Over the past year, our CNAPP solution has gone through progressive enhancements, particularly around secret management. It all began with the ability to identify various secret types across virtual machines (VMs). Subsequently, we expanded our focus to include a wide range of metadata associated with these secrets, providing valuable context.
Today, we are excited to unveil a new capability in Public Preview: Secrets scanning for cloud deployments! Covering Azure and AWS during Public Preview, this capability marks an important step in our commitment to providing a holistic secret management solution across various resource types and different stages of software development lifecycle (SDLC).
What is a Cloud deployment?
Cloud deployments refer to the process of deploying and managing resources on cloud providers like AWS and Azure using tools such as AWS CloudFormation stack and Azure Resource Manager templates. This approach streamlines infrastructure management and enhances scalability and consistency in cloud environments.
In one sentence: a cloud deployment is an instance of an IaC template.
Each cloud provider exposes an API to query for historical deployments.
When querying AWS or Azure APIs for cloud deployment resources, you can typically retrieve the deployment metadata, such as the deployed template, deployment parameters, deployment outputs and tags.
Why Are Secrets in Deployment Resources Critical?
Our statistical research found that more than 10% of cloud accounts contain one or more cloud deployments with a plain-text secret that can lead to a critical asset, such as a database, blob storage, GitHub repositories or Azure OpenAI services.
While traditional secrets scanning solutions often detect misplaced secrets in code repositories, IaC templates, DevOps pipelines or files within VMs and containers, deployment resources tend to be overlooked. These lingering secrets create a blind spot, allowing attackers to exploit an otherwise hidden attack surface within cloud environments. Our new capability adds an extra layer of security, addressing scenarios such as:
In summary, our solution provides extended coverage for securing cloud environments and prevents lateral movement by discovering and securing exposed secrets in deployment resources, reducing the risk of unauthorized access and breaches.
How does it work?
The scanning of deployment resources operates entirely without agents, relying solely on the control plane's API. This allows for a comprehensive and continuous scan of all organizational deployment resources, ensuring they are safeguarded against secret exposures.
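The metadata listed above (template, parameters, outputs, tags) is exactly what an agentless, control-plane-only scanner has to work with. The following added example is not code from the original post or from Defender for Cloud; it runs a small set of detection rules over a constructed, made-up CloudFormation-style stack record to show where plain-text secrets typically surface in deployment metadata. The sample record, the rule set and the function names are all assumptions made for this illustration; in a real scanner the record would come from the provider API (for AWS, DescribeStacks and GetTemplate) rather than an inline dictionary.

```python
import json
import re

# Constructed sample of the deployment metadata the text lists (template, parameters,
# outputs, tags), shaped roughly like a flattened CloudFormation DescribeStacks +
# GetTemplate response. Every value here is made up for this example.
SAMPLE_DEPLOYMENT = {
    "StackName": "example-web-stack",
    "Parameters": [
        # NoEcho parameters come back masked from the API, so nothing to find here.
        {"ParameterKey": "DbPassword", "ParameterValue": "****"},
        {"ParameterKey": "StorageConn",
         "ParameterValue": "DefaultEndpointsProtocol=https;AccountName=examplestore;"
                           "AccountKey=ZXhhbXBsZWtleWV4YW1wbGVrZXlleGFtcGxla2V5ZXhhbXBsZQ==;"
                           "EndpointSuffix=core.windows.net"},
    ],
    "Outputs": [
        # NoEcho does not mask the Outputs section, so a password echoed here is exposed.
        {"OutputKey": "AdminConnectionString",
         "OutputValue": "Server=db.example.internal;User Id=admin;Password=NotARealPw123;"},
    ],
    "Tags": [{"Key": "owner", "Value": "platform-team"}],
    "TemplateBody": json.dumps({
        "Resources": {
            "Web": {
                "Type": "AWS::EC2::Instance",
                "Properties": {
                    # Constructed, non-functional key id in the documented AKIA format.
                    "UserData": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01",
                },
            }
        }
    }),
}

# Detection rules (assumed for this example): name -> regex whose group(1) is the secret.
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{20,}={0,2})"),
    "connection_string_password": re.compile(r"(?i)password\s*=\s*([^;\"'\s]+)"),
}


def _walk(node, path):
    """Yield (path, string) for every string leaf in nested JSON-like data."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def _fields(deployment):
    """Flatten the four metadata kinds the control-plane API returns into (location, text)."""
    for p in deployment.get("Parameters", []):
        yield f"Parameters.{p['ParameterKey']}", p.get("ParameterValue", "")
    for o in deployment.get("Outputs", []):
        yield f"Outputs.{o['OutputKey']}", o.get("OutputValue", "")
    for t in deployment.get("Tags", []):
        yield f"Tags.{t['Key']}", t.get("Value", "")
    body = deployment.get("TemplateBody")
    if body:
        try:
            yield from _walk(json.loads(body), "TemplateBody")
        except json.JSONDecodeError:  # YAML or other non-JSON templates: scan as raw text
            yield "TemplateBody", body


def redact(secret):
    """Keep only a short prefix so a finding can be triaged without re-exposing the value."""
    return secret[:4] + "..." if len(secret) > 4 else "..."


def scan_deployment(deployment):
    """Return a list of findings: (location, rule name, redacted secret)."""
    findings = []
    for location, text in _fields(deployment):
        if text.strip("*") == "":  # empty or API-masked (NoEcho) value, nothing to inspect
            continue
        for rule, rx in RULES.items():
            for m in rx.finditer(text):
                findings.append((location, rule, redact(m.group(1))))
    return findings


if __name__ == "__main__":
    for finding in scan_deployment(SAMPLE_DEPLOYMENT):
        print(finding)
```

Two points the sample is built to show: a parameter marked NoEcho is masked by the API, but the same value echoed through an output or baked into the template body is not, which is why the Outputs section and the template itself need to be scanned and not just the parameter list; and findings are reported with a redacted prefix so the scanner's own output does not become another place the secret is stored in plain text.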
This new capability marks a significant milestone in our journey to enhance security across the entire pipeline, spanning from the software development lifecycle to the runtime of cloud resources.
Enablement:
The new capability is included in Defender CSPM and automatically enabled during onboarding. For existing Defender CSPM customers, no further action is required and the new feature already covers your cloud deployments.
Relevant recommendations for this capability:
If you wish to verify or activate Defender CSPM, there are steps available for you to do so.