Cloud Security Solutions: What is CSPM in Cloud-native Security?


Cloud adoption and innovation have created a need for more specific and dynamic cloud security solutions. This driver is particularly valid as organizations engage in cloud-native, hybrid, and multi-cloud environments with the major public cloud service providers.

Other cloud security solutions – cloud workload protection platforms (CWPP) and cloud access security brokers (CASB) – focus on different aspects of protecting cloud assets, whereas cloud security posture management (CSPM) solutions identify misconfiguration and compliance issues. CSPM focuses on the visibility, detection, and mitigation of security risks in the infrastructure where workloads are deployed.

Whether using Infrastructure as a Service (IaaS), Software as a Service (SaaS), or Platform as a Service (PaaS) cloud environments, CSPM is pivotal to cross-environment, comprehensive cloud security.

What is Cloud Security Posture Management (CSPM)?

Cloud security posture management solutions monitor, identify, and visualize cloud misconfiguration vulnerabilities and compliance issues across cloud and hybrid environments. Many solutions also provide continuous, automated security and compliance remediation once risks are uncovered.

CSPM targets the primary cause of cloud security risk and helps maintain proper data privacy and security compliance.

Two reasons why CSPM is needed

Many organizations erroneously believe that their cloud service provider is responsible for their data and infrastructure security.

CSPM monitors for cloud misconfigurations

The cloud customer probably has cloud security policies and processes in place; however, they don’t target the most significant cause of cloud breaches: cloud misconfigurations. According to Gartner, cloud environment misconfigurations are a top cause of cloud breaches. They estimate that a CSPM tool can reduce cloud security incidents caused by misconfigurations by 80%.

There are a number of cloud misconfigurations, including:

  • Mismanagement of multiple connected cloud-based resources
  • Inability to see resource interactions and dependencies
  • Sticking with the default cloud security settings
  • Allowing improper access control
  • Exposing data buckets, containers, or assets publicly
  • Sharing resources across accounts
  • Lack of encryption keys applied to protect data
  • Lack of multi-factor authentication

CSPM automatically detects these misconfigurations across all cloud environments, including containers, Kubernetes, cloud-native, and multi-cloud environments.
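To make the detection side concrete, here is a small CSPM-style scan written for this article (it is not code from the original page or from any vendor product). It runs the misconfiguration checks listed above over a constructed, normalized asset inventory; the resource records, rule names and severity weights are all assumptions chosen for illustration.

```python
# Minimal CSPM-style misconfiguration scan over a constructed inventory.
# Added example; rule names, severities and the records below are assumed.
from typing import Dict, List

# Constructed inventory, shaped like what a CSPM builds after normalizing
# the cloud provider's APIs into one asset list.
INVENTORY: List[Dict] = [
    {"id": "bucket-logs", "type": "storage_bucket", "public": True,
     "encrypted": False, "shared_with_accounts": []},
    {"id": "bucket-app", "type": "storage_bucket", "public": False,
     "encrypted": True, "shared_with_accounts": ["111122223333"]},
    {"id": "sg-default", "type": "security_group", "default": True,
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "alice", "type": "iam_user", "mfa_enabled": False, "console": True},
    {"id": "deploy-bot", "type": "iam_user", "mfa_enabled": False, "console": False},
]

# Each rule: (name, severity, resource type it applies to, predicate that is
# True when the resource violates the rule). These mirror the list above.
RULES = [
    ("public-bucket", "high", "storage_bucket", lambda r: r["public"]),
    ("unencrypted-bucket", "medium", "storage_bucket", lambda r: not r["encrypted"]),
    ("cross-account-share", "medium", "storage_bucket",
     lambda r: bool(r["shared_with_accounts"])),
    ("default-sg-open-ingress", "high", "security_group",
     lambda r: r["default"] and any(i["cidr"] == "0.0.0.0/0" for i in r["ingress"])),
    ("console-user-no-mfa", "high", "iam_user",
     lambda r: r["console"] and not r["mfa_enabled"]),
]

SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 1}


def scan(inventory: List[Dict]) -> List[Dict]:
    """Evaluate every rule against every resource of its type; return findings."""
    findings = []
    for res in inventory:
        for name, severity, rtype, check in RULES:
            if res["type"] == rtype and check(res):
                findings.append({"resource": res["id"], "rule": name, "severity": severity})
    return findings


def risk_score(findings: List[Dict]) -> int:
    """Weighted sum a CSPM dashboard could use to rank accounts by exposure."""
    return sum(SEVERITY_WEIGHT[f["severity"]] for f in findings)


if __name__ == "__main__":
    results = sorted(scan(INVENTORY), key=lambda f: SEVERITY_WEIGHT[f["severity"]], reverse=True)
    for f in results:
        print(f"{f['severity']:6} {f['resource']:12} {f['rule']}")
    print("risk score:", risk_score(results))
```

A real product would pull the inventory continuously from provider APIs and attach a remediation action to each rule; the scoring here is what lets those actions be prioritized.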

CSPM supports regulatory compliance maintenance

Storing and sharing data within and among cloud and hybrid environments comes under the purview of many data security and privacy regulations, as well as mandatory or voluntary industry guidelines. These regulations and requirements may apply across industries (e.g., GDPR, ISO 27001, CIS, PCI DSS, SOC 2, and NIST) or be specific to one sector (e.g., HIPAA or HITRUST). A CSPM solution monitors for, identifies, and can often remediate compliance violations. A CSPM may also provide streamlined evidence generation for demonstrating ongoing compliance.

What are the benefits of using a CSPM solution?

As a stand-alone solution, CSPM provides greater visibility across multiple cloud environments, enabling a broader view of sources of misconfigurations and policy violations. The context-aware nature of CSPM gives IT, SecOps, and DevOps teams the ability to continuously monitor cloud environments in real time for threat detection and automatic remediation.

High-value CSPM capabilities

There are a number of high-value, high-impact capabilities that any CSPM solution should offer. Here are the top four feature areas with questions to ask when vetting a platform purchase.

Streamlined, real-time threat visibility

  • Does the solution provide centralized, real-time visibility across cloud environments?
  • Can it analyze and normalize data sources and create an asset inventory?
  • What kinds of easy-to-use data visualizations and reports present findings and actions taken?
  • Does it score risks, giving context to what actions were or should be taken and why?

Cloud governance

  • How does the solution implement and consistently enforce the customer’s cloud policies?
  • What methods does the tool use to prioritize security alerts across multiple environments?
  • What features highlight security actions that were automatically deployed or should be done manually?

Compliance oversight

  • Which capabilities support compliance and how?
  • Which standard data privacy and security frameworks are integrated?
  • Are reports audit-ready, or will they need to be configured or customized further?
  • How does the solution enable security teams to investigate audit data for abnormal user behavior or possible account compromises?

Risk detection and mitigation

  • Can the solution automatically remediate security risks, and which ones?
  • Does it use robotic process automation (RPA) to remediate issues automatically? How does that work?
  • Will the platform automatically remediate cloud misconfigurations? What types?
  • Which public cloud service providers does the solution monitor, and for which does it maintain configurations?

Reviewing these questions with stakeholders helps reveal your CSPM priorities and ferrets out other features necessary to your cloud scenario.

Creating a comprehensive cloud security strategy, including CSPM

A CSPM solution provides a powerful and prioritized view into hard-to-discover cross-cloud misconfigurations and critical compliance misalignments. When combined or included as part of a comprehensive cloud security strategy, CSPM is essential to protecting cloud-native and multi-cloud infrastructure and its assets.

Modern cloud-native security relies on Panoptica

Cisco’s Emerging Technologies and Incubation (ET&I) team is paving the way with “DevOps-friendly” cloud-native security solutions that fundamentally simplify conventional offerings. Built from the ground up to meet the needs of mission-critical modern applications, our Panoptica solution simplifies cloud-native application security, making it easy to embed into the software development lifecycle. Panoptica protects the full application stack from code to runtime by scanning for security vulnerabilities in the cloud infrastructure, microservices (containers or serverless), the software bill of materials, and the interconnecting APIs. And best of all, it integrates with the tools that your application development and SecOps teams are already using.