The cloud is here to stay. But for many organizations, the challenge of managing their cloud assets and associated cloud risk still feels like a moving target.
Cloud visibility is — and should be — a top concern for executives and other leaders in security and IT operations. Organizations are increasingly migrating business-critical applications and sensitive data like PII to cloud services, making cloud security that much more critical. At the same time, their multi-cloud footprints are expanding, making it harder to keep track of all of their assets in the cloud. Eighty-five percent of companies are already operating in a multi-cloud environment and 98% of organizations will be within the next three years, according to a recent IBM survey.
We’ve validated the challenges associated with cloud visibility time and time again with our customers, including a number of Fortune 100 companies. With one major technology company, we found they had cloud assets hosted by over 10 different providers, three times more than they thought they were using. In some cases, we have found customers using over 100 other companies to host their assets including CSPs, third parties, consumer dynamic IP space, and CDNs.
Despite the importance of understanding where their assets reside, most organizations simply don’t have a good grasp of all of their cloud assets. They may understand a slice of their assets and be tracking what belongs to them in Azure or AWS, but they are unaware of (or lack visibility into) a shadow IaaS instance a developer spun up outside of their sanctioned corporate accounts, for example.
Organizations need to secure their assets in the cloud, but they can’t secure what they don’t know about.
The Challenge of Cloud Visibility is Systemic
The nature of cloud infrastructure and the changes in how enterprises are operating today have led us to this point. The movement toward agile product development and DevOps — which prizes speed to market above all else — can lead to people developing outside of known, managed systems. And because IaaS and PaaS are built to be self-service for developers, it’s easy for anyone with an email address and a credit card to spin up new infrastructure. These assets are then unknown to security teams and not monitored for adherence to security policies. Many high-profile hacks in recent years have come through these types of rogue infrastructure instances.
Organizational complexities like remote overseas offices, subsidiaries that operate independently, and acquisition events only increase the risk of not knowing and monitoring all of your cloud assets.
One major health insurance provider we spoke with said that every time they acquire a new company, they have to onboard dozens of IaaS accounts, and oftentimes they don’t fully complete this onboarding or integrate information about those accounts and assets into their other security tools.
Meanwhile, cloud responsibility is also often fragmented and spread across multiple security and IT operations teams, making it that much harder to identify and remediate issues quickly.
Existing Tools Don’t Provide Complete Visibility
Many organizations think they have full visibility into their Internet assets. But almost all of them are wrong. With virtually every organization we’ve worked with, we’ve found assets they didn’t know about and weren’t tracking.
Existing tools fall short for the following reasons:
- Vulnerability Management (VM) tools discover and inventory cloud assets and then scan those assets to identify and remediate vulnerabilities. However, they require agents to be installed or use cloud providers’ APIs to inventory assets from within known accounts. They miss assets that are outside of those accounts, leaving a blind spot.
- Cloud Access Security Brokers (CASBs) are either on-premise or cloud-based security policy enforcement points. They apply enterprise security policies as cloud-based resources are accessed and monitor usage. Few CASBs have coverage of IaaS, and those that do can’t accurately attribute cloud infrastructure back to the organization.
- Cloud Security Management Platforms (CSMPs) provide rich functionality to identify misconfigured and noncompliant cloud assets, sometimes even offering automated remediation workflows. However, they also require integration with cloud providers’ APIs to inventory assets from within known accounts. For most organizations, deploying agents on thousands of assets and integrating with hundreds or thousands of IaaS accounts is just untenable.
Cloud Security Can’t Wait
The challenges with cloud visibility and security only increase the longer organizations wait to deal with them. Gartner estimates that by 2021, 50% of enterprises will unknowingly and mistakenly have some IaaS, storage services, network segments, applications, or APIs directly exposed to the public internet, up from 25% in 2018.
Expanse is the only company that discovers, tracks, and monitors cloud assets across all cloud providers without any agents required. Benefits of Expanse’s Cloud Module include:
- Discovery and tracking of all cloud assets across all cloud providers, not just the big three
- The ability to quickly uncover unknown and rogue assets that are not part of sanctioned cloud accounts
- Continuous monitoring of global cloud providers for newly-created assets that tie back to your organization
- Analysis of your cloud footprint to better understand and consolidate cloud asset management into sanctioned IaaS accounts
Don’t wait to discover your cloud assets until they’re hacked. While cloud visibility is challenging, it’s possible with the right cloud visibility and security solution.