A Cloud Security Posture Assessment is now providing businesses with an up-to-date snapshot of their public cloud security and compliance posture. Ian Tinney looks at what’s involved.
Do you know what your cloud security posture is? Cloud sprawl, fuelled by the pandemic and the move to a multi-cloud architecture, is making it harder than ever to keep track of which assets are in the cloud and the level of protection they’re afforded.
As new systems are brought online or existing ones reconfigured, the risk of misconfiguration grows and with it the likelihood of a breach. Recent research suggests misconfiguration is now the number one cause of data breaches and it is monopolising resources, with half of cloud engineering and security teams dedicating more than 50 hours a week and 20% over 100 hours a week to remediation.
An unsecured cloud environment can see the business become non-compliant with security standards, endangering your reputation and running the risk of punitive fines. So, it’s never been more important to determine the state of your cloud, yet this can be highly challenging. Many organisations struggle with the lack of visibility of their cloud systems, may not be aware of misconfigurations, and simply don’t have the resources or skills to assess and implement controls.
Health check hold-up
It’s for these reasons that cloud health checks have become so popular. They’re usually offered as part of the onboarding process by cloud providers but involve a protracted process. You’ll typically be quizzed on your cloud environment, then have to embed agents on your network and undergo a minimum of a weeklong monitoring exercise before being presented with a report that offers recommendations. It’s a largely manual, resource and time-intensive process.
None of this makes any sense in an environment that is built for speed and flexibility. Why can’t you assess your cloud deployment in real-time? Why use agents when you can use an API? And why not automate it with no strings attached, so you just get the information you need without being tied into a vendor?
Conducting an automated health check using just an API can provide you with all the information you need in under thirty minutes. You can obtain a detailed inventory of cloud assets, and because it’s platform agnostic, the assessment can be run over multi-cloud deployments that use AWS, GCP and Azure. Any misconfigurations are identified and reported together with advice on remediation. And you can also assess your compliance with industry standards such as ISO 27001, NIST, FedRAMP, GDPR, HIPAA, HITRUST, and PCI DSS.
Performing this type of instant assessment is remarkably straightforward. It simply requires a read-only account to be set up to pull down the metadata from your cloud accounts using the cloud providers’ APIs. This is then used to generate reports on security and compliance. Once the scan report is completed, cloud account details and the read-only account are deleted.
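To make the "identify and report" step concrete, here is an added Python example (not the article's or any vendor's tool) that runs two misconfiguration rules over inventory metadata of the kind a read-only API pull returns; the inventory is constructed sample data, and the rule set and control references are illustrative assumptions.

```python
# Added example (not from the article): a minimal misconfiguration check over
# inventory metadata of the kind a read-only API pull returns. The inventory
# below is CONSTRUCTED sample data; rules and control mappings are illustrative.

INVENTORY = {  # constructed, not from a real account
    "buckets": [
        {"name": "public-assets", "public_access_blocked": False, "encrypted": True},
        {"name": "customer-exports", "public_access_blocked": True, "encrypted": False},
    ],
    "security_groups": [
        {"id": "sg-0a1b", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-0c2d", "ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
    ],
}

def check_bucket(b):
    """Yield (finding, remediation, controls) tuples for one storage bucket."""
    if not b["public_access_blocked"]:
        yield (f"bucket {b['name']} allows public access",
               "enable the provider's public-access block",
               ["ISO 27001 A.13.1", "PCI DSS Req 1"])
    if not b["encrypted"]:
        yield (f"bucket {b['name']} is not encrypted at rest",
               "enable default server-side encryption",
               ["HIPAA 164.312(a)(2)(iv)", "PCI DSS 3.4"])

def check_security_group(sg):
    """Yield findings for admin ports (SSH/RDP) reachable from any address."""
    for rule in sg["ingress"]:
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389):
            yield (f"{sg['id']} exposes port {rule['port']} to 0.0.0.0/0",
                   "restrict the source CIDR or front it with a bastion",
                   ["NIST SP 800-53 SC-7", "PCI DSS Req 1"])

def assess(inventory):
    """Run all rules and return the report as a list of finding dicts."""
    report = []
    for b in inventory.get("buckets", []):
        report += [dict(finding=f, remediation=r, controls=c) for f, r, c in check_bucket(b)]
    for sg in inventory.get("security_groups", []):
        report += [dict(finding=f, remediation=r, controls=c)
                   for f, r, c in check_security_group(sg)]
    return report

if __name__ == "__main__":
    for item in assess(INVENTORY):
        print(f"{item['finding']}: {item['remediation']} {item['controls']}")
```

Real assessments enumerate the same metadata through the providers' own APIs with a read-only principal; the checks stay the same, only the inventory source changes.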
Benefits of instant assessment
Being able to determine what is going on over your network in real-time provides you with insights that you can immediately act upon to adjust your security posture, remediate misconfigured systems, and allocate resources to monitor key areas going forward. But it also allows you to expand your cloud with confidence and provides those looking to adopt a multi-cloud approach with the means to manage multiple environments.