
Why Cloud Security Fails: The Posture vs. Runtime Gap

Cloud infrastructure and cloud native applications must have robust defenses in security posture management and runtime security management.
Aug 21st, 2024 10:00am by

Google’s recent offer to buy cloud security startup Wiz for $23 billion reveals the value of cloud security. Even though that deal fell apart, it shows the demand from CISOs and others for easy visibility into their cloud environments.

As the industry and its customers have grown, cloud security has split into two spheres that do not talk to each other, posture management and runtime security, each with its own tools. The seam between them creates gaps, and those gaps continue to put almost everyone who relies on the cloud at risk.

Cloud infrastructure and cloud native applications need robust defenses in both security posture management and runtime security management. There are plenty of products that cover each of those objectives separately. Their effectiveness is another matter: over 80% of companies have had a cloud security incident in recent years. That is a shocking statistic, and administrators, application providers, and anyone else who relies on the cloud should ask why cloud security systems aren't more effective.

Part of the answer lies in a significant gap in routine cloud security. Posture management systems produce a huge amount of data about security issues (misconfigurations, vulnerabilities, and so on). Few of them overlay runtime information that would turn this vast hypothetical attack surface into the much smaller one that matters in production, and fewer still use that overlay to help companies shrink the focused attack surface continuously and reliably. Without runtime exposure and real risk as inputs, teams have no sound basis for prioritizing these issues. Runtime security systems, on the other hand, generate alerts on threats in real time but offer no analysis of the root cause: a runtime monitor that flags a suspicious process usually cannot attribute that process to the configuration, image, or code that allowed it.

For example, unless the issue is something like a DDoS attack, the source of a security threat is usually a DevOps problem: a misconfiguration, a flaw in application code, or some other unknown. This is especially true in cloud environments because of their heavy use of Kubernetes, where a single deployment can involve thousands of lines of infrastructure as code and manifests that are easy to misconfigure. Over the years, the pendulum has swung back and forth. The recent emphasis on "shift left" moved responsibility for fixing security issues to engineering teams. The outcome was that most of the issues assigned to them were ignored or buried under unnecessary noise: an overload of tickets for findings that were irrelevant, not exploitable, or not reachable. A few years later, the expected burden of security responsibility shifted back to the runtime side, and vendors' products have mirrored each swing.

A truly effective security system for posture and runtime would ignore these trends and instead bridge the gap: the posture (DevOps) side supplies context for runtime security flags, and the runtime side supplies exposure and exploitation evidence for posture findings, enabling faster and more efficient remediation of security problems.

It's not that posture management systems can't surface the underlying issues; a thorough analysis of code and configuration will reveal what needs to be remediated, and alerts will tell administrators or DevOps that something needs checking. If the problem is fixed, the threat never manifests at runtime. The trouble is volume. Studies show that at least 20%, and as many as 40% or more, of all security alerts issued by these systems are false positives. After dealing with so many false positives, sysadmins and DevOps teams become inured to threats: studies show that over 60% of employees responsible for DevOps security say alert fatigue has caused them or others on their teams to seek other positions, while 55% say the overwhelming number of alerts (more than 500 a day, in many cases) caused them to miss critical issues.

If four out of five companies using the cloud have had a cloud security incident in recent years, it is fair to attribute at least some of those incidents to a lack of contextual data in posture management. Bridging this gap is not a matter of convenience; for many companies, it is a matter of survival.

Runtime security is genuinely the last line of defense against weaknesses that posture management did not catch, and security should never rest on a last resort. If DevOps security is handled properly, runtime problems will be dramatically reduced; the question is how that security can be reinforced. One option is better communication between the runtime side, which reports the security issues that appear in production, and DevOps, where security teams can examine code and configuration to track down the root of the problem.

An ideal system would contextualize runtime issues in terms of code and configuration, narrowing down the potential cause of a threat. If the system determines that a real threat stems from a misconfiguration or other coding issue, DevOps can remediate it at the source. For example, when runtime security flags a process as "suspicious," a system that reads the alert against the workload's security posture can judge whether it is a real threat. If the workload's manifest shows that the container is meant to launch that process (an interactive debugging toolbox spawning a shell, say), the alert can be suppressed. If the process is unexpected and the container runs as privileged, the alert should be escalated rather than ignored, and the privileged setting becomes the root cause to fix, because it turns a container compromise into a host compromise. Alerts are thus issued, and prioritized, only for real problems. Instead of wading through hundreds of tickets, DevOps teams can zero in on the problem and fix it quickly.

With today's technology this is possible: eBPF gives runtime sensors a common, low-overhead view of process, file, and network activity inside the kernel, and Kubernetes supplies declarative manifests on the DevOps side. Together they produce enough data to be analyzed jointly and continuously, finding the actual gaps and vulnerabilities in security anywhere. Such an approach closes crucial gaps and reduces the number of tools CISOs need, fulfilling the vision of analysis firm Gartner for a unified CNAPP (cloud native application protection platform). Several new players are stepping up to this challenge.
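The correlation described in the two paragraphs above, as an added example that is not code from the article or from any vendor it mentions: a small triage routine reads each runtime alert against the Kubernetes posture of the workload it came from. The event shape only loosely imitates what an eBPF-based sensor reports (pod, container, executed process, parent process) and is an assumption, not a real sensor's schema; the posture records are hand-distilled from hypothetical pod specs (securityContext flags, exposure, the processes the image's entrypoint is expected to run). All data is constructed, and no cluster or sensor is contacted.

```python
"""
Added illustration: turn context-free runtime alerts into prioritized,
root-caused findings by joining them with Kubernetes posture data.
All events and pod records below are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed runtime events. Field names are assumptions, not a real schema.
RUNTIME_EVENTS = [
    {"rule": "shell_in_container", "namespace": "payments", "pod": "api-7c9f",
     "container": "api", "proc": "/bin/sh", "parent": "/usr/bin/python3"},
    {"rule": "shell_in_container", "namespace": "ops", "pod": "debug-5a1b",
     "container": "toolbox", "proc": "/bin/bash", "parent": "/bin/bash"},
    {"rule": "write_below_etc", "namespace": "payments", "pod": "orphan-9z9z",
     "container": "app", "proc": "/usr/bin/tee", "parent": "/bin/sh"},
    {"rule": "outbound_from_shell", "namespace": "ops", "pod": "debug-5a1b",
     "container": "toolbox", "proc": "/usr/bin/nc", "parent": "/bin/bash"},
]

# Constructed posture snapshot keyed by (namespace, pod): securityContext
# flags from the pod spec, whether a Service/Ingress exposes the pod, and the
# processes its image's entrypoint is expected to run.
POSTURE = {
    ("payments", "api-7c9f"): {
        "privileged": False, "runAsNonRoot": True, "readOnlyRootFilesystem": True,
        "hostPID": False, "internet_exposed": True,
        "expected_procs": {"/usr/bin/python3", "/usr/bin/gunicorn"},
    },
    ("ops", "debug-5a1b"): {
        "privileged": True, "runAsNonRoot": False, "readOnlyRootFilesystem": False,
        "hostPID": True, "internet_exposed": False,
        "expected_procs": {"/bin/bash"},  # interactive toolbox: a shell is its job
    },
}

SEVERITIES = ["info", "low", "medium", "high", "critical"]


def bump(severity: str) -> str:
    """Raise a severity by one step, capped at critical."""
    return SEVERITIES[min(len(SEVERITIES) - 1, SEVERITIES.index(severity) + 1)]


@dataclass
class Finding:
    event: dict
    severity: str
    root_causes: list = field(default_factory=list)  # posture issues to fix
    notes: list = field(default_factory=list)        # context for the responder


def triage(event: dict, posture: dict) -> Finding:
    """Join one runtime alert with the posture of the pod it fired in."""
    pod = posture.get((event["namespace"], event["pod"]))
    if pod is None:
        # A workload the posture side has never seen is itself a gap.
        return Finding(event, "high", ["workload missing from posture inventory"],
                       ["no manifest to attribute the process to; treat as unmanaged"])
    if event["proc"] in pod["expected_procs"]:
        # The entrypoint explains the process: suppress rather than ticket it.
        return Finding(event, "info", [], ["process is part of the workload's entrypoint"])
    finding = Finding(event, "medium", [], ["process is not part of the expected entrypoint"])
    if pod["internet_exposed"]:
        finding.severity = bump(finding.severity)
        finding.notes.append("workload is reachable from the internet")
    # Posture weaknesses that widen the blast radius raise the priority and
    # become the root causes DevOps should fix in the manifest.
    if pod["privileged"]:
        finding.severity = bump(finding.severity)
        finding.root_causes.append("securityContext.privileged=true")
    if pod["hostPID"]:
        finding.severity = bump(finding.severity)
        finding.root_causes.append("hostPID=true")
    if not pod["runAsNonRoot"]:
        finding.root_causes.append("runAsNonRoot unset or false")
    if not pod["readOnlyRootFilesystem"]:
        finding.root_causes.append("readOnlyRootFilesystem unset or false")
    if not finding.root_causes:
        finding.notes.append("no posture weakness found; trace the code path in "
                             f"{event['parent']} that spawned {event['proc']}")
    return finding


def triage_all(events: list, posture: dict) -> list:
    return [triage(e, posture) for e in events]


def actionable(findings: list) -> list:
    """Findings that should become tickets; everything explained away is dropped."""
    return [f for f in findings if f.severity != "info"]


def root_cause_counts(findings: list) -> Counter:
    """Which manifest fixes would close the most runtime alerts."""
    return Counter(rc for f in findings for rc in f.root_causes)


if __name__ == "__main__":
    for f in triage_all(RUNTIME_EVENTS, POSTURE):
        print(f.severity.upper(), f.event["rule"], f.event["namespace"] + "/" + f.event["pod"],
              "| root causes:", f.root_causes or "-", "|", "; ".join(f.notes))
```

Of the four constructed events, the toolbox shell is suppressed because the manifest expects it, the shell under the internet-facing API becomes a high finding with no posture root cause (the code path that spawned it is the next thing to trace), the event from a pod absent from the inventory is flagged as an unmanaged workload, and the unexpected process in the privileged, hostPID toolbox is escalated to critical with the manifest flags listed as the fixes. The root-cause counter is the bridge back to posture: it shows which manifest changes would retire the most runtime alerts.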

Only with a unified approach like this, where runtime alerts are matched to posture management findings, can administrators be confident that posture and runtime security are in sync. Continuing to pile up more and more bloated and expensive tools in the divided spheres of runtime and posture security is akin to relying on miracles or luck for proper, safe, and secure site management. Proper security is the result of something logical and verifiable. Bridging the security gap will help make that happen.

TNS owner Insight Partners is an investor in: Wiz, Kubernetes.