Written by: Piyush Sharma, VP of Engineering, Tenable
A growing concern among security leaders is: how do we ensure investments in the cloud are working for us? When a solution is not working, it’s clear that organizations need to look at self-healing technologies that can evolve at the speed of the cloud. Infrastructure-as-Code security is the answer to some of the most pressing DevOps challenges organizations are currently facing.
In the current state of business operations, data moves across multi-cloud, hybrid cloud and distributed public cloud services. Cloud ecosystems in India are maturing at an unexpected rate, and it is evident that the revolutionary platforms and technologies that make the cloud an enigma are also a source of vulnerability. The speedy transition to cloud operating models has highlighted foundational challenges and resultant risks at the heart of digital supply chains and digital operations. Amid operational constraints, remote-work arrangements, and an amalgamation of devices and access points, organizations are exposed to new risks.
Among the countries that suffered the most cloud breaches, India ranked number 2. This is largely because organizations’ cloud security solutions aren’t working. 81% of organizations claim traditional cloud security solutions either don’t work at all or have limited functionality. Limitations arising out of outdated technologies make it doubly expensive. It is perhaps why misconfigurations, lack of visibility, unauthorized access and insecure APIs are among the biggest concerns for organizations today.
Visibility: What you cannot see you cannot secure
Cloud is the new normal for enterprise computing. Hence, a discussion of network visibility must also examine how it is different in cloud environments. In the cloud, network visibility includes traffic analysis, application availability, health and performance, real-time observability and visibility into the state of the cloud. This is pivotal as cloud environments are built using code-based automation, such as Infrastructure as Code. The ephemeral nature of cloud environments makes it critical to gain visibility into drift and changes.
Without visibility, failures to mitigate attacks increase, compromising hosted apps and services. Another big risk is the failure to implement Access Governance, which provides information about who accesses what and when, and builds an audit trail. Failure to implement Access Governance can lead to attacks with a high blast radius.
Understanding the environment is the first logical step to gaining visibility, which calls for close monitoring of assets. Most cloud-based services enable built-in basic network and log monitoring capabilities. But these don’t pass muster, as they are not sufficient to derive meaningful results, especially in security. For security to evolve at the speed of the cloud, the best strategy is to use Cloud Security Posture Management technologies augmented with visibility into Infrastructure as Code. Infrastructure as Code provides deep visibility into network architecture, misconfigurations and vulnerabilities.
The biggest mistakes organizations make are focusing too much on data collection and correlation, and not enough on analysis, which ends up defeating the purpose of network visibility. Visibility is about having actionable insights and analysis that can help organizations make decisions faster.
Security by design: It’s all in the code
Containers and other cloud-native technologies are clearly fueling innovation and powering applications, but they also expand the attack surface and introduce risks that lead to cloud breaches. Cloud breaches continue to increase because the velocity of development outpaces that of security.
Developers programmatically define containers and cloud-native infrastructure, but security teams have to manually mitigate risks at runtime, often without context. Containers and cloud-native infrastructure are difficult and expensive to secure with traditional tools. It’s doubly difficult as these systems evolve over their lifecycle through development, pre-production and production. All it takes is one container misconfigured for public access for criminals to gain entry and launch attacks on the supply chain.
Compounding the issue, traditional cloud security approaches are largely obsolete with containers and cloud-native infrastructure. Automated tools that identify flaws in the code make those flaws easier to fix and ensure the software is secure by design.
Securing the low-hanging fruit: APIs and the software supply chain
Modern cloud applications integrate with several third-party APIs. Any security risks within the third-party APIs, and in the cloud on which those APIs are running, represent supply chain risks for cloud applications. This makes APIs low-hanging fruit that cybercriminals exploit.
To address security risks related to APIs, organizations need a strong partnership between development and security teams to maintain an up-to-date inventory of all the APIs across different applications. API security solutions are still coming into maturity in India, so organizations should be looking for solutions that can offer API discovery capabilities in addition to automated API scanning.
Capturing value in the cloud requires organizations to integrate cloud into business and technologies, drive adoption in priority business domains, and establish the foundational capabilities required to scale cloud usage safely and economically. Security as Code is now the mechanism for developing foundational capabilities in cloud security. When organizations move away from legacy technologies by leveraging Infrastructure as Code, it will create a new world order for security and risk management.