During her presentation at the inaugural edition of the InfoQ Dev Summit Munich, Danielle Sudai, security operations lead at Deliveroo, explored the fundamentals of cloud security posture management (CSPM), stressing how a single misconfiguration can damage your company's security. She emphasised the importance of bridging the gap between the different layers of the organisation, from governance to technology.
Sudai started her presentation by looking back at the most significant data breaches in recent history, emphasising that some of them were caused by seemingly innocent misconfigurations, as small as a vulnerability in a single storage bucket.
After a refresher of cybersecurity terminology, Sudai defined CSPM as
... a technology that helps to identify misconfigurations using its metadata to identify potential threats that lead to actual breaches.
She describes its lifecycle as inventory (every attribute related to the security of the cloud infrastructure, including rules, policies and tooling), scanner (the tool that analyses every event happening in the infrastructure, so that changes can be identified over time), detect (identifying in the inventory the exposed components, based on the events the scanner extracted), notify (the alerting mechanisms that point the potential fault out to the users) and enforce (templating mechanisms that facilitate an improved security posture), indicating that the secret is the collaboration between the different technical functions of the organisation.
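To make the five stages concrete, the following is an added example (not code from the talk, from Deliveroo, or from any CSPM product) that runs the lifecycle over two constructed inventory snapshots: the scanner diffs them, the detect stage applies a few rules only to the resources that changed, notify renders alerts, and enforce emits a desired-state template for each affected resource. Every resource name, attribute and control label in it is hypothetical.

```python
"""Minimal CSPM lifecycle over constructed resource metadata.

Stages mirror the talk: inventory -> scanner -> detect -> notify -> enforce.
All resource records are constructed for illustration; no cloud API is
called and no real account, bucket or control identifier is referenced.
"""
from typing import Callable, Optional

Inventory = dict[str, dict]  # resource id -> metadata (the "inventory" stage)


def snapshot_v1() -> Inventory:
    """Constructed 'yesterday' snapshot of hypothetical resources."""
    return {
        "bucket-customer-exports": {"type": "bucket", "public_read": False, "encryption": "aes256"},
        "sg-web-tier": {"type": "security_group", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    }


def snapshot_v2() -> Inventory:
    """Constructed 'today' snapshot: a bucket went public, an admin port opened, a new bucket appeared."""
    return {
        "bucket-customer-exports": {"type": "bucket", "public_read": True, "encryption": "aes256"},
        "sg-web-tier": {"type": "security_group",
                        "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
        "bucket-build-cache": {"type": "bucket", "public_read": False, "encryption": "none"},
    }


# --- scanner: turn two snapshots into change events ---------------------------
def scan(old: Inventory, new: Inventory) -> list[dict]:
    events = []
    for rid, cfg in new.items():
        if rid not in old:
            events.append({"resource": rid, "change": "created"})
        elif old[rid] != cfg:
            events.append({"resource": rid, "change": "modified"})
    for rid in old:
        if rid not in new:
            events.append({"resource": rid, "change": "deleted"})
    return events


# --- detect: rules return a message when a resource is exposed ------------------
def public_bucket(cfg: dict) -> Optional[str]:
    if cfg["type"] == "bucket" and cfg.get("public_read"):
        return "bucket allows public read"
    return None


def unencrypted_bucket(cfg: dict) -> Optional[str]:
    if cfg["type"] == "bucket" and cfg.get("encryption", "none") == "none":
        return "bucket has no at-rest encryption"
    return None


def admin_port_open_to_world(cfg: dict) -> Optional[str]:
    if cfg["type"] == "security_group":
        for rule in cfg.get("ingress", []):
            if rule["port"] in (22, 3389) and rule["cidr"] == "0.0.0.0/0":
                return f"port {rule['port']} open to 0.0.0.0/0"
    return None


# (rule, severity, illustrative control label) - labels are placeholders, not real control IDs
RULES: list[tuple[Callable[[dict], Optional[str]], str, str]] = [
    (public_bucket, "critical", "storage-access-control"),
    (unencrypted_bucket, "high", "data-at-rest-encryption"),
    (admin_port_open_to_world, "high", "network-admin-access"),
]


def detect(inventory: Inventory, events: list[dict]) -> list[dict]:
    """Apply every rule, but only to resources the scanner reported as changed."""
    touched = {e["resource"] for e in events if e["change"] != "deleted"}
    findings = []
    for rid in sorted(touched):
        for rule, severity, control in RULES:
            msg = rule(inventory[rid])
            if msg:
                findings.append({"resource": rid, "severity": severity, "control": control, "message": msg})
    return findings


# --- notify: one alert line per finding ------------------------------------------
def notify(findings: list[dict]) -> list[str]:
    return [f"[{f['severity'].upper()}] {f['resource']}: {f['message']} ({f['control']})" for f in findings]


# --- enforce: desired-state template for each affected resource --------------------
def enforce(findings: list[dict], inventory: Inventory) -> dict:
    desired = {}
    for f in findings:
        cfg = dict(inventory[f["resource"]])
        if cfg["type"] == "bucket":
            cfg["public_read"] = False
            if cfg.get("encryption", "none") == "none":
                cfg["encryption"] = "aes256"
        elif cfg["type"] == "security_group":
            cfg["ingress"] = [r for r in cfg["ingress"]
                              if not (r["port"] in (22, 3389) and r["cidr"] == "0.0.0.0/0")]
        desired[f["resource"]] = cfg
    return desired


def run_lifecycle(old: Inventory, new: Inventory):
    events = scan(old, new)
    findings = detect(new, events)
    return events, findings, notify(findings), enforce(findings, new)


if __name__ == "__main__":
    _, _, alerts, template = run_lifecycle(snapshot_v1(), snapshot_v2())
    print("\n".join(alerts))
    print(template)
```

Running the module prints three alerts (the public bucket, the unencrypted new bucket and the world-open admin port) and the corrected configuration for each. Limiting detection to changed resources is what keeps the scanner stage cheap between full inventory refreshes; the enforce output is deliberately a template rather than a live change, so the governance side can decide which remediations are applied automatically and which need a ticket.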
By asking the right questions, you can identify the potential threats to which your infrastructure is exposed and further mitigate the potential risks inflicted on your organisation.
Even if vulnerabilities are present, it doesn't necessarily mean that you will be affected; to measure the potential impact and likelihood of a threat, Sudai points to several organisations and standards that can be used:
- The voluntary frameworks provided by the National Institute of Standards and Technology (NIST).
- The information security standards that provide guidance and best practices (ISO 27001 and 27002).
- SOC 2, which defines criteria for managing customer data based on five "trust service principles": security, availability, processing integrity, confidentiality and privacy.
- HIPAA, which focuses on safeguarding electronic protected health information.
- GDPR, a European Union law that establishes guidelines for collecting, processing and storing personal data; it protects individuals' privacy and gives them control over their data.
Using the above frameworks or others, you can define measures for your company depending on your most important assets. In this way, you can activate only the most essential things for your organisation, deciding to ignore those that are not relevant.
Implementing cloud security posture monitoring will increase your organisation's transparency and visibility about its potential cybersecurity risks, allowing you to identify and fix the root cause of existing threats quickly. Further, integrating it into the DevOps ecosystem will give you a unitary alerting system across the organisation, enabling you to have rapid response times regardless of the nature of the disruption in your system. Last but not least, by bridging the gap between the governance and the technical side, you are sure to react in the most critical situations for your organisation.