
Improving cloud security posture with a preventative approach

A preventative approach is far more effective in finding and fixing issues at the point of creation in code, rather than after they manifest in the cloud. The cornerstone of an organisation’s journey in improving cloud security posture is a CSPM solution and a shift-left strategy that can minimise overall risk. In an interview, Sudeep Das, Head Security Engineer, India & SAARC, Tenable, discusses how organisations can embrace a preventative approach to cloud security.


1. How can organisations go about assessing the security posture of cloud runtimes?

Assessment effectiveness is often driven by how well the assessment findings can be implemented to improve the overall posture. One popular approach is to “shift left” with the assessments: if we assess the code that builds the cloud, we would be able to provide much quicker remediation and minimise the burden on security teams, all without having to turn developers into security experts. This is the cornerstone of an organisation’s journey in improving security posture. And it’s how organisations with a CSPM solution and an evolving strategy to shift security left are able to build security at the speed of the cloud and minimise overall risk.


2. Why must cloud security posture management be a board-level concern for organisations?

Despite massive investments into cybersecurity, organisations continue to see disproportionate growth in the volume of cloud breaches. IBM’s Cost of Data Breach 2023 report found that 82% of the breaches involved data stored in the cloud—public, private or multiple environments. Most cloud breaches are the result of poor cloud hygiene such as misconfigurations, vulnerabilities, or excess privileges that went undetected or unaddressed.

As organisations step up investments into the cloud, they bring with them heightened cyber risks. In nearly 40% of the cyberattacks, attackers were able to gain access to multiple cloud environments, incurring a higher-than-average cost amounting to USD 4.75 million. The cost of lax cloud security is massive, making it a priority for the C-Suite. But too often, organisations are challenged with speeding up and scaling security to the speed of the cloud. The result is overburdened security teams that are struggling to keep pace with growing alert volumes and an inability to cost-effectively scale people, technology and processes as cloud adoption continues to accelerate. At this juncture, it’s very much a board-level concern to pay more attention to their cloud security posture and invest in CSPM as well as shift-left cloud security solutions that help them tackle all the cybersecurity risks effectively.


3. Given the ephemeral nature of the cloud, how can organisations prioritise remediation based on measurable risk?

The dynamic nature of the cloud calls for security to be built into the software development lifecycle. The first step is to weave security in from the start, which requires scanning infrastructure as code (IaC) during development to detect and resolve misconfigurations and establish a secure baseline. It ensures that cloud infrastructure is “born secure.” The next step is continuous monitoring. It is essential to ensure that the infrastructure is provisioned using the secure IaC baseline, and also to detect changes at runtime. Detecting misconfigurations in IaC early in the development process and providing real-time feedback to developers is imperative as it increases the likelihood of risks being resolved. More importantly, organisations must invest in solutions that help identify the vulnerabilities and misconfigurations during the software development lifecycle and provide the right context on which ones pose the greatest risk to organisations. Understanding the context of these cloud exposures will ensure that remediation efforts are prioritised based on overall risk.


4. Is there really a preventive approach to cloud security? How can organisations make it an achievable goal?

A preventative approach is far more effective in finding and fixing issues at the point of creation in code, rather than after they manifest in the cloud. Our recent announcement about Tenable Cloud Security agentless container scanning enables security teams to prioritise and prevent container OS vulnerabilities and other risks in multi-cloud environments using a single user interface. Security teams can leverage the same OS vulnerability detection they’ve come to trust from Tenable for container images. By focusing on scanning images stored in container image registries and as part of DevOps workflows and pipelines, security teams can stop risky images from being deployed to production, reduce alert noise and scale container adoption across their organisation safely and securely. The container scanning solution, in addition to scanning IaC and VMs in cloud environments, adds to the overall proactive approach to cloud security that Tenable addresses.


5. What are the benefits of a preventive cloud security approach and what metrics should organisations keep in mind while shopping for the right solution?

One of the most challenging aspects of cloud security is consistency in policy enforcement everywhere. Organisations must determine whether the solutions they intend to adopt provide a single source of truth to enforce policies from code-to-cloud and across multi-cloud environments. Secondly, the technology needs to provide full visibility and context. The right solutions provide actionable intelligence in role-based views to make remediation more effective. They give full visibility into asset inventory, misconfigurations, vulnerabilities, drift and related remediations. Thirdly, the technology must continuously track configuration drift between cloud runtimes and IaC repositories. This reduces toil and rework, ensuring all development and production environments are in sync with company policies. Finally, the solution must be able to quantify cyber exposure and how much risk has been reduced overall. These metrics will help organisations adopt the right cloud security solutions to shore up their defences.
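The gate-then-monitor loop described in answers 3 and 5 (scan the IaC for misconfigurations before anything is deployed, then keep comparing the running estate against that IaC baseline to catch drift), shown as an added Python example that is not Tenable's code or product logic. The resource names, attributes and the small policy set are constructed for illustration.

```python
# Added example, not Tenable's code: shift-left IaC policy checks plus runtime drift detection.
# Constructed IaC baseline, modelled as resource name -> declared attributes (hypothetical names).
IAC_BASELINE = {
    "bucket.logs": {"encryption": "AES256", "public_access_block": True},
    "sg.web": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
}

# Constructed runtime snapshot: after deployment someone disabled the public access block, opened
# SSH to the world and created a security group by hand, so runtime no longer matches the baseline.
RUNTIME_STATE = {
    "bucket.logs": {"encryption": "AES256", "public_access_block": False},
    "sg.web": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    "sg.debug": {"ingress": [{"port": 8080, "cidr": "0.0.0.0/0"}]},
}


def check_policies(resources, allowed_public_ports=frozenset({80, 443})):
    """Run the policy set over declared (IaC) or observed (runtime) resources; return (resource, finding)."""
    findings = []
    for name, attrs in resources.items():
        if name.startswith("bucket."):
            if attrs.get("encryption") is None:
                findings.append((name, "no server-side encryption"))
            if not attrs.get("public_access_block"):
                findings.append((name, "public access block disabled"))
        elif name.startswith("sg."):
            for rule in attrs.get("ingress", []):
                if rule["cidr"] == "0.0.0.0/0" and rule["port"] not in allowed_public_ports:
                    findings.append((name, f"port {rule['port']} open to 0.0.0.0/0"))
    return findings


def detect_drift(baseline, runtime):
    """Compare runtime with the IaC baseline; return (resource, attribute, declared, actual) tuples."""
    drift = []
    for name, declared in baseline.items():
        actual = runtime.get(name, {})  # a missing resource shows up as every attribute drifting
        for key, value in declared.items():
            if actual.get(key) != value:
                drift.append((name, key, value, actual.get(key)))
    for name in sorted(runtime.keys() - baseline.keys()):  # resources nobody declared in code
        drift.append((name, "*", None, "unmanaged"))
    return drift


def assess(baseline=IAC_BASELINE, runtime=RUNTIME_STATE):
    """Gate on the code, monitor the runtime: an empty IaC pass is the deploy gate, drift is what runtime adds."""
    return {"iac_findings": check_policies(baseline),
            "runtime_findings": check_policies(runtime),
            "drift": detect_drift(baseline, runtime)}
```

With this data the IaC pass is clean (the code was "born secure"), while the runtime pass reports three findings and the drift report pins each one to the attribute that changed or the resource that was never declared, which is the context needed to prioritise and to route the fix back into the repository rather than patching the console.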
