This year at KubeCon EU, the Cloud Native Computing Foundation (CNFC) released a staggering statistic: there are now over 6.5 million “cloud-native” developers worldwide—a number that has nearly quadrupled since the same time last year.
Those 6.5 million developers have created an incredibly vibrant cloud ecosystem that has enabled the products we depend on and admire. They’ve also developed environments that are made inherently risky by the cloud’s scalability, flexibility, and repeatability. To help cloud-native teams reduce risks, the cloud security market has boomed with Cloud Security Posture Management (CSPM) emerging in recent years as a frontrunner.
CSPMs exist to provide continuous monitoring of cloud environments and resources for security and compliance issues. Many CSPMs also provide built-in benchmarking against common best practices and industry standards to verify that infrastructure is compliant and stays that way. CSPM is an integral part of many security teams’ toolkit, and as Gartner analyst Neil MacDonald (who popularized the category) put it, CSPM “is only becoming more important.”
Recent acquisitions in the space confirm that notion and I don’t disagree. Still, as teams become more distributed, adopt new technologies, and configure more infrastructure in code, the traditional CSPM model is certainly falling short.
Cloud vs. code
As CSPM has emerged as the de-facto solution to secure public cloud environments, those very same environments have evolved with the rise of infrastructure as code (IaC).
In recent years, IaC has taken off to help teams more efficiently and reliably spin up and down cloud infrastructure. By codifying infrastructure into machine-readable files, modules, and functions, IaC takes the cloud’s existing scalability and multiplies it.
Because it can also run in parallel to manual cloud orchestration, implementing IaC without visibility at that layer can lead to confusion as to how and where resources are being governed. Deploying misconfigured IaC can result in recurring misconfigurations in production that no monitoring and alerting will be able to fully eliminate.
The only way to truly address those risks is to go to the source. That means shifting cloud security left to IaC. If you’re leveraging IaC frameworks like Terraform or CloudFormation, you need to make sure that your CSPM addresses misconfigurations there—preferably in an automated and continuous way.
Management vs. remediation
Whether you’re using IaC or not, cloud security visibility or “management” is only so good as the improvements you can actually make. No matter how good your CSPM coverage is or how real-time your alerting is, your ability to address misconfigurations is always more important.
We’re starting to see some CSPMs address this challenge, and for good reason: most CSPMs are bought by security who lack source code access or knowledge of the intricacies of AWS architecture, security often cannot address security issues themselves. Instead, they’re relegated to opening a service ticket where remediations then get prioritized and scheduled for engineering.
If your CSPM doesn’t provide both visibility and remediations, you should ask yourself how much risk it’s mitigating versus how many Jira tickets it’s creating.
To automate the identification and remediation of issues, fixes need to be delivered as code. By implementing security as code, developers are equipped with the actual solutions to their problems and have the ability to set policies to govern infrastructure going forward. This also enables teams to take a more proactive vs. reactive approach to cloud security and ensures that it is consistently applied throughout the environment.
Security posture vs. engineering productivity
With the rise of the IaC, DevOps, and shift left movements, it’s becoming clear that engineers hold the keys to the future. While security tooling doesn’t get funded by engineering organizations, it sure does concern them, and many CSPMs haven’t yet addressed that fact.
To reap the full benefits that CSPMs have to offer, you need to leverage the frameworks and processes engineers use every day. That means not only going to the source and scanning IaC for misconfigurations, but doing that continuously on commits or pull requests, and as part of automated build pipelines via CI/CD.
Securing rapidly evolving and growing cloud-native infrastructure in 2020 requires not just automation, but also an accessible end-to-end workflow. Most CSPMs talk about automating security event logging and misconfiguration detection, but the whole cycle needs to be automated for it to not slow teams down. When it comes down to it, engineering productivity and security posture need to be part of the same conversation.
While CSPMs have provided invaluable security automation for thousands of environments, they’ll have to address these gaps if they’re to stay relevant for years to come.
This post originally appeared in InfoSecurity Magazine.