CMI #4 - Cloud Security Posture Management (CSPM)

The cloud can be a dark and stormy place. Let’s take a look at the vendor landscape surrounding the exceptionally hot area of identifying and mitigating cloud security risks.

Mike P

Terms You Might Hear

  • Cloud Data Protection
  • Cloud Guardrails
  • Cloud Infrastructure Security Posture Assessment (CISPA)
  • Cloud Posture Management (CPM)

Associated Technologies

  • Cloud Access Security Broker (CASB)
  • Cloud Workload Protection Platform (CWPP)
It's worth noting that the industry has since folded this category into a higher-level category called Cloud Native Application Protection Platform (CNAPP).

Why it Matters

Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement, and mistakes.

Problem Statement

  • Cloud services can be incredible for your business agility and extremely complex and challenging to manage securely.
  • Cloud services are continually evolving. Regulation and cybersecurity best practices for the cloud are continually evolving. It’s hard to keep up with the pace of change and get secure, let alone stay secure.
  • Per Gartner, “at least 99% of cloud security failures will be the customer’s fault.”
  • The models of securing and tracking compliance of server resources that work in the data center do not extend well to the Infrastructure-as-a-Service (IaaS) cloud. You can’t effectively use what you may already have.
  • Governing the use of the cloud at a company by committee is not preventative. As such, Shadow IT is born and just about anyone with a credit card can deploy services in the cloud without proper security controls in place.

Market Solutions

Enter the Cloud Security Posture Management (CSPM) product market space.

  • New technical and architectural models of operating require evolved techniques and models to become secure and compliant. CSPM products provide continuous cybersecurity monitoring and compliance to detect, prevent, and fix cloud misconfigurations. This could be a cloud virtual machine, a service, an application environment, or a whole cloud tenant.
  • CSPM products allow for cloud guardrails. Companies can programmatically specify what kinds of resources are allowed vs. not allowed in the cloud, limiting the attack surface and ensuring regulatory compliance.
  • CSPM products can ensure consistent application of security policies across the cloud footprint. They can make changes in the cloud if services are abused or deployed without meeting standards.
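To make the detect/prevent/fix loop concrete, here is a small policy-as-code evaluator I've added for illustration (it is not code from any vendor mentioned here): guardrail rules run over a constructed inventory, rules that carry a fix are applied automatically, and the rest are reported for a human to handle. The resource shapes, rule ids and inventory are all invented.

```python
"""Minimal policy-as-code guardrail evaluator over a constructed cloud inventory."""
from copy import deepcopy

# Constructed sample inventory (no real accounts); shapes loosely mirror AWS resources.
INVENTORY = [
    {"id": "bucket-public", "type": "s3_bucket", "public_access_block": False},
    {"id": "bucket-ok", "type": "s3_bucket", "public_access_block": True},
    {"id": "sg-admin", "type": "security_group",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "10.0.0.0/8"}]},
    {"id": "vol-data", "type": "ebs_volume", "encrypted": False},
]

def _open_admin_ports(res):
    """Ingress rules exposing SSH/RDP to the whole Internet."""
    return [r for r in res["ingress"] if r["cidr"] == "0.0.0.0/0" and r["port"] in (22, 3389)]

# Guardrails as code (hypothetical rule ids): each rule names a resource type, a predicate
# that is True when the resource violates it, and an optional remediation returning a fixed copy.
RULES = {
    "S3-001": {"type": "s3_bucket", "severity": "high",
               "violates": lambda r: not r["public_access_block"],
               "fix": lambda r: {**r, "public_access_block": True}},
    "SG-001": {"type": "security_group", "severity": "critical",
               "violates": lambda r: bool(_open_admin_ports(r)),
               "fix": lambda r: {**r, "ingress": [i for i in r["ingress"] if i not in _open_admin_ports(r)]}},
    "EBS-001": {"type": "ebs_volume", "severity": "medium",
                "violates": lambda r: not r["encrypted"],
                "fix": None},  # cannot be toggled in place; needs snapshot + recreate, so report only
}

def evaluate(inventory, rules=RULES):
    """Return one finding per (resource, rule) violation."""
    findings = []
    for res in inventory:
        for rule_id, rule in rules.items():
            if res["type"] == rule["type"] and rule["violates"](res):
                findings.append({"resource": res["id"], "rule": rule_id, "severity": rule["severity"],
                                 "auto_fixable": rule["fix"] is not None})
    return findings

def remediate(inventory, rules=RULES):
    """Apply every available fix on a copy and return (fixed_inventory, remaining_findings)."""
    fixed = deepcopy(inventory)
    for i, res in enumerate(fixed):
        for rule in rules.values():
            if res["type"] == rule["type"] and rule["violates"](res) and rule["fix"]:
                fixed[i] = res = rule["fix"](res)
    return fixed, evaluate(fixed, rules)

if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f['severity']}] {f['resource']} violates {f['rule']} (auto_fixable={f['auto_fixable']})")
    print("still open after remediation:", [f["rule"] for f in remediate(INVENTORY)[1]])
```

The one finding left open after remediation (the unencrypted volume) is the kind of item a real CSPM routes to a ticket rather than fixing blindly.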

Players in the Space

Product Space Predictions

  • CSPM products will become a universal need for companies of all sizes that have any cloud footprint and workloads. Regulators and auditors have had a consistent focus on cloud security and drive widespread adoption. This is no longer a nice-to-have.
  • CSPM products drive the conversion of security into operations and operations into security. This change makes certifications, audits, and compliance that much easier.
  • A convergence of cybersecurity written policies and real-time cloud controls will drive the adoption of Policy as Code (PaC). PaC is like pushing security and compliance into Infrastructure as Code (IaC) to make security a standard part of cloud operations. JupiterOne is already doing this.
  • The need for adoption of CSPM products will increase with an organization’s speed of adoption of serverless functions like AWS Lambda. I predict this will continue to increase the need for CSPM-like tools as companies push to low-code and no-code services.
  • Cloud Service Providers (CSPs) like Amazon and Microsoft will continue to deploy these types of CSPM features into their existing cloud services. This will further increase CSP lock-in, but who better to secure the cloud than the CSPs themselves? Then again, one CSP won’t help you with a multi-cloud strategy and independent vendors could pick up the slack and better support your company.
  • CSPM products will become the multi-cloud glue. They will help customers see how to make security and compliance consistent across Cloud Service Providers (CSPs).
  • CSPMs are too narrow at their current iteration and will need to expand in the "next gen" arena. First mover advantage isn't always a good thing in the cybersecurity field.
  • There will be many "[X]SPM" ([Anything] Security Posture Management) sub-categories, or at least clever marketing to that effect. Data Security Posture Management (DSPM) is already here.
  • CSPM products will give you more granularity into the cost of securing the cloud from a billing perspective. This will help companies make better-informed investment and risk management decisions. CloudZero is already tackling the cloud billing and cost management problem.

Product Space Opportunities

  • Show me the zero trust - or lack thereof. CSPM products could show the relationships of accounts, services, and servers to a given cloud entity, helping customers understand if they are actually achieving that zero trust state they all want. This would be a great first step to getting your zero trust approach in order.
  • Visualize the blast radius. Combine the view of user and services permission rights, accessibility to and from the Internet, and vulnerability/patching data to see what the real vs. perceived impact is if something gets compromised in the cloud. RedSeal has been doing this for years at the data center level. Attack Surface Management (ASM) has entered the chat.
  • Loop CSPM products into DevOps from a Change Management standpoint. Keying off the auditability theme, connect into code repositories and CI/CD pipeline workflows to see what code was pushed and who pushed it. This can help with post-deployment oversight and reinforce best practices.
  • Audit-driven development. Similar to test-driven development, the CSPM product space can make audits more manageable and faster. The products can automatically collect examples of what good and bad evidence look like to support audits. JupiterOne is already doing this, too.

Key Insights

  • CSPM products simplify operational management and overhead for IT operations and developers alike. The less time you have to think about your overhead, the more time you can spend delivering value.
  • CSPM products can let you visualize your biggest risks. Use this information to guide prioritization efforts to close your most significant gaps.
  • CSPM products provide a connection between monitoring for security and compliance and automation. This has been an evolution in the CSPM space, and one that new entrants into the product space can no longer afford to skip. It’s not enough to just see; you also have to fix and prevent issues.
  • This type of product has only become available because of the cloud. The services you can deploy in cloud environments are standardized, and the underlying technology is the same. Traditional data center deployments will have dozens, if not hundreds, of bespoke architectures and deployments that require many different teams with fractured ownership. This creates a nightmare for consistent compliance.
  • CSPM products alone cannot eliminate all security risks in the cloud; there also need to be cultural and procedural changes at the business level to really mitigate risk.
  • CSPM products are more of a Cloud Operations / DevOps play than a security play and will work best with those closest to cloud workloads. Security teams should help with oversight, guidance, and post-production reviews.

Pro Positions

What type/size/stage company should leverage these platforms?

  • Startups (1-250 employees) - If you’re a cloud-first start-up, a platform with this capability should be on your radar after you meet basic compliance requirements like SOC 2.
  • Small and Medium-sized Businesses (SMBs) (250-500 employees) - Same as above. Pair this with a managed security provider or managed SOC to complete the incident response function.
  • Larger Companies (>500-1,000 employees) - This is an absolute must for larger companies. The more systems, people, and data you have, the more you are exposed and the harder it is to understand your full risk picture.

What makes one of these platforms “good?”

  • Look for solutions that enable your teams to be more efficient and more effective with their time. This kind of platform should reduce the time and effort needed to identify and remediate vulnerabilities, and it should let you measure whether that time is actually shrinking.
  • Look for platforms that can determine if you are missing any other security controls or security principles where they should be.

Out of the Players listed, who are the top ones I would consider?
