Effective digital transformation enables organizations to move at market speed. The ability to bring new products, customer experiences, and capabilities to market is what sets competitors apart from each other. To make that happen efficiently, people and processes need to be realigned to focus on line of business (LOB) objectives. Centralized teams in particular often struggle with this realignment.
Information technology, compliance, risk management, enterprise architecture, network, and security operations centers historically have been centralized to provide enterprise-wide services. These teams defined the frameworks for the enterprise because they built, operated, maintained, and secured the environment that the LOBs used to achieve their business objectives. Each central discipline chose the platforms, tool sets, and processes that each LOB would need to conform to in the pursuit of those objectives.
Public cloud changed this dynamic. The change was innocuous at first. Typically, the LOB wanted to investigate whether an application could even run in a public cloud environment. The promise of global reach, elastic scalability, and lower costs fueled those early movements. It was normally the application owners from the business unit that were charged with this “lift & shift” evaluation. Application owners with limited skill sets in infrastructure or security could easily provision minimally required infrastructure thanks in part to the abstraction afforded by new Infrastructure as a Service (IaaS) providers. The nuances of permission or entitlements were set aside initially to focus on the question of application delivery in this new model.
Armed with early success, the business unit began to look at its entire catalog, bringing the core benefits of reach and scale to multiple applications. It began to leverage Platform as a Service (PaaS) offerings, increase the use of automation frameworks, and adopt emerging cloud native application paradigms to embrace digital transformation at scale.
As more LOBs consumed this new paradigm, it was apparent that existing people and processes needed to be adapted for this new reality. Previously centralized IT teams were faced with multiple new challenges:
- Defining and standardizing a cloud operating model
- Ratcheting back over-provisioned Identity and Entitlements used during “pilot” phases that were never cleaned up
- Extending compliance tooling to evaluate new services that were running in public cloud service providers
- Reducing misconfiguration-induced roll-backs of new applications
- Dealing with the fact that different LOBs chose different cloud service providers (CSPs), resulting in multiple interfaces, query languages, and other tooling required to secure, operate, and maintain these new environments
The impact of these challenges has been far-reaching.
- Entire consulting practices emerged to deal with these challenges across the industry.
- Tooling exploded to address these specific challenges, many of them targeting specific teams and personas.
- Asset management needed to be able to understand what was deployed and where.
- Compliance needed to understand the configuration of those assets as measured against multiple (and growing) industry benchmarks.
- Incident response teams needed not only the ability to identify threat vectors but also the means to remediate these issues across disparate CSPs.
- Entire ITSM processes needed to be reworked to ingest signals that spanned sometimes disparate and often uniquely configured environments.
And, as is always the case in a new security domain, an entire class of cloud native open source and commercially available tools grew up to automate security testing and reporting. These tools fell into many different classifications:
- Cloud Security Posture Management (CSPM) tools look at the configuration of cloud assets (e.g. compute instances, security groups, databases, cloud storage) to ascertain potential threat vectors.
- Cloud Infrastructure Entitlement Management (CIEM) offerings look at accounts and their IAM roles to highlight over-provisioned or even stale accounts that could be exploited.
- Vulnerability management platforms extended their agents to run on cloud workloads to ensure CVE reporting.
- Compliance tool sets take cloud infrastructure and compare it to established industry and regulatory benchmarks like CIS, NIST, PCI, and others.
- Cloud Workload Protection Platforms (CWPP) were created to monitor cloud assets for configuration drift, infections, and imminent threats.
- Infrastructure as Code security tools were built to extend security awareness across the software development life cycle ecosystem.
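To make the CSPM and CIEM categories above concrete, here is an added example (not Zscaler Posture Control code or any CSP's real API output) that normalizes two deliberately different constructed asset records into one schema and runs a posture check and an entitlement check over them. The record shapes, field names, and the fixed reference date are assumptions made for illustration.

```python
"""Minimal CNAPP-style posture checks over a constructed multi-cloud inventory.

Added example; not Zscaler Posture Control code. Record shapes and field names
are assumptions for illustration, not any CSP's real API output.
"""
from datetime import date

# Constructed inventory: AWS-style and Azure-style records, deliberately shaped
# differently to mimic the disparate CSP interfaces the post describes.
INVENTORY = [
    {"csp": "aws", "type": "security_group", "id": "sg-0001",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
    {"csp": "azure", "type": "nsg", "id": "nsg-web",
     "rules": [{"source": "Internet", "port": 443, "direction": "Inbound"}]},
    {"csp": "aws", "type": "iam_user", "id": "pilot-admin",
     "policies": ["AdministratorAccess"], "last_used": "2023-01-10"},
    {"csp": "azure", "type": "service_principal", "id": "ci-deployer",
     "roles": ["Reader"], "last_sign_in": "2024-05-30"},
]


def normalize(rec):
    """Map each CSP-specific record onto one common schema (network or identity)."""
    if rec["type"] in ("security_group", "nsg"):
        rules = rec.get("ingress", []) + [r for r in rec.get("rules", [])
                                          if r.get("direction") == "Inbound"]
        open_ports = [r["port"] for r in rules
                      if r.get("cidr") == "0.0.0.0/0" or r.get("source") == "Internet"]
        return {"csp": rec["csp"], "id": rec["id"], "kind": "network", "open_ports": open_ports}
    privs = rec.get("policies", []) + rec.get("roles", [])
    last = rec.get("last_used") or rec.get("last_sign_in")
    return {"csp": rec["csp"], "id": rec["id"], "kind": "identity",
            "privs": privs, "last_active": date.fromisoformat(last)}


def evaluate(inventory, today=date(2024, 6, 1), stale_days=90, admin_ports=(22, 3389)):
    """Return (csp, id, category, detail) findings: CSPM for internet-exposed admin
    ports, CIEM for stale or administrative identities. `today` is a constructed date."""
    findings = []
    for asset in map(normalize, inventory):
        if asset["kind"] == "network":
            exposed = sorted(p for p in asset["open_ports"] if p in admin_ports)
            if exposed:
                findings.append((asset["csp"], asset["id"], "CSPM",
                                 f"admin port(s) {exposed} open to internet"))
        else:
            idle = (today - asset["last_active"]).days
            if idle > stale_days:
                findings.append((asset["csp"], asset["id"], "CIEM", f"no activity for {idle} days"))
            if any("Admin" in p or "Owner" in p for p in asset["privs"]):
                findings.append((asset["csp"], asset["id"], "CIEM", "administrative privilege granted"))
    return findings
```

Running `evaluate(INVENTORY)` flags the SSH port open to the internet and the leftover pilot-phase admin user (both stale and over-privileged), while the HTTPS rule and the low-privilege, recently active service principal produce nothing.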
The end result was rising cost and complexity to stitch together an increasingly brittle framework that allowed historically centralized teams to operate in the new public, hybrid, and multi-cloud reality. While some of these tools were extremely effective in their silo, they lacked a holistic platform approach. Cloud Native Application Protection Platforms (CNAPP) offer complete security coverage, replacing multiple point products. A CNAPP provides comprehensive visibility and insights across your entire multi-cloud footprint while reducing friction between security and DevOps teams to better support DevSecOps.
This post is the first of a six-part series in which we will explore how organizations can leverage Zscaler Posture Control, our CNAPP solution, to tackle not only the technology challenges but also the people and process challenges that arise as an organization matures along its public cloud journey.