CSPM explained: Filling the gaps in cloud security

Every week brings another report of someone leaving an unsecured online storage container filled with sensitive customer data. Some are astounding in terms of severity, such as what happened in November 2020, when more than 10 million files containing travel-related data was exposed from an improperly configured AWS S3 bucket. And it can happen to anyone: A misconfigured storage container on Azure was found to be Microsoft’s own responsibility in early May.

In a recent global survey of 1,400 CSOs by Proofpoint, the second-most popular cyber threat was cloud account compromises, called out by a third of the respondents. An older Gartner report is often cited saying that “Nearly all successful attacks on cloud services are the result of customer misconfiguration and mistakes.” Check Point’s research agrees: In 2020, it found that two-thirds of the threats cited by respondents are cloud platform configuration errors.

Gartner also predicts that through 2023, at least 99% of cloud security failures will be the customer’s fault. Nearly half the organizations it surveyed made mistakes that have exposed data, APIs, or network segments to the internet. As an example, check out this list of open storage containers that have been compromised in the past. That three-year old list quickly has gone out of date.

These unintentional configuration mistakes have taken on new importance. In the past, many security products focused on keeping the bad guys out, blocking outsiders and malicious insiders. That was fine when cloud infrastructure was a small part of a typical enterprise operations, but nowadays things we need tools that can find and fix these unintentional errors.

What is CSPM?

Cloud security posture management (CSPM) combines threat intelligence, detection, and remediation that works across complex collections of cloud-based applications.

CSPMs complement cloud access security brokers (CASBs) and cloud workload protection products and fills in the gap between them. Some CASB and cloud workload protection vendors now offer CSPM add-on modules to their existing product lines.

Cloud technologies have been classified as infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). The differences among these three designations are becoming blurred to the point where the labels don’t have much meaning anymore. As enterprises purchase more diverse cloud offerings, the notion of having a single tool such as CSPM that covers all these bases becomes appealing. One market analysis predicts that the CSPM global market size will grow from $4B in 2020 to $9B in 2026, so clearly this is a category to pay closer attention.

The CSPM vendors have been on an acquisition spree for the past few years, including:

• Checkpoint’s Cloudguard, which has folded in features from its Dome9 acquisition several years ago
• Zscaler, which purchased Cloudneeti’s CSPM tool in 2020
• Trend Micro, which purchased Cloud Conformity’s Cloud One
• Palo Alto Networks, which acquired what is now Prisma Cloud from Redlock and a workload protection model from Twistlock
• Aqua Security, which acquired CloudSploit
• Sophos, which acquired Avid Secure

Other vendors include Accurics, CrowdStrike’s Falcon Horizon, Rapid7’s DivvyCloud, startup Orca Security, Sysdig Secure and SecureSky Active Protection Platform. (See the summary chart and descriptions below for more details on some of these vendors.)

Why are CSPMs needed?

The issue for all cloud-based technologies is that they inherently lack a perimeter. This means that while you can have some protection (like with a CASB), no simple method can determine which processes or persons are supposed to have access and keep out those who don’t have access rights.  You need a combination of protective measures to ensure this.

The other challenge is that manual processes can’t keep up with scaling, containers, and APIs. This is the whole point why what is now called infrastructure as code has caught on, in which infrastructure is managed and provisioned by machine-readable definition files. These files depend on an API-driven approach. This approach is integral to cloud-first environments because it makes it easy to change the infrastructure on the fly, but also makes it easy to create misconfigurations that leave the environment open to vulnerabilities.

Speaking of containers, it is also hard to track them across the numerous cloud offerings that are available. Amazon Web services (AWS) alone has its Elastic Container Service, its serverless compute engine Fargate, and its Elastic Kubernetes Service. Public container services such as Docker and Terraform may or may not be supported by each CSPM.

Visibility is also tough without a lot of integration. You need a single source of truth about your cloud security posture. This means that a CSPM dashboard will have to find its way into your security operations center (SOC)—an already crowded space—and that SOC staff will have to get used to how to incorporate its data into its existing playbooks. It also means that the CSPM should be able to tie into these existing tools and share indicators of potential compromise or notification of an active attack on your infrastructure.

Some tools, such as CrowdStrike’s Falcon and Orca’s, take integration a step further. Both can do things such as push alerts to Slack channels, kick off Jira workflows, and send help desk tickets to ServiceNow for further resolution.

Gartner says that “Architects use CSPM to validate and enforce cloud-native data and application controls.” They identified five different features common to CSPMs:

• Compliance assessment
• Operational log and alert feed monitoring and threat detection
• DevOps integration and continuous deployment remediation
• Near real-time incident response
• Uniform risk assessment and visualization

Questions to ask your CSPM provider

• How can you calculate your baseline so you can track changes to your cloud-based assets?
• Does it work for all three of the major public clouds (AWS, Azure, and Google Cloud Platform) as well as various Kubernetes and other container-based implementations? What about support for common SaaS apps such as Box, Salesforce, Workday, and ServiceNow? Each product’s coverage varies, as shown in the chart below. Some products place agents in your cloud, some use read-only access to scan your environment and resources, and some have write access to enable changes to remediate issues in your accounts.
• How real-time is it for notifications about these changes, policy violations, and other unusual events? Does it track misconfigured weak security groups, remote access, app control mistakes, and network changes? All cloud providers offer built-in activity monitoring, but if you use multiple clouds, you want your CSPM to parse this rich supply of data and make actionable sense of it.
• How real-time is it to automate remediation? The best CSPMs will continuously scan for vulnerable systems and some offer ways that they can detect when a new virtual machine has created an insecure situation for example.
• What other security and notification tools does it integrate with, such as SIEMs and SOARs?
• How many compliance/auditing reporting frameworks are supported on each cloud provider? Each tool supports a different framework collection, which isn’t necessarily the same across all the clouds either to make things harder for you, too.
• What is the cost? Some vendors offer a limited free trial or tier; others charge per host or in more complex ways that might mean a surprise when the bill comes due. Few are like Sysdig that offer a public and transparent pricing webpage.

5 CSPM products and their notable features

CSO / IDG

CrowdStrike Falcon Horizon CrowdStrike Falcon Horizon supports a different collection of services between AWS and Azure. It has a single console that allows you to manage security groups across both clouds and can report on risks of managed Kubernetes clusters on both services. It can be used to proactively identify threats as part of the software development lifecycle using agents to monitor activity.

Orca Security Orca is a startup CSPM vendor that has an agentless offering supporting all three of the major public cloud platforms. Its tool includes some workload protection features and offers deep inspection of containers found in each of the cloud services.

SecureSky Active Protection Platform SecureSky Active Protection Platform supports all three of the major public cloud vendors and includes support for a variety of SaaS applications, including Office 365, Workday, Salesforce, ServiceNow and Box. It integrates with SIEM and various compliance tools and includes an integrated managed threat response.

Sysdig Secure Sysdig began by offering support for AWS and are currently in beta for Google’s cloud and will add Azure later this year. They will scan up to 250 of container images managed in both AWS Fargate and ECR. They have a single account that is free, and paid accounts, which add features such as container monitoring, start at $24 per host per month, with annual purchase discounts. 

Zscaler Zscaler’s CSPM product was acquired from Cloudneeti last year. It offers a 30-day free trial. Since then, they have added asset inventories, lots of predefined policies, and a query language to construct them, along with adding Google Cloud Platform support to AWS and Azure. They also have 13 compliance frameworks, although each cloud supports a somewhat different set.