Several interesting points are made in the article
"Amazon, Microsoft Cloud Leaks Highlight Lingering Misconfiguration Issues." I can't help but think about how IT asset management can help alleviate some of the pain caused by cloud assets not being adequately managed.
"A string of household names lately have been responsible for misconfigured cloud storage buckets overflowing with wide-open data – once again shining a light on a cybersecurity problem for which there seemingly is no plug."
Is it reasonable to expect cybersecurity to know about every asset? No. Why? An accurate IT asset inventory is only possible when the entire asset lifecycle is managed. IT asset lifecycle management is orchestrating the collection and validation of data from the activities involved in the request, evaluation, approval, receiving, deployment, monitoring, and disposal of IT assets. There is a "plug," and the "plug" is
Cloud Asset Management. Is the Cloud Asset Manager directly responsible for plugging the holes? No. That responsibility rests with the appropriate role of an IT administrator. The Cloud Asset Manager's responsibility is to ensure the proper, accurate data is captured to monitor operations.
"And indeed, the [data] leaks are caused by a variety of misconfigurations rather than any bugs …"
I believe there is a bug, and it is in the processes or the design of the software. The organization requires insight into the cloud service provider's operations. IT standards exist for many reasons, and one reason is an attempt to reduce complexity through well-defined configurations. An IT standard for a laptop defines the laptop's configuration. The same can be applied to cloud components. But cloud components are not only configured by the organization's staff; the cloud service provider also configures them. Therefore, vendor management is critical for cloud assets. Cloud Asset Management embraces vendor management and all tasks necessary to evaluate vendor compliance.
"Overall, 81% of organizations have experienced a security incident related to their cloud services over the past 12 months, with almost half (45%) suffering at least four incidents, according to Venafi."
One benefit of cloud services is the speed of deploying assets. But this benefit is a double edge sword. With speed comes the possibility of more mistakes. Isn't it time for a speed limit? Cloud Asset Management designs speed bumps with the buy-in from those driving over the speed bumps and, of course, speed monitoring. I started my career as a software engineer, and no software engineer wants to be burdened by meaningless processes. This perspective is why the Cloud Asset Manager must work closely with the cloud engineers to educate them on the purpose and value speed bumps bring to the organization. The security of cloud assets cannot rest solely with the cyber security team, nor should it.
"The increase in complexity of cloud-based and hybrid infrastructure, along with a lack of visibility into that infrastructure, has caused the increase in incidents …"
The lack of visibility is because the IT assets exist behind someone else's wall. When our assets were in our data center, we relied on our tools and processes. Cloud Asset Management establishes contractual agreements by the vendor to gain transparency into the vendor's cloud operations. Cloud complexity will only increase as technology advances, delivering more functionality and, thus, more sophistication. Complexity will only increase with the adoption of IoT and the fog layer.
"Yes, misconfigured cloud storage is one of the primary reasons for data leaks — I do believe that this is a trend …"
Cloud Asset Management brings IT standards that must apply to cloud storage configurations. An IT standard for a server has a well-defined configuration, and any request outside that configuration requires approval. Cloud Asset Managers work with IT to design the most efficient approval process and to capture configuration data. Without tools, one has to rely on other methods to obtain information. These methods include acquiring information from cloud service providers.
"Shadow" data — stored in cloned databases test environments, unmanaged backups, and data analysis pipelines — is the main threat …"
Someday, "shadow IT" may just become "IT." Why? Because cloud assets are quickly and cheaply acquired. Cloud Asset Management broadens its reach beyond IT and engages with departments and business units. Just because the IT department can easily be bypassed does not mean the organization's liabilities can be. Cloud technologies further decentralize IT with executive management's permission by distributing IT's budget to other departments and business units. While one can debate the wisdom behind decentralizing IT, one cannot debate the liability risk of using technology. And that is why Cloud Asset Management must provide its services to anyone using cloud services.
"Principle of least privilege must be adopted for every aspect of the data"
Cloud Asset Management defines the end-user roles to understand what technology is required by that role and what data access that role requires. Roles will also determine the type of IT, ITAM, and cyber security training required. Defining end-user roles has always been an ITAM best practice. Roles define the technology needed to set IT standards. Cloud end-user roles cover a wide range from the casual computer user to the technology specialist. Role definitions for technical people are critical because of the complexity of cloud services and the ease of configuration.
Conclusion
Cloud Asset Management brings you accurate inventory and vendor management. An accurate inventory is not only a requirement for cyber security but also ITAM, FinOps, compliance, and the service desk. For an inventory to be accurate, it must be continuously updated as the state of assets changes. These updates require lifecycle management of cloud assets, starting with "I think I need it" through and past disposal.
