Rapticore | Remediation for Cloud Apps and Infrastructure


What's in the Cloud?

Melissa: Chief Information Security Officer

Noah: Security Engineer

Amber: Head of Assurance and Compliance

Melissa: How can we get a list of all Cloud deployed applications?

Noah: We don’t have any capability. Everything changes so fast. CI/CD and infrastructure as code make it rather hard to track deployments across the environment.

Melissa: We have 50 vendors, and we cannot answer that question.

Noah: We can build it. It would be helpful for the Application Security teams, the Incident Response Team, and the Compliance team. DevOps and Architecture teams might find it useful too.

Amber: Would I be able to get details about applications and compliance obligations without going to 20 different teams? Coordination is so hard. It is so frustrating.

Noah: We can build that too. That would be easy. 4 engineers, a technical program manager, and a business analyst, and we can do it in 8 months, and of course, we have to maintain it afterward. But we can build it.

Melissa: (In her head) That would be a million dollars in just resource cost. There has to be a better way.

“No one knows what’s in the Cloud, especially your Cloud.”

As an industry, we have focused on shiny new things, the best of breed, and whatever is in the news while neglecting the fundamentals: basic hygiene, asset management and tracking, and program management. The Cloud has aggravated this situation. The pace of deployment and the pressure to generate value quickly are so high that there is constant churn in most Cloud environments. Against that backdrop, most organizations struggle to answer basic questions like:

  • How many cloud applications and workloads do we have in the Cloud?

  • What are their business severity and risk? What data is processed by each?

  • Where are they deployed? When were they last updated?

  • What is the deployed architecture? Does it match the designed architecture? What was changed?

  • What is the relationship between deployed applications and the underlying infrastructure?

  • If I see a URL, can I track it back to my infrastructure and code?

All teams need these answers. Incident response teams need them during investigations. The Application Security team needs them for threat modeling, for prioritizing vulnerabilities, and for approvals. DevOps needs them to monitor changes in an application, and Assurance needs them to track evidence and run readiness assessments. The use cases for this fundamental capability are endless. Yet most organizations struggle with these questions. Pick any Cybersecurity or Information Technology framework: the first control is often asset management. We all struggle to run a Cybersecurity program without real-time, automated asset management. We have all heard about the exposed S3 bucket that no one knew about, the EC2 instance exposed to the public, the RDS database holding Personally Identifiable Information in a public subnet, and the application that, once deployed, looks like a completely different beast in production.

Asset management is often delegated as IT’s responsibility. Sometimes that works, but more often than not, it does not. A lack of good asset management often translates into a lack of meaningful program performance measurement, which brings to mind the Peter Drucker quote: “If you cannot measure it, you cannot improve it.”

To get better at Cybersecurity, it is time we get better at the fundamentals. Instead of running after the latest FUD, we should focus on getting the basics right, not as a standalone capability but as an integrated capability that enriches every other capability: it becomes a force multiplier. Once the fundamentals are correct, we have a better chance of building something sustainable and right-sized. Perhaps we might not even need 50 vendors.