Palo Alto Networks has announced that Prisma Cloud has added drift detection to Bridgecrew, helping organizations secure cloud infrastructure. Multi-Cloud Drift Detection detects and flags inconsistencies between how cloud resources were defined in infrastructure as code (IaC) and how they are actually configured at runtime. Because misconfigurations are a primary source of cloud breaches, Drift Detection helps improve cloud security posture and enables companies to manage their infrastructure properly through GitOps. The initial rollout of Drift Detection covers Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.
According to Gartner®, “Through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end-users.” While DevSecOps reduces misconfigurations to a minimum by codifying and enforcing security standards, out-of-band changes are unavoidable because of maintenance, incident response chores, and ad hoc adjustments; these out-of-band changes are known as drift. Detecting and addressing drift, regardless of why it occurs, is critical to maintaining GitOps policies and lowering cloud risk.
“The most effective way to avoid misconfigurations is by adopting infrastructure as code and making all changes through git and a secure continuous integration/continuous delivery (CI/CD) pipeline. That way, misconfigurations are identified and fixed in code before they’re provisioned,” said Idan Tendler, vice president of DevSecOps, Prisma Cloud at Palo Alto Networks.
He added, “However, even organizations that follow GitOps best practices have ‘break glass’ emergencies where operations teams need to make quick changes to cloud resources directly in production that can result in drift. Detecting this drift is one of the keys to maintaining secure cloud infrastructure.”
Bridgecrew Drift Detection is based on the company’s most recent open-source project, Yor, which tags IaC templates with attribution and ownership information as well as a unique ID that is carried through to the provisioned cloud resources. Drift Detection extends Yor’s code-to-cloud tracing by alerting developers to drift and allowing them to rectify it immediately from the Bridgecrew platform. Because of the visibility and control it provides, Drift Detection is a key feature for any organization that is shifting security left and embracing DevSecOps.
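As an added illustration of the code-to-cloud comparison described above (this is not Bridgecrew's or Yor's own code), the following Python sketch matches declared IaC resources to runtime resources by a trace tag and reports attributes changed at runtime, declared resources that are missing, and untagged resources created out of band; the tag name `yor_trace`, the resource dictionary shape and the bucket sample data are assumptions constructed for the example.

```python
"""Toy drift check: declared IaC resources vs. observed runtime resources.
Both sides are matched by a unique trace tag (assumed here to be named
"yor_trace", modelled on how Yor tags templates). Attributes that differ at
runtime, declared resources absent from runtime, and runtime resources with
no trace tag (out-of-band creations) are each reported as a finding."""
from dataclasses import dataclass, field
from typing import Optional

TRACE_TAG = "yor_trace"  # assumed tag name used to link code to cloud


@dataclass
class Finding:
    kind: str                   # "changed", "missing" or "unmanaged"
    trace: Optional[str]        # trace tag value, None for untagged resources
    details: dict = field(default_factory=dict)


def detect_drift(declared: list, runtime: list) -> list:
    """Return drift findings; an empty list means runtime matches code."""
    by_trace = {r["tags"][TRACE_TAG]: r for r in declared}
    findings, seen = [], set()
    for actual in runtime:
        trace = actual.get("tags", {}).get(TRACE_TAG)
        if trace is None or trace not in by_trace:
            findings.append(Finding("unmanaged", trace, {"id": actual.get("id")}))
            continue
        seen.add(trace)
        want, got = by_trace[trace]["attributes"], actual.get("attributes", {})
        diffs = {k: (v, got.get(k)) for k, v in want.items() if got.get(k) != v}
        if diffs:
            findings.append(Finding("changed", trace, diffs))
    for trace in sorted(by_trace.keys() - seen):
        findings.append(Finding("missing", trace))
    return findings


# Constructed sample: a bucket declared with public ACLs blocked; at runtime
# that setting was flipped off and an untagged bucket was created by hand.
DECLARED = [{"tags": {TRACE_TAG: "t-1"},
             "attributes": {"block_public_acls": True, "versioning": True}}]
RUNTIME = [{"id": "bucket-a", "tags": {TRACE_TAG: "t-1"},
            "attributes": {"block_public_acls": False, "versioning": True}},
           {"id": "bucket-b", "tags": {}, "attributes": {"block_public_acls": False}}]

if __name__ == "__main__":
    for f in detect_drift(DECLARED, RUNTIME):
        print(f.kind, f.trace, f.details)
```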