The only thing that is consistent is change
Cloud computing officially turned 15 years old this year and is preparing for her Quinceañera. In 2006, Amazon Web Services started offering technology infrastructure services to third parties in the form of web services. Google followed up by launching Google Cloud Platform in 2008, and Microsoft launched Azure in 2010. Combined, the three platforms now offer an abundance of compute, serverless, storage, backup, AI/ML, and IoT services or features, among others. Additionally, there are an estimated 750+ security- or privacy-relevant configuration properties across all three platforms. These properties can be changed manually or programmatically, and the changes persist with little visibility in environments that lack automated desired state configuration. It’s no wonder security teams and auditors find it increasingly challenging to secure, monitor, and audit public cloud infrastructure and services.
Enter Cloud Security Posture Assessment (CSPA) and Cloud Security Posture Management (CSPM). These services and solutions are designed to provide the visibility that security and audit teams require to enforce guardrails and validate a cloud environment’s infrastructure against one or more standards or frameworks. One example of a framework that would be in scope is the AWS Well-Architected Framework. Mature assessment methodologies and solutions also give technology and security teams the capability to auto-remediate security issues and audit findings, enforcing near real-time desired state configuration. The best solutions provide clear instructions on how to remediate compliance and security issues manually and programmatically in the event auto-remediation is not desirable.
Secure and compliant cloud consumption depends largely on a shared responsibility model that isn’t always well understood by business and technology practitioners alike. As a result, project teams often pursue cloud migration or adoption projects with little to no thought on how to secure the environment, how to monitor for compliance, or how to detect configuration drift post deployment. This lack of visibility propagates the assumption that public cloud is the so-called wild, wild west, and for uncontrolled environments that sentiment is largely true. The introduction, maturity, and cost-effectiveness of Cloud Security Posture Assessment and Management services promise to change that sentiment once and for all.
Manny Landron is the vCISO and VP of Security Solutions and Advisory Services at Aligned Technology Group. ATG helps its clients design, build, and mature cost effective and sustainable corporate, cloud, product, and physical security programs.