According to the Flexera 2021 State of the Cloud Report, 55% of enterprise workloads are expected to be in a public cloud by November 2021. And per the IDG’s 2020 Cloud Computing Survey, 59% of tech buyers say that they planned to be “mostly” or “all” in the cloud by early 2022. Both studies indicate that public cloud adoption is accelerating rapidly.
Even so, many companies face one challenge along their cloud journey: how to track and manage cloud asset inventory. Most organizations have control points to minimize or prevent issues as they provision their cloud infrastructure and services. And yet, “leakages” along the way increase the risk of security breaches. That’s why it’s critical to build a robust asset management pipeline, and identify and close any leaks as soon as possible.
In this article, we discuss the common types of leaks in cloud-native architectures, and unpack some strategies to plug these leaks and ensure the security of cloud assets.
As the cloud becomes increasingly important, organizations have to contend with numerous assets and “as-a-Service” offerings. They must keep track of these assets, especially if losing track could have a potentially serious negative impact. For example, assets that have administrative control over other assets, or store or process sensitive data must definitely be tracked.
An asset management pipeline enables organizations to identify their cloud assets and to find and address the various “leaks” that put those assets at risk. A pipeline approach provides a holistic view of asset inventory by tracking the four kinds of leak discussed below: procurement, processing, tooling and finding leaks.
Procurement leaks refer to costs the organization did not expect or failed to see. This usually happens because they work with multiple cloud providers who provision different types of assets based on diverse delivery models like PaaS, IaaS and SaaS. As a result, they either don’t see the expense, or assume that there isn’t one because it’s “free”.
Providers usually charge for these assets, so organizations can keep track of expenditures. However, leaks can still happen. To prevent them, they must review all IT charges. For each expense, the individual responsible for incurring it should provide some limited auditing credentials to automatically pull inventory information. Of course, the inventory system should not be able to read anything but metadata, or modify anything except resource tags. The credentials for inventory automation should not bypass these controls.
Processing leaks happen when the organization fails to specify or itemize the assets from (one or more) cloud providers. All providers offer portals, APIs or command line utilities to help their customers automatically create asset lists. Some also provide inventory or security tracking systems. And yet, not all organizations take advantage of these offerings. Often, some assets are not inventoried, which means that downstream tools and processes cannot perform the necessary checks to ensure proper access control and proper tagging.
To identify, plug or prevent such leaks, use the audit credentials to enumerate exactly what the cloud provider is delivering. Information about these assets (or assets nested inside other assets) can be pulled from the provider’s portals, inventory systems, command-line utilities, or APIs. Which services are available to audit usage depends on the provider. For example, AWS provides an API, a portal, a command-line tool, and AWS Systems Manager Inventory for visibility into Amazon EC2 and on-premises computing environments. Similarly, Microsoft Azure provides an API, a portal and a command-line tool, plus Azure Automation Inventory to track and inventory Azure VMs.
If changes are infrequent, a manual inventory may be sufficient. But in most cases, it’s difficult to keep manual inventories up-to-date, so automation using the command-line tools or APIs is preferable.
Organizations can also look into the provider’s inventory or security tracking systems. Some allow asset tracking down to the level of what’s installed on different virtual machines. Some also feed into other security tools like scanners, and import assets from other providers (or on-prem infrastructure). It’s vital to investigate each asset type to find other assets that might be significant from a security viewpoint.
Tooling leaks occur when the organization knew about an asset but never checked it, typically because it lacked the tools or processes to review that asset for security issues. This is why each tool that checks asset security must be coupled with the asset inventory, and why it is crucial that the tool can easily obtain the information it needs to do its job.
For example, the web application vulnerability scanner must be able to obtain the URLs of these applications, while a network vulnerability scanner should be able to obtain the in-use IP addresses from information about Virtual Machines (VM) or Virtual Private Clouds (VPC). Similarly, the baselining system should know about the different VMs so it can check their configurations, and the Windows antivirus solution should have a list of all Windows systems to track alerts and update signatures.
Organizations are generally aware of the findings (risks) and alerts generated by tooling systems. But often, they are ignored without review. This usually happens when scanning systems create many false positives and cause “alert fatigue”.
While it is sometimes acceptable to accept a risk without fixing it, this should only be done after the risk has been reviewed. Choosing to ignore risks without a review creates a finding leak.
Tagging cloud assets is a useful way to understand their version number, application or project, what data they contain, and what they’re used for (function). This information helps simplify access control, and makes it easier to prevent or close the leaks discussed here.
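The tooling-leak and tagging checks described above, as an added example that is not part of the original article or of any Magalix product: it reconciles a constructed provider inventory against the target lists each security tool actually holds, and reports assets missing the recommended tags. Asset shapes, tool names and tag names are assumptions chosen for illustration.

```python
"""Reconcile a cloud asset inventory against the targets each security tool
covers (tooling leaks) and flag assets missing required tags (tagging gaps)."""

# Constructed sample inventory, loosely shaped like a provider API response.
INVENTORY = [
    {"id": "i-0a1", "type": "vm", "os": "windows", "ip": "10.0.1.10",
     "tags": {"application": "billing", "data": "pii", "function": "web", "version": "2.3"}},
    {"id": "i-0a2", "type": "vm", "os": "linux", "ip": "10.0.1.11",
     "tags": {"application": "billing", "function": "api"}},
    {"id": "app-01", "type": "webapp", "url": "https://billing.example.internal",
     "tags": {"application": "billing", "data": "pii", "function": "web", "version": "2.3"}},
    {"id": "i-0a3", "type": "vm", "os": "windows", "ip": "10.0.2.5", "tags": {}},
]

# Constructed view of what each tool currently targets (hypothetical tool names).
TOOL_TARGETS = {
    "network_scanner": {"10.0.1.10", "10.0.1.11"},   # keyed by in-use IP address
    "webapp_scanner": set(),                          # keyed by application URL
    "windows_av": {"i-0a1"},                          # keyed by asset id
}

# Tags the article recommends: version, application/project, data held, function.
REQUIRED_TAGS = {"application", "data", "function", "version"}

def tool_key(asset, tool):
    """Return the inventory attribute a tool needs to target this asset, or None if out of scope."""
    if tool == "network_scanner" and asset["type"] == "vm":
        return asset["ip"]
    if tool == "webapp_scanner" and asset["type"] == "webapp":
        return asset["url"]
    if tool == "windows_av" and asset.get("os") == "windows":
        return asset["id"]
    return None

def tooling_leaks(inventory, tool_targets):
    """Map each tool to the ids of assets it should cover but does not know about."""
    leaks = {}
    for tool, targets in tool_targets.items():
        for asset in inventory:
            key = tool_key(asset, tool)
            if key is not None and key not in targets:
                leaks.setdefault(tool, []).append(asset["id"])
    return leaks

def tag_gaps(inventory, required=REQUIRED_TAGS):
    """Map each incompletely tagged asset id to the sorted list of tags it is missing."""
    gaps = {}
    for asset in inventory:
        missing = required - set(asset["tags"])
        if missing:
            gaps[asset["id"]] = sorted(missing)
    return gaps

if __name__ == "__main__":
    print("tooling leaks:", tooling_leaks(INVENTORY, TOOL_TARGETS))
    print("tag gaps:", tag_gaps(INVENTORY))
```

In practice the inventory would be fed by the provider's API or CLI output and the target lists exported from each tool; the reconciliation logic stays the same.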
Magalix enables organizations to correctly inventory their cloud assets and secure them without any findings leaks. This ensures that any risks identified by their security tools are properly addressed based on their criticality and potential impact.