fermer
fermer
Le réseau de demain
Le réseau de demain
Planifiez votre chemin vers un réseau plus rapide, plus sûr et plus résilient, conçu pour les applications et les utilisateurs que vous prenez en charge.
          Essayez Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            Un leader sur SSE. Désormais leader en matière de SASE à fournisseur unique.
            Un leader sur SSE. Désormais leader en matière de SASE à fournisseur unique.
            Netskope fait ses débuts en tant que leader dans le Magic Quadrant™ de Gartner® pour le SASE à fournisseur unique.
              Sécuriser l’IA générative pour les nuls
              Sécuriser l’IA générative pour les nuls
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                La prévention moderne des pertes de données (DLP) pour les Nuls
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  Réseau SD-WAN moderne avec SASE pour les nuls
                  Modern SD-WAN for SASE Dummies
                  Cessez de rattraper votre retard en matière d'architecture de réseau
                    Identification des risques
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        Les 6 cas d'utilisation les plus convaincants pour le remplacement complet des anciens VPN
                        Les 6 cas d'utilisation les plus convaincants pour le remplacement complet des anciens VPN
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmolive protège sa "propriété intellectuelle" "grâce à une protection des données intelligente et adaptable
                          Colgate-Palmolive protège sa "propriété intellectuelle" "grâce à une protection des données intelligente et adaptable
                            Netskope GovCloud
                            Netskope obtient l'autorisation FedRAMP High Authorization
                            Choisissez Netskope GovCloud pour accélérer la transformation de votre agence.
                              Let's Do Great Things Together
                              La stratégie de commercialisation de Netskope privilégie ses partenaires, ce qui leur permet de maximiser leur croissance et leur rentabilité, tout en transformant la sécurité des entreprises.
                                Solutions Netskope
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Support technique de Netskope
                                  Support technique de Netskope
                                  Nos ingénieurs d'assistance qualifiés sont répartis dans le monde entier et possèdent des expériences diverses dans les domaines de la sécurité du cloud, des réseaux, de la virtualisation, de la diffusion de contenu et du développement de logiciels, afin de garantir une assistance technique rapide et de qualité
                                    Vidéo Netskope
                                    Formation Netskope
                                    Grâce à Netskope, devenez un expert de la sécurité du cloud. Nous sommes là pour vous aider à achever votre transformation digitale en toute sécurité, pour que vous puissiez profiter pleinement de vos applications cloud, Web et privées.

                                      Addressing Configuration Errors With CSPM and SSPM

                                      Oct 26 2021

                                      Even though cloud computing isn’t all that new anymore, learning how to use it effectively can be overwhelming. It’s unfortunately very easy to make mistakes. We know the vast majority of cloud security failures are configuration mistakes of some kind or another, so developing the discipline of correct configuration — aided by properly implemented cloud security posture management (CSPM) and SaaS security posture management (SSPM) — is the best thing an organization can do to ensure that they use the cloud safely and securely.

                                      When further analyzing CSPM and SSPM, there are specific factors to consider to fully understand how to take advantage of each, especially when facing such configuration errors.

                                      Cloud Security Posture Management (CSPM)

                                      CSPM has emerged as a robust product category to help organizations cope with today’s cloud complexities. CSPM allows organizations to interrogate the security posture of the workloads they have deployed into a public infrastructure-as-a-service (IaaS) cloud.

                                      But what are they interrogating against? There are several baselines — minimum security control recommendations established by industry groups like the National Institute of Standards and Technology (NIST) and the Cloud Security Alliance (CSA) — plus many CSPM vendors also have their own baselines. These baselines all look for common issues. For example, one of the most common mistakes that we see over and over again in public clouds is a storage object that is open to the world (in AWS, that would be an S3 bucket, or in Azure, that would be a blob). Anybody who can point their browser at this object can then read the contents of what has been stored.

                                      Public cloud resources are generally closed by default. The only entity with initial access to the object is the person who created it. However, let’s say a storage bucket is created and an application needs to read from it. An organization may not take the time to go through all the pain of writing a complicated bucket access policy, which is a little pile of JavaScript Object Notation (JSON) code. For expediency, the default access control list can be quickly changed to grant the world read access — and then it can be returned to the default just 30 minutes later.

                                      What happens next is pretty predictable — 30 minutes have passed, and the bucket’s owner’s attention has drifted elsewhere. Now, that bucket of sensitive information is just sitting there, tempting anyone who might happen to discover it. Open storage bucket mistakes happen all the time for similar reasons. Eventually, someone or something will come along and find it. Attackers can download tools from the internet that scrape the S3 namespace looking for such opportunities. Fortunately, a CSPM can automatically check bucket permissions to make sure nothing is misconfigured and left open.

                                      SaaS Security Posture Management (SSPM)

                                      Did you know that software as a service (SaaS) actually eats up more budget than IaaS? According to research (paywall) by Gartner, Inc., most organizations spend one and a half to two times as much on SaaS as they do on IaaS and PaaS, yet for one reason or another, the security of SaaS hasn’t historically received the same amount of attention. Maybe this is because, up until very recently, SaaS has been exceptionally self-service. 

                                      While there’s a lot of SaaS out there, most of an organization’s mission-critical data resides in a shortlist of strategic applications. These typically have their own security controls; they may be wildly different in quantity and degree (e.g., Office 365 has far more built-in controls than Dropbox), but they still require proper configuration. Unlike IaaS, where objects that are created are “closed” by default, the opposite is true with SaaS.

                                      For example, the default configuration of an Office 365 tenant is such that if users have access to a file, they can share that file with anyone in the world. Whoever finds the link can forward it to anyone else in the world. Microsoft decided to facilitate sharing — it wants it to be as easy as possible for individuals to collaborate. It’s a business decision, but it has ramifications, so it’s very important to think clearly and deliberately about how to configure native SaaS controls.

                                      This is where the new SSPM product category steps in. I first noticed this was an emerging market last year, and I placed it within the 2020 Gartner, Inc. cloud security Hype Cycle (subscription required) — giving it the SSPM name. Today, many security vendors are adding SSPM capabilities as part of their larger SaaS protection offerings. As organizations finally begin to grapple with the fact that they’re spending a lot of money on SaaS and storing a fair amount of critical business information in a handful of strategic SaaS applications, having the tools to properly govern these platforms is critical in order to fully benefit from SSPM.

                                      Getting Started

                                      A logical starting point for verifying the correct cloud configuration is to use the native tools from your cloud providers. All the major IaaS/PaaS providers offer a CSPM, and a handful of SaaS providers offer SSPM. These tools may be considered adequate for single-cloud companies — however, most companies these days are truly multicloud.

                                      It’s more sensible to rely on independent, provider-neutral CSPM and SSPM tools for a number of reasons. A single CSPM for all IaaS/PaaS and a single SSPM for all SaaS ensure that posture is consistent and repeatable across your entire cloud ecosystem. Posture management tools sit alongside your cloud deployments, and because they rely on cloud APIs to investigate your configuration, you don’t need to schedule any production downtime or lengthy integration phases to begin deriving value from them.

                                      Increasingly, CSPM and SSPM vendors are adding automatic remediation capabilities, but don’t enable this immediately. Instead, spend time with the tools to verify that their suggestions are applicable. Once you’ve gained some trust that the tools have adapted to your specific environment, then consider enabling automatic remediation.

                                      As cloud adoption continues to accelerate, organizations need to maintain an adequate security posture. By deploying an effective CSPM and SSPM strategy, organizations can continue to observe and prevent cloud security failures rooted in configuration errors.

                                      This article was originally published at Forbes Tech Council.

                                      author image
                                      Steve Riley
                                      Steve Riley is a Field CTO. Steve has held technology roles for more than 30 years, including Gartner Inc., Riverbed Technology, Amazon Web Services, and Microsoft Corp.
                                      Steve Riley is a Field CTO. Steve has held technology roles for more than 30 years, including Gartner Inc., Riverbed Technology, Amazon Web Services, and Microsoft Corp.

                                      Restez informé !

                                      Abonnez-vous pour recevoir les dernières nouvelles du blog de Netskope