Cloud Security: Why You Shouldn’t Ignore Ephemeral Assets

Your scheduled vulnerability scans may not catch short-lived cloud assets, creating opportunities for cybercriminals to exploit security gaps.  

The elastic nature of cloud environments allows cloud assets to be provisioned and decommissioned dynamically, oftentimes by stakeholders outside of security, such as DevOps, web and e-commerce teams. These short-lived assets present challenges for security professionals trying to achieve visibility to all of their organization's cloud assets. Waiting for a scheduled vulnerability scan once a week is not going to help you catch these ephemeral assets, which can spin up and spin down in a matter of hours, causing security gaps. And these gaps can provide cybercriminals with a host of new opportunities. Dynamic, short-lived cloud assets require an equally dynamic approach to vulnerability scanning.  

Why You Should Not Ignore Short-lived Cloud Assets 

Some of you may ask "since they are so short-lived, do these ephemeral assets post a real threat to my company's overall security posture?" Others may argue that "it is not easy to keep an inventory of these short-lived assets, so we are going to stick with other more measurable assets." The truth is that scheduled vulnerability scans provide you with point-in-time snapshots, leaving considerable exposure for the cloud instances that spin up and spin down between scans.

Many cloud assets are clones of one another. When one asset is exploited for its vulnerabilities, it could have a cascade effect on other copies. Once an asset is exposed, even if it was short-lived, nobody can predict its blast radius before it is decommissioned. 

For example, imagine a service that is part of an autoscaling group. When a peak time for your business hits, this service will autoscale to the necessary size to meet capacity. What if a critical vulnerability exists on this newly deployed service? Then it autoscales up to several hundred instances of this service — with each instance containing that same critical vulnerability. 

As you can see, taking either a "maybe-we-will-get-lucky" or an "ostrich-head-in-the sand" approach to short-lived cloud assets can expose your organization to threats and have a negative impact on the reputation and business you've worked so hard to preserve. 

Using Tenable.io to Protect Ephemeral Assets in the Cloud 

Your security team needs continuous visibility into your cloud workloads and instances, which can evolve multiple times a day. Your vulnerability management program should be designed to fortify dynamic cloud environments for effective security, continuous visibility and reliable IT operations. 

Tenable.io provides a comprehensive vulnerability management approach to help you assess your cloud attack surface by detecting vulnerabilities in your entire cloud stack. Tenable.io cloud connectors for Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) enable near real-time discovery of new short-lived compute asset deployments across your multi-cloud environments. 

In addition, Tenable.io Frictionless Assessment helps you continuously assess your cloud assets in AWS environments for vulnerabilities without the need to deploy scanners or install agents. Frictionless Assessment is especially effective against short-lived cloud assets, helping you avoid blind spots and coverage gaps. With Frictionless Assessment, you can automatically scan your cloud environments for new vulnerabilities as soon as they're identified, enabling you to rapidly assess your cloud assets for the latest software flaws..

With a tailored dashboard and reports, you can easily communicate vulnerability priority information with your business groups, including the teams that rely on short-lived cloud assets.

Learn more

• Find out how Tenable helped Netskope increase its visibility into ephemeral assets in the cloud here.

• See the three biggest challenges affecting cloud security here.

• Learn how to improve cyber hygiene with cloud resource tagging here.

• Find out more about how the shared responsibility model affects your cloud security choices here.