For most organizations – whether cloud-native or going through a digital transformation – managing your cloud and non-cloud digital assets has followed form with how IT manages physical assets.
When security and compliance teams purchase security licenses or when engineering teams add new DevOps tools, this information is collected into an asset management tool or configuration management database. But in a world where critical digital assets are increasingly ephemeral, manually keep track of what is and isn't in your cloud becomes impossible. Traditional approaches to cloud security can't keep up with the speed of DevOps.
Not only that, but digital environments are becoming increasingly complex, with the ability to assume roles, constant hiring and an emphasis on continuous development and delivery. With new instances spun up regularly, organizations simply don't have the time or resources to keep up with the changes.
This is the very reason your organization can become increasingly vulnerable as it grows or your product matures.
Asset Discovery: The Next Level
In order to maintain a pulse of their security or compliance postures, security teams need to prioritize automating visibility into the changes happening in their environment. You can't protect what you can't see, so knowing what new assets exist is essential to security assurance. Asset discovery solutions typically integrate directly with your tools and providers to aggregate data.
These integrations should be configured to run routinely, and frequently. Knowing what your environment looks like on a monthly or even weekly basis leaves too much time for a breach to occur. Instead, these integration jobs should run at least daily – and even more often for your assets that are critical (especially if they can change often). That way the feedback loop on what is new occur frequently, speeding up remediation.
With that data in hand, it becomes easy to visualizes changes in your environment over time, which simplifies spotting anomalies.
Go Beyond a List with Configuration Monitoring
It doesn't stop with collecting a list of assets, though. The state of an asset and its relationships with other assets and resources will give you a better understanding of the context of your digital environment. You will have a greater grasp into the potential risks and can more accurately model out threats when you know what can talk to, access or even change an asset.
Configuration monitoring involved collecting the metadata around resources and assets. Without the right solution and workflow, however, this can very quickly become overwhelming.
Each asset in your environment carries dozens of details: who owns the asset, when it was last updated, what this asset has access to, etc. Tracking what is normal and expected when it comes to these relationships is essential to determine when things get out of whack. This information can also be used for prioritizing your time when numerous things are out of whack.
Asset Discovery & Configuration Monitoring are Foundational
Building out a cloud security program when you don't know what's in your cloud is like driving blindfolded. Sure, you could get to your destination. It's definitely possible. Unlikely, yes, but possible.
Taking the blindfold off isn't a guarantee you are going to get to where you want to go without an accident either, but your chances of success are a lot better. You can see the inputs of your surroundings and adjust, rather than just hope.