Sticking with our cybersecurity theme around Application Security (AppSec), we will be discussing AppSec and vulnerability management in the context of multi-cloud. It is clear that not only are organizations increasingly adopting cloud, but they are also quickly adopting multiple cloud service providers and offerings, especially if Software-as-a-Service (SaaS) is included. That said, what are the implications and challenges of AppSec when working in a multi-cloud model?
Vulnerability Aggregation
As organizations move toward DevSecOps and cloud-native architectures, CI/CD pipelines are accumulating a toolchain of scanners: SAST, DAST, secrets scanning, container image vulnerability scanning, and more. Each tool emits findings in its own format and schema, with its own severity scoring and metrics, so before the results can be deduplicated, prioritized, and tracked they first have to be normalized into a common form.
The problem is compounded in a multi-cloud environment. Multi-cloud means identifying and managing vulnerabilities across several cloud service providers and offerings, each producing its own native findings, and bringing all of that data together is the only way to run a cohesive vulnerability management program and understand what the organization's vulnerability footprint actually looks like.
Vulnerability Sources
When dealing with multi-cloud, you will be collecting vulnerabilities from many different sources: an AWS EC2 instance, a VM running in Microsoft Azure, an AWS Lambda function, a Google Cloud Function, each running its own code with its own dependencies and associated vulnerabilities.
The same applies to findings generated by Cloud Security Posture Management (CSPM) tooling, which covers the underlying configuration of the cloud environments themselves: networking, storage, compute, and the like. Each CSP's environment will produce its own set of configuration findings, and all of them need to be collected and governed in one aggregated view.
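As an added example (not part of the original article), the following Python sketches the normalization layer the two sections above describe: it maps a SARIF 2.1.0 SAST result, a Trivy-style container image finding, and an AWS Security Hub ASFF-style CSPM finding onto one common schema with a shared 0-10 severity scale, then counts the deduplicated findings by cloud provider and severity. The three format shapes follow the real public formats, but the sample inputs are constructed, the tool name ExampleSAST, the image name and the S3 bucket are hypothetical, and the label-to-score fallback tables are this example's own choices, not anything those tools define.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    source: str      # tool or format that produced the finding
    provider: str    # cloud the affected asset runs in: "aws", "azure", "gcp", ...
    asset: str       # source file, container image, or cloud resource id
    identifier: str  # rule id, CVE id, or finding id
    title: str
    score: float     # severity normalized to a 0.0-10.0 CVSS-like scale

    @property
    def severity(self) -> str: return bucket(self.score)

def bucket(score: float) -> str:
    """CVSS v3 qualitative rating scale, used as the shared severity vocabulary."""
    for floor, name in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if score >= floor:
            return name
    return "info"

# Fallbacks (this example's own choice) for formats carrying only a level or label.
SARIF_LEVEL_SCORE = {"error": 7.0, "warning": 4.0, "note": 1.0, "none": 0.0}
LABEL_SCORE = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 1.0, "INFORMATIONAL": 0.0, "UNKNOWN": 0.0}

# Constructed sample inputs shaped like three public formats (values are made up;
# "ExampleSAST", the image name and the bucket are hypothetical).
SARIF_SAMPLE = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "ExampleSAST", "rules": [
        {"id": "sql-injection", "properties": {"security-severity": "8.8"}}]}},
    "results": [{"ruleId": "sql-injection", "level": "error",
                 "message": {"text": "Unsanitized input reaches a SQL query"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "api/orders.py"},
                     "region": {"startLine": 42}}}]}]}]}
TRIVY_SAMPLE = {"ArtifactName": "registry.example/orders:1.4.2", "Results": [{
    "Target": "Java", "Vulnerabilities": [{
        "VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-core",
        "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0", "Severity": "CRITICAL",
        "CVSS": {"nvd": {"V3Score": 10.0}}}]}]}
ASFF_SAMPLE = {"Findings": [{
    "Id": "example-finding-0001", "Title": "S3 buckets should prohibit public read access",
    "Severity": {"Label": "HIGH", "Normalized": 70},
    "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-logs"}]}]}

def from_sarif(log: dict, provider: str) -> list[Finding]:
    """SARIF 2.1.0 results; the caller says which cloud the scanned code deploys to.
    Prefers the per-rule 'security-severity' property (GitHub code scanning's convention)."""
    out = []
    for run in log["runs"]:
        driver = run["tool"]["driver"]
        rule_score = {r["id"]: float(r["properties"]["security-severity"])
                      for r in driver.get("rules", [])
                      if "security-severity" in r.get("properties", {})}
        for res in run["results"]:
            loc = res["locations"][0]["physicalLocation"]
            asset = f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}'
            score = rule_score.get(res["ruleId"], SARIF_LEVEL_SCORE[res.get("level", "warning")])
            out.append(Finding(driver["name"], provider, asset, res["ruleId"],
                               res["message"]["text"], score))
    return out

def from_trivy(report: dict, provider: str) -> list[Finding]:
    """Trivy-style image report: use the NVD CVSS v3 base score when present."""
    out = []
    for result in report["Results"]:
        for v in result.get("Vulnerabilities", []):
            score = v.get("CVSS", {}).get("nvd", {}).get("V3Score") or LABEL_SCORE[v["Severity"]]
            title = f'{v["PkgName"]} {v["InstalledVersion"]} (fixed in {v.get("FixedVersion", "-")})'
            out.append(Finding("trivy", provider, report["ArtifactName"],
                               v["VulnerabilityID"], title, float(score)))
    return out

def from_asff(batch: dict) -> list[Finding]:
    """ASFF (AWS Security Hub) CSPM findings: Severity.Normalized is on a 0-100 scale."""
    out = []
    for f in batch["Findings"]:
        sev = f["Severity"]
        score = sev["Normalized"] / 10 if "Normalized" in sev else LABEL_SCORE[sev["Label"]]
        out.append(Finding("securityhub", "aws", f["Resources"][0]["Id"], f["Id"], f["Title"], score))
    return out

def aggregate(findings: list[Finding]) -> Counter:
    """Collapse exact duplicates (frozen dataclass is hashable), count by (provider, severity)."""
    return Counter((f.provider, f.severity) for f in set(findings))

def collect() -> list[Finding]:
    """Run every sample through its normalizer, tagging where each asset actually runs."""
    return (from_sarif(SARIF_SAMPLE, provider="aws")      # code ships as a Lambda
            + from_trivy(TRIVY_SAMPLE, provider="azure")  # image runs on AKS
            + from_asff(ASFF_SAMPLE))

if __name__ == "__main__":
    for f in sorted(collect(), key=lambda f: -f.score):
        print(f"{f.severity:<8} {f.provider:<6} {f.source:<12} {f.identifier:<24} {f.asset}")
    print(dict(aggregate(collect())))
```

In a real pipeline the three dicts would come from `json.load` on each tool's output rather than being embedded. Note that a code scanner has no idea which cloud the code will run in, so the provider tag for SAST findings has to come from deployment metadata supplied by the caller; without it the per-provider footprint in the aggregate cannot be computed.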
SaaS Vulnerabilities
Everything we’ve discussed so far is in the context of the major IaaS and PaaS CSPs such as Azure, Google Cloud, and AWS. That said, while organizations may be using two or three IaaS/PaaS providers, studies show that they are typically using 100-plus SaaS applications.
Each of those SaaS environments has its own configuration, data, accounts, and associated permissions, so each of them warrants posture scanning, which is typically done through SaaS Security Posture Management (SSPM) tools. This also assumes the organization knows which SaaS applications it is using as an enterprise; many studies show that most organizations do not, and that shadow SaaS usage is rampant.
Bringing It All Together
As should be clear by now, AppSec and vulnerability management in a multi-cloud context is no easy feat. Organizations will have applications spread across several cloud environments, each with its own code, configurations, and associated vulnerabilities.
When you remember that industry studies attribute more than 90% of cloud data breaches to customer misconfiguration, you quickly see how this can spiral out of control and leave the door open to severe risk and a higher likelihood of exploitation. And this doesn’t even touch on the recent push for more granular vulnerability management, down to the individual open source component, driven by adoption of the Software Bill of Materials (SBOM) and the tracking of each component’s vulnerabilities and their likelihood of exploitation.
In any large environment, vulnerability management is a daunting task. In a multi-cloud scenario, it’s even more challenging. Organizations will need to be diligent and disciplined in their approach to AppSec in multi-cloud environments to ensure vulnerabilities and risks don’t spiral out of control and potentially lead to a compromise of their organization’s data.