Living through managing a large scale cloud team with 1000s of multi-cloud accounts and networks, I would highly encourage looking into CSPM tools to help provide a single pane of glass to manage your networking deployments and controls. We had built our own native tooling which was always tough to keep up with the pace of user requirements and changes with AWS, Azure and GCP.
For CSPM tools I am a bit biased toward Turbot as I work for the company; however, we have a unique stance on being able to detect and resolve cloud networking configuration issues in seconds, plus you can use Turbot to deploy networking stacks across clouds while Turbot ensures there is no configuration drift from the deployment state.
If real-time remediation and deployments are not your requirements, for simple querying and reporting across your cloud services I enjoy our open source project Steampipe (https://steampipe.io). Steampipe works right in your terminal where you can use SQL to explore your cloud resources, build custom security controls and visualize with your favorite SQL client or BI reporting tools.
Great feedback. I'll check out both. Seems like a solution for IaaS based infrastructures. What have you encountered for SaaS/PaaS?
Our customers consider a broad view of their perimeter in AWS, Azure and GCP for IaaS and PaaS capabilities from:
1) IaaS networking (VPCs / VNETs, Security Groups, Routing, etc.), the classic components from your original post that house compute and database resources.
2) PaaS resource configurations; resource access policies in services like S3, KeyVault / KMS, Lambda, IAM, etc. that allow trusted access from outside parties.
3) Identity Perimeter:
a) preventative controls to block major boundaries such as services, regions, CIDRs, etc.
b) time-based authentication to mitigate credential exposure.
c) time-based permissions granted as needed for a specific use.
The integrated architecture of the networking, resource configuration, access policies, etc. across your IaaS & PaaS makes it incredibly challenging to understand which resources are truly exposed or misconfigured. Breadth of coverage in your tooling is important to surround the various service components, and having a single pane of visibility and control is critical to get ahead of it. Cloud COEs' scope is often just AWS, Azure and GCP, as the problem set within these providers is complex enough to control costs and security posture across 100s to 1000s of different workloads from many app teams.
When thinking broader across SaaS and IaaS/PaaS visibility, our voice of customer has mainly been about breadth of coverage across many cloud services like GitHub, Zendesk, Slack, AWS, OCI, DigitalOcean, Cloudflare, etc. The primary goal is to simplify how to gain visibility of resource and identity configurations across many APIs. A tool like Steampipe is interesting as it simplifies how to discover and gain insights across a large array of APIs and data structures with just SQL, which would give you a view across IaaS, PaaS and SaaS, while a CSPM tool like Turbot will go deep into a specific set of cloud services that require depth in control capabilities given the complexity of perimeter configurations.
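As an added illustration of the "single pane of glass" idea from the earlier comment (SQL over cloud resources with Steampipe) and of perimeter items 1 and 2 above, here is one query that reports IaaS networking exposures and PaaS resource-policy exposures in a single result set. This is example code written for this thread, not Steampipe's or Turbot's own control; it assumes the Steampipe AWS plugin tables `aws_vpc_security_group_rule` and `aws_s3_bucket` with the column names shown (`type`, `cidr_ipv4`, `cidr_ipv6`, `from_port`, `to_port`, `ip_protocol`, `bucket_policy_is_public` and the four public-access-block booleans), which you should confirm against the plugin's table docs for your installed version, and the port allow-list is a placeholder policy to adapt.

```sql
-- Constructed example for this thread; not part of the Steampipe or Turbot projects.
-- Assumes the Steampipe AWS plugin schema (Postgres dialect). Verify table and
-- column names against your plugin version before relying on the results.

-- 1) IaaS networking: ingress rules that admit any IPv4/IPv6 source. Rules that
--    expose only 80 or 443 are treated as expected here (adjust to your policy).
--    coalesce(..., false) keeps "all traffic" rules, whose ports are NULL, in the
--    result instead of silently dropping them through NULL logic.
select
  'security_group_rule' as resource_type,
  group_id as resource,
  account_id,
  region,
  concat(ip_protocol, ' ',
         coalesce(from_port::text, 'all'), '-',
         coalesce(to_port::text, 'all')) as detail
from aws_vpc_security_group_rule
where type = 'ingress'
  and (cidr_ipv4 = '0.0.0.0/0' or cidr_ipv6 = '::/0')
  and not coalesce(from_port = to_port and from_port in (80, 443), false)

union all

-- 2) PaaS resource policy: buckets whose policy AWS evaluates as public, or whose
--    account/bucket public-access block is not fully enabled.
select
  's3_bucket',
  name,
  account_id,
  region,
  case
    when bucket_policy_is_public then 'bucket policy grants public access'
    else 'public access block not fully enabled'
  end
from aws_s3_bucket
where bucket_policy_is_public
   or not (block_public_acls and block_public_policy
           and ignore_public_acls and restrict_public_buckets)

order by resource_type, account_id, region;
```

Run it with `steampipe query` against an aggregator connection that spans your accounts so the `account_id` and `region` columns give you the cross-account view; the same shape (one `union all` branch per perimeter category) extends naturally to the identity-perimeter items in 3) once you pick the tables for your provider.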