Analyzing Infrastructure as Code (IaC) to detect cloud misconfigurations is one of the hottest topics in cybersecurity. An entire industry has popped up around this single topic — and for good reason! But today’s IaC tools analyze security configurations in a limited, myopic way that generates noisy alerts and does not help organizations understand their risk.
Evaluating cloud infrastructure configurations without context is meaningless. The risks of cloud infrastructure and the applications that run on it are inherently connected. An effective understanding of risk requires connecting the dots between the applications and their infrastructure, from design to code to cloud.
Cloud misconfigurations are one of the greatest risks when it comes to cloud computing — not the underlying infrastructure. The issue comes from the speed of cloud adoption and cloud native development. VMs and containers are created and destroyed in near real-time. Entire environments can be spun up and existing environments duplicated, including complex architectures and configuration settings. But traditional means of securing these environments can’t keep up.
Cloud environments can be as secure as, or more secure than, traditional on-premises environments, but they require agility, speed, and absolute consistency on the security and privacy side. That means automation and IaC, which help prevent manual configuration errors. The idea of IaC has been around for quite some time, but only now is security beginning to catch up and make use of its potential.
The issue with the Cloud Security industry is that it focuses on only one aspect of the problem and lacks the context needed to help organizations make risk-based decisions. A cloud environment never exists in true isolation from a security perspective. There are numerous factors that may impact the business risk of a breach, including:
Current solutions for detecting IaC cloud misconfigurations are single-dimensional. They look at individual factors, such as a storage bucket missing encryption or a connection that is unencrypted. Without context, these alerts are just noise. In an ideal world, all data at rest and data in transit would be encrypted using the latest algorithms and frameworks.
In the real world, where Security Engineers are overwhelmed with alerts, prioritizing based on risk isn’t a “nice to have” — it’s required. Some data are more sensitive and business-critical than other data and any security tool that can’t effectively make that distinction is failing.
For example:
The point is that risk is multidimensional and existing cloud security tools can’t keep up.
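The argument above, as an added Python example that is not code from the article or from any product: a flat scan fires the same severity for every unencrypted bucket or connection, and a second pass re-ranks those findings by what data is at stake and whether an internet-facing application reaches the resource. The IaC inventory, the application-context map and the weights are constructed, and the dict layout is an assumption rather than a real IaC format.

```python
"""Context-aware ranking of IaC misconfiguration findings (added example, constructed data)."""
from dataclasses import dataclass, field

# Constructed, simplified IaC inventory; the dict shape is an assumption, not a real IaC format.
IAC_RESOURCES = [
    {"name": "customer_records", "type": "storage_bucket", "encrypted": False},
    {"name": "build_cache", "type": "storage_bucket", "encrypted": False},
    {"name": "orders_db_link", "type": "db_connection", "tls": False},
]
# Constructed application context: what data each resource carries and how it is reached.
APP_CONTEXT = {
    "customer_records": {"data_class": "pii", "internet_facing_app": True},
    "build_cache": {"data_class": "ephemeral", "internet_facing_app": False},
    "orders_db_link": {"data_class": "confidential", "internet_facing_app": False},
}
DATA_WEIGHT = {"pii": 3, "confidential": 2, "internal": 1, "ephemeral": 0, "public": 0}

@dataclass
class Finding:
    resource: str
    rule: str
    severity: int                  # flat score a single-dimensional scanner reports
    risk: int = 0                  # score after application context is applied
    reasons: list = field(default_factory=list)

def single_dimension_scan(resources):
    """The myopic pass: each rule fires with the same severity regardless of what is at stake."""
    findings = []
    for r in resources:
        if r["type"] == "storage_bucket" and not r["encrypted"]:
            findings.append(Finding(r["name"], "bucket_not_encrypted", 2))
        if r["type"] == "db_connection" and not r["tls"]:
            findings.append(Finding(r["name"], "connection_unencrypted", 2))
    return findings

def apply_context(findings, context):
    """Re-score in place: data classification scales severity; exposure adds to a non-zero score."""
    for f in findings:
        ctx = context.get(f.resource, {})
        data_class = ctx.get("data_class", "internal")   # unknown data is treated as internal
        f.risk = f.severity * DATA_WEIGHT[data_class]    # weight 0 turns the alert into noise
        f.reasons.append(f"data_class={data_class}")
        if f.risk and ctx.get("internet_facing_app"):
            f.risk += 1
            f.reasons.append("reached by an internet-facing app")
    return sorted(findings, key=lambda f: f.risk, reverse=True)

def prioritize(resources=IAC_RESOURCES, context=APP_CONTEXT):
    """Full pipeline: flat scan, then contextual re-ranking; risk 0 findings sort last."""
    return apply_context(single_dimension_scan(resources), context)
```

With the constructed data, `prioritize()` ranks the PII bucket written by an internet-facing app first (risk 7), the unencrypted connection to confidential data second (risk 4), and the ephemeral build cache last (risk 0) even though the flat scan scored all three identically.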
It’s time to stop thinking about application security and infrastructure security separately. Individuals and teams cannot be assigned to one area or the other and be expected to succeed. App and infra security people, processes, and tools need to work together seamlessly in order to build an accurate view of risk:
Watch any experienced security expert investigate a potential security risk and it will soon be obvious that context is everything! But understanding that context shouldn’t be left to manual reviews. Contextual risk assessments of both application and infrastructure code changes need to be performed continuously and automatically. This is the only way to provide consistency and efficiency and, ultimately, to remediate the app and infra risks that matter.