Angel Israel Gutierrez, CTO, A3Sec / Expert Contributor

Keeping It Simple Is All About Automation and Integration

By Angel Israel Gutierrez | Thu, 09/08/2022 - 11:00

The cloud is still growing and expanding its potential among organizations of different sizes and types. When thinking about security, the question is how we can establish a good security strategy in an environment that seems ephemeral and external, and where we only control certain layers of the stack. Cloud computing services, where physical servers reside in multiple data centers distributed around the world, have allowed organizations to focus on their core business and on the user experience when offering their products and services.

In 2022, multiple drivers have led organizations to consider a digital transformation without borders, with distributed work teams and equally distributed technology. Some of these organizations know that security in the cloud can be a significant challenge in many aspects. Some organizations that have adopted a cloud culture have suffered multiple impacts, either in cost or data exposure. There are multiple risks that an organization can face and the security posture tends to be somewhat different as well.

According to the report State of Cloud Native Security 2022, from Palo Alto Networks, “A majority of organizations (55 percent) reported a weak security posture and believe they need to improve their underlying activities, such as gaining multicloud visibility, applying more consistent governance across accounts, or streamlining incident response and investigation, to achieve a stronger posture.”

If we understand risk as the probability that an event affects the infrastructure and generates an impact, we have to consider that the risks to cloud infrastructures are different; however, the steps toward security have certain similarities, such as understanding the challenges of an infrastructure as ever-changing as the cloud, and keeping a consistent inventory that is updated almost in real time. In addition, many organizations have migrated to the cloud gradually, so they have both local physical infrastructure and cloud infrastructure. They may also use multiple cloud providers as they verify which one offers better capabilities for particular workloads.

So, we have a combination of various elements:

  • Risks and impacts for the cloud

  • Legacy physical systems

  • Cloud systems with provider one

  • Cloud systems with two or more providers

If we start to combine these elements, we have systems to control and verify with a high level of load and complexity.

Unifying an inventory that can concentrate this constantly changing information is the first challenge to address, and it must be an inventory with self-discovery capabilities and connectivity to multiple clouds.

What items are or should be considered in our inventory?

  • Applications

  • Users

  • Service infrastructure

  • User endpoints

All these elements reside in the cloud and are part of the business, so the cloud security strategy cannot ignore them.

Once this is implemented, it is important to run object-creation tests and measure how quickly our inventory reflects the change; we must also remove devices and see whether our inventory system classifies the removal as normal activity, as extraordinary activity or as a failure.

Let us consider the following assumptions:

  • See what you must see

  • React to changes in shape within a time frame consistent with the organization

  • Generate reports suitable for the next steps
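The creation and removal tests described above can be automated as a reconciliation between what the discovery connectors report and what the unified inventory already holds. The following Python is an added example, not code from the original article or from A3Sec; the asset records, provider names, change tickets and timestamps are all constructed, and the rule that a removal backed by a change ticket is "normal" while one without a ticket is "extraordinary" is this example's own assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Asset:
    """Hypothetical inventory record; the field names are this example's own."""
    provider: str   # "onprem", "cloud-a", "cloud-b" (constructed names)
    asset_id: str
    kind: str       # "app", "user", "service" or "endpoint"


# Constructed: what the discovery connectors reported on the latest run.
DISCOVERED = {
    Asset("onprem", "srv-db-01", "service"),
    Asset("cloud-a", "i-0a1b2c", "service"),
    Asset("cloud-a", "alice", "user"),
    Asset("cloud-b", "vm-web-07", "service"),      # just created, not yet recorded
    Asset("cloud-b", "laptop-0042", "endpoint"),
}

# Constructed: what the unified inventory held before this run.
RECORDED = {
    Asset("onprem", "srv-db-01", "service"),
    Asset("onprem", "srv-legacy-09", "service"),   # decommissioned with a ticket
    Asset("cloud-a", "i-0a1b2c", "service"),
    Asset("cloud-a", "alice", "user"),
    Asset("cloud-a", "i-ffff99", "service"),       # vanished with no ticket
    Asset("cloud-b", "laptop-0042", "endpoint"),
}

# Constructed: change tickets that authorise a removal (asset_id -> ticket id).
PLANNED_REMOVALS = {"srv-legacy-09": "CHG-1001"}

# Constructed timestamps for one object-creation test and the detection budget
# the organization is assumed to accept.
SAMPLE_CREATED = datetime(2022, 9, 8, 11, 0, tzinfo=timezone.utc)
SAMPLE_FIRST_SEEN = SAMPLE_CREATED + timedelta(minutes=7)
DETECTION_BUDGET = timedelta(minutes=15)


def reconcile(discovered, recorded, planned_removals):
    """Diff two inventory snapshots and classify each removal.

    A removal backed by a change ticket is normal activity; one without a
    ticket is extraordinary and should be investigated, since it may be a
    broken connector or an unauthorised deletion.
    """
    new_assets = discovered - recorded
    gone = recorded - discovered
    expected = {a for a in gone if a.asset_id in planned_removals}
    unexpected = gone - expected
    return {
        "new": sorted(a.asset_id for a in new_assets),
        "expected_removals": sorted(a.asset_id for a in expected),
        "unexpected_removals": sorted(a.asset_id for a in unexpected),
    }


def detection_lag(created_at, first_seen_at, budget):
    """Return (lag in whole minutes, within_budget) for one creation test."""
    lag = first_seen_at - created_at
    return int(lag.total_seconds() // 60), lag <= budget


def run_creation_test():
    """Apply detection_lag to the constructed sample timestamps."""
    return detection_lag(SAMPLE_CREATED, SAMPLE_FIRST_SEEN, DETECTION_BUDGET)


def provider_failure(discovered, recorded, provider):
    """True when a provider that had recorded assets returned nothing at all:
    far more likely a failed connector than a mass decommission."""
    had = any(a.provider == provider for a in recorded)
    has = any(a.provider == provider for a in discovered)
    return had and not has


if __name__ == "__main__":
    print(reconcile(DISCOVERED, RECORDED, PLANNED_REMOVALS))
    print(run_creation_test())
    print(provider_failure(DISCOVERED, RECORDED, "cloud-a"))
```

Run on the constructed data, the reconciliation reports `vm-web-07` as new, `srv-legacy-09` as an expected removal and `i-ffff99` as an unexpected one, and the creation test shows a 7-minute lag inside the 15-minute budget. The same diff, run after every discovery cycle, is what turns "see what you must see" into a measurable number.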

Next steps:

Now that we know our inventory, let's start adding context information about its weaknesses or failure points. To know how resistant it is to attack, we must ask the following question: Due to its nature, what risks does it incur? In other words, does it have known vulnerabilities due to its software version or manufacturer? Whether it is a network element, an operating system, an application or a communication interface, any object in our inventory can be tested for possible vulnerabilities.

The second question is whether our digital inventory assets were built or configured securely, according to a benchmark from the CIS (Center for Internet Security), which has published a series of security configuration recommendations for multiple asset types and has also provided guidelines for security standards such as PCI (Payment Card Industry). So the next question we must ask is: how compliant are our digital assets, in percentage terms?

When asking ourselves these two questions, we must consider validation activities to understand their possible vulnerabilities as well as their percentage of compliance with possible assurance or hardening models.

These tests must be dynamic and constant. Given how objects appear and disappear in our inventory, this can definitely be a challenge in the security strategy, for the reasons raised previously. Difficult, but not impossible: there are more and more technological solutions that allow these tests to be carried out continuously.

So, if we already have the digital inventory system aligned to our organization, implementing these test systems should be the next step, since knowing our weaknesses and our level of compliance is a fundamental step toward security that is resilient to cyberattacks.

The results of these tests can sometimes be overwhelming, with hundreds or thousands of configurations, patches or updates to implement and many action steps to execute. Many organizations at this point can see an infinite world to address a consistent security strategy. They can even start to refocus their scope and begin to consider less equipment and reduce inventories. This may be an option; however, we have a different proposal.

Often, weak configurations or vulnerabilities seem very important according to some standard or external agent, but have we really tested these possible vulnerabilities, and do we really have to execute the changes manually?

Automation must be an important factor to consider as well as the risk assessment.

At this point, risk analyses, asset inventories and security tests begin to converge.

If we have brought these elements together in our inventory, we can redirect our actions and focus security control activities gradually, from the most important assets to the rest. It is important to remember that we must cover, as far as possible, the corrective actions related to risk.
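The convergence of inventory context, hardening checks and vulnerability results into one prioritized work list, together with the "percentage of compliance" asked for earlier, is illustrated by the following Python. It is an added example and not code from the original article, A3Sec or CIS: the benchmark check IDs and titles are constructed (they are not taken from an actual CIS Benchmark), the three assets and their scan results are constructed, and the scoring rule (severity multiplied by business criticality, doubled for internet-exposed assets, with a failed hardening check counted as medium severity) is this example's own assumption.

```python
from dataclasses import dataclass, field

# Constructed benchmark: a handful of CIS-style hardening checks. The IDs and
# titles are illustrative and not copied from any published benchmark.
BENCHMARK = {
    "chk-01": "Administrative account has MFA enabled",
    "chk-02": "Object storage is not publicly readable",
    "chk-03": "Audit logging is enabled",
    "chk-04": "Default network group allows no inbound traffic",
}

# Assumed severity for a failed hardening check, on the same 0-10 scale as CVSS.
FAILED_CHECK_SEVERITY = 5.0


@dataclass
class AssetContext:
    """Inventory record enriched with test results (field names are this example's)."""
    asset_id: str
    criticality: int          # 1 (low) .. 5 (business critical), from the inventory
    internet_exposed: bool    # from the inventory / network discovery
    failed_checks: set = field(default_factory=set)      # from the hardening scan
    vulnerabilities: list = field(default_factory=list)  # (vuln id, cvss) from the vuln scan


# Constructed scan results for three inventory objects.
ASSETS = [
    AssetContext("vm-web-07", criticality=4, internet_exposed=True,
                 failed_checks={"chk-02", "chk-04"},
                 vulnerabilities=[("VULN-A", 9.8)]),
    AssetContext("srv-db-01", criticality=5, internet_exposed=False,
                 failed_checks={"chk-01"},
                 vulnerabilities=[("VULN-B", 7.5), ("VULN-C", 5.3)]),
    AssetContext("laptop-0042", criticality=2, internet_exposed=True),
]


def compliance_percent(asset, benchmark=BENCHMARK):
    """Share of benchmark checks the asset passes, as a percentage."""
    failed = len(asset.failed_checks & benchmark.keys())
    return round(100.0 * (len(benchmark) - failed) / len(benchmark), 1)


def fleet_compliance(assets, benchmark=BENCHMARK):
    """Mean compliance across the inventory, the number management asks for."""
    return round(sum(compliance_percent(a, benchmark) for a in assets) / len(assets), 1)


def risk_score(asset, severity):
    """Assumed scoring: severity x criticality, doubled when internet-exposed."""
    exposure = 2.0 if asset.internet_exposed else 1.0
    return round(severity * asset.criticality * exposure, 1)


def remediation_plan(assets, benchmark=BENCHMARK):
    """Merge failed checks and vulnerabilities into one list, highest risk first.

    Each entry is (score, asset_id, finding_id, description); ties are broken
    by asset and finding id so the ordering is stable from run to run.
    """
    items = []
    for a in assets:
        for chk in sorted(a.failed_checks & benchmark.keys()):
            items.append((risk_score(a, FAILED_CHECK_SEVERITY), a.asset_id, chk, benchmark[chk]))
        for vid, cvss in a.vulnerabilities:
            items.append((risk_score(a, cvss), a.asset_id, vid, "known vulnerability"))
    return sorted(items, key=lambda t: (-t[0], t[1], t[2]))


if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.asset_id}: {compliance_percent(a)}% compliant")
    print(f"fleet: {fleet_compliance(ASSETS)}% compliant")
    for score, asset_id, finding, desc in remediation_plan(ASSETS):
        print(f"{score:6.1f}  {asset_id:12}  {finding:8}  {desc}")
```

With the constructed data the fleet sits at 75% compliance, and the plan puts the critical vulnerability on the exposed web server first and the MFA finding on the internal database last, even though both belong to high-criticality assets. The point is not the particular weights, which every organization will tune, but that the same inventory attributes used for discovery drive the order in which corrective actions are executed, so the thousands of findings mentioned above become a queue rather than an "infinite world".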

In conclusion, from this starting point, a cloud security strategy should consider what you have and how strong it is. If you can start from here, establishing a good control scheme could be less painful and you will have better coverage.

Keeping it simple in a complex world is about automation and integration.