CSPM Evolution – Start Secure, Stay Secure

For the last several years, the Verizon DBIR report has identified misconfigurations, errors that are unintended actions by an internal party, as one of the top reasons for data breaches. This trend is further reinforced by the results of a recent survey conducted by Cybersecurity Insiders. They surveyed 613 cybersecurity professionals, and 67% of them identified misconfiguration as the biggest threat to cloud platform security. The danger has not diminished, as evidenced by a recent news article in which ethical hackers found 80 misconfigured Amazon S3 buckets holding PII data, totaling over 1000 GB of data and over 1.6 million files, that were accessible without any password or encryption.

Cloud Security Posture Management (CSPM) tools are typically used for securing public clouds. CSPM tools use the cloud service provider API, the source of truth for your cloud infrastructure, to report whether the configuration of your resources meets the best practices prescribed by various industry groups. CSPM tools, while effective, have not been able to prevent misconfigurations from creeping into production environments. The main reason for this is that CSPM tools are reactive, i.e., they detect misconfigurations after the resource is deployed. A hacker can potentially exploit the misconfigured resource at any time between when it was misconfigured and when it is detected and fixed. For organizations with stringent change policies, the time between detection and remediation can be long, several days to weeks. The bottom line is that traditional CSPM tools will not cut it, as they catch these problems too late in the cycle.

The real answer is to prevent misconfigurations in the first place – fix the issues at the source. In many cases, that means fixing the misconfigurations in the Infrastructure as Code (IaC) that was used to create the resources. DevOps teams are increasingly using IaC to deploy cloud-native applications and provision their infrastructure. IaC languages like Terraform, CloudFormation (CF), and Azure Resource Manager (ARM) make it easy to express resource configuration. For example, if you want to create a private S3 bucket, you can do so in just a few lines of Terraform code:

# Creates an S3 bucket with a private ACL; note that no encryption or
# access logging is configured here.
resource "aws_s3_bucket" "bucket" {
  bucket = "my-tf-test-bucket"
  acl    = "private"
}

The above code appears safe – you are simply creating an S3 bucket and have made it private. While at first sight there may not be an issue here, you are missing many critical security configuration settings, such as enabling encryption or access logging. The question then becomes how to prevent the deployment of this template. The answer is to shift security left and embed security automation at each stage of the CI/CD process with built-in automated assessments.
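As an added illustration of the kind of pre-deployment check described above (example code written for this edited version of the post, not Qualys CloudView code), the following Python scans Terraform text for aws_s3_bucket resources that lack inline server_side_encryption_configuration or logging blocks. The sample template and bucket names are constructed, and the check assumes the older inline-block form of these settings that the post's snippet uses.

```python
import re

# Constructed sample: the post's bucket beside a hardened one (inline-block style).
SAMPLE_TF = '''
resource "aws_s3_bucket" "bucket" {
  bucket = "my-tf-test-bucket"
  acl    = "private"
}
resource "aws_s3_bucket" "hardened" {
  bucket = "my-tf-hardened-bucket"
  acl    = "private"
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default { sse_algorithm = "AES256" }
    }
  }
  logging {
    target_bucket = "my-tf-log-bucket"
    target_prefix = "log/"
  }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"aws_s3_bucket"\s+"([^"]+)"\s*\{')
REQUIRED_BLOCKS = {  # nested block name -> finding reported when it is absent
    "server_side_encryption_configuration": "no server-side encryption",
    "logging": "no access logging",
}

def _block_body(text, start):
    """Return the text inside the brace at `start`, honouring nested blocks."""
    depth = 0
    for i, ch in enumerate(text[start:], start):
        depth += (ch == "{") - (ch == "}")
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces")

def assess_s3_buckets(tf_text):
    """Map each aws_s3_bucket resource name to its findings (empty list = clean)."""
    findings = {}
    for m in RESOURCE_RE.finditer(tf_text):
        body = _block_body(tf_text, m.end() - 1)  # m.end() - 1 is the opening brace
        issues = [msg for blk, msg in REQUIRED_BLOCKS.items()
                  if not re.search(rf"\b{blk}\s*\{{", body)]
        findings[m.group(1)] = issues
    return findings
```

Run as a CI step, a non-empty findings list for any bucket is the signal to fail the pipeline before the template is applied.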

Qualys has built a security automation solution for IaC. Qualys is extending CloudView’s capability to assess assets and resources deployed in the cloud for misconfigurations and non-standard deployments to IaC templates. IaC assessment analyzes Terraform, CF, and ARM files and identifies security misconfigurations for resources and services for AWS, Azure, and GCP. IaC assessment can be performed throughout the pipeline – on the source code when it is checked into the source code repository, during the integration phase, and before deployment. IaC assessment can be initiated through multiple means – CLI, API, source code repository plugins, and CI/CD tool plugins. Customers can now assess the security posture earlier in the development cycle, dramatically reducing security risk post-deployment.

A few Qualys customers have participated in the private beta, and the feedback has been very positive. One of the beta participants, a security engineer responsible for checking IaC templates for security misconfigurations, has moved away from a manual review process to using the IaC assessment tool. They found the CloudView IaC security assessment to be far more comprehensive in detecting misconfigurations than manual efforts. Furthermore, they plan to integrate the CloudView IaC security assessment tool into the source code repository so that DevOps can receive immediate feedback and remediation suggestions when issues are detected in the code.

If you are currently challenged with detecting security misconfigurations in your cloud deployments, then you can sign up for the IaC beta here. We would love for you to try the IaC assessment capability and give us feedback on how to improve it.

Cybersecurity Insiders 2021 Cloud Security Report

Verizon DBIR report

This post was first published on the Qualys Security Blog website by Parag Bajaria. You can view it by clicking here.