By Roland Kissoon, a Cyber Security Leader with over 20 years’ experience in multiple security domains. He has a wide array of hands-on skills, having served in roles ranging from technical to C-level positions for multi-national organizations in the Aviation, IT, Telecommunications and SI industries. He now has the privilege of working with Check Point Software Technologies, where he has worked in Sales Engineering, Professional Services and Business Development roles.

He is passionate about contributing to his field of choice, being founder and past Chairman of a Cloud Security Alliance (CSA) Chapter, Associate Chair of the CSA Worldwide Congress (2011 – Orlando FL, USA), Reviewer and Contributor of the CSA Cloud Controls Matrix, Member of CSA’s Mobile Security Working Group, Member of ISACA’s Research Funding and Academic Relations Committee, and Adjunct Lecturer at several universities in the UK and Caribbean.

Ideally, one would have a well-thought-out cloud transformation blueprint, with awareness of organizational and technical challenges that are carefully planned out in terms of strategy and approach. But, unfortunately, that isn’t the case for many. This article is geared towards showing where we can look to that strategic approach and it is also meant to help a layman to cloud security understand how to address a specific issue in the short-term…

A Decade Ago: Almost 12 years ago, I had the privilege of presenting on cloud security audit at a local ISACA chapter. The audience primarily consisted of audit professionals who shared a sense of anxiety that there was a lot of ambiguity in the industry on the subject, at the time.

Lift and Shift: The challenges discussed with these audit professionals included how there was no single classification for cloud, as there were different types (Hybrid, IaaS, PaaS, SaaS) and, more importantly, which, if any, of the security controls used in existing IT infrastructure audits would be applicable. Back then, organizations were mostly moving their on-premises data center infrastructure to the cloud (referred to as “Lift and Shift”). The Cloud Security Alliance pioneered research into this topic, developing a slew of materials as well as the Certificate in Cloud Auditing Knowledge (CCAK) certification, which are now considered by many to be the baseline in the industry.

The Challenge: Fast-forward to today, and those concerns for “Lift and Shift” have been settled, but the caveat is that cloud infrastructure is now used in many different ways and by a variety of teams as compared to a decade ago. This has resulted in multiple new threats being introduced, which changes the risk profile compared to yesteryear.

One example where this is pronounced, and that has resulted in several recent high-profile breaches, is the increasing adoption by software developers of cloud services to develop, deploy and scale applications with an unlimited number of resources in real time. The software development lifecycle is sped up and enables businesses in a way that was not possible in the past. In the process, however, software is often deployed with misconfigurations and hard-coded secrets, for instance. So, where do we start? Solutions to address these are discussed in the sections below.

Hype Cycle for Cloud Security: Before we get into the specifics of addressing the issue above, it should be noted that it is one of a wide cross-section of concerns. Figure 1 below, from the Hype Cycle for Cloud Security report, highlights some of the technologies that auditors now need to understand.

The report indicates, “the scale and dynamism of cloud computing complicate visibility and control over all workloads, storage and processes”. The report goes on to state that, “Consequently, most cloud security failures remain the result of customers failing to implement appropriate controls”.

Figure 1: Hype cycle for cloud security 2021, courtesy of Gartner.

CNAPP: To address the challenge introduced above, an understanding of the CNAPP (Cloud Native Application Protection Platform) will be our starting point. As one analyst firm outlines it, a CNAPP is a single cloud-native security platform that combines:

  • CWPP: Cloud Workload Protection Platform
  • CSNS: Cloud Service Network Security
  • CSPM: Cloud Security Posture Management

Figure 2 below illustrates the CNAPP model from a high level.

Figure 2: High level CNAPP framework.

Some more details are illustrated in the figure below.

Figure 3: High level CNAPP framework, image courtesy of Gartner.

Going deeper into the weeds, Figure 2 can be broken down into further detail; anyone who wants more granular information on the topic can obtain it here.

The Solution to our Challenge:

Returning to our specific issue #1 – How do we ensure that we address any misconfigurations before they go live? How do we continually monitor for them?

CSPM (Cloud Security Posture Management) tools address this. Their capabilities include the ability to:

  • Automate governance across multi-cloud assets and services
  • Visualize and assess security posture
  • Detect misconfigurations
  • Enforce security best practices and compliance frameworks

CSPM is not only a valuable tool for cloud security teams, but it is also an important toolset for developers and for any audit team.

Issue #2 – How do we ensure that we catch any hardcoded secrets and continuously scan code through the development lifecycle (shifting security left)?

Another contemporary toolset being adopted by both DevOps and cloud security teams includes tools that “shift security left”: security is incorporated into the development cycle from the onset. Some of the features and capabilities of these tools include the ability to perform:

  • Infrastructure-as-Code Scanning
  • Code Tampering Prevention
  • Hardcoded Secrets Detection
  • Source Controls and CI/CD Security
  • Source Code Leakage Detection
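As an added illustration tying issues #1 and #2 together (this is example code, not Check Point's or CloudGuard's), the toy pre-deployment gate below scans a constructed Terraform-style snippet for hardcoded secrets and common misconfigurations and refuses to pass while anything remains to remediate. The rule set, rule names and all sample values are assumptions chosen for the example.

```python
# Added illustration (not Check Point's tooling): a toy pre-deployment gate that
# scans Terraform-style text for the two issues above. Sample config is constructed.
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    line: int    # 1-based line in the scanned text
    rule: str    # rule identifier
    detail: str  # offending line, whitespace stripped

# Issue #2: hardcoded secrets. "AKIA" + 16 uppercase alphanumerics is the documented
# shape of an AWS access key ID; the second rule catches a credential-named
# attribute assigned a literal string of 8+ characters.
SECRET_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("literal-credential", re.compile(
        r"""(?i)\b(password|secret|api_key|access_key|token)\b\s*[:=]\s*["'][^"']{8,}["']""")),
]
# Issue #1: misconfigurations that CSPM-style checks should flag before go-live.
MISCONFIG_RULES = [
    ("s3-public-acl", re.compile(r'\bacl\s*=\s*"public-read(-write)?"')),
    ("storage-unencrypted", re.compile(r"\b(storage_)?encrypted\s*=\s*false\b")),
    ("world-open-ingress", re.compile(r'\bcidr_blocks\s*=\s*\[\s*"0\.0\.0\.0/0"\s*\]')),
]
SAMPLE_TF = """\
provider "aws" {
  access_key = "AKIAEXAMPLEEXAMPLE12"   # constructed value, not a real key
}
resource "aws_s3_bucket" "logs" {
  acl = "public-read"
}
resource "aws_db_instance" "app" {
  password          = "Winter2021!Change"
  storage_encrypted = false
}
resource "aws_security_group_rule" "ssh" {
  from_port   = 22
  cidr_blocks = ["0.0.0.0/0"]
}
"""

def scan(text: str) -> List[Finding]:
    """Run every rule over every line; one line can trip more than one rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for rule, pat in SECRET_RULES + MISCONFIG_RULES:
            if pat.search(line):
                findings.append(Finding(n, rule, line.strip()))
    return findings

def gate(findings: List[Finding]) -> bool:
    return not findings  # True only when there is nothing left to remediate
```

Running `scan(SAMPLE_TF)` reports six findings on five lines (the provider line trips both secret rules), and `gate` stays closed until every one is fixed.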

As stated in the opening paragraph, ideally, an organization would have a strategic blueprint and cover these during a planned program. Check Point can assist with a workshop to review and update or help develop one for your organization.

Check Point can also assist Audit & Compliance, Cloud Security and DevOps teams. Our CNAPP-aligned CloudGuard portfolio of solutions is centrally managed and consists of the components shown in Figure 4, below:

Figure 4: Check Point CloudGuard CNAPP (high level).

For more details, please visit: https://www.checkpoint.com/cyber-hub/cloud-security/what-is-a-cloud-native-application-protection-platform-cnapp/