Pulumi Adds Cloud Security Intelligence Tool to Portfolio
2024-9-19 01:32:40 Author: securityboulevard.com

Pulumi today added a Pulumi Insights application for discovering cloud assets in addition to generally making available a previously launched tool for centralizing the management of cloud security.

Announced at the company’s annual PulumiUP conference, these offerings extend the company’s portfolio beyond the infrastructure-as-code (IaC) tool the company initially provided.

Pulumi CEO Joe Duffy said neither Pulumi Insights nor Pulumi Environments, Secrets, and Configuration (ESC) requires organizations to have adopted the Pulumi IaC tool. However, organizations that do can better apply security controls to cloud computing environments that are typically configured by developers using IaC tools.

At the core of the Pulumi platform is Pulumi CrossGuard, its policy-as-code engine, which has recently been extended using a generative artificial intelligence (AI) tool dubbed Pulumi Copilot. In total, Pulumi now supports more than 170 public, private, hybrid and software-as-a-service (SaaS) platforms.

More than a decade after the arrival of cloud computing, organizations are still struggling with securing these environments. The challenge that many face is that cloud services are usually provisioned by application development teams that are more concerned with productivity than with security. Many of them lack the expertise needed to securely configure those services. Cybercriminals, meanwhile, have become especially adept at discovering and exploiting, for example, a misconfigured S3 cloud storage service to exfiltrate data.

Cybersecurity teams, unfortunately, often lack the tools needed to first discover what assets they have in the cloud and then, secondly, determine what level of security is being enforced. Exacerbating that issue further is a shared model for cloud security that often leaves many organizations unsure of what they are responsible for securing versus what precisely their cloud service provider will secure on their behalf. The latest additions to the Pulumi portfolio are designed to help close that gap, said Duffy.

It’s not clear exactly who within organizations is now assuming responsibility for cloud security. In many cases, it’s still the responsibility of cybersecurity teams, but with the rise of platform engineering as a methodology for managing IT, responsibility for cloud security is in some cases shifting. The DevOps engineers who typically make up those teams are increasingly employing DevSecOps best practices to programmatically ensure cloud resources are secure. However, the level of DevSecOps maturity that exists from one organization to the next is likely to vary widely.

As the number of cloud platforms employed by organizations increases, it becomes more challenging to implement DevSecOps practices. The more cloud platforms an organization employs, the more probable it becomes that one or more of those services will be misconfigured. More problematic still, too often application developers view cybersecurity teams as an impediment to productivity despite the level of risk the organization might unwittingly now be taking on.

Regardless of the approach to solving that issue, both cybersecurity and emerging platform engineering teams have a vested interest in ensuring cloud security, especially as part of any effort to better secure software supply chains.

The challenge, as always, is aligning the people around a consistent set of processes to ensure that cloud security goals are both achieved and, just as importantly, maintained.

Article source: https://securityboulevard.com/2024/09/pulumi-adds-cloud-security-intelligence-tool-to-portfolio/