Cloud security is full of slogans around doing things a certain way depending on the prism of the vendor or solution strategy. Shift-Left advocates making sure nothing bad can ever happen in production via perfect IaC, vulnerability, and misconfiguration management. Shift-Right advocates for observing all runtime behavior to find active attacks independent of the attack surface.
In this talk, we advocate for the middle path to cloud security zen by not putting all your eggs in any one basket.
No amount of hardening (shift-left) can guarantee a no-attack zone. CVEs cannot be fixed instantly, many are unknown at the time of attack (e.g. log4shell), and misconfigurations take time to detect and fix in the best of organizations.
On the other hand, no amount of accurate and fast attack detection at runtime can keep defending against attacks when the resources are misconfigured widely and full of weaknesses (CVEs).
When CSPM and CWPP talk to each other, outcomes are vastly improved. Active attacks observed by CWPP can prioritize what assets need to be remediated first (from a CVE and configuration perspective) and risky assets identified from CSPM can be prioritized for deeper inspection by CWPP. This allows organizations to navigate cloud risks with the right priority that protects their organizations.
We will walk through these strategies and the benefits of these to a multi-cloud enterprise.