A famous quote attributed to bank robber Willie “the Actor” Sutton states: “I rob banks because that’s where the money is.” Well, in recent years, as more of our data migrates to the cloud, crime follows.
According to a recent report by intelligence firm IDC, 98% of the companies surveyed had experienced at least one cloud data breach 18 months prior to the study. The Identity Theft Resource Center (ITRC) recently disclosed that due to unsecured cloud databases, during Q3 of 2021, the number of data compromise victims reached 160 million (higher than Q1 and Q2 of 2021 combined).
The rise is not limited to quantity. According to IBM, the severity and cost of breaches (from lawsuits, fines, reputation damage, and loss of customers and revenue) also grew, whether the breaches originated from a company, the company’s cloud provider or both. IBM’s 2021 Cost of a Data Breach Report (CODBR) found that the average breach cost reached $5.12 million for companies with high levels of cloud migration.
As more and more governments, companies and organizations move to the cloud, and as the technology becomes more complex, so do the threats. Microservice architecture is a case in point: it has many security vulnerabilities, and it is difficult both to scan for vulnerabilities and to secure at the network level.
What is cloud security posture management (CSPM)?
Since cloud environments have completely changed the way we access and store data, the old ways of “traditional security” are not enough and are sometimes irrelevant.
In a 2019 report, Gartner, Inc. concluded that “Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes. Security and risk management leaders should invest in cloud security posture management processes and tools to proactively and reactively identify and remediate these risks.”
They went on to define CSPM (Cloud Security Posture Management) as “a continuous process of cloud security and improvement and adaptation, which reduces the likelihood of successful attacks”. Thus the term CSPM became the common name for the sets of tools, systems, processes, protocols and policies aimed at reducing the risk of public cloud data or compliance breaches. Here are the 10 best CSPM practices.
10 Best Practices for Cloud Security Posture Management (CSPM)
- Define the distribution of responsibilities for security in the cloud
Unclear boundaries can result in misunderstanding, gray areas and eventually vulnerabilities. Cloud security posture management should start with creating and following a clear definition of responsibilities.
Cloud providers (Google, Amazon, Azure, etc.) publish a shared responsibility model that divides security responsibilities in the cloud between the provider and the customer (see, for example, the AWS Shared Responsibility Model, the Google Cloud Platform Shared Responsibility Matrix and Azure’s model). In the simplest terms, the cloud provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud.
- Gain full visibility into your cloud resources
Since cloud configuration is decentralized by nature, sensitive data is continuously created and processed by countless systems, applications and networks in many different locations. Before taking any security action, it is extremely important to identify, classify and map the data locations and flows.
This can be done using several tools, or by using Polar Security’s Cloud Data Security Posture Manager (DSPM). Polar’s DSPM platform automatically locates, maps and labels all relevant data (including undocumented shadow data that is often overlooked), i.e., it lets you continuously and automatically monitor for data vulnerabilities and compliance violations and fix them before they become a costly problem.
- Protect against common misconfigurations
Misconfigurations are considered one of the main causes of data breaches. To avoid this problem, be sure to take steps such as:
- Establish a baseline for configurations and check for deviations;
- Continuously monitor changes and their sources (which settings are modified, when, where, and by whom);
As will be discussed below, it is important to employ tools to automatically and proactively detect and resolve such problems.
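As an added illustration of the two steps above (this is not code from the original post or from Polar Security’s product), the following Python script compares a constructed approved baseline against a constructed live snapshot of a few storage buckets, reports every deviation, flags a bucket that exists outside the baseline, and replays a constructed audit log to attribute each drifted setting to an actor and a time. The resource names, setting names and event fields are assumptions chosen for the example.

```python
"""Baseline-versus-current configuration drift check with change attribution.

Added example; not the original post's or Polar Security's product code. The
baseline, the live snapshot and the audit events are constructed, simplified
stand-ins for what a cloud provider's configuration and audit-log APIs return,
and every field name below is an assumption made for this example.
"""
import json

# Constructed baseline: the approved settings for each known bucket.
BASELINE = {
    "bucket:customer-exports": {
        "public_access_blocked": True,
        "encryption": "aws:kms",
        "versioning": True,
        "logging": True,
    },
    "bucket:static-site": {
        "public_access_blocked": False,  # intentionally public, approved as such
        "encryption": "AES256",
        "versioning": False,
        "logging": True,
    },
}

# Constructed live snapshot: two settings on the export bucket have drifted,
# and a bucket nobody baselined has appeared.
CURRENT = {
    "bucket:customer-exports": {
        "public_access_blocked": False,
        "encryption": "aws:kms",
        "versioning": True,
        "logging": False,
    },
    "bucket:static-site": {
        "public_access_blocked": False,
        "encryption": "AES256",
        "versioning": False,
        "logging": True,
    },
    "bucket:tmp-debug": {
        "public_access_blocked": False,
        "encryption": "none",
        "versioning": False,
        "logging": False,
    },
}

# Constructed audit events (shape loosely modelled on a cloud audit-log record).
AUDIT_LOG = [
    {"time": "2021-09-28T08:02:00Z", "actor": "bob@example.com",
     "resource": "bucket:customer-exports", "setting": "public_access_blocked",
     "old": False, "new": True},
    {"time": "2021-10-02T09:14:00Z", "actor": "deploy-bot",
     "resource": "bucket:customer-exports", "setting": "logging",
     "old": True, "new": False},
    {"time": "2021-10-03T17:41:00Z", "actor": "alice@example.com",
     "resource": "bucket:customer-exports", "setting": "public_access_blocked",
     "old": True, "new": False},
]


def find_drift(baseline, current):
    """Return every setting whose live value differs from the approved baseline.

    Resources present on only one side are reported too: one missing from the
    snapshot may have been deleted, and one missing from the baseline was
    created outside the approved process (shadow infrastructure).
    """
    findings = []
    for resource in sorted(set(baseline) | set(current)):
        if resource not in current:
            findings.append({"resource": resource, "setting": None, "kind": "missing"})
            continue
        if resource not in baseline:
            findings.append({"resource": resource, "setting": None, "kind": "unbaselined"})
            continue
        for setting, expected in baseline[resource].items():
            actual = current[resource].get(setting)
            if actual != expected:
                findings.append({"resource": resource, "setting": setting, "kind": "drift",
                                 "expected": expected, "actual": actual})
    return findings


def attribute(findings, audit_log):
    """Attach who changed each drifted setting, and when, by replaying the audit log.

    The latest event that set the setting to its current (drifted) value wins;
    a drift with no matching event is itself a finding worth chasing.
    """
    for f in findings:
        if f["kind"] != "drift":
            continue
        matches = [e for e in audit_log
                   if e["resource"] == f["resource"] and e["setting"] == f["setting"]
                   and e["new"] == f["actual"]]
        if matches:
            last = max(matches, key=lambda e: e["time"])  # ISO-8601 UTC strings sort chronologically
            f["changed_by"], f["changed_at"] = last["actor"], last["time"]
        else:
            f["changed_by"], f["changed_at"] = "unknown (not in audit log)", None
    return findings


def drift_report(baseline=BASELINE, current=CURRENT, audit_log=AUDIT_LOG):
    """One-shot report: deviations from the baseline, each attributed where possible."""
    return attribute(find_drift(baseline, current), audit_log)


if __name__ == "__main__":
    for finding in drift_report():
        print(json.dumps(finding))
```

Run on a schedule (or on every configuration-change event), the same comparison is what turns a one-time audit into the continuous monitoring the practice describes; the attribution step is what makes the resulting ticket actionable rather than just a list of differences.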
- Protect against internal breaches
IBM's Cost of a Data Breach Report found that almost half of data breaches originated from internal threats. These include social engineering, data sharing outside the organization, use of informal undocumented channels (for example, shadow data), use of unauthorized devices and apps, theft of company devices, etc.
Employees should be constantly educated, briefed and trained in areas such as:
- Internal security policies and procedures
- The ways they may be approached by outside attackers and how to respond to such approaches
- The risks coming from remote working (using unsecured networks, device theft etc.)
It is also important to take actions including:
- Limit USB and peripheral use
- Use strong encryption
- Enable remote wipe options
- Automatically detect and monitor all kinds of data created across all systems, networks and apps
- Constantly monitor security policies and procedures adherence
- Create a cloud governance program
A good cloud governance program (a set of rules, policies, direction, control and activity monitoring) should strike a delicate balance: meeting users' needs while ensuring that the strictest and best security rules and practices are implemented.
When creating such a cloud governance program, you should:
- Consider controls such as those described by the Center for Internet Security (CIS), and more if necessary
- Define target environments (in which environments the controls do or do not apply: internal, external, development, testing, production, etc.)
- Determine exceptions: what are they? When and for how long is each exception in place? For which users?
- Incorporate automation where possible
As discussed above, one of the weakest points is the human factor. Complying with rules, regulations and practices can be complicated and tedious, leaving room for human error in the management of cloud security. Moreover, attackers today rely extensively on ever faster, automated tools.
In order to minimize customer misconfiguration, mismanagement and mistakes, it is essential to incorporate automation into managing cloud security where possible.
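As an added example that is not part of the original post, the following Python code expresses the governance points from the previous practice (controls scoped to target environments; exceptions that name an owner and expire) as rules that a job can evaluate automatically, which is also the kind of automation this practice calls for. The control ids are only loosely inspired by CIS-style benchmark items, and the resources, environments and exception records are all constructed for the example.

```python
"""Governance rules as code: controls scoped to target environments, with
owner-scoped exceptions that expire.

Added example; not the original post's or any vendor's code. Control ids are
only loosely inspired by CIS-style benchmark items, and the resources,
environments and exception records are all constructed for this example.
"""
from datetime import date

# Constructed controls: each check applies only in the listed target environments.
CONTROLS = [
    {"id": "storage-no-public", "applies_to": {"development", "testing", "production"},
     "check": lambda r: r["public_access_blocked"]},
    {"id": "storage-encrypted", "applies_to": {"testing", "production"},
     "check": lambda r: r["encryption"] in ("aws:kms", "AES256")},
    {"id": "storage-logging", "applies_to": {"production"},
     "check": lambda r: r["logging"]},
]

# Constructed exceptions: which control, which resource, who owns it, when it lapses.
EXCEPTIONS = [
    {"control": "storage-no-public", "resource": "bucket:static-site",
     "owner": "web-team", "expires": date(2022, 6, 30)},
    {"control": "storage-logging", "resource": "bucket:legacy-archive",
     "owner": "data-team", "expires": date(2021, 9, 1)},  # lapsed before the run date
]

# Constructed inventory, each resource tagged with its environment.
RESOURCES = [
    {"name": "bucket:customer-exports", "env": "production",
     "public_access_blocked": True, "encryption": "aws:kms", "logging": True},
    {"name": "bucket:static-site", "env": "production",
     "public_access_blocked": False, "encryption": "AES256", "logging": True},
    {"name": "bucket:legacy-archive", "env": "production",
     "public_access_blocked": True, "encryption": "aws:kms", "logging": False},
    {"name": "bucket:scratch", "env": "development",
     "public_access_blocked": True, "encryption": "none", "logging": False},
]


def exception_status(control_id, resource_name, today, exceptions):
    """'active' if an unexpired exception covers the pair, 'expired' if one is on
    file but has lapsed, None if there is no exception at all."""
    for e in exceptions:
        if e["control"] == control_id and e["resource"] == resource_name:
            return "active" if e["expires"] >= today else "expired"
    return None


def evaluate(resources=RESOURCES, controls=CONTROLS, exceptions=EXCEPTIONS,
             today="2021-11-15"):
    """Evaluate every control that applies to each resource's environment.

    Returns (resource, control, verdict) triples where verdict is 'pass', 'fail',
    'excepted' (a valid exception is on file) or 'fail (exception expired)'.
    Controls outside a resource's target environments are simply not evaluated.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    results = []
    for r in resources:
        for c in controls:
            if r["env"] not in c["applies_to"]:
                continue
            if c["check"](r):
                verdict = "pass"
            else:
                status = exception_status(c["id"], r["name"], today, exceptions)
                verdict = {"active": "excepted",
                           "expired": "fail (exception expired)"}.get(status, "fail")
            results.append((r["name"], c["id"], verdict))
    return results


def needs_action(results):
    """Only the findings a human or an automated remediation job must handle."""
    return [t for t in results if t[2].startswith("fail")]


if __name__ == "__main__":
    for triple in evaluate():
        print(*triple)
```

Two details carry the governance intent: the development bucket with no encryption is never even evaluated against the encryption control, because that control is scoped to testing and production, and the lapsed exception on the archive bucket turns back into a failure on its own, without anyone having to remember to revoke it.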
- Use secure coding standards
Many problems can be detected and avoided during development. Developers should build secure software by adopting verified, uniform coding standards and integrating security configuration from the start of the development process (testing constantly at every stage, continually using cloud security tools, etc.).
Secure coding standards can help developers locate, eliminate and prevent errors that could lead to software security issues. A good example is OWASP (Open Web Application Security Project), a nonprofit foundation that provides developers with tools, resources, education and training, such as a yearly standardized application security awareness document.
Other standards include:
- Common Weakness Enumeration (CWE, and the CWE Top 25), a community-developed list of software and hardware security weaknesses.
- CERT Coding Standards, a site that supports the development of coding standards through a community effort.
- CVE, a list of cybersecurity vulnerabilities and exposures found in specific software products, built by CVE Numbering Authorities (CNAs).
- DISA STIG, the “Security Technical Information Guides” (STIG) of DISA (the “Defense Information Systems Agency” of the U.S. Department of Defense), which stipulate how an organization should handle and manage security software and systems.
- IEC 62443, a set of security standards created by the International Electrotechnical Commission (IEC) that provides a thorough and systematic set of cybersecurity recommendations.
- NVD, a U.S. government repository of vulnerability management data (connected with the CVE list, it provides additional content, including how to fix vulnerabilities, severity scores and impact ratings).
- PA-DSS (Payment Application Data Security Standard), a global security standard that applies to the development of payment application software, created by the PCI SSC (Payment Card Industry Security Standards Council).