CXO Bytes

5 Best Practices for DevSecOps Teams to Ensure Compliance

Cloud native applications have enabled a new level of agility and scalability for many organizations. With that growth have come increased risk and difficulty in managing cloud sprawl and maintaining compliance across an ever-growing portfolio of assets.

Let’s look at compliance challenges that are especially inherent to cloud native applications:

  • With limitless scale comes the difficulty of observability and visibility. Countless assets can be created and destroyed at any time, making manual tracking of assets nearly impossible.
  • With programmable infrastructure and the convenience of containers comes the potential to propagate misconfigurations. If the image is created incorrectly, all subsequent containers will contain issues as well.
  • With cloud sprawl comes the complexity of maintaining a centralized audit trail. The volume of data generated and the complexity of managing multiple cloud environments can strain systems that are not designed for the task.

With these challenges in mind, let’s consider five best practices for DevSecOps teams looking to ensure compliance in a modern cloud environment.

Best Practice 1: Inventory Your Resources and Assets

Discovery and visibility are essential to ensuring that you are operating within compliance regulations. Simply put: You can’t protect what you can’t see. If you don’t know about it, it’s not being protected, and – in a cloud environment – we may be talking about hundreds or thousands of instances.

In any inventory/discovery process, there are four key questions to ask:

  1. What assets/resources belong to my organization?
  2. Where are these assets and who has access to them?
  3. When new resources are spun up or existing ones are spun down, how will we keep track?
  4. Are other stakeholders (compliance and DevSecOps teams) in the loop to understand those assets from “their” perspective?

Don’t just assign someone the task of inventorying everything manually. Traditional security doesn’t work in the cloud, and manual tracking can leave blind spots. Cloud service providers and developers adopt new cloud services at a breakneck speed, and security professionals’ understanding of the environment lags further behind with each one.

In a cloud environment, automating the process of discovery and visibility is essential. A cloud native application protection platform (CNAPP) will scan, catalog and monitor your cloud environments in real time, eliminating blind spots and surfacing the true state of your network. The platform approach also lets each stakeholder view changes in the cloud from their own perspective and act on what matters to them. From there, you can begin the journey toward compliance.

Best Practice 2: Implement Observability for All Your Resources

Once we know what our assets are, we can move toward monitoring the state of each asset with observability. Observability ensures that you can know – in real time – the state of every resource. If there is an issue with a resource, observability tools give you insight into the cause. Observability answers the following questions:

  • What is the state of each of these resources?
  • If the state of any resource changes, how will we know about it?

Both the scope and scale of modern cloud environments make manual observation unfeasible. An observability solution should:

  • Aggregate large amounts of data.
  • Provide quick access to that data.
  • Analyze and generate meaningful statistics based on that data.

By providing the above, an observability solution can lower the mean time to repair (MTTR) of your organization.

For compliance, organizations should employ an observability solution that can provide compliance dashboards for Center for Internet Security (CIS) benchmarks. This allows the observability solution to help with monitoring assets to keep them in compliance.

Best Practice 3: Establish a Threat Detection and Response Plan

With our assets discovered and under observation, it is time to establish a plan for how to respond to and mitigate threats. When an attack has already occurred, you’re too late. Before that attack happens, a plan must be established – both for how to detect ongoing threats, as well as the process for responding to those that are detected.

For threat detection, time is of the essence as organizations have only a short time to respond to any attack. To add to that challenge, the ephemeral nature of the cloud creates dynamic views of the threat surface. The traditional breadcrumbs you want to follow will lead to more U-turns and dead ends. A CNAPP solution with automated, real-time threat detection can filter out noise, fight alert fatigue and reduce threat investigation times. Threat detection systems also provide dashboards and alerts, which make it simpler for humans to monitor and respond to events as necessary.

Compliance issues are similar to threats in that they should have real-time detection and remediation. The best CNAPP includes compliance monitoring as well, meaning that any compliance issues in your assets can be discovered quickly and in real time. From there, the system can provide remediation steps and detailed, drilled-down information, making compliance remediation quick and easy for your DevSecOps team.

Best Practice 4: Track and Monitor Configurations

A misconfigured asset is one of the most common causes of cloud intrusions. As software and platforms are continually updating and new security vulnerabilities are being discovered, configuration and compliance must be validated and monitored in real time. Additionally, cloud environments lend themselves to any configuration issues being propagated across hundreds or thousands of assets at once, making any issues even more dangerous.

As such, it is not enough to configure an asset once and trust that it will remain compliant. We must ask: If the configuration of any asset changes, how will we know about it? To address this, we must monitor configurations in real time. The best CNAPP not only monitors but can also suggest best practice configurations along with remediation steps for any known issues.
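The two questions above (“how will we keep track of new and removed resources?” from Best Practice 1 and “if the configuration of any asset changes, how will we know?” from this section) come down to reconciling inventory snapshots and checking each asset against a baseline of rules. The following is an added illustration, not CrowdStrike’s or any CNAPP’s code: the asset ids, configuration keys and the three hardening rules are constructed stand-ins for what a real scanner would collect and for CIS-style checks.

```python
"""Constructed example: reconcile two inventory snapshots of cloud assets,
report created/destroyed assets and configuration drift, and flag findings
against a few illustrative CIS-style rules. Hypothetical, not vendor code."""
from typing import Dict, List, Tuple

Asset = Dict[str, object]
Snapshot = Dict[str, Asset]  # keyed by asset id

# Illustrative hardening rules (hypothetical, modelled on CIS-style checks).
# Each rule returns True when the asset is compliant.
RULES = {
    "no-root-container": lambda a: a.get("type") != "container" or a.get("run_as_root") is False,
    "ssh-not-world-open": lambda a: "0.0.0.0/0" not in a.get("ssh_ingress", []),
    "storage-not-public": lambda a: a.get("type") != "bucket" or not a.get("public", False),
}

def diff_snapshots(old: Snapshot, new: Snapshot) -> Dict[str, List]:
    """Return created/destroyed asset ids and per-asset configuration drift."""
    created = sorted(set(new) - set(old))
    destroyed = sorted(set(old) - set(new))
    drift = []
    for aid in sorted(set(old) & set(new)):
        for key in sorted(set(old[aid]) | set(new[aid])):
            if old[aid].get(key) != new[aid].get(key):
                drift.append((aid, key, old[aid].get(key), new[aid].get(key)))
    return {"created": created, "destroyed": destroyed, "drift": drift}

def evaluate(snapshot: Snapshot) -> List[Tuple[str, str]]:
    """Return (asset id, rule name) for every rule an asset violates."""
    return [(aid, rule) for aid, a in sorted(snapshot.items())
            for rule, ok in RULES.items() if not ok(a)]

# Constructed snapshots: a compliant baseline and a later scan of the same environment.
BASELINE = {
    "i-web01": {"type": "vm", "ssh_ingress": ["10.0.0.0/8"]},
    "ctr-api-7f3": {"type": "container", "image": "api:1.4", "run_as_root": False},
    "bkt-logs": {"type": "bucket", "public": False},
}
LATER = {
    "i-web01": {"type": "vm", "ssh_ingress": ["10.0.0.0/8", "0.0.0.0/0"]},  # drifted
    "ctr-api-9c1": {"type": "container", "image": "api:1.5", "run_as_root": True},  # replaced, non-compliant
    "bkt-logs": {"type": "bucket", "public": False},
}

if __name__ == "__main__":
    report = diff_snapshots(BASELINE, LATER)
    print("created:", report["created"], "destroyed:", report["destroyed"])
    for aid, key, before, after in report["drift"]:
        print(f"drift {aid}.{key}: {before!r} -> {after!r}")
    for aid, rule in evaluate(LATER):
        print(f"finding {aid}: violates {rule}")
```

Run on a schedule or on every inventory event, the drift list is what a configuration-monitoring alert would carry, and the findings list is what a compliance dashboard would display per asset.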

Best Practice 5: Adopt a Strategy for Data Governance

Finally, data is a significant part of compliance, so a proper data governance strategy is imperative. Cloud applications are increasingly generating huge amounts of data, and this will overwhelm traditional approaches to data governance. As with asset discovery, observability and monitoring, overseeing the entire data life cycle is critical. For proper data governance, you must understand how data in your systems is acquired, transmitted and stored – and this must be done at scale. This applies not only to the data from your applications, but also to the metadata generated by your security solutions as they observe and monitor your applications.

From discovery to observability and more, cloud environments bring both new opportunities for organizations as well as new challenges for DevSecOps teams. By leveraging a unified security platform that integrates CNAPP and observability solutions, DevSecOps teams can stay on top of these challenges and enable their organizations to continue achieving their goals securely.

(The author is Mr. Scott Fanning, senior director of product management, Cloud Security Product Group, CrowdStrike and the views expressed in this article are his own)
