What Is CSPM According to Gartner?
Cloud Security Posture Management (CSPM) is a security solution category that can identify and help remediate cloud misconfigurations. Gartner introduced the CSPM category, and officially describes it as a solution that automates security and provides compliance assurance in the cloud.
CSPM starts from a framework based on regulatory requirements, industry benchmarks and company policies, and continuously manages cloud risk by preventing, detecting, responding and predicting cloud infrastructure risks.
At the heart of CSPM technology is active and passive detection and assessment of risk in cloud service configurations, for example network and storage configuration, and security settings, for example encryption and assigned permissions. In many cases, if the configuration is not compliant, the CSPM product can take automated corrective action to reconcile it with compliance and security requirements.
This is part of our series of articles about Cloud Native Application Protection Platforms (CNAPP).
What Are the Factors Driving the Need for CSPM?
Here are key factors driving the need for CSPM:
- The increasing adoption of cloud computing—enterprises consume more and more cloud services, and the resulting environment grows steadily more complex. To satisfy these needs, cloud vendors offer a multitude of services, each with its own configuration options, making it difficult to monitor and understand the security implications of each configuration.
- Cloud visibility issues due to cloud sprawl—enterprises usually do not have complete visibility into their cloud deployments and services. This is due to many teams having the capability to set up new cloud accounts and services, often across multiple providers.
- The dynamic nature of cloud infrastructure—cloud services offer scale-out capabilities that constantly add or remove new resources.
- Complex environments lead to security issues—as enterprises adopt multi-cloud and hybrid cloud strategies, visibility becomes crucial for proper security.
- Self-service IaaS and PaaS—self-service capabilities enable developers to eliminate their reliance on IT and security personnel during planning and deployment phases but do not provide adequate security and visibility coverage.
- Lack of security expertise—developers and cloud operations teams are not security experts but are required to make risk and security decisions regarding aspects like encryption, service authorization, and key management. They must have adequate visibility and control to avoid mistakes and misconfigurations.
- Lack of adequate tooling—while enterprises shift to DevOps to increase speed, traditional security tools are too slow and cumbersome to manage cloud risk. Additionally, teams must integrate compliance and security checks directly into development pipelines.
How Does Cloud Security Posture Management Work?
CSPM tools work by examining the cloud environment and comparing it to best practices and known security issues. CSPM tools alert the owner of a cloud resource when security risks need to be fixed, and in some cases remediate issues automatically, for example by revoking inappropriate account privileges.
CSPM is typically used by organizations adopting a cloud-first strategy and wanting to extend security best practices to hybrid and multi-cloud environments. CSPM was originally used to secure Infrastructure-as-a-Service (IaaS) cloud resources, such as Amazon EC2 compute instances, but can also identify misconfigurations in Platform-as-a-Service (PaaS) offerings, such as cloud databases, as well as in Software-as-a-Service (SaaS).
CSPM solutions may rely on several data sources. Typically, the cloud provider APIs are queried to gain visibility into service configurations. Other sources might include cloud event logs (e.g., AWS CloudTrail), log analysis, or analysis of cloud block storage volumes in order to find vulnerable workloads.
Some CSPM tools can only use best practices defined for a specific cloud environment or service, while others are more flexible, letting the organization specify custom compliance standards or policies. This is important to consider when selecting tools—because specific tools may be limited to detecting misconfigurations in specific cloud environments, and may not work across multiple cloud accounts.
Most CSPM tools support continuous compliance checks according to common regulations and industry standards, including HIPAA, GDPR, and PCI DSS.
CSPM Security Benefits and Risks
CSPM products provide continuous monitoring and assessment of compliance and risk of cloud services. This is implemented using native cloud platform APIs, avoiding the use of proxies. The benefits of this approach include:
- High visibility of security policies and consistent enforcement across multiple clouds
- Real-time discovery and security checks for new cloud workloads and services
- Alerting about new, risky deployments or changes to a cloud environment
- Cloud risk management, risk visualization and risk prioritization
- Oversight over operational activities
However, CSPM tools also have limitations:
- Cannot evaluate and secure shadow IaaS/PaaS/SaaS deployments.
- Might not understand the context of the data, for example, if data is sensitive or if an application could be malicious.
- Generate a large number of alerts, which skilled cloud security experts must interpret and respond to, and these experts are in short supply. Newer approaches mitigate this alert fatigue by correlating multiple sources of risk and surfacing the highest-risk issues for remediation first.
3 Tips for Successful CSPM Implementation
Automate Compliance with Benchmarking
CSPM tools should perform automated benchmarking and resource auditing. Leverage service discovery to automatically discover and benchmark components as soon as they are created. Combine official security benchmarks from your cloud provider with third-party benchmarks issued by the CIS or regulatory authorities.
Prioritize Efforts According to Risk
When dealing with security issues and vulnerabilities, the order in which problems are found often does not match the level of risk they represent. Prioritization is critical—avoid spending time on lower-risk issues while ignoring major risks.
Focus on vulnerabilities that could affect critical applications and workloads, and can potentially expose sensitive data or assets. Once the higher-priority risks are managed, you can start working on the lower-risk ones.
Enforce Security Checks in Development Pipelines
When developing software in a DevOps process, you must incorporate security checks into your workflow. DevOps pipelines create and tear down environments very frequently, and without careful control, security vulnerabilities can easily be introduced.
This approach is often referred to as IaC (infrastructure as code) security. Many CSPM tools can scan IaC templates, such as Terraform configurations, to catch misconfigurations before they reach production.
Leverage CSPM to integrate automated policies and vulnerability checks into your pipeline, to prevent misconfigurations in every environment—dev, test, and production. This will prevent security vulnerabilities from creeping into cloud resources and eventually finding their way to production.
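As an added example (not code from the article or from any CSPM product), the following Python sketch shows the core loop described in "How Does Cloud Security Posture Management Work?" and the shift-left use from this section: a small rule set evaluates resources in a normalized shape, the same rules run over a live inventory snapshot and over a Terraform JSON-syntax template, and findings are ordered by severity as the prioritization tip recommends. The normalized schema (`type`, `public_access`, `encryption_at_rest`, `ingress`), the rule set, and both inputs are constructed for this illustration; only the Terraform `aws_security_group` attribute names are real.

```python
import ipaddress

# Severity ranks so findings are ordered by risk, not by discovery order.
SEVERITY = {"critical": 3, "high": 2, "medium": 1}

def check_storage_public(res):
    if res["type"] == "storage" and res.get("public_access"):
        return "critical", "storage bucket allows public access"

def check_storage_encryption(res):
    if res["type"] == "storage" and not res.get("encryption_at_rest"):
        return "high", "storage bucket lacks encryption at rest"

def check_ssh_open_to_world(res):
    if res["type"] != "security_group":
        return None
    for rule in res["ingress"]:
        # A /0 prefix admits every source address.
        if rule["port"] == 22 and ipaddress.ip_network(rule["cidr"]).prefixlen == 0:
            return "critical", "SSH (22/tcp) reachable from any address"

RULES = [check_storage_public, check_storage_encryption, check_ssh_open_to_world]

def evaluate(resources):
    """Apply every rule to every normalized resource; highest severity first."""
    findings = []
    for res in resources:
        for rule in RULES:
            hit = rule(res)
            if hit:
                findings.append({"resource": res["id"], "severity": hit[0], "issue": hit[1]})
    return sorted(findings, key=lambda f: SEVERITY[f["severity"]], reverse=True)

def normalize_tf_json(doc):
    """Map Terraform JSON-syntax aws_security_group blocks into the constructed
    normalized shape, so the rules above run before deployment as well."""
    out = []
    for name, body in doc.get("resource", {}).get("aws_security_group", {}).items():
        ingress = [{"port": r["from_port"], "cidr": c}
                   for r in body.get("ingress", []) for c in r.get("cidr_blocks", [])]
        out.append({"id": f"aws_security_group.{name}", "type": "security_group", "ingress": ingress})
    return out

# Constructed inputs: a live inventory snapshot and a Terraform JSON-syntax template.
LIVE_SNAPSHOT = [
    {"id": "bucket-logs", "type": "storage", "public_access": False, "encryption_at_rest": False},
    {"id": "bucket-www", "type": "storage", "public_access": True, "encryption_at_rest": True},
    {"id": "sg-db", "type": "security_group", "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
]
TF_TEMPLATE = {"resource": {"aws_security_group": {"bastion": {"ingress": [
    {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}}}

if __name__ == "__main__":
    for f in evaluate(LIVE_SNAPSHOT + normalize_tf_json(TF_TEMPLATE)):
        print(f"{f['severity']:8} {f['resource']:30} {f['issue']}")
```

A real CSPM product replaces the constructed inputs with provider API responses and parsed IaC, and its rule library is far larger, but the evaluate-then-prioritize structure is the same.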