Organizations' increasing use of cloud services and resources results in a staggering variety of cloud administrative consoles and interfaces and thus more responsibilities.
The collective term for the consoles and interfaces is the cloud control plane -- and it can be difficult to secure. The cloud control plane can encompass a wide variety of elements. The simplest is the cloud administrative console itself, which must be meticulously locked down. Limited privileges and user access, in addition to multifactor authentication (MFA), are critical steps in securing the cloud administrative console.
But, as the cloud is a software-defined infrastructure platform, there are many other aspects of the cloud environment that may fall into the cloud control plane category. First, there is a wide variety of APIs open and available in the cloud, including command-line management interfaces for IaaS or those associated with Kubernetes and other orchestration technologies. The second aspect of control plane security is the network zoning and segmentation put in place between assets and from external networks.
Common obstacles to control plane security
Many cloud security issues arise from a lack of oversight into what controls are in place, how they're configured and what changes are made in cloud environments. Because cloud configuration issues drive many of today's security challenges and incidents, security teams must prioritize the following list of factors, which consistently drive the need for cloud security management and oversight:
- The cloud is programmable. It's easy to make a configuration mistake in the cloud, and with little to no oversight, this is almost a guaranteed outcome.
- Cloud leads to major sprawl. This is because many new technologies are available, and implementation is only "a click away" for technologists.
- The cloud is unlike on-premises tools, technologies and services. While the concepts may be similar in some cases, the cloud is its own software platform, and every cloud is unique.
- Cloud inventory management is challenging. This is especially true in cases of sprawl and a lack of monitoring. Though cloud platforms enable more flexibility in building and querying inventory of assets, it can be difficult to achieve a continuous asset inventory without deep and highly embedded monitoring.
In addition, privacy and regional requirements for security controls can make sound cloud security management even more challenging, as can multi-cloud implementation. But there are steps cloud security teams can take to bolster control plane security at their organizations.
How to mitigate control plane security issues
Gartner defined cloud security posture management (CSPM) as a group of security products and services that includes compliance monitoring, dynamic cloud and DevOps integration, more thorough investigation and incident response capabilities, risk assessment and improved reporting for the cloud control plane.
CSPM tools and services can monitor a wide variety of issues within any cloud environment. The intention is to create a policy to define the "desired state" or "desired configuration" for the cloud infrastructure, in addition to monitoring the reality of what is in place.
CSPM tools can identify the following common cloud control plane issues:
- no encryption enabled for cloud storage or databases;
- no encryption for sensitive data in motion;
- lack of sound key management, including old or stale keys;
- poor identity and access management (IAM) policies that don't adhere to the principle of least privilege;
- privileged accounts without MFA enabled;
- open or permissive network access controls;
- exposed data storage, such as accessible S3 buckets; and
- minimal or no logging enabled within the cloud environment.
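The following added example (not code from the article or from any CSPM vendor) shows the "desired state versus reality" idea behind CSPM as a small policy engine: a constructed inventory of cloud resources is evaluated against rules that mirror the issues listed above. The inventory shape, the rule ids, the 365-day key rotation window and the set of management ports are all assumptions.

```python
"""Minimal CSPM-style desired-state check over a constructed cloud inventory.
Added example, not from the article or a vendor product; the inventory shape
(dicts keyed by 'type') and the rules are assumptions mirroring the list above."""

ADMIN_PORTS = {22, 3389}  # assumed management ports that must not face the internet

# Constructed sample inventory, in the shape a CSPM tool would pull via
# provider APIs. Values are made up for illustration.
SAMPLE_INVENTORY = [
    {"type": "storage", "name": "bucket-a", "encrypted": False, "public": True},
    {"type": "storage", "name": "bucket-b", "encrypted": True, "public": False},
    {"type": "database", "name": "db-prod", "encrypted": False, "tls_required": True},
    {"type": "iam_user", "name": "admin-1", "privileged": True, "mfa": False},
    {"type": "iam_user", "name": "dev-1", "privileged": False, "mfa": False},
    {"type": "key", "name": "kms-old", "age_days": 420},
    {"type": "network_acl", "name": "sg-web", "ingress_cidrs": ["0.0.0.0/0"], "ports": [22, 443]},
    {"type": "account", "name": "main", "logging_enabled": False},
]

# Desired-state policy: (rule id, resource type, predicate that is True when compliant).
POLICY = [
    ("storage-encrypted", "storage", lambda r: r["encrypted"]),
    ("storage-not-public", "storage", lambda r: not r["public"]),
    ("db-encrypted", "database", lambda r: r["encrypted"]),
    ("db-tls", "database", lambda r: r["tls_required"]),
    ("privileged-mfa", "iam_user", lambda r: r["mfa"] or not r["privileged"]),
    ("key-rotated", "key", lambda r: r["age_days"] <= 365),  # assumed rotation window
    ("no-open-admin-ports", "network_acl",
     lambda r: "0.0.0.0/0" not in r["ingress_cidrs"] or not ADMIN_PORTS & set(r["ports"])),
    ("logging-enabled", "account", lambda r: r["logging_enabled"]),
]

def evaluate(inventory, policy=POLICY):
    """Return (rule id, resource name) for every resource that violates a rule."""
    findings = []
    for res in inventory:
        for rule_id, rtype, compliant in policy:
            if res["type"] == rtype and not compliant(res):
                findings.append((rule_id, res["name"]))
    return findings

def summarize(findings):
    """Count violations per rule, the roll-up a CSPM report presents."""
    counts = {}
    for rule_id, _ in findings:
        counts[rule_id] = counts.get(rule_id, 0) + 1
    return counts

if __name__ == "__main__":
    for rule_id, name in evaluate(SAMPLE_INVENTORY):
        print(f"VIOLATION {rule_id}: {name}")
```

Each finding maps back to one of the control plane issues above; a real tool would additionally feed the findings into remediation and reporting.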
Key features of CSPM service offerings
There are many cloud security posture management offerings available, including Palo Alto Networks' Prisma Cloud, Rapid7's DivvyCloud, CloudCheckr, Aqua Security's CloudSploit, FireEye's Cloudvisory and Outpost24's Cloudsec Inspect.
When evaluating CSPM options, security teams should look for the following key features:
- Configurable and automatable remediation capabilities. Ideally, any discovered issues can be remediated automatically or with minimal manual intervention.
- Custom policy and rules engine enforceable across a multi-cloud environment. The granularity and flexibility of a policy engine is one of the most important features for any CSPM tool. Policies need to properly and accurately assess cloud service provider settings and asset configuration.
- Integration with DevOps pipeline stages and tools. For any code or image repositories, build tools, etc., a CSPM platform should ideally be able to integrate and monitor activity here as well.
- Detailed and configurable reporting. As CSPM is a monitoring tool at heart, reporting is critical.
When applying CSPM to security operations, organizations should consider the following:
- asset inventory and classification speed and accuracy;
- focus on identifying access to the cloud control plane;
- monitoring policies for configuration and compliance;
- monitoring operational policies and configuration for performance;
- collecting artifacts and insight into incidents for incident response; and
- visualization and reporting of control plane risks.
Finally, security teams should consider the integration of CSPM offerings with their various cloud service providers. Most cloud security posture management platforms are integrated through cloud service provider APIs and IAM service accounts. However, security teams should closely evaluate the privileges needed and ensure any new IAM accounts are carefully set up and monitored.