Anthony (Tony) Sabaj is currently the Director of Channel Security Engineering for North America at Check Point, with over 25 years of experience in Cyber/Information/Network security. Tony has been at Check Point since 2002 in a variety of sales and technical roles. Prior to joining Check Point, Tony was a Senior Product Manager at Telenisus, a startup MSSP/VAR in Chicago. In 2001 the MSSP business of Telenisus was sold to Verisign to start their MSSP business and the VAR business was sold to Forsythe to start their Security Practice. Tony joined Forsythe shortly after that acquisition as a Security Consultant and Certified Check Point trainer. Tony started his career with Arthur Andersen/Andersen Consulting, building their worldwide IP network, designing the security controls for the firm and helping build their external Security Consulting Practice.

In this two part interview series, Tony Sabaj discusses Cloud Security Posture Management (CSPM). From making CSPM a top priority to the opportunities and challenges that come with implementing CSPM solutions, this interview provides premium cyber security insights.

What questions should CISOs ask themselves or their teams to determine whether or not cloud security tools need upgrades?

One of the first questions CISOs need to ask is ‘Does the organization have visibility into its cloud environments?’ Many organizations have moved rapidly to adopt cloud technologies and infrastructures. One of the major benefits of the cloud is the agility and speed to bring applications and services to bear. This agility requires security tools to be able to operate at the “speed of the cloud”; they need to be automated and operate in real time. Another, equally important, question that CISOs need to ask is ‘Are teams applying consistent security across a multitude of cloud providers?’

Over 75% of organizations will be adopting a multi-cloud or hybrid cloud strategy. Organizations will be utilizing services from multiple public cloud providers, such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI) or Alibaba, to name a few of the larger players. Even hybrid cloud solutions like Azure Stack, AWS Outposts, VMware NSX or Cisco ACI need consistent security enforcement and monitoring.

Is Cloud Security Posture Management a top cyber security priority, or should it be?

It should be for any organization with any exposure to public cloud. Any organization that is not implementing continuous compliance of their cloud environment is missing one of the easiest ways to reduce their risk and achieve better visibility of their public cloud infrastructures. According to Check Point Research, misconfiguration of cloud environments ranked highest among organizations, at 68%, for risk in the cloud. CSPM tools offer the best defense to mitigate the risk of misconfiguration.

What is Cloud Security Posture Management and how does it differ from traditional cloud security?

This is a great question. Traditional cloud security will try to mimic security techniques used in physical data centers or on-premises networks. Many security tools and organizations took traditional security gateways/firewalls, reverse proxies or some type of intermediary device and virtualized that tool for use in the cloud. These more traditional security techniques very much have their place in cloud security, but CSPM differs in nature because it uses native controls. Most of the functionality of CSPM tools will use APIs exposed by the cloud providers. The use of APIs allows a CSPM solution to operate with little to no impact on the performance or architecture of the cloud environment. CSPM should not require the installation of agents or virtual machines, but should only require the proper credentials to the cloud accounts to access the exposed APIs from the cloud provider. A properly deployed CSPM tool should be one of the first tools used in a cloud deployment or cloud migration.

What are the benefits of CSPM solutions and why do they matter?

CSPM has many benefits. The benefits may differ from organization to organization based on industry, regulatory/compliance requirements and the maturity of the organization’s cloud transformation. A few of the universal benefits of CSPM include:

  • Continuous monitoring and assessing of compliance policies
    • CSPM offers continuous compliance against known compliance rulesets, PCI-DSS, HIPAA/HITRUST, SOC2, AWS Well-Architected Framework, and many others, including custom rulesets that are unique to the organization. CSPM provides monitoring of compliance rulesets on a continuous basis. CSPM does not have to be a point-in-time assessment; more importantly, it can be used for real-time, continuous monitoring with instantaneous alerting and remediation.
  • Monitor and enforce “least privileged access” concepts
    • Overly permissive access roles are one of the biggest issues that lead to security vulnerabilities in the cloud. CSPM can identify and monitor access role permissions.
  • Inventory and classify assets
    • One of the most obvious benefits of CSPM is to provide an inventory and classification of assets in the cloud. CSPM can identify, catalog, and provide specific data, including tags.
  • Visibility
    • CSPM tools can provide visibility not only through asset management, but also by diagramming the connectivity of networks (VPCs/VNETs) and showing connections to unmanaged/unknown networks.
  • Misconfigurations
    • According to the Cloud Security Alliance, misconfigurations are the top cause of cloud data breaches. CSPM can look for misconfigurations in all aspects of a cloud environment, including servers and applications that are exposed to the public, unencrypted storage, and proper multifactor authentication (MFA) settings, to name a few.
  • Log enrichment and threat hunting
    • One of the blind spots in the public cloud is the nature of cloud logs. Due to the dynamic nature of the cloud, IP addresses, machine names, function names and other identifiers may have little to no meaning once the event occurs. CSPM tools can enrich logs with meaningful and relevant data. The enriched data can be sent to larger SIEMs/XDR utilities, and also stored within the CSPM tool for historical threat hunting purposes.
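To make the checks in this list concrete, and to illustrate the earlier point that CSPM works from inventory pulled through the provider's APIs rather than from agents, here is an added example that is not Check Point's code nor any CSPM product's: a small Python rule engine that evaluates a constructed, hypothetical account inventory (shaped loosely like the output of a provider's read-only list/describe calls) against rules for unencrypted storage, public exposure, non-web ports open to the internet, wildcard IAM permissions and missing MFA. The inventory, the resource names, the rule identifiers and the "acceptable public ports" policy are all assumptions made for illustration.

```python
"""Minimal CSPM-style posture check over an API-shaped inventory.

Added example (not Check Point's or any product's code).  A real CSPM tool
would obtain the inventory from the cloud provider's read-only APIs using
account credentials; here it is a constructed JSON document so the example
runs offline.
"""
import ipaddress
import json

# Constructed sample inventory (hypothetical account, not real data).
INVENTORY_JSON = """
{
  "storage_buckets": [
    {"name": "billing-archive", "encrypted": false, "public": false},
    {"name": "static-site",     "encrypted": true,  "public": true},
    {"name": "backups",         "encrypted": true,  "public": false}
  ],
  "security_groups": [
    {"id": "sg-web", "ingress": [{"port": 443,  "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db",  "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]}
  ],
  "iam_roles": [
    {"name": "ci-deploy",    "actions": ["s3:PutObject", "s3:GetObject"]},
    {"name": "legacy-admin", "actions": ["*"]}
  ],
  "users": [
    {"name": "alice", "console_access": true, "mfa_enabled": true},
    {"name": "bob",   "console_access": true, "mfa_enabled": false}
  ]
}
"""

# Assumed policy: only these ports may be reachable from the whole internet.
PUBLIC_OK_PORTS = {80, 443}


def load_inventory(text):
    """Parse the JSON inventory (stands in for the provider API response)."""
    return json.loads(text)


def finding(rule, resource, severity, detail):
    """Uniform finding record, the kind of thing a CSPM would alert on."""
    return {"rule": rule, "resource": resource, "severity": severity, "detail": detail}


def check_storage(inv):
    """Unencrypted or publicly reachable storage."""
    out = []
    for b in inv.get("storage_buckets", []):
        if not b.get("encrypted", False):
            out.append(finding("storage.unencrypted", b["name"], "high",
                               "encryption at rest is disabled"))
        if b.get("public", False):
            out.append(finding("storage.public", b["name"], "medium",
                               "bucket is reachable without authentication"))
    return out


def check_network(inv):
    """Ingress rules that expose non-web ports to the entire internet."""
    out = []
    for sg in inv.get("security_groups", []):
        for rule in sg.get("ingress", []):
            net = ipaddress.ip_network(rule["cidr"], strict=False)
            if net.prefixlen == 0 and rule["port"] not in PUBLIC_OK_PORTS:
                out.append(finding("network.open_port", sg["id"], "high",
                                   f"port {rule['port']} open to {rule['cidr']}"))
    return out


def check_iam(inv):
    """Least-privilege violations (wildcard actions) and console users without MFA."""
    out = []
    for role in inv.get("iam_roles", []):
        if any(a == "*" or a.endswith(":*") for a in role.get("actions", [])):
            out.append(finding("iam.wildcard_action", role["name"], "high",
                               "role grants wildcard actions"))
    for user in inv.get("users", []):
        if user.get("console_access") and not user.get("mfa_enabled"):
            out.append(finding("iam.mfa_missing", user["name"], "high",
                               "console user has no MFA enabled"))
    return out


CHECKS = [check_storage, check_network, check_iam]


def evaluate(inv):
    """Run every check and collect findings; this is the 'continuous' part when scheduled."""
    findings = []
    for check in CHECKS:
        findings.extend(check(inv))
    return findings


def summarize(findings):
    """Count findings per rule, a simple posture summary."""
    summary = {}
    for f in findings:
        summary[f["rule"]] = summary.get(f["rule"], 0) + 1
    return summary


def run():
    """Evaluate the constructed inventory and return the findings."""
    return evaluate(load_inventory(INVENTORY_JSON))


if __name__ == "__main__":
    for f in run():
        print(f"[{f['severity']}] {f['rule']}: {f['resource']} - {f['detail']}")
```

Run as a script, the example reports five findings from the sample inventory: the unencrypted billing bucket, the public static-site bucket, the database security group open to the internet on port 5432, the role with a wildcard action, and the console user without MFA. The HTTPS rule on sg-web is not flagged because 443 is in the assumed allowed set; a real deployment would carry that policy in a ruleset the organization maintains, as the answer above describes.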

Stay tuned for part two of this interview series.