As I mentioned in my previous post on cloud security, depending on the kind of cloud solution you have, you might be the one responsible for implementing any and all security controls.
All major cloud providers have risks and also have ways of implementing controls to mitigate those risks. There are whole categories of security providers for the various parts of a cloud security program. As you begin to plan your move to a cloud solution you will see acronyms like CASB, CSPM, CWPP, and SASE.
It can get a little confusing with all the acronyms, but each product has a reason for existing.
Let’s start with CASB or cloud access security broker
A cloud access security broker ensures that the user trying to access a cloud service (think Salesforce or Office 365 or SAP) should be able to access the service, and that they are doing only the things they are supposed to do.
Obviously, there are some fundamental controls that you want to have in place for your cloud applications. You want to be able to see what your users are doing in the cloud (visibility), you want to detect threats to your systems and data, and you want to make sure you maintain compliance with the regulations that apply to your organization.
At the most basic level you want to make sure only the people you allow can access the cloud services you use. In other words, should John be able to access customer data stored in Salesforce?
In addition—and more importantly—you want to make sure they can only do things they are supposed to do. As a security professional, you want to make sure John does not delete or modify data he shouldn’t. CASB provides controls and visibility over what John does when he signs into Salesforce.
The basics just won’t cut it against today’s security challenges
You might think, I already have Active Directory (AD) or some other identity management (IM) tool (Okta, OneLogin, Centrify, etc.), why do I need a CASB solution? Well, your IM solution might only work for local access, or it might not be tied into or connected to your cloud solution. CASB is designed, as the name implies, to broker the access between the IM solution and the cloud service.
For example, think about the steps that go into giving a new hire access to all the services they need to do their job. You want to give the new hire an e-mail account, access to the payroll system to enter their time, and then—if they are in sales—access to Salesforce or a similar tool to track and follow up on leads. If they are writing or reading reports, they need access to the collaboration tool/Office product (O365 or Google Workspace, etc.).
One of the big gaps for a lot of companies, and one that is often overlooked, is de-provisioning services when someone leaves an organization. Provisioning a new hire with access to the applications they need to do their job is often automated with a well-designed workflow that has few manual steps. De-provisioning access is often not as well automated: frequently employees retain access days or weeks after they have left the company, even when the separation (i.e., firing) was not on good terms.
A CASB solution that controls who has access to what cloud services can help simplify both ends of the provisioning workflow. As a result, you can end up with an automated workflow that can very quickly grant and remove access with the click of a button.
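As an added example (not code from the original post), here is the kind of reconciliation check an access-brokering workflow would run to close the de-provisioning gap described above: it compares an HR roster against each application's own account list and produces revoke actions for anyone who has been terminated or has no HR record at all. The roster, application names, usernames and dates are all constructed for the example.

```python
from datetime import date

# Constructed sample data (not from any real system). HR is the source of truth
# for who should have access; each SaaS application keeps its own user list.
HR_ROSTER = {
    "jsmith": {"status": "active", "terminated": None},
    "mlee":   {"status": "terminated", "terminated": date(2022, 3, 1)},
    "rdoe":   {"status": "terminated", "terminated": date(2022, 3, 28)},
}
APP_ACCOUNTS = {
    "salesforce": ["jsmith", "mlee"],
    "o365":       ["jsmith", "mlee", "rdoe"],
    "payroll":    ["jsmith", "rdoe", "ghost"],   # "ghost" has no HR record
}
AS_OF = date(2022, 3, 30)   # the day the check runs (constructed)

def find_orphaned_access(roster, app_accounts, as_of):
    """Return one finding per (app, user) that should no longer have access.

    Each finding records the reason and, for terminated employees, how many
    days the access has outlived the separation date.
    """
    findings = []
    for app, users in app_accounts.items():
        for user in users:
            record = roster.get(user)
            if record is None:
                findings.append({"app": app, "user": user,
                                 "reason": "no HR record", "days_overdue": None})
            elif record["status"] == "terminated":
                days = (as_of - record["terminated"]).days
                findings.append({"app": app, "user": user,
                                 "reason": "terminated", "days_overdue": days})
    return findings

def deprovision_plan(findings, grace_days=1):
    """Turn findings into revoke actions. Accounts unknown to HR are always
    revoked; terminated users are revoked once the grace period has passed."""
    return sorted(
        f"revoke {f['user']} from {f['app']}"
        for f in findings
        if f["days_overdue"] is None or f["days_overdue"] > grace_days
    )

if __name__ == "__main__":
    for action in deprovision_plan(find_orphaned_access(HR_ROSTER, APP_ACCOUNTS, AS_OF)):
        print(action)
```

Feeding the plan into the identity tool's API (instead of printing it) is what turns the check into the "click of a button" removal the post describes.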
Now we will look at cloud security posture management or CSPM
CSPM is a tool or set of tools that ensures that the controls you want to have in place for your cloud environment are correct. Your organization might have to follow a particular security standard like NIST 800-53 or ISO 27000 due to government regulations. A CSPM tool can ensure all your cloud infrastructure stays in compliance with those security standards.
Numerous security breaches have happened due to misconfigured permissions with cloud storage. Mismanaged Amazon S3 buckets have caused major data disclosures. Companies that thought they had good practices in place—like Booz Allen Hamilton and Deep Root Analytics in 2017—leaked data because of misconfigurations.
A CSPM will constantly monitor your cloud environment for configuration changes and settings to make sure that the rules and controls you want to have in place for your environment are in place. Additionally, some solutions will automatically fix incorrect settings to ensure compliance with privacy laws and government regulations regarding data privacy.
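To make the CSPM idea concrete, here is an added example (not the post's own code or any vendor's product) of a posture check over S3-style bucket settings: it flags buckets whose public-access-block flags are off, whose ACL grants read access to the AllUsers group, or whose bucket policy allows a wildcard principal, and it applies the safe automatic fixes while leaving the policy for a human to review. The bucket names, configurations and rule IDs are constructed; the field names mirror the shape of the real S3 settings.

```python
import copy

# Constructed bucket configurations (not pulled from a real account), shaped like
# the settings a CSPM reads: public-access-block flags, ACL grants, bucket policy.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
BUCKETS = {
    "customer-exports": {
        "PublicAccessBlock": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                              "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "Grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}],
        "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                  "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::customer-exports/*"}]},
    },
    "app-logs": {
        "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                              "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "Grants": [],
        "Policy": {"Statement": []},
    },
}

def is_public_principal(principal):
    """A bare "*" or {"AWS": "*"} principal means anyone on the internet."""
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")

def evaluate_bucket(cfg):
    """Return the rule IDs (constructed names) this bucket violates; [] is compliant."""
    findings = []
    if not all(cfg["PublicAccessBlock"].values()):
        findings.append("S3-PAB-OFF")
    if any(g["Grantee"].get("URI") == ALL_USERS for g in cfg["Grants"]):
        findings.append("S3-ACL-PUBLIC")
    if any(s["Effect"] == "Allow" and is_public_principal(s.get("Principal"))
           for s in cfg["Policy"]["Statement"]):
        findings.append("S3-POLICY-PUBLIC")
    return findings

def remediate(cfg):
    """Auto-fix the low-risk items: turn on every public-access-block flag and drop
    public ACL grants. The policy document is left as a finding for a human, since
    deleting it blindly could break an integration someone intended."""
    fixed = copy.deepcopy(cfg)          # never mutate the recorded state
    fixed["PublicAccessBlock"] = {k: True for k in fixed["PublicAccessBlock"]}
    fixed["Grants"] = [g for g in fixed["Grants"] if g["Grantee"].get("URI") != ALL_USERS]
    return fixed

def scan(buckets, auto_fix=False):
    """Map each bucket to its findings before and (optionally) after remediation."""
    report = {}
    for name, cfg in buckets.items():
        before = evaluate_bucket(cfg)
        after = evaluate_bucket(remediate(cfg)) if auto_fix and before else before
        report[name] = {"before": before, "after": after}
    return report
```

Running `scan(BUCKETS, auto_fix=True)` shows the pattern a CSPM repeats on every configuration change: the automatic fixes close most of the exposure and the remaining policy finding stays open for review.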
Go straightforward with a cloud workload protection platform (CWPP)
A cloud workload protection platform is designed—as the name sounds—to protect what you are doing in the Cloud from attacks by malware or viruses. Just as you run endpoint protection software on servers in your datacenter, you want the same thing happening in your cloud environment if you are hosting your own servers or virtual machines. Most CWPP solutions offer an agent version, just like you use now, or an agentless version that pulls information from your cloud-hosting environment. The agent version has its advantages: you typically get better intelligence from it, at the cost of performance in your cloud environment. The agentless version usually has no impact on your cloud workload, but typically you will not get all the details that you get from an agent.
Relative newcomer secure access service edge (SASE) can give smaller businesses more security attitude
Secure access service edge, known as SASE (pronounced “sassy”), is a cloud-based information technology model where both the network and the security for the network are offered on demand without having ownership of the hardware or security tools. This kind of solution is growing in popularity for small startup companies and companies that are very flexible because you purchase your networking and security as you need it.
SASE typically has four main components:
- A CASB solution to provide security for your cloud applications,
- A secure web gateway (SWG) for access to your cloud applications, which is where you implement
- Your zero trust network (ZTN), and finally,
- Firewall-as-a-Service (FWaaS).
This is a lot of acronyms and buzz words, but they can and do really work together, with the result that you can implement very good security controls if you design your cloud environment with SASE in mind.
SASE works best and easiest when you have a fully cloud-based environment. You can see why that would make it appealing to startup companies that do not have legacy hardware, storage, and other technology that must have security “bolted” on later to make it cloud-friendly.
I can hear some of you saying, “What is the key takeaway?”
For CIOs and IT Directors, the key takeaway is that there are advantages to moving on-premises storage and computer systems to a cloud service. However, you need to carefully plan what you are moving, why you are moving it, and what controls you will have in place to make sure the systems and data you move to a cloud service (SaaS, IaaS, PaaS) are as secure as you need them to be.
For security practitioners, you need to recognize that the security controls you use for on-premises assets are not always the same controls you use for cloud assets. Consequently, your thinking needs to shift and you need to make sure the controls you use are appropriate for cloud hosted assets.
If your company is relatively new and does not have a significant investment in on-premises computer resources, your move to the cloud could be smooth and painless. On the other hand, if your company is a mature company with lots of assets on premises and in-house, as well as custom applications, your journey will likely be longer and require significantly more planning and preparation.
I hope this has been helpful; reach out and let me know if you have any questions.
Read more from John Bruggeman: