We’d like to share what we’ve learned performing cloud security posture assessments for our clients, and our approach to rethinking every step of the end-to-end experience.
Josh and I have both previously held roles performing “traditional” vulnerability assessments and penetration tests in a wide variety of enterprise verticals, so we share similar perspectives on their pros and cons. They tended to last several weeks from start to finish, required multiple team members with complementary expertise, required a significant amount of manual analysis and data review from multiple tools, and meant that we were touching live networks and systems with a high degree of risk (even lightly port-scanning certain industrial control systems was risky). Finally, they often generated an extremely long and hard-to-consume written deliverable report.
Over the past decade, we’ve worked together building, automating, and securing cloud-native system environments across a variety of projects. This allowed us to appreciate the power and flexibility gained from leveraging infrastructure and configuration as code, driving change via declarative APIs, and later, the benefits of container-based workloads and serverless approaches. It also helped us understand first-hand the new challenges faced by organizations looking to adapt their approach to securing and maintaining their systems in such a dynamic environment.
As we set out to implement the principles of least privilege, defense in depth, and security visibility in our own environments, it became apparent that traditional assessment approaches need significant modifications to be useful in cloud environments. Many of the cloud providers’ controls for securing cloud services are part of the same API-driven configuration used to deploy and manage those resources, so the emphasis has shifted heavily toward secure configuration as the way to improve overall security posture. The movement toward automation driving large fleets of dynamically scaling cloud resources also means that new approaches and tooling that understand this environment are needed to tackle the problem at scale. And with 99% of all cloud security failures in the next few years being the customer’s fault according to Gartner, the importance of identifying, prioritizing, and addressing misconfiguration issues only increases. Vulnerability assessments and penetration tests still have their place, but their value is typically maximized after much of the security configuration groundwork is done.
Through 2025, 99% of cloud security failures will be the customer’s fault. - Gartner
Many organizations turn to Cloud Security Posture Management (CSPM) services to help them get a handle on these kinds of issues, but our experience has uncovered a few additional challenges that may not be obvious at first. CSPM solutions tend to be Software as a Service (SaaS) hosted, and leverage a specific IAM Role to query your cloud resource configuration, or “metadata”, on an interval. Depending on the IAM Role granted (e.g. AWS’ SecurityAudit Role), these tools may not have permission to query all the APIs for the configuration of the resources in the environment, leaving you with incomplete visibility. While most CSPM solutions cover the core services well for things like public storage buckets or open firewall rules, very few have insight into the workloads running in containerized environments like Kubernetes clusters and their interconnections with the surrounding cloud environment. Most CSPM solutions also lack the ability to check combinations of settings that span multiple resources, so they cannot accurately determine whether the environment is susceptible to certain realistic attack scenarios without additional manual effort and expertise.
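As an added illustration of that last point (example code written for this post, not Darkbit’s own tooling), the following Python runs a single-resource rule and a cross-resource rule over constructed AWS-style metadata; every resource ID and policy below is a made-up sample value.

```python
"""Single-resource vs. cross-resource posture checks on constructed metadata.

A per-resource rule looks at one object in isolation; the combined rule
correlates an instance, its security groups and its instance profile to
report the instances where the individual settings add up to real exposure.
"""
from typing import Dict, List

# Constructed sample metadata, shaped loosely like describe-* API output.
SECURITY_GROUPS: Dict[str, List[dict]] = {
    "sg-open-ssh": [{"FromPort": 22, "ToPort": 22, "IpRanges": ["0.0.0.0/0"]}],
    "sg-internal": [{"FromPort": 22, "ToPort": 22, "IpRanges": ["10.0.0.0/8"]}],
}
INSTANCE_PROFILES: Dict[str, List[dict]] = {
    "admin-profile": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "reader-profile": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
}
INSTANCES: List[dict] = [
    {"InstanceId": "i-web", "PublicIp": "203.0.113.10",
     "SecurityGroups": ["sg-open-ssh"], "IamInstanceProfile": "admin-profile"},
    {"InstanceId": "i-bastion", "PublicIp": "203.0.113.11",
     "SecurityGroups": ["sg-open-ssh"], "IamInstanceProfile": "reader-profile"},
    {"InstanceId": "i-db", "PublicIp": None,
     "SecurityGroups": ["sg-internal"], "IamInstanceProfile": "admin-profile"},
]

def sg_allows_world(rules: List[dict], port: int) -> bool:
    """True if any ingress rule admits the given port from 0.0.0.0/0."""
    return any(r["FromPort"] <= port <= r["ToPort"] and "0.0.0.0/0" in r["IpRanges"]
               for r in rules)

def profile_is_admin(statements: List[dict]) -> bool:
    """True if the attached policy grants Allow * on * (full account access)."""
    return any(s["Effect"] == "Allow" and s["Action"] == "*" and s["Resource"] == "*"
               for s in statements)

def per_resource_findings() -> List[str]:
    """What an isolated rule set reports: two findings, no indication of how they connect."""
    found = [f"sg:{sg}" for sg, rules in SECURITY_GROUPS.items() if sg_allows_world(rules, 22)]
    found += [f"profile:{p}" for p, st in INSTANCE_PROFILES.items() if profile_is_admin(st)]
    return found

def combined_findings() -> List[str]:
    """Instances that are publicly addressable, reachable on 22 from anywhere,
    AND carry an admin instance profile: a path from one host to the whole account."""
    risky = []
    for inst in INSTANCES:
        exposed = bool(inst["PublicIp"]) and any(
            sg_allows_world(SECURITY_GROUPS[sg], 22) for sg in inst["SecurityGroups"])
        if exposed and profile_is_admin(INSTANCE_PROFILES[inst["IamInstanceProfile"]]):
            risky.append(inst["InstanceId"])
    return risky
```

The per-resource pass flags the open security group and the admin profile separately; only the correlated pass narrows the result to the one instance where both apply, which is the kind of prioritization the manual effort mentioned above normally has to supply.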
This became our sole focus as we formed Darkbit: to reimagine what a modern, efficient Cloud Security Posture Assessment (CSPA) might look like and deliver this service to help our clients reduce risk in their AWS, GCP, and Kubernetes environments. Some of the key differences in our approach are:
To see if our Cloud Security Posture Assessment service is a fit for your organization, let’s chat.