Continuous and Autonomous Cloud Security through SecOps
According to Gartner, by 2023, 30% of a CISO’s effectiveness will be directly measured on the ability to create value for the business. The cloud security teams need to rethink traditional security concepts and adopt approaches that address today’s dynamic multi-cloud infrastructure. Autonomous cloud security at scale involves more than just implementing security controls.
CoreStack’s holistic approach to SecOps empowers your cloud security and compliance and helps you unleash the power of cloud on your terms. Learn more about SecOps and how CoreStack enables autonomous and continuous cloud security in the webinar below. A transcription of the video text is available at the end of this article for your easy reference.
CoreStack uses a unique compliance framework – Abstracted Cloud Compliance Controls (AC3), that enhances cloud security by enabling continuous cloud compliance for enterprises, providing these key benefits:
- Gain Abstract controls across standards such as NIST 800-53, FedRAMP, PCI DSS, and ISO27017
- Leverage additional meta-data for control implementation and monitoring
- Identify equivalent controls across standards
- Map different cloud services to the controls
- Baseline controls for various levels of compliance – Standard, Advanced, Premium
- Support Multiple Industry Standards and Regulations
To learn how CoreStack can help organizations such as yours to achieve autonomous cloud security and compliance, please set-up a no-obligation demo at corestack.io/compliance
—————Transcribed Text-—————
I am Venkatesh Perumal, you can call me Venky, I am part of the founding team and I head the technology sales at CoreStack. I have been in the industry for the last 25 years and what I've really seen in the cloud space for the last decade or so, at least from the hyperscalers' perspective, there are various issues which have been lingering since the last ten years and they continue exist even today — for the right reason — as cloud adoption has been increasing dramatically. With the pandemic, it is almost like a gold rush, and I like to call it a cloud rush.
CoreStack has been in the space of cloud governance, providing multi cloud governance since 2016. We have over 100 customers globally. CoreStack looks at governance in multiple ways. When we talk about governance, implementation of governance, we talk about Operations, Security, Cost, Access and Resource — we call it OSCAR. The OSCAR governance model addresses three key challenges that you see in the cloud. First is with respect to the cloud cost. The second one is the cloud security and compliance, and the third is the cloud operations. We have always looked at these three problems as being interrelated. While they have been addressed in siloes, but we always feel that if you are able to implement a well dedicated practice, you will be able to address all three — FinOps, SecOps and CloudOps.
For today's presentation, I will focus more on the SecOps capability, which lies more on the Cloud Security Posture Management (CSPM) side. Let’s quickly look at how the industry has been in the past. As we know, with a lot of workloads coming in and users gaining more control over all these workloads, there has been a lot of demand for SecOps. Primarily because every cloud provider has made sure that you can provision the resource much more easily and you can change the resource much more easily. But this can also result in potential security risks. Also, Gartner says that 95% of cloud security issues have resulted only because there was some sort of misconfiguration. So, it is important to see and track the configurations that happen in a cloud account, be it AWS, Azure, Google cloud, on a real-time basis and provide a capability to fix it in real-time as well.
We do have examples from the past, where records have been exposed in the S3 bucket, someone left the organization, but their access was still open which resulted in a data breach. But why these things are happening on a continuous basis? That is primarily because we have still not understood this shared responsibility model.
When we move the workloads into the cloud, it is important to understand who is responsible for what, and that is where all the hyperscalers clearly say that anything in the cloud is their responsibility and anything off the cloud is your responsibility. So, whenever I provision a virtual machine or provision in the S3 bucket, it is up to me whether I want to open the S3 bucket access to the world or I am going to put it in the encryption mode, it is totally up to me and it is my responsibility. The moment we understand what our responsibility is, we will be able to implement proactive measures.
However, there are various challenges that we still find. One, as we continue to adopt more cloud, single-cloud or multi cloud, you are also structured in a way that you have multiple accounts, multiple regions, multiple workloads. And first thing that you need to really have is a unified visibility. How can you get a unified visibility of entire security posture?
Security can be categorized into multiple ways. From a CSPM perspective, we look at the three key areas. You need to have a full visibility into security threats, security vulnerability and security anomalies that are rising because of the best practices assessments.
While you have the visibility, it is also important that you are able to remediate these violations in real-time. But then for any configuration change that happens, it is important that while you are able to manage your security posture, it is also important for a certain industry to assess it against a specific standard. For example, for health care, you need to be compliant with HIPAA. So, how do I ensure that all my infrastructure services or PaaS services that I am consuming today are always compliant, and why there must be a continuous assessment which is required in the cloud, is because the nature of workload that continues to change every day, every moment whenever a change occurs.
But when we look at the fourth aspect, which is management and operations from a security perspective — how do you ensure that it is also connected with your enterprise ecosystem from a service management perspective. Any violation that occurs, it needs to be triggered as an incident ticket, any event that gets created needs to be sent to an ITSM tool and so on.
How do we do that much more on a real-time basis and seamlessly? Why have the current methods really failed to address these challenges while cloud providers have provided all sorts of services today? If you look at AWS, they do provide capabilities, they have AWS Inspector Guard Duty, AWS Cloud Conflict. Similarly, Azure has Azure Security Center. But when we look at it from an enterprise scale CSPM perspective, they certainly lack. How do we ensure that there is a unified way of implementing SecOps?
There have been organizations that have developed their own homegrown tools, but can it be developed and be up-to-date at the speed the cloud is changing? Possibly not. Hence it is not scalable. There are a lot of manual processes which are there, but the models are not interconnected to talk to each other.
To address this, what do we need to do? We need to embrace what we call a Zero-test principle that leads to promoting a least privilege governance.
So, what do we really mean by least privilege governance? Whenever you provision any workload or provide access to your users, they need to have only the least privileged access, which means only the necessary access and security policies that needs to be a patched. This is exactly what CoreStack promotes with its SecOps module which is the Cloud Security Posture Management (CSPM). It has a component of security, which provides a unified visibility, which hooks up all the native services, like Guard Duty, Inspector, and CoreStack policies that continue to run against all the infrastructure services that get provisioned or managed day in and day out to provide a single unified dashboard, which provides you the information about what are the open threats, how can you go ahead and fix them, what are the vulnerabilities, and what are the best practices for the violations you are getting. On the compliance front, there are controls which are already set, and that particular module essentially helps you to go ahead and assess your workloads, which are running on a continuous basis. We will go in-depth into each of these modules in a minute, before that let's talk about security operations.
How do we ensure that I am able to remediate, able to pass on all these alerts continuously to the third-party systems? Now, when we look at security operations itself, one of the key things is to get a complete visibility into all these security violations. But more importantly, if I must implement a culture of security first, then I also need to make sure that every provision that happens, needs to go through a scan to see whether it is already compliant with all the security policies even before it gets deployed. That is what we call as proactive security governance. But can we really stop a user from going into the portal and doing a change to their infrastructure services or configuration? Possibly not. Security should not really hinder the speed at which you're doing the development, hence you need to have a proper combination of both proactive as well as reactive checks.
Proactive checks can be implemented right at the source where you are publishing catalogs which are already security compliant so that developers go ahead and consume, and you do not get any violations because it is already adhering to all your required security policies. From a reactive perspective, we need to continuously poll all your resources events, which means every time an event happens, we need to get a posture in terms of what event has occurred and whether that event has resulted in any violations with respect to the best practices, or it could be threats or vulnerabilities. So, all these guardrails need to be implemented and they need to be real-time. Now while you can address the security operations part, how do we ensure that you are put on a continuous compliance mode?
CoreStack has developed a framework what we call as Abstracted Cloud Compliance Control (AC3). This is the industry's first. We have created a parent master control that already ties into various individual industry controls. So, all you need to do is to run an assessment against AC3. But at any point in time, if you want to look at the posture of how you are benchmarked against NIST, FedRAMP or PCI DSS etc., you will get an assessment report on that posture in real-time. Or, if you want to run this on a regular basis, let's say you want to do the assessment on a daily basis, weekly, monthly or half yearly, you can do that as well. And it is important because compliance in the past used to be enough as a three months or six months effort. But, with cloud today, you need to be compliant almost daily. This module essentially provides you capability to do that.
The native hyperscalers also provide what they call a well architected framework. CoreStack supports that well architected framework and allows you to assess it against, such as CIS benchmark, but more importantly, if you want to implement a well architected framework holistically across Operations, Security, Cost, Access and Resource (OSCAR), it can also be done through CoreStack. It provides you a capability to baseline all the controls. But more importantly, what CoreStack also does is, it maps your objective — every audit has got one objective control and within the objective control, it is already mapped to what we call as an automated policy. We have automatically categorized every control objective within an audit as automated check or a manual check because everything cannot be automated with respect to infrastructure services or PaaS services that you are consuming across any of these clouds. You can run automated check to find out whether they are compliant or not. However, there are some manual checks that you need to perform as well. You can always go ahead and enter the check manually and then when you run a full assessment, it provides how are you faring, are you 50% compliant or 60% compliant or are you always 100% compliance? And that is how the compliance module really works now.
From an operational perspective, while you can get all of the insights, you should also get a capability to go ahead and fix the issue. While there are enterprises who only would want to just look at data and then go to the portal and fix it but there are organizations that are moving toward automated remediation. So, as soon as a violation occurs, automatically the remediation process kicks in so that you can fix it before it becomes a huge risk. That's exactly what happens in the operations module. But more importantly for every violation that is being identified, it also requires an automated incident ticket and if you want to configure a completely automated approval workflow within your ITSM, that can also be done for every change that you do through CoreStack. For example, If an S3 bucket is not encrypted and you are going to encrypt it and you want that to automatically get approved from a line manager, it can be implemented along with your ITSM. That's exactly what these three modules really helps you to get into what we call as CSPM on a continuous basis.
Today CoreStack is available in all the marketplaces. We are there in the AWS marketplace, Azure Marketplace, Google Cloud. We support all three hyperscalers. If you want to go to any marketplace and type in cloud governance, cloud compliance and governance, you will see that we offer free trials and if you want to learn more about how we do the automated policy checks, how we put your company's governance in motion, not only from a security perspective, but also for end to end governance, you can always reach out to us.