Managing your Code-to-Cloud Security Risks in a Multi-Cloud Environment

So, hello, good afternoon, all my name is anal and today I'm gonna talk about managing your code to cloud security risks in a multi-cloud environment. So when I say code to cloud, that's really about indicating that the security risks that we are managing are very limited to only cloud so far and we are not doing a holistic, or we don't have a holistic view of manage the security risks from the time they originate at the time of application development when they, when they go to the cloud deployment during the runtime and finally into the cloud.

So yeah, I think with that we have been trying to do a lot of cloud security risk management as part of some very standardized, siloed tools. We have got a number of different kinds of technologies and tools available in the market today. They come in a various names and shapes and formats. The most primary one is of course csp, cloud security portion management, where we are trying to understand what are the common cloud misconfigurations and vulnerabilities and trying to address that as part of those workloads when they have been deployed into the cloud environment.

Now again, even words if you're talking about one tool per cloud or even going further down when we are talking about each of those stages into the cloud. So one tool for let's say Azure aws, one tool for gcp and then having a different CS p m just to manage cloud misconfigurations than a tool called cwp cloud workload protection to make sure that you are able to understand what are the vulnerabilities and code vulnerabilities into the application workloads into each of these cloud environments. It's a very segregated, siloed approach, what we are taking to cloud multi-cloud security.

So yeah, understanding, first of all, we have been talking a lot about is I am there yet are we able to manage those security risks into a multi-cloud environment? And everybody of us is talking about how organizations are not being able to just manage the applications and workloads into one cloud, one cloud CSP cloud provider. We definitely have a need today to make sure that we are flexible and we are open to adopting all these different cloud providers and are able to provide consistent and holistic security across all these multiple cloud security providers.

So R access management has been trying to address part of it, the pieces of it, if I'm not wrong, you'll understand. You'll see that in the days when we were running our applications onto Unix servers, Linux servers is versions, we all had controls with some kind of an management and we were still having controls on those systems and applications that were running on the system servers, right? When we are moving those, those workloads and applications to the cloud, we are leaving all that control to the cloud service providers, right?

We are not deploying our own controls, we are not even managing them. Even that's not a part of Discussion when we talk about managing or migrating those applications into the cloud. We talk about only doing a post security risk analysis when those workloads have been deployed and been running into the cloud.

So yeah, can I actually help you to manage and bring, can you bring I into the discussions early on when you're trying to move these applications into the cloud? So they have been multiple terms c a for example, cloud native applications protection platforms, which is more of a holistic and integrated approach to the cloud security, multi-cloud security. And within CAPP there is a specific, I would say a domain or you know very much which is related to anti access management is the key cloud install section, elements management.

Again, these are mouthful of words. They do the very pretty much similar thing what we have been trying to do as part of your TEX access management.

But yes, is Kim there yet Is Kim trying to actually help you manage those entitlements and access permissions that you are actually trying to to address? And finally how you should be operationalizing KE as to how you wanna deploy that and get the maximum success and ROI out of your deployment of ke.

Well, before we go further dive into the exact scenarios of ke, I think some quick understanding of how the market is growing. So c a P market, it's probably about somewhere about 10 point 10.5 billion by degrees seven CGR of 18 point 10%. There are some of the studies from the industry reports in C A P overall, we are seeing that csp, which is the cloud security permission management and CWP cloud worker protection, they are the two predominant technologies which are actually the most buying preferences of the customers. They are estimated about 80 to 85% of the overall CNA market size.

There are a number of technologies and vendors coming to the market to help you address multi-cloud security risks. We have seen more than 10 new products and vendors and also accessing product vendors talk about IG or pam. They're also trying to develop some of the other sort of scheme to actually help you address the existing vulnerabilities and secure risk into multicloud environment. In terms of overall market trends, you'll see of course the cloud native platform market actually dominate.

There have been specific vendors who are trying to do IT proxy way, but again they're trying to move away from that on-prem proxy based architecture entirely into the cloud. Of course, the visibility of cloud security risks across multiple eyes and past platforms remain the key growth, but a key concern.

But again, the consistency of these controls across the cloud providers and the visibility remained the primary concern and also again, the secondary concern for most of the most of the buyers for the CSP and Synapse.

And yeah, finally, we definitely see that when you're talking about the operational success of ke, it's really lying into how you can integrate the key to get that value into the overall Im, so we have got talking about working with KE and the privileged success management and the IG tools, integrating the key and actually taking those entitlements into, for example, when you're looking at providing the just-in-time privileges or previous access to specific resources in AWS or gcp, can you actually enforce those controls using your existing time tool and make sure that the just-in-time roll activations are addressed the same way that you have been trying to do for let's say Azure.

So I think it's about the consistency of those controls, consistency of applying those policies be is access or getting those entitlements into your iga and saying that while I can run not just the access reviews for my users who have access to a specific sources in in Azure, but I can also do that for AWS and GCP and even not that, I can also do it similarly for other environments which are let's say my Kubernetes or the Docker, Docker container environments.

So I think that's exactly what we are trying to do as part of that's part of integration with the PAM and I g that's, that's exactly the domain where the IM or the team has been integrated into IM and Pam tools as well. So yeah, talking about the cloud security stages, when we talk about the IDEX access management, we probably don't look at how actually you are doing the development of these collaborative applications and where exactly IM scheme and CNA is more relevant too. So we talk about the cloud configuration first, right?

So when we talk about getting into the cloud or migrating your workloads in the cloud, you first of all come up with a con I idea concept of doing the cloud configuration. You create the landing zones, you create the reference architecture for cloud, you talk about security zoning, network isolation segmentation. If you're trying to use some templates for INFRAS code, you are using some of those tools around Chef Jenkins puppets cloud formation.

And you have, that's, that's a good point here that if you have already introduced some of the vulnerabilities into any of these templates of iscs, you are gonna continue with that. And if that's only going to going to go aggregated across your cloud providers as well, then of course you have, you're trying to build security for VMs, containers, serverless functions and yes, to an extent cloud security posture management tools are trying to address part and piece of it.

But again, that's again post deployment. When these workloads are already there in the cloud running, you can address some of the MIS cloud misconfigurations and address that to certain extent. Let me talk about the, the workload protection part, right? That's where, when these applications workloads are being developed as part of your different development tools and development frameworks, we talk about DevSecOps, static application secure testing or dynamic SOPHIC composition analysis, securing those C CD pipelines.

When you move this code across different environments and release phases securing the data based on the data sensitivity these applications are dealing with, you have got multiple keys and secrets management. Again, this has been part of the PAM or the IG tools as well of basically the IM domain.

And yes, we are not addressing that. It's still in the, as part of the workload protection. Then you have got vulnerability management and how attacks can through flow across your application development lifecycle for attack path analysis. And then you have got the runtime security when you have got these workloads running into different cloud environments, containers, VMs, how can you provide the runtime security for for IT applications? And that's where again, cloud workload protection comes in. You need to provide security for API protection, threat hunting.

You are gonna do risk remediation, application monitoring and eventually detection and response. So this is, I'm just trying to give you a picture of how cloud security stages workload goes through as part of your overall cloud deployment life cycle. Now the CAPP CAPP gives you the holistic picture here. Cnap actually comprises so far of these four multiple four important pillars, cloud security portion management, which has these functions, cloud workload protection, which has these supporting functions.

Cloud infras development management, which is probably the, the focus of the talk today actually helps you to assess the critical resources, access to the critical resources, help you harden these resources with right sizing of permissions. They are different names to in the market privilege, right-sizing access, right-sizing, just in time privileges, delivering these permissions on demand whenever you need to have these access permissions to let's say administrators or users across the cloud resources and finally do the automated remediation.

Right now we are talking about remediation as very guided approach. You can build remediation, but yes, we also can do policies, policy-based remediation. So you can define policies, let's say if this happens, and this is the kind of anomaly that you see, you can rightsize the, or the downsize the permissions automatically for these users. And then finally, based on the patterns, you can detect anomalies and, and create remediation policies.

Eventually also have got DevOps security as I was talking about that for you to identify the code vulnerabilities, understand what are the integration, integrate security into an entire application development lifecycle and securing the C I C D pipelines. So where does access management can help you in the whole cloud security framework. So this is where exactly the ones which are in the color here are the ones where andex management can come in and start to make the application lifecycle development more secure right from the code to the cloud, as I said.

So when we talk about the building and testing applications, there are different functions, but I management can help you to make sure that you are able to understand where the keys, credentials and access keys lying across the code, understand them built into the where they're embedded and make them, for example, bring into the common vault or how you're managing credentials into organization. It can be a key vault, it can be a PAM tool or whatever.

And of course you are going to definitely deal with multiple number of service accounts and machine identities as well as part of your build and test phases. So IDX management can actually help you scan those, bring them again as part of your development maintenance of your, let's say workload identities or in the kind of tool that you're make using to manage and secure those service accounts.

Again, as for the deployment phases, managing compliance, visibility, governance, any RT based misconfigurations, I think we're talking about a lot about IT TDR right now. So I think that's exactly the piece where, which can be, which can be addressed using, using im. And then finally, account permissions. During the runtime, you exactly need to know what accounts are being used to actually run these applications as part of what permissions, authorizations meet any container or you know, or or containers environment or specific, you know, features.

So I think you can use these accounts with the right authorization permissions to run as part of workload protection. And finally, as part of management and threat detection, you can have the I access management manage detect any of those i t specific attacks anomalies.

Again, it TD are here, automate I access permissions and finally review taxes entitlements, which is part of your I G A. So you can Pfizer entitlements use that as part of your access reviews in the I G CM is exactly, we talk about the lifecycle. These are particularly about how you can, how you can run these entitlements through that entire phase of management.

And Kim exactly helps you to, to manage the entitlements through the discovery phase where the discovered elements across your multi-cloud environment, take them to the threat assessment, understand anomalies, do the privilege right sizing of those permissions. That can be done manually. You can do the automated remediation as you can create those policies, downsize of downsizing of permissions because you don't want to really keep those standing privileges for a long time.

You can automate the, the downsizing remediation for those specific excessive permissions or excessive entitlements that you have that have been given to the users as part of the provisioning of these workloads in the cloud environment. And finally the monitoring and governance. So how you can do the entire monitoring, continuously analyze those permissions.

Again, that comes as part of detecting the unusual activities. And again, when you talk about governance, IG is the best bet for you to actually take those entitlements, integrate the key with iga, make sure that you can run access reviews on those entitlements on a regular basis.

So yeah, there's not enough time. I'm just gonna rush to rush you guys through this one.

But yeah, the key market alignment has been discussed and debated. A lot of times we're talking about whether key is part of c a or should the Im, IM leaders take the key into their, their control and, and and and their, their domain.

But again, it's, it's something which is overlapping right now we see the C A P C A or cloud security portion management and CWP also trying to do a lot of key functions. Most vendors, which are the CSP vendors, also trying to build some of the key components and trying to address the, the, the infrastructure element management. Same time we also seeing that a number of PAM and IG vendors are also trying to get into space, trying to manage the key entitlements because it's easy for, easy for them to extend the governance and the previous access management part of Im into the cloud.

That's exactly what Im leaders need to do today. So yeah, these are specific segments and we are not seeing a tug of war here, but it's easily as part of an overlap functionalities, we'll see that these are some of the functions which KE address for the S Porwal and these are some of the functions which KE can help you address as part of your Im it's again, very easy I would say representation of when you talk about C S P M C W P N KE key across this different lifecycle, what these tools can actually help you manage.

So a quick summary of the slide is that if you look at a CSP that comes as part of the management phase or into the cloud life cloud management lifecycle, if you talk about the cwp, that is probably more around deployment and the runtime, but key actually helps you to manage across the lifecycle and that's what you should be looking at right from the build, deploy, run and manage. Yeah, I think with that, this is a quick slide on how you want to really operationalize the key as part of your multicloud security journey.

This is nothing, not too different than many of the tools when you talk about PAM and iga. So how you want to strategize, how you wanna decide on what, what technology, what kind of use cases then you want to address. Planning phases, deployment phase, this is where exactly the risk as risk assessment features come very handy from most key and CSM tools. They have got these capabilities to, for you to perform the risk assessment into the cloud, you can bring in those entitlements conduct and understand the risk of these phases.

And finally you are gonna do the expansion and scoping into the of your multi-cloud with with key. So yeah, with that, it was quite a run. And thank you all for listening into this presentation and yeah, if any questions, I'll be here. Thank you. Thank you for the presentation.