In a recent report, Gartner states that “through 2022, at least 95 percent of cloud security failures will be the customer’s fault.” So much for shared responsibility! The reality is that the public cloud providers are only responsible for the infrastructure required to host the cloud, while the consumer remains responsible for the data, applications, operating systems, etc. that they choose to host there.
CSPs will provide some guidance to help with secure configuration, but the sheer volume of services they offer can be overwhelming. For example, here is AWS’s list of services and their use cases. If you look at this list and feel your confidence in your cloud security configuration drop, you’re not alone. According to the 2021 (ISC)² Cloud Security Report, only 28% of respondents reported being very confident or extremely confident in their cloud security posture.
The cloud is complicated. Even if you have prior experience with cloud configuration, the landscape is constantly changing, and the differences between vendors can be significant. Not to mention that each organization is going to have its own unique use case.
In a previous post, we shared some of the different types of tools now on the market catering to cloud security. There are a ton of them, but if you’re worried about being out of compliance and not realizing it, you may want to invest in a Cloud Security Posture Management (CSPM) tool. Even within that subset, there are many options on the market. You can check out RH-ISAC’s Tech Marketplace to see some of the cloud security tool providers we partner with.
Regardless of which vendor you choose, here are some of the features you should look for.
- Straightforward Visibility: One of the biggest benefits of CSPM tools is that they will just tell you if you’re not in compliance. Most of them come with a straightforward dashboard that indicates areas that might be a concern. They will also prioritize your areas of improvement and provide a suggested remediation plan. There’s nothing worse than getting an error message and thinking, “Okay! What does that mean?”
- Automated Remediation: One misconfiguration can expose sensitive data to the open internet. According to Fortinet’s Cloud Security Report, 67% of security leaders thought misconfigurations were the biggest threat to public cloud security. CSPM tools come with predefined configuration issues that they can automatically address to help prevent accidental data breaches.
- Compliance You Didn’t Know You Needed: Most tools come with libraries of common standards and best practices that you can choose to scan for to ensure compliance. This can be helpful as you may not even be aware of all of the regulations that you need to abide by.
- Identity and Access Management: According to Zscaler’s 2021 State of Cloud (In)Security Report, 91% of accounts had been provided permissions that they never used. CSPM tools can help with identity and access management by providing alerts when multi-factor authentication is not turned on or when accounts have overly liberal permissions. They can also provide recommendations for following best practices such as least privilege and role-based access.
- Integrate with DevOps: CSPM tools can provide visibility across multi-cloud environments and should be able to integrate with other DevOps tools, which can help provide a clearer overall picture of vulnerabilities earlier in the development process.
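As an added illustration (not taken from any CSPM product or from the original post), the following Python runs three of the checks named in the list above against a constructed inventory snapshot and returns findings ordered by severity, each with a suggested remediation. The inventory schema, permission names and severity levels are assumptions made for this example.

```python
# Constructed inventory snapshot; schema and permission names are assumptions,
# not any cloud provider's or CSPM vendor's format.
INVENTORY = {
    "buckets": [
        {"name": "public-assets", "public_read": True, "sensitive": False},
        {"name": "customer-exports", "public_read": True, "sensitive": True},
        {"name": "app-logs", "public_read": False, "sensitive": True},
    ],
    "users": [
        {"name": "alice", "mfa": True,
         "granted": {"storage:read", "storage:write"},
         "used": {"storage:read", "storage:write"}},
        {"name": "bob", "mfa": False,
         "granted": {"storage:read", "storage:delete", "iam:admin"},
         "used": {"storage:read"}},
    ],
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}  # assumed levels

def finding(severity, resource, issue, remediation):
    return {"severity": severity, "resource": resource,
            "issue": issue, "remediation": remediation}

def check_public_storage(inv):
    # Public read on a store holding sensitive data is the accidental-exposure case.
    for b in inv["buckets"]:
        if b["public_read"]:
            sev = "critical" if b["sensitive"] else "medium"
            yield finding(sev, f"bucket/{b['name']}", "publicly readable",
                          "disable public read access")

def check_mfa(inv):
    for u in inv["users"]:
        if not u["mfa"]:
            yield finding("high", f"user/{u['name']}", "MFA not enabled",
                          "require multi-factor authentication")

def check_unused_permissions(inv):
    # Granted-but-never-used permissions are candidates for removal (least privilege).
    for u in inv["users"]:
        unused = sorted(u["granted"] - u["used"])
        if unused:
            yield finding("medium", f"user/{u['name']}",
                          "unused permissions: " + ", ".join(unused),
                          "revoke the unused permissions")

def run_checks(inv):
    checks = (check_public_storage, check_mfa, check_unused_permissions)
    findings = [f for check in checks for f in check(inv)]
    # Most severe first, then by resource name for a stable report.
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["resource"]))
```

Calling `run_checks(INVENTORY)` returns four findings, with the publicly readable sensitive bucket first.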
In conclusion, CSPM tools are not a silver bullet to ensure complete cloud security, but used in conjunction with the expertise of your security team and other cloud security tools, they can be extremely useful in mitigating the risk of non-compliance and accidental data breaches.