Introduction:
Have you ever found yourself in a situation where you wanted to prioritize the riskiest misconfigurations on cloud workloads across Azure, AWS, and GCP? Have you ever wondered how to implement a unified dashboard for cloud security posture across a multicloud environment?
This article covers how you can achieve these scenarios by using Defender Cloud Security Posture Management's (CSPM) native support for resources inside Azure, and resources in AWS and/or GCP.
For more information about Defender for Cloud’s multicloud support you can start at https://learn.microsoft.com/en-us/azure/defender-for-cloud/multicloud
To help you understand how to use Defender for Cloud to prioritize riskiest misconfigurations across your multicloud environment, all inside of a single dashboard, this article covers three topic in the following sequence:
- Understanding the benefits of Defender CSPM for multicloud environments.
- Implementing a unified security dashboard for cloud security posture.
- Optimizing security response and compliance reporting.
Understand the benefits of Defender CSPM for multicloud environments:
When it comes to the plethora of different cloud service at your disposal, certain resource types could be more at risk than others, depending on how they’re configured, whether they’re exploitable and/or exposed to the Internet. Besides virtual machines, storage accounts, Kubernetes clusters, and databases come to mind.
Imagine if you have a compute resource, like an EC2 instance that is public exposed, with vulnerabilities and can access other resources in your environment. When combined together, these misconfigurations can represent a serious security risk to your environment, because an attacker might potentially use them to compromise your environment and move laterally inside of it.
For organizations pursuing a multicloud strategy, risky misconfigurations can even span public cloud providers. Have you ever found yourself in a situation where you use compute resources in one public cloud provider and databases in another public cloud provider? If an organization is using more than one public cloud provider, this can represent risk of attackers potentially compromising resources inside of one environment, and using those resources to move to other public cloud environments.
Defender CSPM can help organizations close off potential entry points for attackers by helping them understand what misconfigurations in their environment they need to focus on first (figure 1), and by doing that, increase their overall security posture and minimize the risk of their environment getting compromised.
By knowing what they need to focus on first, organizations can remediate misconfigurations faster and essentially do more with less, saving the organization both time and resources. By identifying what are the organization’s critical assets and potential threats to those assets, organizations can allocate resources more effectively and prioritize remediation efforts for business critical resources. This helps them address vulnerabilities more quickly and reduces the overall risk to their organization.
Implement a unified security dashboard for cloud security posture:
Organizations pursuing a multicloud strategy often find themselves in a situation where they need to operate more than one public cloud environment and manage it in ways that can differ across public cloud providers. This is applicable to security as well. Meaning you should take into consideration different security configurations for each resource type in each cloud provider that you’re using.
When you look at large environments, and especially for organizations pursuing a multicloud strategy, this can introduce security risks, particularly if there is lack of visibility across the entire environment and if security is managed in siloes.
This is also where standardization of cloud security posture across a multicloud estate can help. You need to be able to speak the same language across different public cloud providers. For example, using international standards and best practices, which can be a relevant reference point for senior management. Another one are metrics or key performance indicators (KPIs). You must be able to measure progress and avoid confusion when reporting security statuses. Also, when reporting vulnerabilities to the senior management. One good approach here is to have a centralized CSPM solution (figure 2).
By having CSPM as part of a Cloud Native Application Protection Platform (CNAPP), it helps organizations break down security siloes and connect the dots between CSPM and other areas of CNAPP to help paint a fuller picture.
Optimizing security response and compliance reporting:
Many security teams struggle with the sheer amount of security findings, and needing to prioritize is crucial for effectively minimizing risk in an organization’s environment. Organizations which are not able to prioritize their remediation efforts I see spending a lot of time and resources, and not getting their desired return of investment (ROI).
And ROI is important because it’s used to secure future budget allocations for cybersecurity initiatives. Therefore, it’s critical to have simple KPIs to showcase how efforts have prevented breaches, reduced downtime and minimized financial losses. Several organizations that I work with mentioned a real need for a simple KPI that will help them to break down complex security metrics into easy-to-understand KPI, both for the senior management and for the business owners.
This way, management and business owners, who might not be experts in cybersecurity, can quickly understand why these efforts matter for protecting the business, why they need to prioritize the remediation process, and understand the importance of investing budget in this area.
Another struggle that I see is the need to detect the relevant owners in the organization, who own resources on which an issue or security risk is detected. Ensuring workload owners understand the remediation steps and address the issues quickly is another key point that organizations need to consider. Many organizations already have existing processes in place for this, be it change management or an ITSM, so having a way to integrate with existing business processes and ITSMs can help with this regard (figure 3).
Conclusion:
This article provides food for thought when it comes to prioritizing riskiest misconfigurations across your multicloud environment, all inside of a single dashboard by using Defender CSPM.
Reviewers:
Giulio Astori, Principal Product Manager, Microsoft