When securing dynamic cloud environments, the ability to continuously discover and assess cloud assets allows you to quickly detect issues as new vulnerabilities are disclosed and as your environment changes. Here's what you need to know to get started.
Cloud services and applications are elastic, cost-efficient, and, more importantly, they enable you to respond quickly to customer needs and manage an ever-increasing remote workforce. In fact, 81% of organizations have at least one application or a portion of their computing infrastructure in the cloud.
But with the benefits of agility and efficiency comes the challenge of protecting and securing your assets and workloads in the cloud. If the lessons from high-profile breaches have taught us anything, it is that you, the data owner, are ultimately responsible for your cloud assets, not your cloud service providers.
With the increasing number of new vulnerabilities across networks, endpoints and cloud environments, you may also realize that your legacy vulnerability management (VM) tools are no match for today's complex IT landscape and cannot protect your modern attack surface. From 2015 to 2020, the number of reported CVEs increased at an average annual percentage growth rate of 36.6%. You need an effective solution to help you prioritize remediation based on the risk each vulnerability poses to your organization.
So where do you start? My suggestion is to always start with a close look at your people, process and technology, and in exactly that order. Why? Because you may have the best technology deployed, but if your security team is not talking to your cloud team, or if you have broken business processes, you won't be able to protect everything you need to in the cloud.
Three security challenges to address first
- Your people are not talking to each other: I have seen firsthand the disconnect between the security team and the business units. As one of my IT buddies described it, "trying to work with the business groups is like walking my Yorkshire Terrier on a chilly winter morning. I pulled on the leash to go one way, my dog was pulling in the other direction because it didn't want to go along. At the end, we were both exhausted." In many companies, the security team and the cloud team operate in siloed business units. According to a recent Forrester Consulting study commissioned by Tenable, only half of the more than 400 security leaders surveyed say they work with other teams to align risk reduction objectives with business needs. When your teams are not working together, it is difficult for you to protect, control and gain visibility into your cloud assets, putting your security posture at risk.
- Your business process has gaps: With an on-prem traditional network, it is relatively easy to keep track of workloads and applications. With cloud environments, it is difficult to know just how large your footprint might be. This is because non-IT functions such as marketing and developers often create (then sometimes abandon) cloud assets, making it difficult for you to have a realistic view of all your cloud inventory. For example, one organization I met with recently thought they had 2,000 cloud assets in AWS. After a discovery scan, they found close to 3,500 assets. After we investigated further, we found gaps in their business process with untagged cloud assets and lost child accounts. And this is not an uncommon finding in many organizations.
- "You can't protect what you don't know about!": While this is almost a cliché, it is still very applicable when it comes to securing your cloud assets. Organizations are having a difficult time discovering and assessing ephemeral (short-lived) assets in dynamic cloud environments. According to the Forrester study, only 44% of more than 800 security and business leaders surveyed say their security team has good visibility into their organization's most critical assets. Yet, even when assets are discovered, Tenable's own research shows that only 20% of them are actually assessed for exposures. Why? Because the traditional method of vulnerability management for the cloud is difficult and time consuming. Scanners and agents need to be installed, and new vulnerability detections can lag for several weeks. In short, traditional IT security is no match for the speed of the cloud.
At this point, you are probably feeling like "geez, when can we get a break?" Well, keep on reading, because help is on the way.
Protecting your cloud assets: 3 critical steps
- Align your teams for the right cloud conversation: Eliminating departmental silos and creating a collaborative environment for your teams is a critical first step towards consistent visibility and control of your cloud assets. Based on the Forrester study, business-aligned security leaders are eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations' level of security or risk. When talking to the team members who are using the cloud, it is important to frame the impact of cybersecurity threats within the context of their business needs, and use keywords such as "scalability," "agility," "quality" and "continuity" in your conversations. It may be helpful to set up regular review meetings and share the security team's performance metrics with business stakeholders. If permission for administrative rights is an issue, come up with creative workarounds such as creating an agreed-upon set of permissions for IT security to use, perhaps even implementing it in a common cloud-native format, such as a CloudFormation template. This approach gives the security team the results it needs while lowering the level of effort required from the cloud administrator.
- Ensure good cloud security hygiene practices: Developing security best practices that can keep up with the speed of the cloud is another critical step in securing your cloud assets. Incorporating these best practices into your overall company culture can help you alleviate administrative burden and close security gaps in the business process. For example, implementing a tagging strategy for all your cloud assets can provide you with an effective way to manage resources, control costs and reduce risks. Once the enforcement is in place, developers can enjoy the freedom of spinning up test environments; the security team can keep track of what is being created, and spend less time searching for assets and owners to address security concerns. Another good cloud hygiene practice is to link all your child accounts to the appropriate parent account in the cloud. This gives the administrators a holistic view of your entire cloud estate, enabling them to effectively reduce cyber risks and understand your organization's exposure across any cloud environment.
- Discovery and continuous assessment for vulnerabilities is key: Being able to identify and quickly assess cloud assets is the next critical step in protecting and securing your ever-changing and expanding cloud environment. If you are using cloud services such as Amazon Web Services (AWS), live discovery of cloud assets can not only help maximize the value of your existing investment, it can also give you full visibility of the assets you may or may not have previously known about. Once you have a good understanding of what you have in near real time, you need an assessment approach that can continuously assess the cloud as new assets are deployed or as new vulnerabilities are disclosed.
As I mentioned earlier, the traditional method of vulnerability management for the cloud can be difficult and time consuming. This is where Tenable's Frictionless Assessment can help. Unlike other vulnerability management tools, Frictionless Assessment — available now in Tenable.io — leverages native AWS tools, including the AWS Systems Manager (SSM) agent, to continuously discover and assess Elastic Compute Cloud (EC2) instances for vulnerabilities without ever having to configure a scan, manage credentials or install agents. This allows you to quickly detect security issues as new vulnerabilities are disclosed and as your environment changes with instances constantly spinning up and down. It provides you with a near real-time view of your cloud environment for an accurate inventory of assets and exposures at any given time. And it is especially effective at discovering and assessing ephemeral (short-lived) assets in dynamic cloud environments.
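As an added illustration of the two gaps described above (untagged assets that nobody owns, and instances that are discovered but never assessed because no agent can reach them), here is a small Python check. It is not Tenable's code and not part of Frictionless Assessment; it reconciles constructed EC2 and SSM inventory records, shaped like the relevant fields of the boto3 ec2.describe_instances() and ssm.describe_instance_information() responses, against an assumed tagging policy.

```python
# Added example (not Tenable's code): reconcile what is deployed in an AWS account
# with what is tagged and what is reachable through an online SSM agent. The
# records below are constructed in the shape of the relevant fields of the boto3
# ec2.describe_instances() and ssm.describe_instance_information() responses.
REQUIRED_TAGS = ("Owner", "Environment", "CostCenter")  # assumed tagging policy

# Constructed sample inventory: one compliant host, one untagged demo box spun up
# by a non-IT team, and one stopped instance left behind by a developer.
EC2_INSTANCES = [
    {"InstanceId": "i-0a1b2c3d4e5f60001", "State": {"Name": "running"},
     "Tags": [{"Key": "Owner", "Value": "platform"},
              {"Key": "Environment", "Value": "prod"},
              {"Key": "CostCenter", "Value": "CC-100"}]},
    {"InstanceId": "i-0a1b2c3d4e5f60002", "State": {"Name": "running"},
     "Tags": [{"Key": "Name", "Value": "marketing-demo"}]},
    {"InstanceId": "i-0a1b2c3d4e5f60003", "State": {"Name": "stopped"}, "Tags": []},
]
# Constructed SSM view: only the first instance has an agent reporting in.
SSM_INSTANCES = [{"InstanceId": "i-0a1b2c3d4e5f60001", "PingStatus": "Online"}]


def tag_gaps(instances, required=REQUIRED_TAGS):
    """Map instance id -> list of required tag keys that are missing."""
    gaps = {}
    for inst in instances:
        present = {t["Key"] for t in inst.get("Tags", [])}
        missing = [k for k in required if k not in present]
        if missing:
            gaps[inst["InstanceId"]] = missing
    return gaps


def unassessable(instances, ssm_instances):
    """Running instances with no online SSM agent: discovered, but not assessable."""
    online = {s["InstanceId"] for s in ssm_instances if s.get("PingStatus") == "Online"}
    return sorted(i["InstanceId"] for i in instances
                  if i["State"]["Name"] == "running" and i["InstanceId"] not in online)


def coverage_report(instances, ssm_instances):
    """Summarise the discovery/assessment gap for a security review meeting."""
    running = [i for i in instances if i["State"]["Name"] == "running"]
    gap = unassessable(instances, ssm_instances)
    return {"discovered": len(instances), "running": len(running),
            "assessable": len(running) - len(gap), "untagged": len(tag_gaps(instances))}
```

Against a live account the same functions can be fed the flattened `Instances` lists from `describe_instances` and the `InstanceInformationList` from `describe_instance_information`, one region at a time.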
Frictionless Assessment was designed to work at the speed of the cloud. But it doesn't stop there. As a key element of Risk-based Vulnerability Management, Frictionless Assessment provides comprehensive insight into vulnerabilities, including support for Tenable's Predictive Prioritization to help you focus on what matters.
If you want to learn more on how to set up a full Risk-based Vulnerability Management program in seconds and gain actionable results in minutes, check out the Frictionless Assessment Overview Video.