Discovering Cloud Unknown Unknowns

Cloud asset discovery is one of the most overlooked and least understood components of most organizations' cloud strategies. Here's why.
Discovering an organization’s Internet edge was a straightforward effort when IT had its own data centers and security was a matter of scanning a static IP address list to ensure asset security. Today, most organizations have, or are building, substantial cloud footprints. A huge driver of this is developers, marketing and other non-IT functions creating (and abandoning) assets in the cloud. Many of these unknown and unauthorized cloud assets are in ephemeral IP space, making it even harder for organizations to get a holistic view of their cloud footprint for security and infrastructure management.
As global cloud adoption climbs, new IT and security challenges emerge that current tools fail to address. While securing known assets is straightforward, it is not possible to secure what is not known -- things like shadow IT and rogue development, both of which abound in the cloud. Enterprise cloud footprints present unique challenges including:
- The failure of existing tools to discover cloud assets across authorized and unauthorized providers in a current, reliable, and comprehensive manner;
- The ease and speed with which unknown and unauthorized cloud assets can be spun up and remain active and undiscovered;
- The deficiency of existing tools to reliably surface owned assets vs. other assets in multi-tenant or ephemeral environments.
Managing and securing assets in ephemeral IP space requires a view of assets that is both current and accurate. Incumbent cloud management tools fail because they attribute a cloud IP address to an organization simply because that address was once seen hosting a company asset. This information quickly goes stale and isn't useful or actionable for securing rogue cloud assets. As a result, security paradigms designed for static networks don't work in the cloud. Worse, relying on this ineffective approach can cause IT and security practitioners to scan, penetration test, and waste time investigating assets that aren't even theirs -- all while missing critical unknown cloud assets that create risk.
Many cloud management tool vendors argue that they provide a comprehensive view of assets via integrations with IaaS management interfaces. Dr. Marshall Kuypers, senior director of cyber risk at Expanse, cautions that "on the surface, this may seem like a good solution, but this strategy only covers what’s already being tracked, and that may provide a false security assurance."
Dr. Kuypers notes that these integrations fail to identify "unknown unknowns," which are routine in large organizations and result from out-of-policy marketing, development, and other business functions that drive rogue cloud deployments. Multi-tenancy exacerbates the issue since assets from more than one company can exist on the same IP.
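As an added example (not Expanse's code or method), the toy inventory below contrasts the two attribution models described above: the legacy "once seen, always ours" mapping against an evidence-based one that ages out stale observations and flags multi-tenant IPs. All addresses (TEST-NET-3), hostnames and the example.com organization domain are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Observation:
    """One point-in-time look at an IP: when it was seen and which hostnames
    (forward DNS resolving to it, names on the TLS cert it served) were tied
    to it at that moment."""
    ip: str
    seen_at: datetime
    names: frozenset  # hostnames observed at this IP at seen_at

ORG = "example.com"  # hypothetical organization domain (constructed)

def _is_ours(name: str) -> bool:
    return name == ORG or name.endswith("." + ORG)

def stale_attribution(history) -> set:
    """Legacy model: an IP seen hosting one of our names at ANY time stays
    attributed to us forever, even after the provider reassigns it."""
    return {o.ip for o in history if any(_is_ours(n) for n in o.names)}

def current_attribution(history, now: datetime, max_age=timedelta(days=7)) -> dict:
    """Evidence-based model: judge each IP only on its most recent observation,
    require that observation to be fresh, and flag IPs shared with other tenants."""
    latest = {}
    for o in history:
        if o.ip not in latest or o.seen_at > latest[o.ip].seen_at:
            latest[o.ip] = o
    status = {}
    for ip, o in latest.items():
        ours = {n for n in o.names if _is_ours(n)}
        if not ours:
            status[ip] = "released"    # IP now serves only someone else's names
        elif now - o.seen_at > max_age:
            status[ip] = "unverified"  # evidence too old; re-observe before acting
        elif len(ours) < len(o.names):
            status[ip] = "shared"      # our names plus a stranger's: multi-tenant IP
        else:
            status[ip] = "owned"
    return status

# Constructed sample history: .10 was reassigned, .30 is multi-tenant, .40 is stale.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=30)
HISTORY = [
    Observation("203.0.113.10", T0, frozenset({"shop.example.com"})),
    Observation("203.0.113.10", T0 + timedelta(days=29), frozenset({"blog.other.test"})),
    Observation("203.0.113.20", T0 + timedelta(days=29), frozenset({"api.example.com"})),
    Observation("203.0.113.30", T0 + timedelta(days=28), frozenset({"dev.example.com", "www.tenant.test"})),
    Observation("203.0.113.40", T0 + timedelta(days=2), frozenset({"old.example.com"})),
]
```

Running `stale_attribution(HISTORY)` still claims all four IPs, including the one now serving another tenant's blog, whereas `current_attribution(HISTORY, NOW)` returns one owned IP, one shared IP, one released IP and one that must be re-observed before anyone scans it.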
Dr. Kuypers further states that customers who use Expanse's whole-of-Internet cloud discovery routinely find between a 3% and 70% increase in cloud-based Internet assets they were unaware of -- and these assets typically comprise some of the most risky misconfigurations on organizations' Internet edge. The discoveries typically include things like exposed (and sometimes already compromised) datastore services, abandoned development environments, and even pop-up e-commerce sites.
The "Whole-of-Internet" Approach
Today, an organization's cloud assets can reside in any provider in the world -- including residential/commercial cloud providers. To fully solve the problem, organizations must take a discovery-first, "whole-of-Internet" approach to cloud security.
Once cloud assets are discovered and any risky misconfigurations are exposed, organizations can then leverage a myriad of cloud security tools on the market, or simply the IaaS console, to manage asset permissions and other configuration items. But cloud asset discovery must be a continuous process to maintain a clear and accurate picture of the organizational cloud footprint.
About the Author
Jeremy Linden is director of product management at Expanse. He has over ten years of experience in computer security, wearing hats that vary from security analyst to engineering and product management. Prior to Expanse, Jeremy held security product management roles at OpenDNS and Lookout.