Every week brings another report of someone leaving an unsecured online storage container filled with sensitive customer data. Some are astounding in severity, such as what happened in November 2020, when more than 10 million files containing travel-related data were exposed from an improperly configured AWS S3 bucket. And it can happen to anyone: in early May, a misconfigured storage container on Azure turned out to be Microsoft's own.

In a recent global survey of 1,400 CSOs by Proofpoint, the second-most cited cyber threat was cloud account compromise, called out by a third of the respondents. An older Gartner report is often quoted as saying that "Nearly all successful attacks on cloud services are the result of customer misconfiguration and mistakes." Check Point's research agrees: in 2020, it found that two-thirds of the threats cited by respondents were cloud platform configuration errors.

Gartner also predicts that through 2023, at least 99% of cloud security failures will be the customer's fault. Nearly half the organizations it surveyed made mistakes that exposed data, APIs, or network segments to the internet. As an example, check out this list of open storage containers that have been compromised in the past. That three-year-old list has quickly gone out of date.

These unintentional configuration mistakes have taken on new importance. In the past, many security products focused on keeping the bad guys out, blocking outsiders and malicious insiders.
That was fine when cloud infrastructure was a small part of a typical enterprise's operations, but nowadays we need tools that can find and fix these unintentional errors.

What is CSPM?

Cloud security posture management (CSPM) combines threat intelligence, detection, and remediation that work across complex collections of cloud-based applications. CSPMs complement cloud access security brokers (CASBs) and cloud workload protection products and fill the gap between them. Some CASB and cloud workload protection vendors now offer CSPM add-on modules to their existing product lines.

Cloud technologies have been classified as infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). The differences among these three designations are becoming blurred to the point where the labels don't have much meaning anymore. As enterprises purchase more diverse cloud offerings, the notion of having a single tool such as a CSPM that covers all these bases becomes appealing. One market analysis predicts that the global CSPM market will grow from $4B in 2020 to $9B in 2026, so clearly this is a category to pay closer attention to.

CSPM vendors have been on an acquisition spree for the past few years, including:

- Check Point's CloudGuard, which has folded in features from its Dome9 acquisition several years ago
- Zscaler, which purchased Cloudneeti's CSPM tool in 2020
- Trend Micro, which purchased Cloud Conformity and folded it into its Cloud One platform
- Palo Alto Networks, which acquired what is now Prisma Cloud from RedLock and a workload protection module from Twistlock
- Aqua Security, which acquired CloudSploit
- Sophos, which acquired Avid Secure

Other vendors include Accurics, CrowdStrike's Falcon Horizon, Rapid7's DivvyCloud, startup Orca Security, Sysdig Secure and SecureSky Active Protection Platform.
(See the summary chart and descriptions below for more details on some of these vendors.)

Why are CSPMs needed?

The issue for all cloud-based technologies is that they inherently lack a perimeter. This means that while you can have some protection (such as a CASB), no simple method can determine which processes or persons are supposed to have access and keep out those who don't have access rights. You need a combination of protective measures to ensure this.

The other challenge is that manual processes can't keep up with scaling, containers, and APIs. This is the whole reason why what is now called infrastructure as code has caught on: infrastructure is managed and provisioned through machine-readable definition files, which in turn depend on an API-driven approach. This approach is integral to cloud-first environments because it makes it easy to change the infrastructure on the fly, but it also makes it easy to create misconfigurations that leave the environment exposed, since a mistake in a template is deployed just as reliably as a correct setting.

Speaking of containers, it is also hard to track them across the numerous cloud offerings available. Amazon Web Services (AWS) alone has its Elastic Container Service (ECS), its serverless compute engine Fargate, and its Elastic Kubernetes Service (EKS). Widely used tooling such as Docker and Terraform may or may not be supported by each CSPM.

Visibility is also tough without a lot of integration. You need a single source of truth about your cloud security posture. This means that a CSPM dashboard will have to find its way into your security operations center (SOC), an already crowded space, and that SOC staff will have to learn how to incorporate its data into their existing playbooks.
It also means that the CSPM should be able to tie into these existing tools and share indicators of potential compromise or notification of an active attack on your infrastructure. Some tools, such as CrowdStrike's Falcon and Orca's, take integration a step further. Both can push alerts to Slack channels, kick off Jira workflows, and send help desk tickets to ServiceNow for further resolution.

Gartner says that "Architects use CSPM to validate and enforce cloud-native data and application controls." It identified five features common to CSPMs:

- Compliance assessment
- Operational log and alert feed monitoring and threat detection
- DevOps integration and continuous deployment remediation
- Near real-time incident response
- Uniform risk assessment and visualization

Questions to ask your CSPM provider

- How can you calculate your baseline so you can track changes to your cloud-based assets?
- Does it work for all three of the major public clouds (AWS, Azure, and Google Cloud Platform) as well as various Kubernetes and other container-based implementations? What about support for common SaaS apps such as Box, Salesforce, Workday, and ServiceNow? Each product's coverage varies, as shown in the chart below. Some products place agents in your cloud, some use read-only access to scan your environment and resources, and some have write access so they can change your accounts to remediate issues.
- How real-time are its notifications about changes, policy violations, and other unusual events? Does it track misconfigured weak security groups, remote access, app control mistakes, and network changes? All cloud providers offer built-in activity monitoring, but if you use multiple clouds, you want your CSPM to parse this rich supply of data and make actionable sense of it.
- How real-time is its automated remediation?
The best CSPMs will continuously scan for vulnerable systems, and some can detect, for example, when a newly created virtual machine has introduced an insecure configuration.
- What other security and notification tools does it integrate with, such as SIEMs and SOARs?
- How many compliance/auditing reporting frameworks are supported on each cloud provider? Each tool supports a different collection of frameworks, and that collection isn't necessarily the same across all the clouds either, which makes comparisons harder.
- What is the cost? Some vendors offer a limited free trial or tier; others charge per host or in more complex ways that might mean a surprise when the bill comes due. Few are like Sysdig, which offers a public and transparent pricing page.

5 CSPM products and their notable features

(Summary chart: 5 CSPM products and their notable features. Credit: CSO / IDG)

CrowdStrike Falcon Horizon

CrowdStrike Falcon Horizon supports a different collection of services on AWS than on Azure. It has a single console that lets you manage security groups across both clouds and can report on the risks of managed Kubernetes clusters on both services. It can be used to proactively identify threats as part of the software development lifecycle, using agents to monitor activity.

Orca Security

Orca is a startup CSPM vendor with an agentless offering that supports all three of the major public cloud platforms. Its tool includes some workload protection features and offers deep inspection of containers found in each of the cloud services.

SecureSky Active Protection Platform

SecureSky Active Protection Platform supports all three of the major public cloud vendors and includes support for a variety of SaaS applications, including Office 365, Workday, Salesforce, ServiceNow and Box. It integrates with SIEMs and various compliance tools and includes integrated managed threat response.

Sysdig Secure

Sysdig began by offering support for AWS, is currently in beta for Google's cloud and will add Azure later this year.
It scans up to 250 container images managed in both AWS Fargate and ECR. There is a free tier for a single account, and paid accounts, which add features such as container monitoring, start at $24 per host per month, with discounts for annual purchases.

Zscaler

Zscaler's CSPM product was acquired from Cloudneeti last year. Since then, the company has added asset inventories, a large set of predefined policies, and a query language for constructing new ones, along with Google Cloud Platform support on top of AWS and Azure. It supports 13 compliance frameworks, although each cloud supports a somewhat different set. A 30-day free trial is available.
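To make concrete what the read-only scanning, weak-security-group checks and baseline tracking discussed in the questions above actually involve, here is an added example written for this page; it is not code from any of the vendors described. It evaluates a constructed resource inventory (the shape a describe call against the cloud API, or an infrastructure-as-code plan export, would give you) against a handful of posture rules, then diffs a later scan against the first one so you see drift (new and resolved findings) rather than a static list. The bucket names, security group IDs, rule identifiers and the follow-up change are all assumptions made for illustration.

```python
"""Minimal cloud security posture scan with baseline drift (added example).

Not a vendor's product code. The inventory below is constructed; a real
tool would fill it from cloud APIs (read-only credentials) or from an
IaC plan export, which is why the checks run over plain dictionaries.
"""
import copy
import ipaddress

# Constructed sample inventory: no real accounts, buckets or groups.
INVENTORY = {
    "s3_buckets": [
        {"name": "acme-travel-exports", "public_access_blocked": False,
         "acl": "public-read", "encryption": None},
        {"name": "acme-billing", "public_access_blocked": True,
         "acl": "private", "encryption": "aws:kms"},
    ],
    "security_groups": [
        {"id": "sg-0a1b", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                                      {"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-0c2d", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
}

# Admin/database ports that should never be reachable from the internet
# (assumed policy; tune to your own environment).
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379}


def is_world_open(cidr):
    """True when a CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_buckets(buckets):
    """Storage rules: public ACL, no public-access block, no encryption."""
    for b in buckets:
        if b["acl"] != "private":
            yield ("S3_PUBLIC_ACL", b["name"], "high")
        if not b["public_access_blocked"]:
            yield ("S3_NO_PUBLIC_ACCESS_BLOCK", b["name"], "high")
        if not b.get("encryption"):
            yield ("S3_UNENCRYPTED", b["name"], "medium")


def check_security_groups(groups):
    """Network rule: an admin port reachable from 0.0.0.0/0 or ::/0."""
    for g in groups:
        for rule in g["ingress"]:
            if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
                yield ("SG_ADMIN_PORT_WORLD_OPEN",
                       f'{g["id"]}:{rule["port"]}', "high")


def scan(inventory):
    """Run every rule; return sorted, de-duplicated (rule, resource, severity)."""
    findings = set(check_buckets(inventory["s3_buckets"]))
    findings |= set(check_security_groups(inventory["security_groups"]))
    return sorted(findings)


def drift(baseline, current):
    """Posture change between two scans: (new findings, resolved findings)."""
    base, cur = set(baseline), set(current)
    return sorted(cur - base), sorted(base - cur)


def simulate_change(inventory):
    """Constructed follow-up state: the public bucket was locked down, but
    someone opened RDP to the whole IPv6 internet on another group."""
    changed = copy.deepcopy(inventory)
    changed["s3_buckets"][0].update(acl="private", public_access_blocked=True)
    changed["security_groups"][1]["ingress"].append(
        {"port": 3389, "cidr": "::/0"})
    return changed


if __name__ == "__main__":
    baseline = scan(INVENTORY)
    for f in baseline:
        print("BASELINE", f)
    new, resolved = drift(baseline, scan(simulate_change(INVENTORY)))
    for f in new:
        print("NEW     ", f)
    for f in resolved:
        print("RESOLVED", f)
```

The point of keeping `scan` separate from where the inventory comes from is the DevOps integration feature in Gartner's list: the same rules can run in a CI step against a plan export before anything is deployed, and again on a schedule against the live account, with `drift` telling the SOC only what changed since the last run.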