CSPM: A Comprehensive Guide

CSPM - short history & definition

The increasing rate of cloud adoption encountered in the last few years has brought new security challenges along, the main one being the need to correctly configure cloud infrastructures.

Employing a cloud-first strategy, using Infrastructure as Code (IaC), or having an API-driven approach gained popularity and opened the door to new vulnerabilities and potential misconfigurations.

According to Gartner's report from 2016, “By 2020, 95 % of all security breaches in the cloud will be caused by misconfigurations”. Something had to be done, and fast!

The Cybersecurity market responded with innovation, and so a new security category was born: the Cloud Infrastructure Security Posture Assessment.

The main objective of tools in this category was to report configuration errors discovered in the rapidly changing environment that is the cloud.

As the products quickly evolved and gained in complexity, the initial name was changed to CSPM - or Cloud Security Posture Management, but the main purpose of the solutions remained the same: to monitor the cloud infrastructure, identify potential misconfigurations and help with security policy enforcement.

In this age of rapid technological advances, it's crucial to recognize the ever-evolving cloud security challenges. With the digital landscape shifting constantly, businesses face new threats and vulnerabilities. It's against this backdrop that the importance and necessity of solutions like CSPM become even more evident.

Included in Gartner's “Top 10 Security Projects for 2019”, the CSPM represents one of the most important technologies that leaders should invest in when using cloud or multi-cloud infrastructures.

When to choose a CSPM and when not to

A Cloud Security Posture Management solution is a critical part of a Cloud Security Program because it covers the unintentional risks that can expose your data.

These unintentional configuration mistakes are likely to occur because of the complexity of the environment or because of poor visibility. Regardless of the reason, it is important to understand that even one misconfiguration can lead to data breaches and possibly data leakage.

Misconfigurations - cause and effect

We've all heard about major breaches that happened because of AWS S3 buckets being publicly accessible. (This exact misconfiguration happened to Romania's largest real estate portal ).

Many cloud application creators or maintainers don't believe this can happen to them, but, for example, when new virtual machines are launched in a hurry by a less experienced DevOps engineer, mistakes can occur and networks that should have been private are now public and exposed.

Other common misconfigurations that attackers are often exploiting are overprivileged credentials. Restricting users' access to data and resources to only what is strictly required for them to do their jobs is a must, in other words, you need to use the least privilege principle.

The CSPM tool will report and advise against using overly permissive account settings for your users, and at the same time remind you to use encryption, thus strengthening your security and making it even harder for an unauthorized or malicious individual to access and expose your data.

The advanced CSPM solutions we see these days offer continuous monitoring, risk assessments, remediation recommendations based on security best practices, and assistance for compliance with the most common security frameworks and standards.

What if you could have a powerful solution that offers full visibility over your cloud accounts, enabling better communication and collaboration between your Security team, the DevOps, and the Compliance team?

This solution exists! You need to implement a CSPM to improve your cloud security posture and to build a strong Security Program.

Unlike other security software which takes a lot of time to set up, requiring multiple steps to achieve proper installation and configuration, a CSPM platform is agentless. To have it up and running takes only minutes and best of all, it has no negative impact in your infrastructure's performance.

The scan of your cloud account infrastructure will start immediately after onboarding and the results, meaning the identified issues and security risks will be displayed, usually ranked by severity or risk score.

Take advantage of the extra visibility

A CSPM will provide you with a comprehensive overview of the vulnerabilities in your cloud infrastructure, making it easy to prioritize the order and urgency of solving these issues.

Your cloud infrastructure is not a one-way road, cloud assets are interconnected, and it is critical to understand how this can lead to exposed resources.

The complete cloud assets inventory will automatically be compared against a set of best practices.

Having full visibility is key when implementing security best practices.

Managing your cloud assets from a single dashboard is an important and useful feature.

Your Security team is responsible for monitoring the cloud against threats, possible attacks, or malicious behavior. Your DevOps team is rapidly building and deploying applications in the cloud (and therefore adding new cloud assets), while your Compliance and Auditing team needs to make sure the company and its cloud infrastructure stay compliant with regulations and standards. What a dedicated solution such as a CSPM does for you, is to make sure that the relevant information is available to each of these teams in an easily comprehensible manner.

Better security for your cloud environments with the CSPM solution

Some cloud providers like AWS, Azure, or Google Cloud Platform have security recommendations in place, however, you need to understand that they apply only to that specific cloud provider and in many cases, they turn out to be false positives, since the context is not taken into consideration.

Not to mention that a multi-cloud strategy will complicate security efforts since IT security teams must deal with the fact that configuration is different from one cloud provider to the other.

CSPM solutions do not require the deployment of any additional resources to enforce cloud security best practices and will identify and help mitigate these security risks across cloud providers.

According to Gartner, CSPM tools can identify risks in the configurations of your cloud infrastructure security and will immediately react either with automatic remediations or with specific instructions on how to fix the misconfiguration and eliminate risks.

There are other types of tools that handle sensitive workloads and data in the cloud or that monitor user activity. All these tools are enforcing security policies and together they can ensure the proper protection in the cloud.

Solutions such as Cloud Workload Protection Platforms (CWPP) or Cloud Access Security Brokers (CASB) can have similar features with a CSPM.

CASB software, for example, was created to monitor and enforce enterprise security, and it is not necessarily cloud-based. It can be installed on-premise, placed between cloud applications and their users acting as a central gateway that controls users' access to the cloud. It includes DLP (Data Loss Prevention) capabilities, Governance, Data encryption, MDM (Mobile Device Management).

CWPP comprises agent-based solutions that offer visibility and security management for workloads. So, the provided inventory mainly covers VMs (Virtual Machines), public cloud IaaS (infrastructure as a service), and container-based application architectures. A CWPP solution does not provide event monitoring outside workloads.

Even if CASB, CWPP, and CSPM may sound similar at first, their scope and coverage are different, as they represent different categories. You will need to decide which tool or tools are the right ones for your organization.

Compliance controls across your environment in the cloud

Companies that closely follow regulatory compliance are using Cloud Security Posture Management tools to avoid breaches that usually ruin the brand reputation and bring monetary fines to the company.

A CSPM solution can offer predefined Policies needed for compliance with the most common benchmarks and regulations such as CIS, NIST, HIPPA, ISO27001, or others.

Considering the compliance aspect, you could be tempted to believe that a CSPM solution is just another GRC tool (Governance Risk and Compliance), but in reality, it is more than that.

Using CSPM software, you can get a grip on your cloud compliance strategy in just a couple of steps:

Start by identifying the applicable standards for your company.

Usually, you will find a specific section in the platform where the most common standards and regulations are defined and implemented from a cloud security perspective. PCI-DSS, NIST, GDPR, CIS, ISO, HIPPA - are just some examples of what you can expect to find.

Next, you will determine the requirements and start documenting your compliance processes.

Predefined compliance policies are offered, but you will be able to define custom ones, specific to your needs. Policies have technical controls attached that are automatically assessed. In case of a failed assessment, remediation actions are suggested.

A CSPM solution can be a powerful reporting and evidence collection tool, making it easy to always be prepared for audits and inspections.

When it comes to defining Policies and Procedures for the governance of your organization — for example, Access Management Policy, Change Management Policy, and so on — Cyscale's solution offers these out-of-the-box and you can use them as baselines, customizable to your needs.

The last but very important step is to monitor changes and configuration drifts.

This is when the ongoing monitoring capability of the CSPM software comes in handy. Once you define your set of policies, the solution will help identify compliance drifts.

Your Compliance Officers can use the CSPM as an in-house audit tool, assisting them in preparing for externally conducted or formal compliance audits.

A CSPM tool will help you handle compliance concerns, minimize threats, catch errors and empower you to align cloud security strategy across the company.

When you are looking for a CSPM solution, keep in mind that visibility and context go hand in hand and that Cyscale Cloud Platform can offer the most comprehensive context thanks to its unique Security Knowledge Graph™.

As Gartner stated: “the use of a CSPM tool can reduce cloud-based security incidents due to misconfigurations by 80%”. So, although, there are cases when a CSPM solution's functionalities can overlap with those of other security tools, it could never be fully replaced by any of them.

Photo by Hal Gatewood