Mismanaging configurations in your multi-cloud environment can put you at an elevated risk for cyber attacks. In the first installment of our \u201cStronger Cloud Security in Five\u201d blog series, we outline five best practices for boosting your cloud configuration management.<\/p>\n
A misconfigured web application firewall. A publicly accessible and unprotected cloud database. An overprivileged user identity. Lax access control to containers. Unchanged default credentials.<\/p>\n
Those are just some of the many configuration oversights and mistakes that attackers can leverage to breach your cloud environment, hijack user accounts, steal data and more. In addition, having misconfigured cloud resources puts your organization on the wrong side of regulatory compliance, and thus open to costly penalties, fines and litigation.<\/p>\n
In a vacuum, it would seem simple to button up most cloud misconfigurations. Surely, we can all agree that leaving an Amazon Web Services (AWS) Simple Storage Service (S3) storage bucket open to anyone on the internet is a no-no. Yet, the \u201cTenable Cloud Risk Report 2024<\/span><\/a>,\u201d based on an analysis of millions of cloud resources scanned through the Tenable Cloud Security platform, found that 74% of organizations have publicly exposed cloud storage.<\/p>\n The reality is that cloud misconfigurations are prevalent. In fact, misconfigurations and inadequate change controls ranked first on the Cloud Security Alliance\u2019s \u201cTop Threats to Cloud Computing 2024″ report. \u201cGiven a cloud\u2019s persistent network access and infinite capacity, misconfigurations can have wide-reaching impacts across an organization,\u201d the CSA tells us in that report.<\/p>\n Why do even large multinationals \u2013 with massive resources and stellar IT, cybersecurity and compliance staff \u2013 routinely fail to properly configure their cloud environments?<\/p>\n In a nutshell: With cloud environments having myriad moving parts and being so dynamic, managing configurations is complicated if you lack the proper processes and tools.<\/p>\n Here are five best practices<\/span><\/a> you can apply immediately to harden your cloud configurations.<\/p>\n If your organization is like most others, it uses multiple cloud security providers (CSPs) \u2014 each with its own configuration settings and with its own shared responsibility model for divvying up security tasks with customers.<\/p>\n That\u2019s why you need a vendor-agnostic, centralized cloud-native application protection platform (CNAPP) with a strong cloud security posture management (CSPM) component.<\/p>\n With CSPM tools<\/span><\/a>, you\u2019ll be able to centrally harden configurations across your multi-cloud environment by consistently and continuously adopting, monitoring and enforcing security policies in areas such as access control and data encryption.<\/p>\n Without an automated, centralized system, you won\u2019t have holistic and comprehensive visibility of your configurations across all your clouds and your organization will be at heightened risk of cyber attacks.<\/p>\n CSPM allows you to continuously scan all your cloud assets and resources and get an unobstructed view of all your detected misconfigurations. Then you can prioritize and document their remediation in compliance reports for your leaders, auditors and regulators.<\/p>\n User and machine identities with excessive privileges pose a major risk in cloud environments because during a breach attackers can leverage those permissions to move deeper into your network. \u201cInitial malicious access attempts on cloud resources frequently target user credentials,\u201d the U.S. Cybersecurity and Infrastructure Security Agency (CISA) points out in its publication \u201cUse Secure Cloud Identity and Access Management Practices.\u201d<\/p>\n Thus, your CNAPP should have a comprehensive cloud infrastructure entitlement management (CIEM) component with granular identity and access management (IAM) capabilities. That\u2019ll allow you to audit your multi-cloud identities and ensure they have the minimum access rights and capabilities they need. This is the concept of least privilege.<\/p>\n At a high level, you need to continuously discover all of your cloud infrastructure\u2019s human and machine identities; understand their scope of cloud-resource access and permissions; assess identities\u2019 level of risk; and make necessary least-privilege adjustments.<\/p>\n Offering policy-as-code (PaC), your CNAPP should automate the process of codifying policies; regularly checking how compliant your multi-cloud environment is with industry, regulatory and internal compliance frameworks; and of generating in-depth audit reports. It should provide actionable findings and automate the process of fixing insecure and faulty configurations.<\/p>\n This will yield multiple benefits for your organization, including:<\/p>\n Trying to manually assess the security of your Kubernetes clusters and fix configuration issues is a losing proposition, especially because many Kubernetes resources are ephemeral and come with default configurations. As Tenable Senior Principal Product Marketing Manager Lior Zatlavi explains in a blog: “The complexity of Kubernetes, combined with its dynamic and distributed nature, makes it a daunting task to ensure that clusters are secure from threats.\u201d<\/p>\n That\u2019s why your CNAPP should have a Kubernetes security posture management (KSPM)<\/span><\/a> tool that gives you:<\/p>\n1 – Centralize and automate the configuration management of your multi-cloud environment<\/h4>\n
2 – Implement least-privilege access across your multi-cloud environment<\/h4>\n
3 – Automatically check configurations against compliance frameworks<\/h4>\n
\n
4 – Secure your Kubernetes clusters<\/h4>\n