Too many cloud security tools? Time for consolidation
Does your organization need every cloud security platform and service currently in use? Tool consolidation can reduce the chances of coverage gaps and increase security.
Many organizations find themselves inundated with too many cybersecurity products, especially when it comes to cloud security tools. Along with being difficult to use and manage, having too many cloud security tools introduces potential coverage gaps and vulnerabilities.
Let's look at why too many cloud security tools can be an issue for organizations, as well as how to begin the cloud security consolidation process.
The problem with too many tools
A 2023 Palo Alto Networks survey found the average organization deploys more than 30 security tools, with six to 10 of those dedicated to cloud security.
Having so many tools can introduce coverage gaps and vulnerabilities in the following areas:
- Updates. Cloud-centric or not, all software requires updates and configuration changes over time. Cloud services change frequently, and many security tools need updates to match the providers' changes. This can lead to outages, incompatibility issues and performance headaches.
- Third-party risks. One major distinction with cloud security tools is the need for deep integration across service providers, often via APIs. Cloud-based security services have numerous integration points and dependencies on other providers, making the landscape of third-party and even fourth-party risks more significant. Given the attacker focus on vendors and suppliers today, security teams that rely on multiple vendors must manage an increased attack surface.
- Operational coverage. The more tools and services deployed, the more skills and operational coverage needed. This is a common headache for security teams. Consolidating and limiting the number of distinct vendors and services in use can aid in day-to-day standard operating procedures and monitoring and response coverage.
- Alert fatigue. The onslaught of alerts from various deployed cloud security tools can overwhelm security teams, making it difficult for them to discern alerts worth investigating from noise and false positives.
How to evaluate current cloud security deployments
When reviewing their current cloud security product arsenal -- especially for PaaS and IaaS deployments -- organizations should focus on the most critical and common requirements and capabilities. These include the following:
- File and workload security. Prioritize strong file integrity monitoring and workload-centric data and file protection capabilities.
- Integration. Make sure cloud security tools integrate with and support threat management, vulnerability management and reputation reporting capabilities for images and application components.
- Cloud security features. Look for strong cloud security posture management (CSPM) detection and remediation, both in runtime environments and infrastructure as code (IaC) for all major cloud providers.
- Incident management. Key capabilities in any cloud security service include real-time detection, rapid and flexible response, and evidence collection.
- Orchestration support. Orchestration capabilities, especially for services such as Kubernetes, are paramount for many teams as they grow their deployments.
Cloud security tools to consider
Many cloud security controls and configuration capabilities have melded into a single platform or service fabric as they have matured. This has further reduced the need for multiple tools as some became redundant. With controls that cover the pipeline, workload security, cloud environment configuration, IaC templates, runtime and more, cloud tools and services are evolving into a much more consolidated set of products and platforms.
The primary tool category that fulfills many of these needs is the cloud-native application protection platform (CNAPP). CNAPPs incorporate cloud access security brokers (CASBs), CSPM, cloud workload protection platforms (CWPPs) and DevOps pipeline security controls into one platform.
This model works well for many use cases but doesn't always cover the end-user side of cloud, namely users accessing SaaS platforms. In those cases, organizations might need a dedicated SaaS security service, such as SaaS security posture management (SSPM) -- a tool that has yet to be incorporated into CNAPPs.
Similarly, CNAPPs don't cover end users' general access to the cloud and the internet -- think classic on-site proxy functionality -- which is now covered by zero-trust network access (ZTNA) tools. These are starting to converge, too, but it's not uncommon for ZTNA, CNAPP and SSPM products to coexist in a network.
While these are today's consolidation trends, don't discount the native offerings of the cloud providers themselves. There are immense benefits to enabling cloud logging and monitoring, network and identity access controls, and other provider-specific services, such as data loss prevention, where available. These are tied to a single provider and don't scale across clouds, so they tend to be used more selectively.
When embarking on a cloud security consolidation project, make sure to take multi-cloud applicability into account. Look to vendor roadmaps and coverage models to see where your organization can enable more controls with fewer distinct products.
Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.