
The Strategic Role of Asset Management in Kubernetes and Cloud Security

Master the challenges of ephemeral Kubernetes workloads. Learn how event-driven streaming, DNS hygiene, and data enrichment transform cloud asset inventory.

Asset management is often cited as the most critical—yet frequently neglected—component of a modern cybersecurity program. As the cloud perimeter dissolves into a complex web of SaaS integrations and ephemeral workloads, maintaining a real-time inventory of assets is no longer a luxury; it is a necessity.

In a recent discussion, Kesten Broughton shared his deep expertise on this topic. Kesten has an extensive background spanning software development, DevOps, and offensive security, having worked at Praetorian, Nuro, and recently joining the security infrastructure team at Crunchyroll. He has also presented at Forward CloudSec on subjects ranging from cloud asset inventory in GCP to confused deputy problems in AWS.

Based on his insights, here is a deep dive into the challenges and best practices of modern cloud asset management.

You can read the complete transcript of the episode here.

Why Asset Management Is the Core of Cloud Security

At its most basic level, a robust asset inventory allows a security team to answer fundamental questions in seconds.

  • Security teams need to quickly identify if an IP address belongs to their organization, if it is malicious, or if it resides in AWS, GCP, or an on-premise environment.
  • Without a centralized data lake or data warehouse for asset feeds, tracking down system owners and verifying IP addresses can take a day or longer.

For early-stage startups, Kesten recommends prioritizing the tracking of third-party SaaS vendors.

  • Organizations today typically grant access to 300 to 500 different SaaS tools, effectively turning the traditional perimeter into “Swiss cheese”.
  • Tracking these tools ensures the organization knows its exposure if a vendor is breached, helps justify the financial cost of the tools, and ensures every tool has an active internal champion.

When building out tracking, teams should work from the “outside in,” starting with DNS.

  • Dangling subdomains are a major risk; if a service is turned off but the DNS record remains, it points to an ephemeral public IP that an attacker could claim.
  • Attackers write scripts to continuously request and discard IPs until they land on the one pointed to by the dangling domain, allowing them to exploit the domain’s SEO or inherent trust.
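The "outside in" check described above, as an added example that is not part of the original post: it compares a zone export against the organisation's current public IP allocation and its live resource hostnames, and flags A records whose IP has been released and CNAMEs whose target no longer exists. All records, IPs and hostnames are constructed; RFC 1918 targets are skipped because they cannot be claimed from outside.

```python
"""Dangling-record check over a DNS zone export (added example, not from the post).

Inputs are constructed: a few zone records, the public IPs the organisation
currently holds (from its asset inventory) and the hostnames of live cloud
resources that CNAMEs may legitimately point at."""
import ipaddress

RECORDS = [  # (name, type, target)
    ("www.example.test", "A", "203.0.113.10"),
    ("old-api.example.test", "A", "203.0.113.99"),        # IP since released
    ("cdn.example.test", "CNAME", "d111.cloudfront.test"),
    ("staging.example.test", "CNAME", "lb-old.elb.test"),  # LB since deleted
    ("intranet.example.test", "A", "10.0.5.4"),            # private, skipped
]
OWNED_PUBLIC_IPS = {"203.0.113.10", "203.0.113.11"}
LIVE_HOSTNAMES = {"d111.cloudfront.test"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_dangling(records, owned_ips, live_hostnames):
    """Return (name, reason, target) for records whose target we no longer control.

    A records: a public IP that is not in the current allocation set.
    CNAME records: a target hostname with no live resource behind it.
    RFC 1918 targets are skipped because they cannot be claimed from outside."""
    dangling = []
    for name, rtype, target in records:
        if rtype == "A":
            if is_rfc1918(target):
                continue
            if target not in owned_ips:
                dangling.append((name, "released IP", target))
        elif rtype == "CNAME" and target.rstrip(".") not in live_hostnames:
            dangling.append((name, "missing CNAME target", target))
    return dangling


if __name__ == "__main__":
    for name, reason, target in find_dangling(RECORDS, OWNED_PUBLIC_IPS, LIVE_HOSTNAMES):
        print(f"{name}: {reason} ({target})")
```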

The Kubernetes Challenge: Ephemeral Workloads

Tracking static assets like EC2 instances or DNS records can easily be handled with daily snapshots. However, Kubernetes introduces a completely different paradigm.

  • Workloads and IPs attached to Kubernetes are highly ephemeral and are often less than a day old.
  • If a security incident occurs, a daily snapshot will likely be out of date relative to the current state of the cluster, making troubleshooting impossible.
  • A common anti-pattern is attempting to run a “for loop” script across hundreds of Kubernetes clusters and namespaces, which takes too long and risks DDoSing the cloud APIs.
  • The correct approach relies on event-driven streaming; cloud providers already hold the state information, so organizations should utilize continuous feeds (like GCP Cloud Asset Inventory feeds) routed through a Pub/Sub topic to update their backend databases in real time.
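The event-driven pattern described above, as an added example that is not from the post or from Google: a consumer for messages as a Cloud Asset Inventory feed would deliver them over Pub/Sub. It assumes the payload is a JSON TemporalAsset with `asset.name`, `asset.assetType`, `asset.resource.data`, `window.startTime` and a `deleted` flag, uses a dict as the backend database, and handles the two things a snapshot-based approach never has to: out-of-order and duplicate deliveries, and deletions that must not be undone by a late update.

```python
"""Event-driven inventory updater for a Cloud Asset Inventory feed (added
example, not from the post). Assumed payload shape: a JSON TemporalAsset with
asset.name, asset.assetType, asset.resource.data, window.startTime and a
`deleted` flag. A dict stands in for the backend database; out-of-order
deliveries are dropped by comparing window start times, and deletions leave a
tombstone so a late update cannot resurrect a dead workload."""
import json
from datetime import datetime, timezone

def _ts(rfc3339):
    return datetime.fromisoformat(rfc3339.replace("Z", "+00:00")).astimezone(timezone.utc)

def apply_feed_event(inventory, raw_message):
    """Apply one feed message to inventory (asset name -> record); return the action."""
    evt = json.loads(raw_message)
    name, seen_at = evt["asset"]["name"], _ts(evt["window"]["startTime"])
    current = inventory.get(name)
    if current and current["seen_at"] >= seen_at:
        return "stale"  # at-least-once, unordered delivery: we already hold this or newer state
    deleted = bool(evt.get("deleted"))
    inventory[name] = {
        "seen_at": seen_at, "deleted": deleted, "type": evt["asset"]["assetType"],
        "data": {} if deleted else evt["asset"].get("resource", {}).get("data", {}),
    }
    return "deleted" if deleted else "upserted"

def live_assets(inventory):
    return sorted(n for n, r in inventory.items() if not r["deleted"])

def _msg(name, start, deleted=False, ip=None):
    """Build a constructed feed message in the assumed TemporalAsset shape."""
    return json.dumps({
        "asset": {"name": name, "assetType": "compute.googleapis.com/Instance",
                  "resource": {"data": {"publicIp": ip} if ip else {}}},
        "window": {"startTime": start}, "deleted": deleted})

VM = "//compute.googleapis.com/projects/demo/zones/us-central1-a/instances/web-1"
STREAM = [  # constructed: create, delete, then a pre-delete update arriving late
    _msg(VM, "2024-05-01T10:00:00Z", ip="203.0.113.5"),
    _msg(VM, "2024-05-01T10:30:00Z", deleted=True),
    _msg(VM, "2024-05-01T10:10:00Z", ip="203.0.113.6"),
]

def replay(stream):
    inventory, actions = {}, []
    for message in stream:
        actions.append(apply_feed_event(inventory, message))
    return inventory, actions
```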

Overcoming Cloud Provider Limitations Through Data Enrichment

Native cloud asset inventory tools, such as AWS Config or GCP Cloud Asset Inventory, provide a basic GUI but fall short when complex analysis is required.

  • These native tools lack full SQL query capabilities and do not support data joins.
  • To run advanced queries, organizations should dump their asset inventory feeds into robust query engines like BigQuery or Athena.

Raw asset data is not enough; it must be enriched to be actionable.

  • An IP address is more useful if the inventory also identifies whether it sits behind a load balancer, a CDN like CloudFront, or bot protection.
  • Finding the owner of a vulnerable asset is critical for remediation; ownership can be enriched by utilizing infrastructure-as-code files, GitHub codeowners, or cloud tagging.
  • Enforcing tags via linters that refuse to deploy untagged infrastructure is a great way to build ownership directly into the tooling.
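The ownership enrichment and tag enforcement from the last two bullets, as an added example that is not part of the original post: it resolves an owner from the resource's own tag first and from the CODEOWNERS rule matching its Terraform file second, and includes the pre-deploy tag check that refuses untagged resources. The CODEOWNERS content, resources and tags are constructed; `'**'` is collapsed to `'*'` since `fnmatch` already lets `'*'` cross `/`, which is a simplification of GitHub's full pattern rules.

```python
"""Ownership enrichment plus a tag gate (added example, not from the post).
Assumptions: a CODEOWNERS file in GitHub syntax (last matching pattern wins)
mapping Terraform paths to teams, and a constructed list of resources with
the IaC file that declared them and their cloud tags."""
import fnmatch

CODEOWNERS = """
# constructed CODEOWNERS content
*                     @org/platform
infra/payments/**     @org/payments-team
infra/edge/*.tf       @org/edge-team
"""
RESOURCES = [  # constructed: name, declaring file, tags
    {"name": "aws_lb.checkout", "file": "infra/payments/lb.tf",
     "tags": {"owner": "payments", "env": "prod"}},
    {"name": "aws_cloudfront_distribution.site", "file": "infra/edge/cdn.tf",
     "tags": {"env": "prod"}},
    {"name": "aws_instance.scratch", "file": "infra/misc/ec2.tf", "tags": {}},
]
REQUIRED_TAGS = ("owner", "env")

def parse_codeowners(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules

def owner_for(resource, rules):
    """Explicit owner tag first; fall back to the last CODEOWNERS rule matching
    the file that declared the resource. Returns None when nothing matches."""
    if resource["tags"].get("owner"):
        return resource["tags"]["owner"]
    matched = None
    for pattern, owners in rules:
        # fnmatch's '*' already crosses '/', so '**' can be collapsed to '*' here.
        if fnmatch.fnmatch(resource["file"], pattern.replace("**", "*")):
            matched = owners
    return matched[0] if matched else None

def lint_tags(resources, required=REQUIRED_TAGS):
    """Pre-deploy gate: (resource, missing tag) pairs; any result should fail the deploy."""
    return [(r["name"], t) for r in resources for t in required if t not in r["tags"]]

def enrich(resources, rules):
    return {r["name"]: owner_for(r, rules) for r in resources}
```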

Taking enrichment a step further, organizations can implement a graph layer.

  • A graph layer transforms a flat spreadsheet of assets into a “spider web” of interconnected relationships.
  • This allows security teams to trace the exact path from an IP, through a load balancer, up to Route 53, enabling a holistic view necessary for configuring defenses like bot protection.
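The graph layer described above, as an added example that is not part of the original post: constructed edges link Route 53 records, a CloudFront distribution, an ALB, EC2 instances and IPs, and the tracer walks from an IP up to every DNS name that reaches it, reporting which protective layers sit on the path so that an IP reachable with no load balancer or CDN in front can be singled out for bot protection. All node names and addresses are constructed.

```python
"""Asset graph layer and path tracer (added example, not from the post).
Constructed edges model Route 53 -> CloudFront/ALB -> EC2 -> IP relationships;
exposure() walks from an IP up to every DNS record that reaches it and
reports whether a load balancer or CDN sits on the path."""
from collections import deque

EDGES = [  # constructed directed edges: (source, relation, target)
    ("route53:shop.example.test", "ALIAS", "cloudfront:d111"),
    ("cloudfront:d111", "ORIGIN", "alb:shop-prod"),
    ("alb:shop-prod", "TARGET", "ec2:i-0shop1"),
    ("ec2:i-0shop1", "HAS_IP", "ip:203.0.113.20"),
    ("route53:admin.example.test", "A", "ip:203.0.113.30"),
    ("ec2:i-0admin", "HAS_IP", "ip:203.0.113.30"),
]

def build_reverse_index(edges):
    """node -> nodes that point at it, so we can walk 'upwards' from an IP."""
    rev = {}
    for src, _rel, dst in edges:
        rev.setdefault(dst, []).append(src)
    return rev

def trace_up(ip, rev):
    """BFS from an IP node; returns every path that ends at a route53 record."""
    paths, seen, queue = [], {ip}, deque([[ip]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node.startswith("route53:"):
            paths.append(path)
            continue
        for parent in rev.get(node, []):
            if parent not in seen:
                seen.add(parent)
                queue.append(path + [parent])
    return paths

def exposure(ip, edges):
    """Enrich an IP with the DNS names exposing it and the layers in front of it."""
    return [{"dns": p[-1].split(":", 1)[1],
             "behind_lb": any(n.startswith("alb:") for n in p),
             "behind_cdn": any(n.startswith("cloudfront:") for n in p)}
            for p in trace_up(ip, build_reverse_index(edges))]

def directly_exposed(edges):
    """DNS names that reach an IP with neither a load balancer nor a CDN in between."""
    ips = {dst for _s, _r, dst in edges if dst.startswith("ip:")}
    return sorted(e["dns"] for ip in ips for e in exposure(ip, edges)
                  if not (e["behind_lb"] or e["behind_cdn"]))
```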

Balancing Automation, Friction, and Developer Velocity

A recurring theme in Kesten’s philosophy is that security teams must avoid becoming the “house of no” and actively look for ways to help engineering go faster.

  • Security engineers should monitor DORA metrics (which measure engineering velocity) and ensure their requests do not negatively impact those scores.
  • Placing code scanning tools as a blocking gate before deployment can interrupt tight development loops; depending on risk tolerance, shifting to post-deployment checks can help teams hit their sprint objectives.

Interestingly, Kesten warns that security automation and Infrastructure as Code (IaC) can sometimes be overdone.

  • While Terraform is essential for maintaining consistency across dev, stage, and prod environments, it introduces maintenance overhead.
  • Terraform state can drift, and provider updates (e.g., a default value changing from an empty string to “none”) can break deployments unexpectedly.
  • For “deploy and forget” security configurations that won’t be touched for a year, deploying manually or via CLI scripts may be a better use of time than maintaining an IaC module.

Rethinking Traditional Security Practices

Kesten also offered unique perspectives on traditional security practices:

  • Unrestricted Access: While granting unrestricted access in a production environment is a terrible idea, it is highly beneficial in non-production scenarios to help developers move faster. Security teams can support this by provisioning individual AWS accounts or GCP projects that use automation to completely annihilate all resources on a weekly basis, preventing data accumulation.
  • Periodic Security Audits: Expensive, $100,000+ third-party pentests often devolve into mere checkbox exercises for compliance. To get actual value, companies should use bug bounty programs to gather diverse attacker perspectives and ensure internal vulnerability scanning is continuous and streaming, rather than quarterly.
  • Security Training: A one-size-fits-all training program is ineffective because it bores experienced engineers and fails to address the specific threats faced by non-technical teams. For example, finance departments need highly specific training to combat fake invoice attacks, while legal departments require tailored joint workflows with security.
