Understanding the threat vectors that introduce business risk is an important early step towards developing a strong cybersecurity strategy. The same is true as your organization embraces the public cloud. Five key areas can introduce risk when working with the public cloud, and each must be understood and properly protected.
Five key public cloud threat vectors
- Configuration – This is the realm of cloud security posture management (CSPM) tools. This is where you gain an understanding of the configuration of all of the services and resources in your cloud environments, the corresponding security posture, and misconfigurations that need to be remediated.
- External exposure – Anything that is exposed to the internet is a potential target for bad actors. But workloads need internet access as well as access to other clouds and to your traditional data centers. Understanding what can be attacked from the outside is absolutely critical.
- Lateral movement – Even if you’ve appropriately configured all services and have minimized your exposed attack surface, there is still the possibility of someone or something getting in. Knowing how bad actors could move laterally across your public cloud footprint, and preventing them from doing so, can help ensure that the impact of any breach is minimized.
- Crown jewel data and applications – Many organizations are migrating sensitive data and applications to the public cloud. Knowing where these crown jewel assets are and applying additional protections can help minimize the impact of a breach.
- Entitlements – The final piece of your public cloud attack surface is the one most commonly overlooked: entitlements and permissions. An organization with hundreds of cloud users and thousands of cloud resources will have hundreds of millions of discrete permissions granted. This may include unused permissions, non-federated dormant accounts, misconfigured permissions, and more.
Cloud Infrastructure Entitlement Management
The emerging category of products addressing the growing cloud permissions problem is known as Cloud Infrastructure Entitlement Management (CIEM). How big is this problem? According to Gartner, “by 2023, 75% of cloud security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020.”1
This is why we’re so excited to welcome Trustdome to the Zscaler family. Trustdome is an innovator in CIEM, providing permissions security across all cloud environments, while preserving DevOps’ freedom to innovate. The platform provides full governance over who has access to what across all your clouds, resources, identities, and APIs. You get a 360° view of all your permissions and the ability to automatically find misconfigurations and get remediation plans teams can act on, all from one unified platform. And with zero disruption to DevOps, they’re free to deploy code rapidly, freely, and securely.
Key use cases for CIEM include:
- Cloud permission governance – Discover who can access what and how permissions are utilized across human, machine, and external identities
- Least privileged configuration – Clean up unused, default, and misconfigured permissions, maintaining a simple and transparent permissions model
- Guardrail enforcement – Implement a unified cloud permissions guardrail policy across major cloud platforms including IaaS, PaaS, and SaaS
The Trustdome product will become Zscaler CIEM, a critical element of Zscaler Cloud Protection (ZCP) services. ZCP simplifies and automates zero trust security for workloads on and between any cloud platform, providing comprehensive coverage for all five threat vectors of the public cloud.
To learn more about Zscaler CIEM or to schedule a demo, please connect with us directly.
1 Gartner, Managing Privileged Access in Cloud Infrastructure, June 9, 2020, ID G00720361
Forward-Looking Statements
This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. These forward-looking statements include our intention to acquire Trustdome, the timing of when the acquisition will be completed and the expected benefits of the acquisition to Zscaler’s product offerings and to our customers. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. A significant number of factors could cause actual results to differ materially from statements made in this blog, including those factors related to our ability to successfully integrate Trustdome technology into our cloud platform and our ability to retain key employees of Trustdome after the acquisition.
Additional risks and uncertainties are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on March 4, 2021, which is available on our website at ir.zscaler.com and on the SEC's website at www.sec.gov. Any forward-looking statements in this blog are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler will not necessarily update the information, even if new information becomes available in the future.