What is CSPM?

Cloud Security Posture Management (CSPM) helps to mitigate and minimize cloud data security breaches. CSPM solutions automatically assess cloud environments against best practices and compliance standards and help remediate issues, often through automation. CSPM tools verify that cloud configurations follow security best practices and compliance standards such as CIS, Azure and GCP benchmarks and PCI, or HIPAA frameworks. As companies are increasingly moving to the cloud, CSPM is becoming a necessary aspect of security.

How CSPM Works

CSPM tools are designed to connect to the cloud infrastructure and analyze data about the cloud assets, the networks they belong to, user permissions, and tags. When you add a cloud account to a CSPM, data from the cloud environment’s flow, configuration and audit logs are ingested, stored, and analyzed. Typically, you can then interact with this data to configure policies, investigate and resolve alerts, and to forward alert notifications. Relevant data can be sent to third-party tools or systems for further analysis.

Why is a CSPM so Important?

CSPM tools play a pivotal role in helping organizations stay compliant with primary mandates or frameworks and enable organizations to address accidental risk, such as:

  • Mistakes that lead to exposure of databases containing sensitive information
  • Misconfigurations and incorrect settings that lead to non-compliance with a major regulation which your organization is subject to
  • Missettings that allow unauthorized users to access data, applications, or servers
  • Detecting policy violations via continuous cloud monitoring
  • Assessing compliance status for HIPAA, SOC2, and PCI

CSPM Uses

CSPM tools provide continuous monitoring and assessment of compliance and risk across enterprise cloud services. The primary use cases for security and risk management teams include:

  • Continuous discovery and identification of cloud workloads and services.
  • Policy visibility and consistent enforcement across multiple cloud providers.
  • Alerting on risky new deployments or changes to the cloud environment, hosts, or services.
  • Risk assessment versus frameworks and external standards (such as the International Organization for Standardization [ISO] and National Institute of Standards and Technology [NIST].
  • Risk assessment versus technical policies and best practices (such as Center for Internet Security [CIS] and cloud service provider [CSP] best practices).
  • Continuous cloud risk management, risk visualization, and risk prioritization capabilities.
  • Verifying operational activities are being performed as expected (for example, key rotations).

The Cloud Demands Cloud-Native Solutions

The move to the cloud hasn’t solved the problems that existed in the pre-cloud era. Vulnerabilities, misconfigurations, and compromised assets are still very much an issue. However, the cloud brings with it better ways to handle those problems.

CSPM cannot be complete without addressing the intentional threats and the capability to provide a true evaluation of where an organization stands. Security policies that define how security teams deal with asset visualization, inventory and management, incident response, and internal training and education were originally built for on-premise environments, and do not support the cloud environment security posture in a cloud-native way.

Cloud Security Posture Management means managing the posture of your entire cloud deployment, throughout the technology stack. To live up to their name, CSPM solutions need to be supplemented with deeper defense and threat detection capabilities to truly address all aspects of security and compliance for your workloads in the cloud. To help achieve this, consider services and tools that enable the following four value-added capabilities:

1. Get a Centralized View of All Cloud Assets

To properly address security posture in the cloud, you need a macro view of risk and the level of drift from established policies. Let’s have a look at the following common use cases:

  • Misconfigured S3 bucket that makes your data publicly available
  • Internet-facing server running vulnerable web instances
  • Infected asset within your network
  • A machine that holds critical data but publicly accessible from the Internet, protected by an easy to guess password

In order to improve your security posture in the cloud, a centralized view of all your assets and servers in one place is essential in order not to miss critical misconfigurations, policy violations, and mistakes.

2. Get Results in Context

At the end of the day, security teams are overwhelmed by the avalanche of alerts, and fixing security holes comes down to context that enables prioritization. Manual integrations of multiple data points are simply not feasible.

To determine your security posture in the cloud you need a good understanding of what’s going on, and the ability to contextualize the findings.

For example, if you are using one tool to detect whether a machine is running a vulnerable web server and another tool to determine the machine location, then you need to manually assess the alert using data derived from two separate tools. As a result, you may find ten vulnerable web servers, and start patching them right away. The issue is that only one of them is Internet-facing, and your valuable resources will be wasted on issues that are not the highest priority.

To strengthen your remediation capabilities, it is simply not enough that security solutions alert to potential areas of risk or threat. Your team must have an easy and automated way to prioritize those alerts and assess threats in context.

3. Understand Your TCO

The Total Cost of Ownership (TCO) is another important piece of the puzzle. When considering the various solutions for assessing your security in the cloud, ask yourself:

  1. How long will your team need to work in order to implement the tool?
  2. How much intra-organization friction will it cause? How many integration points will I need to perform?
  3. Will I get good enough coverage after spending this amount of time? Will I need to invest additional resources as my cloud environment grows to have this coverage?

Since CSPM solutions provide key capabilities for DevOps, Security, IT, and GRC teams alike, you need tools that contribute to the required collaboration necessary to achieve security and compliance outcomes in the future without wasting precious resources.

4. Focus Exclusively on Cloud-Native Tools

As we discussed above, cloud security differs from what we are used to with on-prem environments. The same issues have both a different meaning and a different mitigation strategy on-prem and in the cloud.

For example, if you have 20 spot instances running the same image that have a vulnerability or misconfiguration, will you see it as 1 issue or 20 unrelated issues? A proper CSPM solution must be able to understand that they are all copies of the same image.

Mitigation strategies must also be adapted and relevant in the cloud. Many times in the cloud you ‘refresh’ images rather than fix them, leaving your organization exposed. But cloud best practice isn’t just to patch transform your images, but to recreate them from scratch using newer versions. Make sure that the products you are using are compatible with the cloud way of doing things, and can provide adequate recommendations for action.

Summary of CSPM Capabilities vs Agents, Scanners, and Orca Security

In conclusion, here’s a helpful table that summarizes the different cloud security solutions.

View PDF

Avi has more than 25 years of experience in cybersecurity. Prior to co-founding Orca Security, Avi was the chief technologist at Check Point Software Technologies and held key positions within Unit 8200, the Israeli NSA. While at Check Point, he built and scaled cybersecurity solutions that continue to protect tens of thousands of organizations to this day. Avi believes that cybersecurity products should always support the organization and not the other way around.