Cloud Security Solutions: CWPP, CSPM, CASB, and More

Learn about the need for cloud security solutions, and the key categories of cloud security tools, including CWPP, CSPM, CASB, data security and compliance.

January 13, 2021

What are Cloud Security Solutions?

Cloud security solutions are used to protect resources and workloads running on public and hybrid cloud services managed by cloud providers, as well as private clouds. Following are the main categories of cloud security solutions:

  • Cloud workload protection platform (CWPP)—a centralized solution for extending visibility into cloud resources, primarily to secure cloud workloads. CWPP enables you to perform security functions across multiple environments.
  • Cloud security posture management (CSPM)—implements continuous, automated security and compliance processes, primarily to secure the infrastructure where workloads are deployed. CSPM helps prevent software configuration vulnerabilities and compliance risks.
  • Cloud access security broker (CASB)—solutions are implemented for the purpose of extending in-house visibility into cloud environments. CASB is located between on-premise and cloud infrastructure.
  • Cloud data security—a range of software to implement storage access controls and practices that protect cloud-based data and applications. 
  • Cloud compliance—software scans cloud environments, searching for compliance violations. The process is often automated, includes alerts, and can generate audits for each compliance standard.  

In this article, you will learn:

The Need for Cloud Security: Cloud Security Concerns

Since the early days of cloud computing, security was a major concern. Even today, many organizations are hesitant to move sensitive data to the public cloud, and prefer to use the cloud for non-sensitive or non-mission-critical workloads. Below are some of the key security issues facing organizations that operate in the cloud.

Data Leakage and Exfiltration

In a cloud-based environment, data can easily be shared. In many cases, environments are directly accessible from the public internet, and users can provide access to information via direct email invitations or public links. Cloud storage buckets and cloud-based databases are often unsecured by default. 

While the open nature of the cloud improves collaboration, it creates major risks to sensitive data. Attackers can scan for misconfigurations to find openly accessible data volumes and compromise them. Any weakness in access control to cloud resources can be leveraged to access and exfiltrate sensitive data. 

Data Privacy and Compliance

Regulations such as GDPR, CCPA, HIPAA and PCI/DSS have strict requirements for information security for organizations that store customer data, with significant penalties for non-compliance. In addition to customer data, organizations also own valuable proprietary business data or intellectual property.

There are advantages to providing this type of data in the cloud, and many cloud services are becoming certified for these and other compliance standards. However, it is still up to the organization to configure cloud services with appropriate security measures. Another challenge is gaining visibility over what is running in the cloud, how it is secured, and proving the existence of security measures to auditors. 

Misconfiguration and Accidental Exposure

Cloud infrastructure is characterized by a large number of computing resources, many of them launched automatically by mechanisms like auto scaling or container orchestration. Each of these resources might contain sensitive data, or enable access to sensitive systems. 

When there are possibly thousands of virtual machines, containers, and storage volumes, it is extremely difficult to ensure that all of them are properly secured. It is too easy for one employee to unknowingly spin up a compute instance or storage bucket, fail to configure security correctly, and expose the organization to a breach.

Data Sovereignty

Most cloud providers have multiple, geographically dispersed data centers. This improves the availability and performance of cloud resources, and makes them resilient to disruptions such as natural disasters or power outages. 

However, in many cases companies that store data in the cloud do not know where the data is actually stored. Many regulations and standards require data to be stored in a specific physical location—for example, the GDPR restricts data transfer by EU citizens outside the EU. 

In addition, different countries and regions have different laws governing access to data for law enforcement or national security purposes, and this can compromise the privacy and security of organizational data.

Cloud Security Solution Categories

CWPP

A cloud workload protection platform (CWPP) is a security solution that can protect cloud workloads such as:

  • Applications running on compute instances (virtual machines)
  • Containerized applications
  • Serverless applications
  • Cloud-based API endpoints
  • Cloud-based storage and databases

Many organizations do not have the controls to ensure workloads are deployed in the right place and have appropriate security measures. CWPP consolidates management and provides visibility of cloud resources across multiple cloud providers in a single console.

CWPP performs security functions like hardening, vulnerability scanning and remediation, network segmentation, system integrity checks, and application whitelisting. 

CSPM

Cloud security posture management (CSPM) inspects cloud environments and warns about software configuration vulnerabilities and compliance risks. These risks are commonly due to human error or oversight. 

According to Gartner, the primary goal of CSPM systems is to automate security and compliance and provide control over cloud infrastructure configuration. 

CSPM is commonly provided as a cloud service. CSPM services can continuously and automatically perform the following activities:

  • Provide an inventory of cloud resources and monitor for creation or modification of resources across the environment.
  • Provide visibility and ensure consistent implementation of policies across multiple cloud providers.
  • Scan compute instances for misconfigurations or settings that are prone to abuse.
  • Scan storage buckets for configuration errors that could reveal data.
  • Review cloud resources for compliance with relevant compliance obligations.
  • Perform risk assessment of cloud systems using standard frameworks like ISO and NIST.
  • Ensure operational activities are running as expected—some of these, like key rotation, may have critical security significance.

CASB

Cloud access security broker (CASB) tools and services mediate between two integrated environments—the infrastructure of a cloud vendor and the on-premise infrastructure of the organization. 

Once installed, a CASB extends the visibility and controls of the organization, by enforcing the security policies of the organization beyond the scope of the on-premises infrastructure. 

To extend visibility and control, a CASB typically leverages the following technologies:

  • Firewalls—for identifying malware and blocking entrance to the corporate network.
  • Authentication—verifies user credentials and prevents access to unauthorized content.
  • Web application firewalls (WAFs)—implemented to prevent and block attacks originating at the application level.
  • Data loss prevention (DLP)—helps prevent unauthorized transmissions of sensitive information outside of the organization authorized pools of data.

A CASB implements these techniques to ensure all network traffic between the cloud and on-premise resources comply with the security policies of the organization. CASBs analyze cloud usage across all cloud resources, and then identify unauthorized use. In some cases, automated mechanisms may enforce relevant policies upon discovery of certain anomalies.

Cloud Data Security

Cloud data security software is used to protect information stored in cloud services or cloud-based applications, by implementing storage-related access controls and policies. 

Cloud data security tools can be used to:

  • Consistently implement security policies across multi-cloud storage systems.
  • Protect data stored in the cloud, or transferred to or from cloud systems.
  • Manage governance, set permissions, and monitor access to sensitive data.
  • Encrypt data at rest and in transit.
  • Apply data loss prevention to prevent sensitive data from being destroyed, modified, or transferred outside organizational boundaries.

Cloud Compliance

Cloud compliance software is used to ensure regulatory standards and enable compliance management for cloud infrastructure. These tools help increase the visibility of cloud workloads and network flows, and automatically identify which parts of a cloud deployment are in violation of specific compliance requirements. They can also automatically generate audits for each compliance standard.

Cloud compliance solutions have some common functionality with CWPP solutions. However, CWPP is mainly focused on management and security controls for cloud workloads, while compliance solutions focus on identifying controls needed for specific compliance standards, alerting about violations and assisting with remediation.

Cloud Security with Aqua

With Aqua Security, you get a complete security platform, which secures cloud native applications from start to finish, at any scale. The Aqua platform protects your entire stack, on any cloud, across VMs, containers, and serverless.

Aqua can help you secure your cloud by:

  • Protecting the build with a “shift left” approach to cloud native security that stops threats and vulnerabilities in their tracks — empowering DevOps to detect issues early and fix them fast. Aqua uses a combination of static and dynamic scanning to find vulnerabilities, malware, secrets, and other risks during development and staging. It also allows you to set flexible, dynamic policies to control deployment in your runtime environments.
  • Securing infrastructure, automating compliance and the security posture of your public cloud services, Infrastructure-as-Code templates, and Kubernetes against best practices and standards. This ensures that the infrastructure you run your applications on are securely configured and in compliance.
  • Protect workloads, including VMs, containers, and serverless functions, using granular controls that provide instant visibility and real-time detection and response. Aqua leverages modern micro-services concepts to enforce immutability of your applications in runtime, establishing zero-trust networking, and detecting and stopping suspicious activities, including zero-day attacks.
  • Secure hybrid cloud infrastructure with cloud native security over hybrid-cloud and multi-cloud deployments, with persistent controls that follow your workloads wherever they run.