Organizations have been forced to accelerate their digital transformation projects in light of recent demands on their network. Cloud migration brings not only operating efficiencies but also cost savings. However, organizations will be unable to see these cost and efficiency improvements when they don’t have a complete and continuous view into their attack surface. While teams are stressed and operating under pressure, attackers are constantly on the lookout for an accidentally exposed vulnerability.
While organizations have developed cloud governance strategies to address some of the issues that this rapid cloud adoption has created, CISOs are often left with an incomplete picture when they ask their teams a simple question: how do we know that our cloud policies are actually being enforced?
Since a cloud deployment needs as little as a credit card and an email address, rogue cloud instances are one of the most common inadvertent ways in which an organization's cloud attack surface grows. Even where an organization has a policy restricting deployments to approved providers such as AWS, GCP or Azure, it is common to find instances at providers outside the sanctioned list.
Traditional solutions don’t work in the cloud
Deploying a CASB (Cloud Access Security Broker) and instituting governance policies are a good first step, but they don't solve the problem of rogue cloud deployments. A CWPP (Cloud Workload Protection Platform) protects the workloads it has been deployed on, but it cannot identify shadow IT infrastructure such as a development instance spun up by a test engineer in an account nobody registered. The ability to track whether employees are adhering to policy is also critical: CSPM (Cloud Security Posture Management) tools help manage and check policies, but only for cloud accounts and instances that are already known.
Get unparalleled visibility with Expanse
Expanse overcomes limitations and goes further than traditional solutions to locate all cloud exposures and enforce an organization’s cloud policy. With Expanse, organizations can monitor and remediate a wide range of critical issues that arise during cloud migration projects.
| Capability | Expanse platform | Legacy solutions |
| --- | --- | --- |
| Discover cloud assets accurately | Our attribution system identifies the known and unknown domains and hostnames that belong to your organization. These resolve to IP addresses, which improves the scanning accuracy of your vulnerability management (VM) tools in the cloud; customers can also scan Expanse-identified fully qualified domain names (FQDNs) directly. | Traditional IP-based scanners work poorly in the cloud: the IP addresses change frequently, and the scanner is never handed a complete list of target accounts. |
| Eliminate cloud sprawl | We independently discover all cloud instances belonging to an organization, going beyond the big three (AWS, GCP, Azure). | Must be deployed manually in each account and are limited to the top three cloud providers. |
| Identify and remediate shadow cloud | Our platform identifies and attributes all cloud instances that belong to your organization, so that services hosted on other providers can be brought under your sanctioned provider list. | CWPPs protect only the workloads they have been deployed on and cannot identify all instances that belong to your organization. |
| Discover cloud dev environments | Identify and alert on any dev environments that are accidentally exposed to the public internet. | No comparable solution exists. |
| Identify insecure certificates | Discover public-facing certificates and alert on misconfigurations, including expired certificates and overly long validity periods. | Track only known certificates that have been manually added or imported into a certificate management solution. |
| Identify and patch web app services | Our platform and data enrichment process verify that all web server software versions are approved and not end-of-life (EOL), and flag other misconfigurations. | Incomplete, since they can only scan known assets. |
| Identify co-located cloud | Discover and remediate the most commonly exposed co-located cloud services, such as SSH, FTP and POP3, before they become an entry point for a breach. | No comparable solution exists. |
| Enforce cloud policy | Enforce your cloud governance policy with a complete and continuous view of your cloud assets and their respective owners or business units, across all known and unknown cloud providers. | Even for known providers, enforcement has to be enabled manually in every single account at every provider. |
| Enable seamless integrations | Leverage Expanse engineering support to build custom integrations that fit our platform into your workflow. | Limited documentation and no support for developing custom integrations. |
| Audit your M&A cloud assets | Pay the right price by independently assessing the security risk of a potential acquisition. Expanse also drastically reduces the time it takes to discover and integrate an acquired company's assets. | No comparable solution exists. |
| Benchmark against your industry | Reports are based on independent discovery of assets on the public internet and patented attribution technology, so your progress is benchmarked against your industry. | Reports are based on self-reported surveys and are therefore incomplete and inaccurate. |
Save Costs with Expanse
While most cloud migration projects result in cost savings, a suboptimal digital transformation project can end up costing more in the long term. For security teams, maintaining full visibility into co-located cloud infrastructure is extremely difficult: they have no complete view of unknown or unsanctioned cloud instances, and even their known cloud assets are ephemeral and are not tied to a static IP address.
With Expanse, you can identify co-located cloud exposures (for example, an exposed database server hosted on the same IP as one of your web applications), which gives your team an accurate picture of your cloud and on-prem assets and accelerates digital transformation initiatives. Customers also save costs by getting more out of their existing infosec tools: the Expanse platform complements them, improving the operational efficiency of the security workforce by reducing Mean Time To Discovery (MTTD) and Mean Time To Remediation (MTTR).
With Expanse's differentiated ability to inventory co-located cloud assets, customers get an unparalleled understanding of their total attack surface in the cloud. Because Expanse independently identifies known and unknown on-prem and cloud instances, it also helps you track the pace of a digital transformation project while keeping cloud sprawl in check, saving both cost and time.
Stay secure with Expanse
The shift to work from home (WFH) has forced IT and security leaders to move data and workloads to the cloud as quickly as possible, and at times this has come at a cost to data security. With Expanse, IT teams can set up alerts on assets hosted in unapproved cloud providers to ensure that cloud governance policies are enforced. In addition, Expanse data is refreshed daily, so cloud instances stay adequately protected and any accidental exposure can be quickly identified and remediated.
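The checks described above (attributing a discovered host to a provider, alerting on unapproved providers, flagging sensitive services co-located with a web front end on the same IP, and flagging expired or overly long-lived certificates) reduce to a small policy evaluation over an inventory of discovered services. The following is an added example written for this page, not Expanse code. The provider CIDR blocks and the inventory are constructed from RFC 5737 documentation ranges and are not real allocations; a production version would load provider ranges from published feeds such as https://ip-ranges.amazonaws.com/ip-ranges.json and take its inventory from live discovery results.

```python
"""Cloud governance policy evaluation over attack-surface discovery records.

Added example for this page, not Expanse code. Provider ranges and the
inventory below are constructed (RFC 5737 documentation space).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed provider ranges: NOT real allocations.
PROVIDER_RANGES = {
    "aws": [ip_network("203.0.113.0/25")],
    "gcp": [ip_network("203.0.113.128/25")],
    "azure": [ip_network("198.51.100.0/24")],
    "other-vps": [ip_network("192.0.2.0/24")],
}
APPROVED_PROVIDERS = {"aws", "gcp", "azure"}

# Services that should never share a public IP with a web front end.
SENSITIVE_PORTS = {21: "ftp", 22: "ssh", 110: "pop3",
                   3306: "mysql", 5432: "postgres", 27017: "mongodb"}
WEB_PORTS = {80, 443}
MAX_CERT_VALIDITY_DAYS = 398  # CA/Browser Forum limit for publicly trusted TLS certs


@dataclass
class Service:
    hostname: str
    ip: str
    port: int
    cert_not_before: Optional[date] = None
    cert_not_after: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    kind: str
    hostname: str
    ip: str
    detail: str


def attribute_provider(ip: str) -> str:
    """Return the provider whose CIDR block contains ip, or 'unknown'."""
    addr = ip_address(ip)
    for provider, nets in PROVIDER_RANGES.items():
        if any(addr in net for net in nets):
            return provider
    return "unknown"


def evaluate(inventory: List[Service], today: date) -> List[Finding]:
    """Run the governance checks and return one Finding per violation."""
    findings: List[Finding] = []
    by_ip = defaultdict(list)
    for svc in inventory:
        by_ip[svc.ip].append(svc)

    for svc in inventory:
        # 1. Host attributed to a provider outside the sanctioned list
        #    ('unknown' is deliberately treated as unapproved).
        provider = attribute_provider(svc.ip)
        if provider not in APPROVED_PROVIDERS:
            findings.append(Finding("unapproved_provider", svc.hostname, svc.ip, provider))

        # 2. Certificate misconfigurations: expired, or validity window too long.
        if svc.cert_not_before is not None and svc.cert_not_after is not None:
            if svc.cert_not_after < today:
                findings.append(Finding("expired_certificate", svc.hostname, svc.ip,
                                        svc.cert_not_after.isoformat()))
            validity = (svc.cert_not_after - svc.cert_not_before).days
            if validity > MAX_CERT_VALIDITY_DAYS:
                findings.append(Finding("long_validity_certificate", svc.hostname,
                                        svc.ip, f"{validity} days"))

    # 3. Co-located exposure: a sensitive service on an IP that also serves web.
    for ip, svcs in by_ip.items():
        if not any(s.port in WEB_PORTS for s in svcs):
            continue
        for s in svcs:
            if s.port in SENSITIVE_PORTS:
                findings.append(Finding("colocated_exposure", s.hostname, ip,
                                        SENSITIVE_PORTS[s.port]))
    return findings


# Constructed inventory (hostnames and IPs are documentation examples).
TODAY = date(2021, 3, 1)
INVENTORY = [
    Service("www.example.com", "203.0.113.10", 443, date(2020, 1, 1), date(2021, 1, 1)),
    Service("www.example.com", "203.0.113.10", 80),
    Service("db.example.com", "203.0.113.10", 5432),      # postgres beside the web app
    Service("dev.example.com", "192.0.2.50", 22),         # SSH on an unsanctioned VPS
    Service("api.example.com", "198.51.100.7", 443, date(2020, 6, 1), date(2023, 6, 1)),
    Service("ftp.example.com", "203.0.113.200", 21),      # FTP alone, no web on that IP
]

if __name__ == "__main__":
    for f in evaluate(INVENTORY, TODAY):
        print(f"{f.kind:26} {f.hostname:18} {f.ip:15} {f.detail}")
```

Running it yields four findings: `dev.example.com` on an unapproved provider, `db.example.com` co-located with the web front end, the expired certificate on `www.example.com`, and the three-year certificate on `api.example.com`. `ftp.example.com` is not reported because nothing else shares its IP; a stricter policy would add a rule flagging FTP anywhere.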
In conclusion, while organizations are moving into the cloud to save costs and to be agile in their operations, improper implementation will result in more expenses. Expanse provides IT operations, DevOps, and Security teams the confidence that cloud governance and digital transformation projects are pursued and implemented securely and according to policy, and that they stay that way over time.