
DevSecOps In The Cloud: How to Manage Security With CSPM

by Sofia Konobievska, September 27th, 2023

Too Long; Didn't Read

What is CSPM (cloud security posture management)? I explain how CSPM works, which tasks CSPM automates, DevSecOps in the cloud, and the Shift-Left concept in DevSecOps.


In this article, I want to highlight the specifics of organizing security in the cloud and describe how CSPM products help automate the security process within the DevSecOps methodology.

Shift-Left concept in DevSecOps


Companies face security management challenges when they try to increase the delivery speed of new product versions. As with code delivery, product security must be ensured without reducing the speed and flexibility of developing and delivering new features.


It might seem sufficient to test the finished product in detail for compliance with security requirements. The problem is that if issues are found at this stage, all the earlier stages of the release pipeline have to be run again, which greatly increases development costs. So the earlier a vulnerability is identified, the cheaper it is to fix. This is called the Shift-Left approach to security.


The DevSecOps methodology is used to ensure security at every stage of development. This approach involves using different security techniques and tools for almost every step of the delivery pipeline.


If you want to learn more about DevSecOps, read my article How to Turn A DevOps Pipeline Into a DevSecOps Pipeline: A Shift Left Concept Overview.

Secure engineering

At this stage, the architecture of the application components should consider important security-related aspects:


  • Selection of the code execution environment, including platforms, application servers, and operating systems. If an insecure environment is chosen, the application's release to production may be blocked.
  • Definition of the application components and of the secure protocols and interfaces through which they interact. The methods, protocols, and interfaces for interaction with external and internal services must be worked out here.


Nice, move on.

Secure development

You must:


  • Create development regulations that include guidelines for avoiding vulnerabilities in code, as well as secure design patterns
  • Design the code for secure infrastructure deployment (e.g., Terraform)
  • Implement static application security testing (SAST)
  • Start looking for vulnerabilities in the libraries used (especially open source) and in external dependencies


Nice, move on.

Secure deployment

This stage includes:


  • Checking for vulnerabilities in the application's executable environment, as well as virtual machines and operating systems
  • Dynamic application security testing (DAST)
  • Penetration testing (PenTesting)


Nice, move on.

Secure maintenance

This is probably the most complex stage of security control. It is necessary not only to check once that the application is deployed and configured securely but also to ensure its protection 24/7 from possible attacks and vulnerabilities, as well as from unsafe configuration changes.


The main tasks of this phase are:


  • Ensuring network security
  • Continuous monitoring and vulnerability management
  • Managing users, rights, and access
  • Monitoring anomalous user behavior to detect an attack
  • Tracking and analyzing security audit log events


Now, let's move to DevSecOps in the cloud.

DevSecOps in the cloud


The above approaches also apply to applications and infrastructure in the cloud. The main advantages of the cloud are flexibility and the availability of virtually any service at scale, so cloud security can be managed with out-of-the-box tools. These greatly simplify and automate security at the last stage, when the application or product is deployed and already operating on cloud infrastructure. At the same time, cloud environments tend to be complex and multi-tiered, which makes it difficult to identify and address every potential security threat.


There are many settings and configuration options when deploying resources and services in the cloud. Identity and Access Management (IAM) configurations define who can view, modify, and run cloud resources and services. Network parameters define which other resources a service can interact with. Managed service configurations, such as environment settings defined in container images or RBAC (Role Based Access Control) policies in Kubernetes, add even more layers and variables to the cloud infrastructure configuration.


I also recommend reading my article The Benefits and Challenges of Implementing DevSecOps.


So, the major security issues in the cloud are:


  • Vulnerable infrastructure configurations. The configuration ignores security aspects, leaving, for example, open firewall ports and weak authentication policies.
  • Data leaks. Sensitive information that is not properly protected and monitored in a cloud environment, for example data stored unencrypted, is a serious risk.
  • Poorly configured services. Services that are not configured according to security recommendations, such as managed database services or Kubernetes clusters, are also dangerous.
  • Improper distribution of access rights. If access distribution is not properly designed, some users may end up with privileges over the resources of others, which creates the risk of those resources being destroyed.
  • Lack of change monitoring. Unmonitored configuration changes can lead to undetected security breaches and corresponding opportunities for attackers.


With so many different configuration options, it is easy to make a mistake that weakens the overall security of a cloud environment. An employee could create an IAM policy that allows any other employee to modify a virtual machine instance, or an administrator could inadvertently define network settings that expose sensitive data in S3 buckets directly to anyone on the Internet.
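To make the misconfiguration classes above concrete, here is a small posture scan written as an added illustration for this article (it is not the author's code and not any CSPM product's logic). It runs over a constructed inventory snapshot whose shape is invented for the example; a real CSPM would build the same kind of snapshot from the cloud provider's inventory APIs. It flags Internet-exposed non-web ports, public and unencrypted buckets, and an IAM policy that grants a service-wide wildcard on every resource, and it also shows the change-monitoring angle by diffing the findings of two scans.

```python
"""Posture scan over a constructed snapshot of deployed cloud resources.

Added illustration, not code from the article. The snapshot shape is
invented for this example; a real CSPM would build it from the cloud
provider's inventory APIs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    resource: str
    message: str


# Constructed inventory snapshot (not real account data).
SNAPSHOT = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
    ],
    "buckets": [
        {"name": "app-logs", "public": False, "encrypted": True},
        {"name": "customer-exports", "public": True, "encrypted": False},
    ],
    "iam_policies": [
        {"name": "LogReader", "actions": ["s3:GetObject"],
         "resource": "arn:aws:s3:::app-logs/*"},
        {"name": "AnyoneEditsVMs", "actions": ["ec2:*"], "resource": "*"},
    ],
}

# Ports that are expected to be reachable from the Internet on a web tier.
PUBLIC_OK_PORTS = {80, 443}


def check_security_groups(groups):
    """Flag ingress rules open to the whole Internet on non-web ports."""
    for sg in groups:
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] not in PUBLIC_OK_PORTS:
                yield Finding("NET-001", "high", sg["id"],
                              f"port {rule['port']} open to 0.0.0.0/0")


def check_buckets(buckets):
    """Flag publicly readable and unencrypted object storage."""
    for b in buckets:
        if b["public"]:
            yield Finding("STO-001", "critical", b["name"],
                          "bucket is publicly accessible")
        if not b["encrypted"]:
            yield Finding("STO-002", "medium", b["name"],
                          "bucket lacks encryption at rest")


def check_iam_policies(policies):
    """Flag policies that grant a service-wide wildcard on every resource."""
    for p in policies:
        broad = any(a == "*" or a.endswith(":*") for a in p["actions"])
        if broad and p["resource"] == "*":
            yield Finding("IAM-001", "high", p["name"],
                          f"wildcard actions {p['actions']} on all resources")


def scan(snapshot):
    """Run every check and return the findings, most severe first."""
    findings = [
        *check_security_groups(snapshot.get("security_groups", [])),
        *check_buckets(snapshot.get("buckets", [])),
        *check_iam_policies(snapshot.get("iam_policies", [])),
    ]
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: order[f.severity])


def new_findings(previous, current):
    """Change monitoring: findings present now that were absent last time."""
    seen = set(previous)
    return [f for f in current if f not in seen]


if __name__ == "__main__":
    for f in scan(SNAPSHOT):
        print(f"[{f.severity:8}] {f.rule_id} {f.resource}: {f.message}")
```

Running the block prints four findings: the public, unencrypted `customer-exports` bucket, the database security group open on port 5432 to the whole Internet, and the `ec2:*` policy on all resources. Calling `new_findings` with the output of an earlier scan isolates what changed since the last run, which is the signal a change-monitoring alert would be built on.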


So, how do you cost-effectively control cloud infrastructure security? The answer is cloud security posture management (CSPM)!

What is CSPM (cloud security posture management)?

Cloud security posture management (CSPM) products let you control security and keep cloud configurations transparent. CSPM is a proactive approach to protecting infrastructure of any size.


Misconfiguration of cloud environments is typically one of the most common causes of data breaches, so using a CSPM tool can reduce cloud security incidents caused by misconfigurations by at least 80%.

How does CSPM work, and what tasks does it automate?


Most CSPMs automatically scan configurations in the cloud and then evaluate the settings against a broad set of security rules, typically grouped into standards. CSPM tools can do this continuously, monitoring configurations in real time and identifying risks as soon as they appear.


Also, many CSPMs can handle the security incidents identified through scanning and allow for automatic remediation.


How CSPM works:


  1. Identifying and addressing configuration security risks in the cloud: cloud security assessment, risk identification, prioritization, and remediation.
  2. Controlling user privileges: it analyzes user rights distribution policies and detects excessive privileges.
  3. Ensuring compliance with security standards: it automatically audits configurations against standards such as CIS, PCI DSS, and GDPR, as well as internal company security policies.
  4. Ensuring infrastructure security during the development phase: it analyzes IaC templates from development through deployment.
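
The following block is an added illustration of points 1, 3, and 4 above (the rule engine, the grouping of rules into standards, and the scan of IaC templates before deployment); it is not the article's code and not any vendor's implementation. It evaluates a constructed Terraform JSON-syntax configuration (`.tf.json`) against a handful of rules, groups the results into constructed standard names that stand in for a CIS or PCI DSS control mapping, and orders the failures by severity. The `aws_db_instance` and `aws_ebs_volume` argument names it inspects are real Terraform AWS provider arguments; the rule IDs, severities, and standard names are assumptions made for the example.

```python
"""Shift-left IaC scan: evaluate a Terraform JSON-syntax config against rules
grouped into standards and produce a compliance report.

Added illustration, not code from the article. The rule set and the standard
names are constructed; absent attributes are treated as non-compliant so that
a forgotten setting is surfaced rather than silently passed.
"""
import json
from dataclasses import dataclass
from typing import Callable

# Constructed .tf.json document (Terraform's JSON configuration syntax).
TF_JSON = """
{
  "resource": {
    "aws_db_instance": {
      "orders":    {"engine": "postgres", "publicly_accessible": true,
                    "storage_encrypted": false, "backup_retention_period": 0},
      "reporting": {"engine": "postgres", "publicly_accessible": false,
                    "storage_encrypted": true, "backup_retention_period": 14}
    },
    "aws_ebs_volume": {
      "scratch": {"size": 100, "encrypted": false}
    }
  }
}
"""


@dataclass(frozen=True)
class Rule:
    rule_id: str
    standard: str                  # constructed grouping (stands in for CIS/PCI mapping)
    severity: str
    resource_type: str
    check: Callable[[dict], bool]  # returns True when the resource is compliant
    message: str


RULES = [
    Rule("DB-PUBLIC", "exposure", "high", "aws_db_instance",
         lambda r: not r.get("publicly_accessible", False),
         "database must not be publicly accessible"),
    Rule("DB-ENCRYPT", "encryption", "high", "aws_db_instance",
         lambda r: r.get("storage_encrypted", False),
         "database storage must be encrypted"),
    Rule("DB-BACKUP", "resilience", "medium", "aws_db_instance",
         lambda r: r.get("backup_retention_period", 0) >= 7,
         "automated backups must be retained for at least 7 days"),
    Rule("EBS-ENCRYPT", "encryption", "medium", "aws_ebs_volume",
         lambda r: r.get("encrypted", False),
         "volume must be encrypted"),
]


def iter_resources(config):
    """Yield (type, address, attributes) for every resource block."""
    for rtype, instances in config.get("resource", {}).items():
        for name, attrs in instances.items():
            yield rtype, f"{rtype}.{name}", attrs


def evaluate(tf_json, rules=RULES):
    """Apply every rule to every resource of its type; one result per pair."""
    config = json.loads(tf_json)
    results = []
    for rtype, address, attrs in iter_resources(config):
        for rule in rules:
            if rule.resource_type != rtype:
                continue
            results.append({"rule": rule, "resource": address,
                            "passed": bool(rule.check(attrs))})
    return results


def compliance_report(results):
    """Pass/fail counts and a percentage score per standard."""
    report = {}
    for r in results:
        entry = report.setdefault(r["rule"].standard, {"passed": 0, "failed": 0})
        entry["passed" if r["passed"] else "failed"] += 1
    for entry in report.values():
        total = entry["passed"] + entry["failed"]
        entry["score"] = round(100 * entry["passed"] / total, 1)
    return report


def prioritized_failures(results):
    """Failed checks, highest severity first, for the remediation queue."""
    order = {"high": 0, "medium": 1, "low": 2}
    failed = [r for r in results if not r["passed"]]
    return sorted(failed, key=lambda r: order[r["rule"].severity])


if __name__ == "__main__":
    results = evaluate(TF_JSON)
    for standard, entry in compliance_report(results).items():
        print(f"{standard:11} {entry['score']:5.1f}% ({entry['failed']} failed)")
    for r in prioritized_failures(results):
        print(f"[{r['rule'].severity}] {r['resource']}: {r['rule'].message}")
```

Run against the constructed template, the `orders` database fails all three database rules and the `scratch` volume fails the encryption rule, while `reporting` passes, giving a 33.3% score for the encryption group and 50% for the other two. A pipeline gate at this stage would fail the build on any high-severity entry in `prioritized_failures`, which is the point of scanning IaC before the resources exist rather than after.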


Most CSPM platforms come with built-in policies, but some have the ability to customize them to meet a company's specific needs.


CSPM tools can also visualize risks and attack vectors and integrate into the development process, identifying security issues early, before resources are deployed in the cloud.

Conclusion

Whether to emphasize security in the cloud is up to each individual. But regardless of the size of the company, it is important to keep in mind that with inexpensive and effective tools like CSPM available, cloud infrastructure risk management is now possible without wasting time and resources. Using a CSPM tool will also help prevent security incidents that can cause huge financial and reputational losses.