Rapid cloud adoption isn’t an accident.
As the number of enterprises looking to tap into the efficiency, accessibility, and scalability of the cloud increased dramatically, the number of service providers and infrastructure platforms available enjoyed the same meteoric rise.
Unfortunately, the explosion of cloud adoption has resulted in some collateral damage. While service providers address the security of their own platforms, it’s the enterprise’s responsibility (in conjunction with their implementation partners) to ensure the appropriate configuration of the robust security control capabilities the providers enable. As a result, enterprises are left with disparate security capabilities pieced together across multiple platforms, and the risk surfaces that are left unprotected can be huge.
To shore up security, enterprises must approach cloud security posture management (CSPM) with renewed vigor. CSPM is about discovering vulnerabilities before bad actors can take advantage of them, and the practice is the foundation of an enterprise’s cloud security strategy.
Common CSPM Obstacles
Cloud infrastructure is constantly changing. Whether it’s new development or updates to existing software, the continuous evolution in the cloud inevitably results in the creation of misconfigurations or vulnerabilities. According to research from Gartner, these misconfigurations will account for some 95% of all cloud security issues in 2020 and 99% by 2023. In other words, hackers almost never have to force their way into cloud environments. They simply have to choose the right door to open.
Such was the case in the 2019 breach of Capital One that exposed the personal information of more than 100 million customers. A simple firewall misconfiguration allowed a woman from Seattle to access sensitive files stored on Amazon Web Services servers, including the bank account and Social Security numbers of a combined 220,000 people.
Because the data was stored on AWS, it is a common misconception that the cloud services provider (in this case, Amazon) is to blame. In one survey of 550 IT leaders by Barracuda Networks, 64% felt it was the cloud provider’s responsibility to secure customer data. In reality, the shared responsibility model makes clear that the cloud provider is responsible for the security of the cloud itself, while the customer is responsible for the security of its contents, that is, the information the customer stores in it. AWS didn’t experience a breach during the Capital One incident. Instead, a misconfiguration allowed the wrong person to freely access information that Capital One should have been protecting.
Security and Salesforce
As one of the most popular platform-as-a-service solutions, Salesforce is commonly an organization’s first foray into the cloud. On the one hand, the robust capabilities built into the platform allow any enterprise to deliver an incredible experience for their customers. But it’s not just your CRM anymore. The robust processes for which organizations are now using Salesforce necessitate that companies capture and store a wealth of valuable data. Historically, any governance and verification of security controls was addressed by the line of business because “it’s Salesforce.”
Today, enterprises realize the need for independent and evidence-based oversight that’s architected in line with the way Salesforce is being used (it’s a platform, which evolves very quickly based on an organization’s business needs, with capabilities that can be extended almost endlessly).
Salesforce includes powerful security controls, but it can be a challenge to verify what data you are storing in the platform (data classification) and gain insights into how the security controls have actually been implemented in your specific configuration (e.g., user authorization, protection, retention, and data loss prevention).
Implementing a CSPM approach is a key enabler of transparency into what’s happening in your environment, so that your center of excellence and line of business can continue to go fast without adding unnecessary risk (internally and externally). Start with these steps:
1. Identify key stakeholders
It’s not your cloud service provider’s job to apply your organizational policies to securing your data, so who should be manning the helm? Whether these responsibilities fall to your CISO, an appointed CSPM task force, or a third-party cloud security management firm, ensure that you’ve assigned clear responsibility for cloud security duties. By removing ambiguities, you prevent basic misunderstandings or miscommunications from compromising your company’s cloud security.
2. Audit security systems
Depending on the needs of your organization, you might be relying on software-as-a-service, infrastructure-as-a-service, or platform-as-a-service models — or even a combination of all three. These cloud environments each necessitate different security measures, and it’s important to clearly identify these differences so you can take them into account when establishing your security strategy.
CSPM isn’t a destination; it’s a never-ending journey. Cloud security is continuously improving, but hackers are also enjoying advancements in tools and processes to breach your defenses. In these shifting sands, it’s important to monitor your cloud environments continuously. By detecting vulnerabilities before bad actors do, you can save your company and customers from exploitation.