Learning Not to Step on Lego: Blast Radius, Cloud Sprawl, and CNAPP

Originally published by CXO REvolutionaries here.

Written by Martyn Ditchburn, Director of Transformation Strategy, Zscaler.

Ever stepped on a Lego block? It hurts, doesn’t it!

If not, imagine for a moment that it’s 2 a.m. and you’re navigating your way to the bathroom in the dark. Your child has spent the day building a perfect Lego Death Star, which you suspect unfortunately still lies somewhere on the floor ahead of you. The chances of you finding and stepping on that doomed space station are hopefully low. However, should it happen that you take on the role of Luke Skywalker and shatter the Lego Death star into thousands of pieces, you’ll be in a world of hurt. You’re also likely to face the wrath of your own miniature Darth Vader in the form of one very angry child.

When we closely cluster our data and applications in a single place – the conventional data center – we erroneously believe we can protect it using the tried and tested castle-and-moat architecture. The problem is, when the inevitable compromise does happen, this strategy often means the damage is so severe, and the consequences so far-reaching, that some organizations simply will not survive it. If this is shaking your belief in the wisdom of castle-and-moat architecture, it should. Remember, if you can reach it, you can breach it.

Concentrating all of the crown jewels in a single data center is akin to walking blindly down a dark hallway with a Lego Death Star floating around unaccounted for. The Empire and countless other organizations have learned the hard way the total devastation that can occur when packing assets too closely together. In military terms, we have expanded the “blast radius” of any successful attack to beyond acceptable levels.

There is, however, an easy answer to the problem of blast radius. Just distribute your assets further apart. Simple, right? For the past decade, the nearly unlimited scale of the cloud has allowed us all to distribute our applications and data across time zones, regions, and even entire cloud providers. I know more than one technologist who smugly believes they have solved the problem of blast radius this way, and I can see their point.

But, returning to the Death Star that's now been blown to pieces in your hallway, aren’t you more likely to step on one of those tiny blocks? I can say from experience that tracking and managing dispersed cloud assets is like trying to navigate down a hallway full of Lego pieces in the dark without stepping on one.

Be careful replacing concentration with cloud sprawl

Cloud sprawl is the unintended consequence of reducing blast radius. We simply traded one problem for another. The consequences of compromise might be less severe, but by spreading our apps and data so widely, we’ve increased the likelihood of any single asset being compromised. Our attack surface has grown significantly. Not only that, our newly siloed visibility makes managing them a formidable challenge.

I encountered this very problem in my past life running infrastructure for a FTSE100 company. In my quest to become “cloud only,” I traded several large data centers for hundreds of cloud-based virtual ones. Exponential growth in the cloud meant we had to double down on DevOps, Infrastructure as Code (IaC), and heavy automation to control the cloud fleet. Even then, it was unsustainable. Despite IaC and localized policy enforcement capabilities, cloud-wide changes meant days of work for them to be implemented fleetwide. Posture consistency across cloud providers was also difficult to maintain. Variations between cloud providers in terminology, capability, and compatibility made it nearly impossible to effectively monitor and manage against a benchmark like NIST.

What if there was a way to eliminate the attack surface and manage blast radius, while at the same time making the spawl more navigable? As it turns out, there is, and it goes by the acronym CNAPP, or cloud-native application protection platform. This type of tool helps to effectively manage vast fleets of cloud-based resources across distributed multiple cloud providers. But make no mistake, not all posture management tools are the same.

Here are a few things to consider when selecting a solution:

• Discover – Asset inventory discovery is a bread-and-butter requirement for any CNAPP. However, in multi-cloud deployments, information all too often remains siloed. Single-pain-of-glass data collation is a must-have irrespective of the cloud provider, and selecting one with an agentless architecture will ensure a rapid and comprehensive non-intrusive discovery.
• Prioritize – Focus on what matters and prioritize risk drivers. Make the tough decisions here because, if everything is a priority, then nothing is. Ensure the solution is context-aware and drives attention toward the things that matter most based on the threat level, the sensitivity of your environment or industry, and the company’s risk tolerance.
• Comply - The solutions should have one-click reports for proving compliance with common data standards including PCI, DSS, NIST, and others. Teams should spend their time working toward business objectives and not on collating complex datasets or generating manual reports.
• Optimize – Enable fast and effective remediation through rich, relevant, and actionable information. Too often tools identify an issue without providing the step-by-step remediation plan to make the diagnosis valuable.
• Integrate – The CNAPP should integrate with IDE platforms, DevOps tools, and code repositories. Close integrations enable problems with code to be identified in the generation phase, before they ever reach production. Prevention and reduction are always better than cure.
• Consolidate – Simplify your environment by combining point products such as CIEM, DLP, and vulnerability scanning into a single platform. This will provide the organization with greater insights and intelligence gathered from a wider range of rich data sources.
• Self-Heal - Ensure the roadmap includes automation for remediation and self-healing. Very few organizations can afford an army of engineers whose sole purpose is to manually remediate issues. Rising threat volumes, a more intense development cycle, and a looming recession will only exacerbate the need for greater automation.

If you’re losing faith in the efficacy of castle-and-moat models for network security, you’re on the right track. But don’t blow up your attack surface in an effort to limit your blast radius. You’ll just increase your chances of stepping on the painful Lego that is a compromised asset. Instead, take advantage of the distributed risk offered by cloud environments, but do it safely with a tool for ensuring safe, smart posture control.