Infrastructure as Code (IaC) Security

Infrastructure as code (IaC) security applies consistent, scalable security checks to infrastructure definitions so that misconfigurations are detected in code early in the software development life cycle, before they become vulnerabilities at runtime. It lets organizations enforce security controls on IaC templates throughout their life cycle: in code repositories, in continuous integration/continuous delivery (CI/CD) tools, and as early as the developer's IDE.

Cloud Infrastructure Entitlement Management (CIEM)

Cloud infrastructure entitlement management (CIEM) is a type of automated cloud security solution that mitigates the risk of data breaches in public cloud environments. CIEM solutions detect and prevent excessive entitlements by continuously monitoring the permissions granted to identities (human and machine) together with the activity those identities actually perform, so that each operates within appropriate access controls and unused or over-broad grants can be tightened. An effective CIEM solution provides comprehensive reporting to help streamline access management, strengthen cloud security posture, and minimize DevOps disruption.
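The core CIEM computation described above, granted permissions compared against observed activity, as an added example (not code from the original page or from any CIEM product). The policy document and activity records are constructed to resemble AWS IAM and CloudTrail data; the identity name, action names and the observation window are assumptions:

```python
"""Least-privilege analysis in the CIEM style: compare the permissions an
identity has been granted with the actions it has actually used, then flag
unused (excessive) grants, activity outside the grant, and wildcard grants
that can be narrowed to what was really exercised.

Added example; the policy and the activity below are constructed."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed IAM-style policy: what the identity is allowed to do.
GRANTED_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ]
}

# Constructed CloudTrail-style activity over an observation window.
ACTIVITY = [
    {"identity": "role/ci-deployer", "event": "s3:GetObject"},
    {"identity": "role/ci-deployer", "event": "s3:PutObject"},
    {"identity": "role/ci-deployer", "event": "ec2:DescribeInstances"},
    {"identity": "role/ci-deployer", "event": "ec2:DescribeInstances"},
    {"identity": "role/ci-deployer", "event": "kms:Decrypt"},  # not granted here: drift or a blind spot
]


def granted_actions(policy):
    """Flatten an IAM-style policy into the set of Allow action patterns."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def used_actions(activity, identity):
    """Count observed actions for one identity."""
    counts = defaultdict(int)
    for rec in activity:
        if rec["identity"] == identity:
            counts[rec["event"]] += 1
    return dict(counts)


def matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def analyze(policy, activity, identity):
    granted = granted_actions(policy)
    used = used_actions(activity, identity)
    # A grant is "exercised" if any observed action matches its pattern.
    unused = sorted(g for g in granted if not any(matches(g, a) for a in used))
    # Activity with no matching grant: the policy shown is not the one in force, or logging is incomplete.
    ungranted = sorted(a for a in used if not any(matches(g, a) for g in granted))
    # Wildcard grants exercised by a narrow set of actions are right-sizing candidates.
    tighten = {}
    for g in granted:
        if "*" in g:
            seen = sorted(a for a in used if matches(g, a))
            if seen:
                tighten[g] = seen
    return {"unused": unused, "ungranted": ungranted, "tighten": tighten}


def right_sized_policy(policy, analysis):
    """Emit a replacement policy: drop unused grants, narrow exercised wildcards.
    Resource scoping (replacing "*" with specific ARNs) is the next step and is not done here."""
    actions = set()
    for g in granted_actions(policy):
        if g in analysis["unused"]:
            continue
        actions.update(analysis["tighten"].get(g, [g]))
    return {"Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}


if __name__ == "__main__":
    report = analyze(GRANTED_POLICY, ACTIVITY, "role/ci-deployer")
    print(report)
    print(right_sized_policy(GRANTED_POLICY, report))
```

The observation window matters: an action exercised only by a quarterly job looks "unused" in a one-week sample, so a real CIEM keeps the window long and treats the output as a proposal to review rather than a change to apply blindly.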

Cloud-Native Application Protection Platform (CNAPP)

Cloud-native application protection platforms (CNAPPs) are a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production. CNAPPs consolidate a large number of previously siloed capabilities, including container scanning, cloud security posture management, infrastructure as code scanning, cloud infrastructure entitlement management, runtime cloud workload protection and runtime vulnerability/configuration scanning.

SaaS Security Posture Management (SSPM)

SaaS security posture management (SSPM) is an approach to securing SaaS apps and data that unifies continuous cybersecurity risk assessment and compliance monitoring with detection, enforcement, and remediation. Effective SSPM solutions provide critical visibility into the security posture of organizations’ software-as-a-service deployments, ensuring they can continue using cloud services to accelerate and streamline operations.

Cloud Key Management

For virtually every organisation today, adoption of multiple cloud services continues to expand. A growing number of organisations are aware of the Shared Responsibility Model for cloud security and of its definitive statement that, across all cloud consumption models (Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)), cloud consumers remain responsible for the security of the data they store and use in the cloud. In every yearly edition of the Thales Data Threat Report, organisations say that encryption is the right way to protect data in the cloud.

Cloud providers increasingly offer their own encryption services as a convenience to their customers. But the need for customers to control the keys those provider encryption services use is growing as fast as cloud consumption itself. A growing number of cloud providers therefore offer "Bring Your Own Key" (BYOK) services, which let the customer generate and control the key while the provider uses it on the customer's behalf. The difficulty of BYOK and cloud key management scales with the number of clouds and keys to be managed or brought to the cloud.

Cloud key management may be considered in various ways:

  • Logging into each cloud console and managing keys created by the cloud provider's own key service
  • Generating keys from a trusted source (an on-premises HSM or key manager), then using the cloud provider's CLI to download its public wrapping key, wrapping the generated key with it, and uploading the wrapped key, so the raw key material never travels in the clear
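The second approach above, carried through as an added example (not code from the page, from Thales, or from any cloud provider). The "provider" side is simulated locally so the script runs offline: it issues an RSA public wrapping key, the customer generates 256-bit key material from its own randomness, wraps it with RSAES-OAEP using SHA-256 (the wrapping algorithm the major cloud KMS import flows accept), and only the wrapped blob crosses the boundary. The example assumes the `cryptography` package is installed and uses 2048-bit RSA for speed:

```python
"""BYOK key wrapping round trip: customer-generated key material, wrapped with
the provider's public key, unwrapped only inside the (simulated) provider KMS.
Added example; both roles run in this one process for illustration."""
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# RSAES-OAEP with SHA-256 for both the hash and the MGF1 mask generator.
OAEP_SHA256 = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None
)


def provider_create_wrapping_key():
    """Cloud side (simulated): an RSA key pair; only the public half is handed out.
    2048 bits is an assumption for speed; providers commonly accept 2048 or larger."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub_pem = priv.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
    )
    return priv, pub_pem


def customer_generate_key_material(length=32):
    """Customer side: 256-bit AES key material from the local CSPRNG (an HSM in practice)."""
    return os.urandom(length)


def customer_wrap(pub_pem, key_material):
    """Customer side: wrap the raw key so that only the provider's private key can open it."""
    pub = serialization.load_pem_public_key(pub_pem)
    return pub.encrypt(key_material, OAEP_SHA256)


def provider_import(priv, wrapped):
    """Cloud side (simulated): unwrap inside the KMS boundary. Raises ValueError on a bad blob."""
    return priv.decrypt(wrapped, OAEP_SHA256)


def byok_roundtrip():
    """Run the full exchange and report what a practitioner would check."""
    priv, pub_pem = provider_create_wrapping_key()
    material = customer_generate_key_material()
    wrapped = customer_wrap(pub_pem, material)
    imported = provider_import(priv, wrapped)
    return {
        "plain_len": len(material),
        "wrapped_len": len(wrapped),        # equals the RSA modulus size in bytes
        "match": imported == material,      # provider now holds the same key the customer generated
        "wrapped_differs": wrapped != material,
    }


def tampered_wrap_rejected():
    """OAEP is not malleable: a single flipped byte in transit makes the import fail."""
    priv, pub_pem = provider_create_wrapping_key()
    wrapped = bytearray(customer_wrap(pub_pem, customer_generate_key_material()))
    wrapped[-1] ^= 0x01
    try:
        provider_import(priv, bytes(wrapped))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(byok_roundtrip())
    print("tampered blob rejected:", tampered_wrap_rejected())
```

Two checks worth keeping from this: the wrapped blob must be verified to differ from the plaintext before upload (a wrapping step that silently no-ops is the failure mode to fear), and the provider's wrapping key should be fetched over an authenticated channel and pinned for the duration of the import, since whoever controls that public key receives your key.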

Micro-Segmentation

Micro-segmentation involves creating zones within the network to isolate and secure elements that contain sensitive information or that an attacker could use as a foothold. A zero-trust security approach benefits from micro-segmentation because once an area has been micro-segmented, only explicitly permitted traffic can reach it, so it is protected from threats elsewhere in the network. The firewall or filter that forms the barrier around the zone can also block threats from exiting the zone, which protects the rest of the network if the zone itself is compromised.
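The segmentation model just described, as an added example that is not part of the original page: each workload belongs to a zone, a flow between zones is allowed only by an explicit rule in that direction on that port, and everything else, including traffic initiated out of a compromised zone, is denied. The zones, workload names and rules are constructed for illustration:

```python
"""Zero-trust micro-segmentation as a policy table with default deny.
Added example; inventory and rules are constructed."""
from dataclasses import dataclass

ZONES = {  # constructed inventory: workload -> zone
    "web-01": "web", "web-02": "web",
    "api-01": "app",
    "db-01": "data",
    "jump-01": "mgmt",
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int
    proto: str = "tcp"


# Allowlist. There is deliberately no rule from 'web' to 'data' and no rule
# with 'data' as the source: the database answers on established connections
# (stateful filtering) but may not initiate anything out of its zone. Flows
# inside a zone also need a rule; nothing is trusted by adjacency.
RULES = [
    Rule("web", "app", 8443),
    Rule("app", "data", 5432),
    Rule("mgmt", "web", 22),
    Rule("mgmt", "app", 22),
    Rule("mgmt", "data", 22),
]


def evaluate(src, dst, port, proto="tcp", zones=ZONES, rules=RULES):
    """Decision for a new connection attempt: (decision, reason)."""
    sz, dz = zones.get(src), zones.get(dst)
    if sz is None or dz is None:
        return "deny", "unknown workload"  # unenrolled hosts get nothing
    for r in rules:
        if (r.src_zone, r.dst_zone, r.port, r.proto) == (sz, dz, port, proto):
            return "allow", f"rule {sz}->{dz}:{port}/{proto}"
    return "deny", f"no rule {sz}->{dz}:{port}/{proto}"


def lateral_movement_report(compromised, zones=ZONES, rules=RULES):
    """Every (target, port) an attacker holding `compromised` could still reach.
    Use it to check that the rule set actually limits blast radius."""
    reachable = []
    for target in zones:
        if target == compromised:
            continue
        for r in rules:
            if r.src_zone == zones[compromised] and r.dst_zone == zones[target]:
                reachable.append((target, r.port))
    return sorted(reachable)


if __name__ == "__main__":
    for flow in [("web-01", "api-01", 8443), ("web-01", "db-01", 5432), ("db-01", "api-01", 8443)]:
        print(flow, evaluate(*flow))
    print("from web-01:", lateral_movement_report("web-01"))
    print("from db-01:", lateral_movement_report("db-01"))
```

The lateral-movement report is the check to run whenever a rule is added: a compromised web server should reach the API tier on one port and nothing else, and a compromised database should reach nothing.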

Container Security

A full-lifecycle container security solution scans for vulnerabilities across the entire CI/CD pipeline, from build to ship to run. The Jenkins plug-in scans images during the build, images in registries are monitored continuously, and automated tests check security compliance. Admission control prevents vulnerable images from being deployed, while production containers remain monitored at run time. The image vulnerability analysis is fast and scales to thousands or hundreds of thousands of images.

Full-Lifecycle Security Diagram

  • Scanning and admission control during build, test and deployment
  • Scans containers, hosts, and orchestration platforms during run-time
  • Audits host and container configuration against the Docker Bench and Kubernetes CIS Benchmark security tests
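The admission-control step in the lifecycle above, written out as an added example in the style of a validating webhook's decision logic (not the page's or any vendor's code). The policy it enforces is an assumption chosen to match the text: images must come from an approved registry, be referenced by digest rather than a mutable tag, have a scan result inside a freshness window, and carry no Critical finding and no High finding that already has a fix. The registry name, scan results, pod spec and clock are constructed:

```python
"""Image admission decision from stored scan results. Added example; the
registry name, scan data and pod spec are constructed."""
import re
from datetime import datetime, timedelta, timezone

APPROVED_REGISTRY = "registry.example.internal/"  # assumed internal registry
MAX_SCAN_AGE = timedelta(days=7)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed registry scan results, keyed by full image reference.
SCAN_RESULTS = {
    "registry.example.internal/shop/api@sha256:" + "a" * 64: {
        "scanned_at": "2024-05-01T10:00:00+00:00",
        "findings": [{"id": "CVE-EXAMPLE-1", "severity": "Medium", "fixed_in": "1.2.4"}],
    },
    "registry.example.internal/shop/worker@sha256:" + "b" * 64: {
        "scanned_at": "2024-05-01T10:00:00+00:00",
        "findings": [{"id": "CVE-EXAMPLE-2", "severity": "High", "fixed_in": "2.0.1"}],
    },
    "registry.example.internal/shop/cron@sha256:" + "c" * 64: {
        "scanned_at": "2024-01-01T10:00:00+00:00",  # stale: scanned months ago
        "findings": [],
    },
}


def check_image(image, scans=SCAN_RESULTS, now=None):
    """Return the list of policy violations for one image reference (empty list = admit)."""
    now = now or datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed clock keeps the example deterministic
    problems = []
    if not image.startswith(APPROVED_REGISTRY):
        problems.append("image not from approved registry")
    if not DIGEST_RE.search(image):
        problems.append("image must be pinned by digest, not tag")
    scan = scans.get(image)
    if scan is None:
        problems.append("no scan result for image")
        return problems  # nothing more can be evaluated without a scan
    age = now - datetime.fromisoformat(scan["scanned_at"])
    if age > MAX_SCAN_AGE:
        problems.append(f"scan result is {age.days} days old")
    for f in scan["findings"]:
        blocking = f["severity"] == "Critical" or (f["severity"] == "High" and f.get("fixed_in"))
        if blocking:
            problems.append(f"{f['id']} ({f['severity']}, fix available: {f.get('fixed_in', 'no')})")
    return problems


def admit(pod_spec, **kw):
    """Validate every container (init containers included); return (allowed, per-image messages)."""
    messages = {}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        messages[c["image"]] = check_image(c["image"], **kw)
    return all(not v for v in messages.values()), messages


if __name__ == "__main__":
    pod = {  # constructed pod spec
        "containers": [{"name": "api", "image": "registry.example.internal/shop/api@sha256:" + "a" * 64}],
        "initContainers": [{"name": "init", "image": "docker.io/library/busybox:latest"}],
    }
    print(admit(pod))
```

Returning the full list of violations rather than failing on the first one is deliberate: the developer fixing the deployment gets every reason at once, and the audit log records why an image was rejected.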

Cloud Security Posture Management (CSPM)

Cloud security posture management (CSPM) is a key component of cloud data security that scours cloud environments and alerts staff to compliance risks and configuration vulnerabilities in cloud services, most of which stem from human error. In its Innovation Insight for Cloud Security Posture Management report, analyst firm Gartner defined CSPM as a category of products that automate security and compliance assurance and address the need for proper control over cloud infrastructure configurations. In 2020, according to Gartner, adoption of CSPM solutions was strong and projected to reach 25% within a few years as more organizations recognize them as must-have cloud security tools.

Broadly speaking, CSPM protects you in three ways:

1. Provides visibility into your cloud assets and configurations. Enterprise CSPM discovers misconfigurations, changes in policy or metadata, and more, and helps you manage all these policies through a centralized console.
2. Manages and remediates misconfigurations. By comparing your cloud configurations against industry standards and other pre-built rules, CSPM reduces human error that can increase your risk of costly breaches.
3. Discovers new potential threats. CSPM monitors your cloud environments in real time for inappropriate access and anomalies that may indicate malicious activity.
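Points 1 and 2 above, and the IaC security entry earlier on this page, describe the same mechanism applied at two points in time: a rule set is evaluated against configuration, either before deployment (read from an IaC plan) or after it (read back from the cloud API). This added example, not code from the page or from any CSPM product, shows one rule set serving both. The Terraform plan is a constructed, simplified version of the `terraform show -json` shape, and the live inventory is constructed to show the drift a CSPM would catch after someone edited the environment by hand:

```python
"""One rule set, two configuration sources: IaC scan before deployment and
CSPM posture check after it. Added example; both inputs are constructed."""
import json

PLAN_JSON = json.dumps({  # constructed, simplified `terraform show -json tfplan` output
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "acme-logs", "acl": "public-read"}},
        {"address": "aws_security_group.ssh", "type": "aws_security_group",
         "values": {"name": "ssh", "ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "values": {"identifier": "main", "publicly_accessible": False, "storage_encrypted": True}},
    ]}}
})

LIVE_INVENTORY = [  # constructed: what a CSPM collector reads back from the cloud API
    {"id": "acme-logs", "type": "aws_s3_bucket", "acl": "private"},  # fixed after the IaC finding
    {"id": "sg-0abc", "type": "aws_security_group",                   # drift: rule added by hand
     "ingress": [{"from_port": 3389, "to_port": 3389, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
    {"id": "main", "type": "aws_db_instance", "publicly_accessible": True, "storage_encrypted": True},  # drift
]


def from_plan(plan_json):
    """Adapter: normalize planned resources into flat records."""
    plan = json.loads(plan_json)
    for r in plan["planned_values"]["root_module"]["resources"]:
        yield {"id": r["address"], "type": r["type"], **r["values"]}


def from_inventory(items):
    """Adapter: live records are already flat."""
    yield from items


SENSITIVE_PORTS = {22, 3389}


def rule_public_bucket(res):
    if res["type"] == "aws_s3_bucket" and res.get("acl", "private").startswith("public"):
        return "S3 bucket ACL grants public access"


def rule_open_admin_port(res):
    if res["type"] != "aws_security_group":
        return None
    for ing in res.get("ingress", []):
        internet = "0.0.0.0/0" in ing.get("cidr_blocks", [])
        if internet and any(ing["from_port"] <= p <= ing["to_port"] for p in SENSITIVE_PORTS):
            return f"admin port {ing['from_port']}-{ing['to_port']} open to the internet"


def rule_db_exposure(res):
    if res["type"] == "aws_db_instance":
        if res.get("publicly_accessible"):
            return "database instance is publicly accessible"
        if not res.get("storage_encrypted"):
            return "database storage is not encrypted"


RULES = [rule_public_bucket, rule_open_admin_port, rule_db_exposure]


def evaluate(resources, rules=RULES):
    """Run every rule over every resource; return (resource id, rule name, message) findings."""
    findings = []
    for res in resources:
        for rule in rules:
            msg = rule(res)
            if msg:
                findings.append((res["id"], rule.__name__, msg))
    return findings


if __name__ == "__main__":
    print("IaC scan:", evaluate(from_plan(PLAN_JSON)))
    print("CSPM check:", evaluate(from_inventory(LIVE_INVENTORY)))
```

Keeping the rules in one place is the practical point: a finding that the IaC scan blocks in CI and one that the CSPM raises at runtime should be the same rule, otherwise the two tools disagree about what "compliant" means and drift detection becomes guesswork.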

Cloud Workload Protection (CWP)

In the security world, everyone is familiar with the concepts of cyber threat protection and data protection. Whether these protections are delivered from a cloud security platform or by appliances in a data center or regional gateway, they essentially keep malicious traffic out of the network and stop sensitive data from leaking out. Workload protection is a different sort of security control: it secures the communications that occur between applications, such as ERP software in one cloud that communicates with a database in another, a line-of-business app that communicates with financial software and collaboration tools, or a project management application that exchanges data with CAD software. The possibilities are endless.