Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

How To Achieve InfoSec When Your Tools Do InfraSec

Published 03/27/2023

How To Achieve InfoSec When Your Tools Do InfraSec

Written by Ravi Ithal, Cofounder and Chief Technology Officer, Normalyze.

Originally published by Forbes.

Brings a knife to a gunfight,” sneers Sean Connery while aiming a sawed-off shotgun at the knife-wielding intruder. Since that line in the 1987 movie The Untouchables, we’ve heard the same admonition—Don’t bring a knife to a gunfight—in more than 20 movies. You’d think everyone knows this by now. Alas, it’s a lesson still to be learned by some organizations that try to fight off attacks on sensitive data with tools intended to secure IT infrastructure.

Data Security Is Different From Infrastructure Security

Differentiating security for data versus infrastructure is important for two reasons. Data poses unique risks, and tools for InfraSec are not primed for InfoSec. The term InfoSec refers to the protection of information (the data) that resides in an organization's IT infrastructure. InfraSec refers to the protection of the underlying infrastructure.

To assert that InfraSec tools are not primed for InfoSec is not meant to slam the “goodness” of InfraSec tools, which fill critical roles in the security ecosystem. Teams need to have vulnerability scans of the network, servers, endpoints and applications. They must check the configurations of devices and apps to ensure authorized connectivity is taking place. InfraSec tools tell you what the enterprise environment consists of in terms of devices and software, plus identities with related access rights. Remediation teams must know which systems have received versions of a patch. And so forth. Without InfraSec tools, security teams would be completely in the dark about critical vulnerabilities looming...to the infrastructure.

Take note: The security data revealed to teams by InfraSec point tools might provide vague clues on the security posture of some sensitive data, but InfoSec is not their focus. We’ve previously described specific risks for sensitive data, such as its rapid proliferation in modern environments and how easy it is to lose track of sensitive data stores. Let’s consider reasons why InfraSec tools fall short of data security.

How InfraSec Tools Fall Short For Data Security

There are many tools for doing InfraSec, and it’s easy to get lost in a variety of their point purposes. InfoSec teams should begin asking hard questions about how well InfraSec tools are meeting their direct needs for protecting sensitive data. Here are a few examples:

  • Configuration management database system (CMDB):This tool is a database of information about an organization’s hardware and software assets. With the related population of the CMDB, it may also help teams to understand the business importance of particular assets, which helps determine risk posture and accelerates remediation processes. CMDBs, however, are utterly unaware of the existence of sensitive data inside data stores. This missing information about the data is crucial for InfoSec.
  • Vulnerability scanning: Every enterprise uses one or more vulnerability scanners. This tool looks through an organization’s network, communications equipment, connected devices, applications and APIs to detect and classify weak points that could be exploited by an attacker. Vulnerability scans can also function inside a cloud environment and determine if workloads have potential weaknesses. For doing InfoSec, however, a vulnerability scanner alone will not inform teams about how the threats affect sensitive data tucked inside a myriad of cloud data stores one or more hops away from where the vulnerabilities themselves reside.
  • Identity and access management (IAM): IAM analysis tools provide information about who has access rights and to which corresponding resources. IAM tools fall short for InfoSec because the possible permutations of access and data types are too many to analyze, compare and prioritize. Moreover, if the IAM tool is unaware of the location of sensitive data, it cannot directly assist InfoSec teams in doing their job.
  • Cloud security posture management (CSPM): This InfraSec tool identifies misconfiguration and compliance issues in cloud environments. Misconfigurations are a leading cause of breaches, and CSPM is an excellent way to spot potential risks caused by non-conformance with best practices. CSPM, however, has drawbacks for the InfoSec specialist. You might already have guessed it—CSPMs have no idea where your most valuable sensitive data resides. In addition, they have little to no understanding of platform-as-a-service (PaaS) databases, block storage and file storage. Indeed, InfoSec needs are rarely integrated into CSPM and so, for this purpose, you will mostly get background noise and zero signal for Infosec.

Explore Tools Designed For Data Security

If a tool swamps you with unusable or inapplicable data, the tool is not a tool at all! It just makes your team work harder than necessary to discover, classify and protect sensitive data at risk. The last thing an InfoSec team needs is more alerts and noise. Your InfoSec tools should be purpose-built for finding and protecting sensitive data. Useful capabilities will include:

  • Discovery of where sensitive data resides in your organization’s cloud environment.
  • Classification of all data to inform teams which data are at risk or must meet compliance mandates.
  • Access management for sensitive data wherever it resides in the cloud.
  • Risk and vulnerability management for all paths leading to sensitive data.
  • Compliance support to all instances of sensitive or protected data.

Like Sean Connery said: Don’t bring a knife to a gunfight! The practical lesson here for InfoSec is to never let your guard down in protecting the organization’s sensitive data. Your team may think it has the best tools or maybe hopes its InfraSec tools will keep InfoSec in good shape, but when attackers strike for your sensitive data, you’d better be sure your organization has the right tool purpose-built for InfoSec.

Share this content on your favorite social network today!