Many organizations find themselves overwhelmed with too many cybersecurity products, especially when it comes to cloud security tools. In addition to being difficult to use and manage, having too many cloud security tools creates coverage gaps and potential security vulnerabilities.
Let's take a look at why having too many cloud security tools can be a problem for organizations, as well as how to start the process of cloud security unification.
The Problem With Too Many Tools
A 2023 study by Palo Alto Networks found that the average organization deploys more than 30 security tools, six to 10 of which are dedicated to cloud security.
Having too many tools may create coverage gaps and weaknesses in the following areas:
Updates. Whether or not software is cloud-based, it requires updates and configuration changes over time. Cloud services change frequently, and many security tools need updates to accommodate provider changes. This can lead to outages, incompatibility issues, and performance headaches.
Third-party risks. One of the key differences with cloud security tools is their need for deep integration with service providers, often via APIs. Cloud-based security services have multiple integration points and dependencies on other providers, making the third-party and even fourth-party risk landscape more significant. Given today's attacker focus on vendors and suppliers, security teams that rely on multiple vendors must manage an increased attack surface.
Operational coverage. The more tools and services deployed, the more skills and operational coverage required. This is a common headache for security teams. Standardizing and limiting the number of distinct vendors and services in use can help with day-to-day SOPs, monitoring, and response coverage.
Alert fatigue. The onslaught of alerts from the various cloud security tools deployed can overwhelm security teams, making it difficult for them to distinguish alerts worth investigating from noise and false positives.
How to Evaluate Current Cloud Security Deployments
When reviewing their current cloud security product arsenal—particularly for PaaS and IaaS deployments—organizations should focus on the most critical and common requirements and capabilities. These include:
File and Workload Security. Prioritize robust file integrity monitoring and workload-focused file and data protection capabilities.
Integration. Ensure cloud security tools integrate with threat management, vulnerability management, and reputation reporting, and that they support images and application components.
Cloud Security Features. Look for robust cloud security posture management (CSPM) capabilities, covering detection, management, and remediation, both at runtime and in infrastructure-as-code (IaC) environments, for all major cloud providers.
Incident Management. Key capabilities in any cloud security service include real-time detection, rapid and agile response, and evidence collection.
Orchestration Support. Orchestration capabilities, especially for services like Kubernetes, are of paramount importance to many teams as their deployments grow.
Cloud Security Tools to Consider
Many cloud security controls and configuration capabilities have been integrated into a single platform or service fabric as they mature. This has reduced the need for multiple tools as some have become redundant. With controls covering pipeline, workload security, cloud environment configuration, IaC templates, runtime, and more, cloud tools and services are evolving into a more integrated set of products and platforms.
A core category of tools that addresses many of these needs is the cloud-native application protection platform (CNAPP). CNAPPs integrate cloud access security brokers, CSPMs, cloud workload protection platforms, and DevOps pipeline security controls into a single platform.
This model works well for many use cases but does not always cover the end-user side of the cloud, i.e., users accessing SaaS platforms. In these cases, organizations may need a dedicated SaaS security service, such as SaaS Security Posture Management (SSPM), a capability that is not yet integrated into CNAPPs.
Similarly, CNAPP products do not fully cover end users who are going to the cloud and the Internet—think traditional on-premises proxy functions—which are now covered by Zero Trust Network Access (ZTNA) tools. These tools are also starting to converge, but it is not uncommon for ZTNA, CNAPP, and SSPM products to coexist on a single network.
While these are the current consolidation trends, you shouldn’t ignore cloud-native offerings from the respective cloud providers. There are huge benefits to enabling data logging and monitoring in the cloud, network and identity access controls, and other specific services, such as data loss prevention, where available. These services cannot be scaled across clouds, so they tend to be more selective in nature.
When embarking on a cloud security consolidation project, be sure to consider multi-cloud applicability. Look at vendor roadmaps and coverage models to see where your organization can enable more controls with fewer distinct products.
Dave Shackelford is the Founder and Principal Consultant at Voodoo Security; SANS Analyst, Instructor, Course Author; and Technical Director of GIAC.