For cloud-native environments, addressing cloud security in run-time alone is no longer enough.
In today’s cloud-native world wherein infrastructure as code adoption is soaring and building cloud environments at scale requires reproducibility and resilience, the ability to change and grow infrastructure quickly is prioritized from the start. It’s intriguing then, that for so many of us, “cloud security” is associated only with addressing misconfigurations and compliance violations after they’ve occurred in run-time.
Identifying infrastructure issues without focusing on the process and code in build-time is at complete odds with how we design and build modern cloud infrastructure. If we build immutable infrastructure, we need to start thinking about how to secure immutable infrastructure, and run-time security in isolation isn’t enough. On the flip side, addressing cloud security risks in build-time alone lacks the full context of production infrastructure, leaving gaps in your environment.
In this post, we’ll focus on security issue detection via scanning in both build-time and run-time, outlining their values and pitfalls to illustrate the importance of leveraging them both.
Run-Time Cloud Security Posture Management
To keep up with clouds becoming more complex, cloud providers supply rich metadata and telemetry surrounding the management of cloud resources. Building a sustainable cloud security program requires the consistent and extensible collection and analysis of that data.
Community-led projects such as Prowler for AWS and Forseti for Google Cloud have emerged to help serve that purpose. Both projects pioneered the usage of exposed APIs to gather configuration data and inspect for misconfigurations and are implemented to detect post-deployment misconfigurations.
Most cloud providers also now include this type of functionality in their control plane management services. Using native tools like AWS Config, Azure Policies, and Google Asset Inventory, it is easier than ever to gain that basic visibility for your cloud.
Run-time cloud security is certainly best practice but comes with its own set of benefits and caveats:
✅ Change Tracking
Scanning in run-time follows the actual states of configurations. When managing configuration in multiple methods, run-time scanning remains the primary viable technique for identifying and evaluating configuration changes over time.
✅ Compliance-friendly
Most regulated industries now require continuous change-control auditing and tracing. To satisfy those requirements, most scanners map their findings to standard industry benchmarks. Once controls are mapped into benchmarks and sections, you can use the scan reports as baseline evidence to satisfy most industry-specific requirements and audits.
✅ Near Real-Time Results
Depending on the scan frequency, run-time scanning can quickly identify and classify ongoing issues. Connecting scanners to ticketing or monitoring tools can help ensure speedier response and mitigation.
❌ Low Signal to Noise
Most scanners still rely heavily on deterministic detection logic that lacks context, resulting in a tide of irrelevant findings—especially for dynamic environments with short-lived resources. For example, in environments utilizing auto-scaling groups, run-time scanning would return inconsistent results between scans and produce output that’s not representative of the latest resource states. Additionally, scanning multi-faceted IAM permissions or full networking topology could falsely alarm against a configuration change.
❌ Impracticable Findings
After flagging a misconfiguration the immediate question is usually “what can we do to fix it?” If fixing a single cloud misconfiguration requires ten manual steps, or a configuration cannot be reverted, then its very escalation ended up wasted valuable developer time.
❌ Recurring Misconfigurations
For teams utilizing infrastructure code frameworks to orchestrate cloud resources, fixing a misconfiguration solely in run-time leaves the risk of it recurring. To ensure that a cloud misconfiguration won’t recur, remediations have to happen at the source.
#cloud #cloud security #devsecops #infrastructure as a code #buid time scanning #run time scanning
