Understand. Automate. Eliminate. How to Manage Cloud Infrastructure Risk Today.

Originally published by Secberus here.

Written by Fausto Lendeborg, Co-founder and Chief Customer Officer, Secberus.

When it comes to governing risk (specifically when remediating cloud infrastructure misconfigurations) there are three common goals we hear from security leaders:

• Understand your security and compliance postures at any given time within minutes, not days.
• Automate and scale security across all cloud environments.
• Eliminate frustration and reduce the time to prioritize and remediate risk.

In order to solve these problems, perhaps it’s time we look at the vendor landscape differently?

Though simple, this revised landscape view allows you to match the risk with the intention. Is your problem that your developers don’t understand if the risks they are receiving match the intended control? Or is it that you need to answer which of your customer-facing applications need patches due to unknown vulnerabilities? Creating a revised view of the landscape that aligns risk, role and need allows you, as the purchaser, to ask the right questions when evaluating a solution.

If you do find yourself in need of a cloud infrastructure risk solution–a cloud governance platform, rather than a CSPM, may be the way to go. A CSPM is sometimes too narrow a focus for what is needed. A cloud governance platform should help you to advance your overall cloud maturity and business continuity while also assessing, remediating and adapting both security and compliance policies. This kind of solution must also leverage Policy-as-Code.

In order to practice cloud governance in a way that realizes the above benefits you need three things. The 1-2-3 punch of cloud governance, if you will.

Punch 1: Event-based triggering

There is a time and a place for both types of discovery. The point is if you have a need or desire to start assessing risk in near real-time and you have an appetite to change the security culture within your organization then you are in a position to consider what an event-based triggering solution can bring to your table. Event-based triggering will give your security leaders the context to understand and communicate cloud infrastructure risk faster and with higher real-time accuracy. Having this power will inevitably begin to shift the culture of security within your organization.

Punch 2: Policy-as-Code as a built-in core platform technology

Think of Policy-as-Code as the lifeforce of cloud governance. Without leveraging an as-Code approach, you can not reap the benefits of scale or prioritization of risk.

Whether it’s policy, governance, security, or any other business activity, anything “as-Code” encodes human capabilities and activities in a programming language. Doing so is powerful because it transforms these activities into technological capabilities that are editable and scalable beyond human capacities.

“As-Code” is what makes the cloud (and cloud security) so game-changing, because it:

• Enables you to embrace exponential data growth.
• Enables consistency.
• Enables automation.
• Empowers you to build replicable libraries of code around key activities like configuration and policy-enforcement.
• Creates potential for “immutable infrastructure” that is deployed and maintained in code without manual intervention, which means less scope for error and therefore less chance of risk.

Here’s an example of how as-Code works:

Punch 3: Federated risk management

We have heard loud and clear that you want to give your DevOps teams the visibility to enable them to secure their applications and not get frustrated or give up in the process. Hopefully, you may be starting to see how a cloud governance platform can help alleviate this pain. With event-based triggering, we see that changes are detected in real-time. With Policy-as-Code you’re granted the ability to adapt, customize and scale your policies with relative ease. And with the addition of this third punch, federated risk management, you are granted permission to provide risk owners with the appropriate context to remediate risk on the spot. And because risk owners are able to remediate in real-time (including writing exceptions, if applicable) and have those changes applied at scale, alert fatigue becomes a thing of the past.

The combination of federated risk management and centralized cloud security governance provides the best user experience for your organization. Both role-based access control and attribute-based access control must be thought through and applied in order to take full advantage of this offering. As soon as you understand the roles and access privileges you want to provide and to whom, the more you are ready and able to advance your cloud maturity and help reign in the complexity of your cloud security environment.

If you’re serious about evaluating cloud governance, here is a sample of how some of the roles and responsibilities may start to shift within your organization:

If you’re looking to implement this kind of change yet worried about implementing a new process, especially in light of a recession, your next step may be to better understand the total cost and benefits of cloud risk. (Not ready to fill in our form, get the ungated copy here.)