Other tools and techniques for asset management – Exploring Cloud Asset Inventory

In the absence of dedicated CSPM tools, organizations can employ several compensating tools and techniques to discover and track their cloud assets accurately and to enhance their cloud security posture. These tools and techniques help address the gaps and provide alternative approaches for managing and improving security in the cloud. Here are some compensating tools and techniques:

  • Cloud security monitoring and incident response: Implementing cloud security monitoring tools, such as Security Information and Event Management (SIEM) systems or cloud-native security monitoring solutions, enables real-time detection of security incidents and threats. These tools collect and analyze logs and events from cloud resources, allowing organizations to respond promptly to security incidents and mitigate risks. For example, when investigating a security incident, cloud security monitoring tools can provide insights into unauthorized or suspicious activities related to specific assets.
  • Infrastructure as Code (IaC) security: IaC can be utilized for asset inventory by incorporating asset tracking and management as part of the infrastructure provisioning process. By including asset inventory in the IaC workflow, organizations can maintain an accurate and up-to-date record of their cloud resources. Here are some tools and techniques that can be used for asset inventory within an IaC approach:
    • Terraform: Terraform can be extended to capture asset information during infrastructure provisioning. Custom scripts or modules can be created to gather asset details and store them in a centralized location such as a database or file. This allows organizations to maintain an inventory of provisioned resources alongside their associated metadata.

Example: With Terraform, a custom script can be developed to retrieve information about provisioned resources (for example, virtual machine instances, databases, and storage buckets) and store it in a separate file or database. This provides a comprehensive inventory of assets with associated attributes, such as resource names, types, and configurations.

    • AWS CloudFormation stack outputs: AWS CloudFormation allows outputs to be defined within the infrastructure template. These outputs can include asset-related information that is automatically generated during stack creation or updates. The outputs can be retrieved and stored in a centralized system for asset inventory purposes.

Example: In an AWS CloudFormation template, outputs can be defined to capture details such as resource IDs, IP addresses, or endpoint URLs. These outputs can be extracted and stored in a database or file, creating a centralized asset inventory with relevant information.

    • Azure Resource Manager (ARM) template outputs: Like AWS CloudFormation, ARM templates support outputs that can be used to capture asset information during provisioning. By defining outputs in the template, asset metadata can be collected and stored in a dedicated system for inventory management.

Example: In an ARM template, outputs can be defined to extract details such as resource IDs, connection strings, or access keys. These outputs can be extracted and stored in a central repository, enabling effective asset inventory management.

    • Custom scripts and API integrations: Organizations can develop custom scripts or leverage APIs provided by cloud service providers to gather asset information. By integrating these scripts or APIs into the IaC workflow, asset details can be retrieved during the infrastructure provisioning process and stored in a centralized system.

Example: Custom scripts can be written to call cloud provider APIs and retrieve asset metadata, such as resource names, sizes, or configurations. The scripts can then store this information in a database or file, creating an asset inventory that reflects the provisioned resources.
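The custom-script approach described for Terraform above, together with the "store it in a file or database" step shared by the CloudFormation, ARM, and API examples, as an added example that is not from the book or from HashiCorp: a Python script that reads the JSON produced by `terraform show -json`, keeps only managed resources (data sources are lookups, not provisioned assets), and serializes the inventory as CSV. The state document is constructed and the function names are hypothetical; the `values.root_module.resources` / `child_modules` layout is Terraform's documented JSON output format.

```python
"""Asset inventory from `terraform show -json` output (added example, not from the book).

The state document is constructed; `inventory_from_state` and `write_inventory_csv` are hypothetical names."""
import csv
import io
import json

# Constructed, abbreviated `terraform show -json` state: one root resource, one data source,
# one resource inside a child module. Real input comes from `terraform show -json > state.json`.
SAMPLE_STATE = json.dumps({"format_version": "1.0", "values": {"root_module": {
    "resources": [
        {"address": "aws_instance.web", "mode": "managed", "type": "aws_instance", "name": "web",
         "values": {"id": "i-0123456789abcdef0", "instance_type": "t3.micro",
                    "tags": {"Owner": "web-team", "Env": "prod"}}},
        {"address": "data.aws_ami.ubuntu", "mode": "data", "type": "aws_ami", "name": "ubuntu",
         "values": {"id": "ami-0abcdef1234567890"}},
    ],
    "child_modules": [{"address": "module.storage", "resources": [
        {"address": "module.storage.aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket",
         "name": "logs", "values": {"id": "example-logs-bucket", "tags": None}},
    ]}],
}}})

def _walk(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)

def inventory_from_state(state_json):
    """One record per managed resource; data sources are read-only lookups, not provisioned assets."""
    records = []
    for res in _walk(json.loads(state_json)["values"]["root_module"]):
        if res.get("mode") != "managed":
            continue
        values = res.get("values") or {}
        tags = values.get("tags") or {}  # tags may be null in state, so default to empty
        records.append({"address": res["address"], "type": res["type"], "name": res["name"],
                        "id": values.get("id", ""), "owner": tags.get("Owner", "UNTAGGED"),
                        "env": tags.get("Env", "UNTAGGED")})
    return records

def write_inventory_csv(records):
    """Serialize records as CSV text for a file or database load."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["address", "type", "name", "id", "owner", "env"])
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()
```

Untagged resources surface as `UNTAGGED` in the owner and environment columns, which is usually the first inventory gap worth chasing down.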

  • Policy as Code (PaC): If the organization has clear and comprehensive asset management policies that cover areas such as asset identification, access control, and data protection, then they can translate these policies into machine-readable code or configuration files using a PaC framework such as Terraform or AWS CloudFormation. This code represents the rules and standards that assets must adhere to.
  • Cloud access security brokers (CASBs): While CASB and CSPM tools have overlapping functionalities, their primary focus areas differ. CASBs primarily concentrate on data protection, user and entity behavior monitoring, and policy enforcement, while CSPM tools specialize in assessing and managing the security posture of cloud environments, including asset inventory. However, CASBs can complement CSPM tools for asset inventory purposes in the following ways:
    • Shadow IT discovery: CASBs can identify and track cloud services and applications that are used within the organization, even those not sanctioned or known by the IT department. By discovering shadow IT, CASBs help identify additional assets that might not be covered by the CSPM tools’ native asset discovery capabilities. This enhances the completeness and accuracy of the asset inventory.
    • Cloud service coverage: CASBs can provide visibility and control across various cloud services, including SaaS, IaaS, and PaaS. They can discover assets within each service type and provide information on their usage and configurations. This complements CSPM tools, which primarily focus on the infrastructure layer, by extending asset inventory coverage to cloud services and applications.
    • User and data visibility: CASBs monitor user activity and data flows within cloud services, providing insights into the usage of assets and associated data. By integrating with CSPM tools, CASBs can provide additional context to the asset inventory by associating user activities with specific assets and enriching the inventory with data-related attributes, such as data sensitivity or ownership.
    • Data loss prevention (DLP) capabilities: CASBs offer DLP features that help identify and classify sensitive data within cloud services. By analyzing data flows, CASBs can detect instances where sensitive information may be at risk. Integrating CASBs with CSPM tools can enhance the asset inventory by including data-centric attributes, such as data classification and exposure risk, alongside asset information.
    • Unified policy enforcement: CASBs provide policy enforcement capabilities that can be used to enforce security policies across various cloud services. By integrating CASBs and CSPM tools, organizations can ensure that policy violations identified by CASBs, such as unauthorized access or data sharing, are reflected in the asset inventory. This helps maintain a comprehensive and accurate view of assets and their compliance status.
  • Vulnerability scanning and management: Vulnerability management tools can also be used to supplement asset inventory management in the absence of a dedicated CSPM tool. While their primary focus is on identifying and addressing vulnerabilities, these tools can provide valuable insights into asset discovery and inventory. Let’s look at some examples:
    • Example tool 1 – Qualys Vulnerability Management: Qualys Vulnerability Management is a widely used vulnerability management tool that helps organizations identify, assess, and remediate vulnerabilities across their IT infrastructure, including cloud assets. While its primary purpose is vulnerability management, it can provide asset inventory capabilities as well. Qualys can contribute to asset inventory through the following capabilities:
      • Network scanning and asset discovery
      • Asset identification and categorization
      • Asset attribute collection
      • Asset dependency mapping
      • Asset tracking and changes
    • Example tool 2 – Open Vulnerability Assessment System (OpenVAS): OpenVAS is an open source vulnerability management tool that can be utilized to enhance asset inventory management. Although its primary purpose is vulnerability scanning and assessment, it offers the following features that aid in asset discovery and inventory:
      • Asset discovery
      • Asset classification
      • Vulnerability assessment
      • Continuous monitoring
      • Integration with cloud platforms

By leveraging the asset discovery and vulnerability assessment features of tools such as Qualys and OpenVAS, or any other existing vulnerability management tool, you can compensate for the missing asset discovery and inventory management capabilities of a dedicated CSPM tool. Organizations can enhance their understanding of the assets within their cloud environment and maintain an up-to-date inventory of vulnerabilities associated with those assets.

  • Compliance and configuration auditing: Organizations can utilize existing compliance auditing tools, such as open source solutions or cloud provider-specific auditing services, to verify their adherence to regulatory requirements and security best practices. These tools check cloud configurations, access controls, and policies against established standards, highlighting areas of non-compliance and suggesting remediation steps. While these tools primarily focus on ensuring compliance and assessing configurations, they can provide asset discovery and inventory management capabilities.
  • Cloud governance frameworks and policies: Implementing cloud governance frameworks, such as the Cloud Security Alliance (CSA) Cloud Controls Matrix or National Institute of Standards and Technology (NIST) Cloud Computing Security Reference Architecture, helps define and enforce cloud security policies and practices. These frameworks provide guidelines and best practices for securing cloud assets and can act as compensating measures in the absence of dedicated CSPM tools.

While compensating tools and techniques can enhance cloud security, it is important to note that dedicated CSPM tools offer comprehensive capabilities specifically designed for managing and improving the security posture of cloud environments. Organizations should consider investing in CSPM tools when feasible to gain the full range of benefits and efficiencies they provide.

Summary

In this chapter, we explored the importance of maintaining an accurate and up-to-date inventory of assets within cloud environments. We discussed how a dedicated CSPM tool can play a crucial role in effectively managing and securing cloud assets. CSPM tools provide comprehensive capabilities for asset discovery, classification, and monitoring, enabling organizations to gain visibility into their cloud resources. These tools offer features such as automated asset scanning, configuration assessment, and continuous monitoring to identify misconfigurations, vulnerabilities, and compliance issues. We also examined various aspects related to cloud asset inventory, including understanding the cloud asset landscape, categorizing assets based on their purpose and criticality, and utilizing tools and techniques for asset discovery and inventory management.

In the next chapter, we will dive deep into the CSPM dashboard.

Further reading

To learn more about the topics that were covered in this chapter, take a look at the following resources:
