How Decathlon successfully implemented a CSPM

Fabien Bloume
Published in Decathlon Digital
Oct 6, 2021 · 5 min read

At some point in your cloud journey, you may decide to implement a CSPM. Here are a few tips and insights from our own journey: how we implemented a CSPM in our environment, and the mechanisms we used to improve our Cloud Security and Compliance posture.

CSPM — Concept

A Cloud Security Posture Management product helps you maintain a desired Cloud Security posture. It lets you enable specific sets of policies that are continuously checked across your cloud environment, chosen according to the risk appetite of your organization.

CSPM vs Cloud Provider’s native security solutions

As a company with a large cloud infrastructure, there are many reasons why you might consider implementing a CSPM. You may find yourself comparing cloud providers’ native security solutions against a CSPM, as they provide similar functionalities.

In our experience, a CSPM is worth considering if:

  • You seek a metrics-oriented approach and uniformity across the different controls in place on each cloud provider;
  • You’re multi-cloud (and can’t afford custom development on top of each CSP’s native security solutions);
  • You follow a DevOps model, with users actively changing the cloud environment on a daily basis;
  • You define your own security control framework.

Benefits

The first benefit you will notice is an instant increase in visibility over your cloud environments.

In proportion to the number of accounts you have onboarded, you will quickly be flooded with a large number of alerts. Rome wasn’t built in a day, so pick your battles and stick to them first!

In addition to the default checks available, here are some ideas of use-cases you may find worth having a look at:

  • Detection of instances with publicly open sensitive ports
  • Detection of access keys which are too old and not rotated
  • Detection of secrets in environment variables of some cloud components
  • Detection of cloud assets in unauthorized regions
  • Detection of illegitimate peerings between VPCs
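As an added example (not code from the article or from any CSPM product), here is how these five use-cases can be expressed as policy functions run over a constructed asset inventory. The record layout, the policy names, the thresholds (sensitive ports, 90-day key age, allowed regions, trusted peer accounts) and the sample records are all assumptions; the key-age check is pinned to a fixed date so that the result is reproducible.

```python
"""Custom CSPM-style policy checks over a constructed cloud inventory.

Added example, not code from the article or from any CSPM product. The asset
record layout, the policy names and the sample inventory are hypothetical;
a real CSPM reads these records from the cloud provider APIs.
"""
import re
from datetime import date

# Thresholds a team would take from its own cloud security policy (assumed values).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}  # SSH, RDP, MySQL, Postgres, Redis, MongoDB
MAX_KEY_AGE_DAYS = 90
ALLOWED_REGIONS = {"eu-west-1", "eu-west-3"}
TRUSTED_PEER_ACCOUNTS = {"111111111111", "222222222222"}
SECRET_ENV_NAME = re.compile(r"secret|password|token|api[_-]?key", re.IGNORECASE)
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
TODAY = date(2021, 10, 6)  # fixed so that the key-age check is reproducible


def public_sensitive_port(asset):
    """Security-group rule exposing a sensitive port to the whole Internet."""
    if asset["type"] != "security_group":
        return []
    hits = []
    for rule in asset["ingress"]:
        if rule["cidr"] not in ("0.0.0.0/0", "::/0"):
            continue
        exposed = SENSITIVE_PORTS & set(range(rule["from_port"], rule["to_port"] + 1))
        if exposed:
            hits.append(f"ports {sorted(exposed)} open to {rule['cidr']}")
    return hits


def old_access_key(asset):
    """Access key older than the rotation period."""
    if asset["type"] != "access_key":
        return []
    age = (TODAY - asset["created"]).days
    return [f"key is {age} days old"] if age > MAX_KEY_AGE_DAYS else []


def unauthorized_region(asset):
    """Any asset deployed outside the allowed regions."""
    region = asset["region"]
    return [] if region in ALLOWED_REGIONS else [f"deployed in {region}"]


def secret_in_env(asset):
    """Environment variable that looks like a secret by its name or its value."""
    if asset["type"] != "function":
        return []
    return [f"suspicious variable {name}" for name, value in asset["env"].items()
            if SECRET_ENV_NAME.search(name) or AWS_ACCESS_KEY_ID.search(value)]


def illegitimate_peering(asset):
    """VPC peering with an account outside the trusted list."""
    if asset["type"] != "vpc_peering":
        return []
    peer = asset["peer_account"]
    return [] if peer in TRUSTED_PEER_ACCOUNTS else [f"peered with untrusted account {peer}"]


POLICIES = {
    "public_sensitive_port": public_sensitive_port,
    "old_access_key": old_access_key,
    "unauthorized_region": unauthorized_region,
    "secret_in_env": secret_in_env,
    "illegitimate_peering": illegitimate_peering,
}


def evaluate(inventory):
    """Run every policy over every asset and return one finding per violation."""
    findings = []
    for asset in inventory:
        for policy, check in POLICIES.items():
            for detail in check(asset):
                findings.append({"asset": asset["id"], "policy": policy, "detail": detail})
    return findings


INVENTORY = [  # constructed sample records
    {"id": "sg-web", "type": "security_group", "region": "eu-west-1",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
    {"id": "sg-bastion", "type": "security_group", "region": "eu-west-1",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
                 {"cidr": "10.0.0.0/8", "from_port": 3306, "to_port": 3306}]},
    {"id": "key-ci", "type": "access_key", "region": "eu-west-1", "created": date(2021, 1, 15)},
    {"id": "key-new", "type": "access_key", "region": "eu-west-1", "created": date(2021, 9, 1)},
    {"id": "i-test", "type": "instance", "region": "ap-southeast-1"},
    {"id": "fn-etl", "type": "function", "region": "eu-west-3",
     "env": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"}},
    {"id": "fn-api", "type": "function", "region": "eu-west-1",
     "env": {"UPSTREAM_ID": "AKIAIOSFODNN7EXAMPLE"}},  # AWS's documented example key id
    {"id": "pcx-partner", "type": "vpc_peering", "region": "eu-west-1", "peer_account": "333333333333"},
    {"id": "pcx-shared", "type": "vpc_peering", "region": "eu-west-1", "peer_account": "111111111111"},
]

if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f['asset']:12} {f['policy']:22} {f['detail']}")
```

Each policy returns one detail string per violation, so a single asset can carry several findings. Note that the port check only fires when a sensitive port is reachable from 0.0.0.0/0 or ::/0: the MySQL rule restricted to 10.0.0.0/8 passes, and the public HTTPS rule passes because 443 is not in the sensitive set. The thresholds and allow-lists are exactly where your own ISSP comes in.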

With that said, let’s get into more details on how we have implemented a CSPM in our environment.

Step 0 — Recommended initial steps

If you happen to implement a CSPM in a similar fashion as we did, here are a few things you might consider doing at the implementation phase:

  • Onboard absolutely all your cloud accounts (leave none aside)

Don’t be overconfident about any of your cloud accounts: expect to be surprised by what you find, even in barely used ones.

  • Define and implement your own ISSP (Information System Security Policy) dedicated to Cloud Environments

We recommend starting with the CIS benchmark policies as a base and adding your own needs/controls according to the risk appetite of your organization. Security-oriented policies mapped to the MITRE ATT&CK framework are also worth considering.

  • Define a compliance score relying on your Cloud ISSP to drive teams and management

You can compute a compliance score as the number of checked assets that comply with every policy, divided by the total number of checked assets in the cloud account, multiplied by 100. This gives a score from 0 (every asset fails at least one policy) to 100 (fully compliant). You can refine this notion by giving each failing asset a weight based on the severity of its worst finding, rather than counting every failure equally.

  • Have an up-to-date repository of your cloud accounts (with up-to-date responsible teams and contacts)

Being able to link a cloud account to a team / contact is of utmost importance. The higher your data quality, the better you’ll be able to take actions that lead to positive change.
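The compliance score and the account repository above, worked through as an added example (not the article's or any product's code): the score is computed per account and then rolled up per team using an account-to-team mapping, first by simply counting failing assets and then with severity weights, and a threshold check shows which teams would get a ticket under the alerting rule described in Step 2. The account repository, asset counts, findings, severity weights and the 95 % threshold are all constructed or assumed values.

```python
"""Cloud compliance score per account and per team, with optional severity weights.

Added example, not code from the article or from a CSPM product. The account
repository, asset counts and findings below are constructed; the severity
weights and the threshold are assumed values a team would choose.
"""
from collections import defaultdict

# Cost of a failing asset, taken from its most severe finding (assumed values).
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.7, "medium": 0.4, "low": 0.1}


def compliance_score(total_assets, findings, weighted=False):
    """100 = every checked asset complies with every policy; 0 = none does.

    Unweighted: share of assets with no finding at all. Weighted: each failing
    asset costs the weight of its worst finding instead of a flat 1.
    """
    if total_assets == 0:
        return 100.0
    worst = defaultdict(float)  # asset -> weight of its worst finding (counted once per asset)
    for f in findings:
        weight = SEVERITY_WEIGHT[f["severity"]] if weighted else 1.0
        worst[f["asset"]] = max(worst[f["asset"]], weight)
    return round(100.0 * (1.0 - sum(worst.values()) / total_assets), 1)


def scores_by(group_of, asset_count, findings, weighted=False):
    """Aggregate asset counts and findings per group (account, team, ...) and score each."""
    totals = defaultdict(int)
    grouped = defaultdict(list)
    for account, count in asset_count.items():
        totals[group_of(account)] += count
    for f in findings:
        grouped[group_of(f["account"])].append(f)
    return {g: compliance_score(totals[g], grouped[g], weighted) for g in totals}


def groups_below(scores, threshold):
    """Groups whose score fell under the threshold: these are the ones that get a ticket."""
    return sorted(g for g, s in scores.items() if s < threshold)


# Constructed sample data. The account repository maps each account to its owning team.
ACCOUNT_TEAM = {"123456789012": "checkout", "210987654321": "checkout", "345678901234": "data"}
ASSET_COUNT = {"123456789012": 30, "210987654321": 10, "345678901234": 50}
FINDINGS = [
    {"account": "123456789012", "asset": "sg-bastion", "severity": "critical"},
    {"account": "123456789012", "asset": "sg-bastion", "severity": "low"},  # same asset: counted once
    {"account": "123456789012", "asset": "key-ci", "severity": "high"},
    {"account": "210987654321", "asset": "i-test", "severity": "low"},
    {"account": "345678901234", "asset": "fn-etl", "severity": "medium"},
]
THRESHOLD = 95.0  # assumed: below this, the team gets a ticket


def account_scores(weighted=False):
    return scores_by(lambda acct: acct, ASSET_COUNT, FINDINGS, weighted)


def team_scores(weighted=False):
    return scores_by(lambda acct: ACCOUNT_TEAM[acct], ASSET_COUNT, FINDINGS, weighted)


if __name__ == "__main__":
    for weighted in (False, True):
        scores = team_scores(weighted)
        label = "weighted" if weighted else "unweighted"
        print(f"{label}: {scores}, tickets for: {groups_below(scores, THRESHOLD)}")
```

With these numbers the checkout team scores 92.5 unweighted (3 failing assets out of 40) but 95.5 once severities are weighted, so whether a ticket fires depends on which variant you adopt; decide that before you publish a threshold, or teams will argue about the number rather than fix the findings.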

Step 1 — Involve your users

Make the platform a user-friendly experience

We have made the choice to give read-only access to the platform to all of our cloud users by default. We also gave Security, Cloud & Network teams additional privileges so they can better perform checks and investigations.

For each policy that is set, we have made sure to define a succinct title, description and recommendation for remediation. This is highly beneficial to provide educational value to users, as they can directly understand what was done wrong and follow the remediation steps to fix the issue in the same way they would follow a tutorial.

We’ve also fine-tuned the RBAC (role-based access control), so that users get their account automatically created and updated to only see what’s relevant to their cloud perimeter, reducing any kind of confusion.

The easier the experience is for your users, the more autonomous and efficient they will be in reaching their cloud security posture goals.

Step 2 — Automate, automate, automate!

At Decathlon, we love automation. At this point, building ties with your Security Operations Center team is a good idea.

Set up Alerting mechanisms

Automated alerting mechanisms are a key component in bringing the product to life and ensuring users have the right tools to continuously reach their cloud compliance goals. They are also key to reacting as quickly as possible after a detection.

We’ve set up two types of alerting mechanisms:

  • Compliance: If the compliance score of a team goes below the defined threshold, a ticket is created in the ITSM system and assigned to the right team. The process is repeated every 7 days after the initial detection. Escalations can also be considered.
  • Security: When a strictly forbidden change is detected, we immediately alert the team through our ITSM, and when applicable, automatically perform the remediation action.
    Note: The alert through ITSM is essential to keep the educational value.

Because we’re working closely with the SOC team, Security alerting and remediation actions are directly performed in our SOAR (Security Orchestration, Automation and Response platform — More details to come in a future story!).

Automate missing features

No product is ever perfect, whichever one you choose! Fortunately, the product will likely come with fully available API endpoints.

As the product owner, you may face a lot of maintenance regarding policies, compliance rulesets or your tailor-made RBAC. The good news is that all of the above can be automated.

We designed a specific tagging process which, helped by some custom serverless functions, automatically assigns alerts to the right cloud perimeters and to the right compliance rulesets.

We also continuously update all information in the product leading to better RBAC, force-set the correct time zone for users or delete unused users and access keys on the platform.

Step 3 — Leverage responsibilities

Involving your management is a critical path to succeed in reaching an ambitious cloud compliance target.

  • Bring the notion of compliance score at team level, but also at Organizational Unit and Country Level
  • Make metrics-oriented dashboards accessible to managers and executives
  • Regularly follow up with Security Officers based on their perimeter’s score

In short…

Even though the market is still young and evolving, implementing a CSPM should be part of your cybersecurity strategy if you are considering a strong multi-cloud presence. You will instantly be rewarded with a massive boost in visibility across your environment and be able to identify and tackle the weakest points in your cloud security posture.

Setting the right organization around the product is critical to reach goals at company level and bring educational value and awareness to your users; leveraging automation in coordination with the SOC team is also a great opportunity to further increase return on investment. As usual, cybersecurity is a long-term thinking process.

Finally, keep in mind that for advanced security use-cases, the power of cloud providers’ native features is surely not to be taken out of the equation!
