloud security capabilities that need to be measured as part of your cloud security posture:

  1. Container Security — prevents deployments of containers with security vulnerabilities as part of the CI/CD pipeline.
  2. Infrastructure as Code (IaC) scanning — prevents infrastructure vulnerabilities by checking for policy misconfigurations at
  3. Cloud Workload Protection — actively scans runtime environments, both platform and serverless, for security vulnerabilities.
  4. Cloud Security Posture Management — a security and compliance tool that identifies misconfigurations and risks to our cloud assets in our IaaS and PaaS cloud environments.
  5. SaaS Security Posture Management — a security and compliance tool that identifies misconfigurations and risks to SaaS cloud environments.

Stream 3: Vulnerability Prevention & Remediation Flows

In addition to having a governance model and monitoring our cloud estate, we need to take action both to prevent issues from occurring and to remediate any issues that manifest.

Using Infrastructure as Code Scanning to Prevent Misconfigurations

Once we have a controlled cloud configuration, it makes sense to evolve and decentralize the security to the developer. This is a classic “Shift Left” example where we provide the centralized policies to be used in the DevSecOps pipeline so that developers can get real-time feedback on their configurations. Developers cannot wait for feedback on a misconfiguration or policy violation until after deployment into a production environment. By integrating IaC scanning into the DevSecOps pipeline and using the centralized governance model, we make doing the safe and secure thing frictionless and useful for developers by moving the feedback cycle into their CI/CD process.

Using Cloud Workload Protection to Detect Configuration Drift and Runtime Vulnerabilities

Of course not all configurations stay static in our production environments. In fact, configurations can be altered for both malicious and non-malicious reasons, but in either case it’s important to detect the change and remediate the issue. Often this is done by first detecting the deviation, and then opening a ticket in your project management tool of choice to fix the problem. More mature organizations even automate this process.
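As an added example (not code from the article), the two flows above expressed as a small policy-as-code engine in Python: the same centralized rule set gates an IaC plan in CI/CD and later scores runtime drift, so the resulting ticket carries the standard that the drift violates. The resource dicts, rule ids (STD-001 to STD-003) and the sample plan are constructed and provider-neutral.

```python
# Centralized standards (Stream 1) as code, so the pipeline gate and the
# runtime scanner enforce the same rules: (id, resource type, True when compliant).
POLICIES = [
    ("STD-001", "storage_bucket", lambda r: r.get("public_access") is False),
    ("STD-002", "storage_bucket", lambda r: r.get("encryption") == "kms"),
    ("STD-003", "firewall_rule",
     lambda r: not (r.get("port") == 22 and "0.0.0.0/0" in r.get("source", []))),
]

def scan_iac(resources: list[dict]) -> list[dict]:
    """Shift-left gate: one finding per violated rule; [] means the plan may deploy."""
    findings = []
    for res in resources:
        for rule_id, rtype, compliant in POLICIES:
            if res["type"] == rtype and not compliant(res):
                findings.append({"rule": rule_id, "resource": res["name"]})
    return findings

def detect_drift(desired: list[dict], observed: list[dict]) -> list[dict]:
    """Runtime check: diff the applied plan against the live state, then re-run the
    policies on the live resource so the ticket knows whether drift breaks a standard."""
    live = {r["name"]: r for r in observed}
    drift = []
    for want in desired:
        have = live.get(want["name"])
        if have is None:  # resource deleted out of band
            drift.append({"resource": want["name"],
                          "changed": {"state": ("present", "missing")},
                          "policy_violations": []})
            continue
        changed = {k: (want[k], have.get(k)) for k in want if want[k] != have.get(k)}
        if changed:
            drift.append({"resource": want["name"], "changed": changed,
                          "policy_violations": [f["rule"] for f in scan_iac([have])]})
    return drift

# Constructed sample plan that passes the CI/CD gate...
DESIRED = [
    {"type": "storage_bucket", "name": "logs", "public_access": False, "encryption": "kms"},
    {"type": "firewall_rule", "name": "ssh", "port": 22, "source": ["10.0.0.0/8"]},
]
# ...and a constructed runtime snapshot where SSH was opened to the world and
# bucket encryption was switched off after deployment.
OBSERVED = [
    {"type": "storage_bucket", "name": "logs", "public_access": False, "encryption": "none"},
    {"type": "firewall_rule", "name": "ssh", "port": 22, "source": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    print(scan_iac(DESIRED), detect_drift(DESIRED, OBSERVED))  # [] then two drift tickets
```

Each item returned by detect_drift is the body of one ticket; an automated remediation step would re-apply the desired resource when policy_violations is non-empty.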

Convergence of the Streams into a Cloud Security Posture

Once you have built out the three streams, they become your cloud security posture. Your cloud security posture gives you the ability to monitor a defined set of policies & standards across multiple cloud platforms, measure the risk of your entire cloud asset portfolio, and instrument fixes to identified misconfigurations and vulnerabilities.

Articles in my Medium series “Building Your Cybersecurity Posture”

Article 1 — “13 Asset Types to Build Your Cybersecurity Around”

Article 2 — “The 6 Categories of Cybersecurity Posture”

Article 3 — “Posture One: The Three Streams of a Cloud Security Posture”

Article 4 — “Posture Two: Application Security Posture”

Article 5 — “Posture Three: Data Security Posture”

Article 6 — “Posture Four: The Three Focuses Enterprises Need for an Identity Access Management Posture”

Coming soon…

Article 7 — “Posture Five: Network Security Posture”

Article 8 — “Posture Six: Device Security Posture”

Article 9 — “The Future of Securing Your Assets in a Decentralized Cloud”

As my daughter says, if you are interested in “what-ever-this-is,” then please consider following me on Medium.
