Cloud Security Posture Management (#cspm) is one of the fastest growing areas within the field of cloud security; most security vendors are working on or offering CSPM capabilities. However, enterprises are still trying to build the most effective CSPM program to fit their environment. In many cases, it’s unclear where to start and what the end goal is for the CSPM effort.
To help simplify this process, this post will share guiding principles for implementing a CSPM maturity model, allowing you to assess your CSPM readiness and plan your own implementation journey.
It may be useful to place CSPM in the larger context of the overall cloud security discipline.
Cloud security consists of the processes, technologies and best practices that are applied to protect cloud computing environments, applications running in the cloud, their accompanying infrastructure, and the data held in the cloud. Securing cloud services requires an understanding of what is being secured, how the cloud infrastructure is managed, and who is responsible for every asset in this complex environment.
One of the basic and most important components of any cloud security program is ensuring that cloud infrastructure is well protected – that is the component that requires a well defined CSPM program and toolset. The other layers of cloud security discipline include application security, workload protection, threat detection and response, data protection and others. All of these components contribute to the overall security posture of the organization.
Implementation of a CSPM program can include all or some of the steps in the application development lifecycle. Some companies will only monitor their runtime environment while others will incorporate posture management assessments in their pre-deployment environment as part of their CICD processes.
The big hype around IT compliance and security-related regulations started back in early 2000 with SOX (the Sarbanes-Oxley Act), then continued with PCI DSS (the Payment Card Industry Data Security Standard), around 2006, and 10 years later with SOC2 regulations (a voluntary compliance standard developed by the American Institute of CPAs) — all these regulatory frameworks seeking to assess IT systems and how their use can contribute to misrepresentations of financial statements, data inaccuracies, and fraudulent activities.
Back then, companies were running their IT environments on-premises, and regulatory practices were focused on manual assessments of IT systems using screenshots, spreadsheets, data center visits, and reviews of policies and logs.
As you can imagine, this kind of manual audit and risk assessment work, focused on physical and software produced artifacts, was inefficient and not robust. In addition, much of the time, compliance work was done to “check the box” from an audit perspective, without contributing to the overall company security posture.
Fast forward many years, and we are now discussing continuous cloud security and compliance processes focused on the compliance of virtual assets. Advanced levels of APIs and standardization allowed this new discipline and a Gartner category to be born: CSPM (Cloud Security Posture Management). Accordingly, it looks like we finally have an opportunity to recreate these processes from scratch — to use automation, continuous validation, and remediation, and to embed security and compliance as early as possible in the development lifecycle. We are now able to automate and connect the dots between the compliance and security posture of a company.
CSPM is an area of security that focuses on the security posture of cloud assets. IT security tools that fall under the CSPM category are designed to detect and remediate misconfigurations, ultimately assisting companies in their compliance and regulatory assessments. CSPM tools continuously monitor cloud infrastructure, identify gaps, and provide remediation solutions to fix misconfigurations.
Current-generation CSPM tools have existed for about four or five years. As companies move to the cloud and as new companies are born into the cloud – and we all know that misconfigurations are the primary cause of security breaches – the vulnerabilities created in the cloud become the customers’ responsibility to take care of and prevent.
There are a lot of ways to implement CSPM processes and solutions:
- Cloud-Native Tools: Each cloud provider offers a wide set of security tools and solutions. Clients using these tools usually can live with very little or no customization and would like to centralize their effort down to one console that requires no integration with external tools. In many cases, customers build homegrown solutions on top of cloud provider tools using various APIs to achieve the results that they need to scale and secure complex environments. Multi-cloud clients would need to take into consideration that cloud-native tools are usually tailored to the native cloud provider (even though there is some level of multi-cloud support that some of the tools offer).
- Home Grown and Open Source: Some companies — especially those more single product-focused and born into the cloud, as well as those following DevSecOps principles—may consider building their own solutions. Often, these will utilize open source projects designed for CSPM (such as Cloud Custodian, Open CSPM, Checkov, OPA and so on). Companies decide to take this path if they have the expertise needed and because they want to customize the technology to the exact use case. Many times the challenge with homegrown tools is in the ongoing maintenance needed (more tech debt!), upgrades, and ongoing adoption to cloud provider changes, new services, and regulatory changes.
- Off the shelf: Off the shelf CSPM products became a subset of #cnapp suites that deal with misconfigurations as well as workload protection (CWPP) and Cloud Infrastructure and Entitlements Management security (CIEM). Companies that use these tools plan to scale their CSPM effort fast and to be able to benefit from customizations, automation, and out of the box best practices to help them achieve regulatory compliance and improve security posture to an acceptable level of risk.
CSPM Maturity Model
The pillars of the CSPM maturity model are defined based on past CSPM tool implementations and may evolve over time as we test and apply this model to more CSPM implementations. But the idea here is to identify what stage you are at now, where you want to be, and outline the steps on how to get there.
Here is a quick definition of the main pillars:
- CSPM configuration and customization of rules and policies: The process of setting up and changing the baseline CSPM checks and policies that will define what is considered a misconfiguration in your organization.
- Process: At which phase misconfigurations are identified — as part of the development lifecycle there are several phases at which misconfigurations can be detected. Starting with development, and continuing from deployment into production, companies can detect posture problems at any phase of the development lifecycle.
- Integration into process and other security/IT tools: CSPM tools are not implemented as a siloed technology. Having a robust level of integration into processes and IT stack of the companies is crucial for successful CSPM adoption.
- Triage of misconfigurations: Alerts and findings of CSPM tools usually flag misconfigurations and define their severity level. A triage stage is crucial to identify what company should focus on to reduce as much risk as possible. Having a rich context about the asset and any given misconfiguration will dramatically help to improve and automate the triage process.
- Remediation Process: once misconfigurations are detected and triaged, the remediation process needs to take place to fix them. This pillar defines the maturity of the remediation efforts.
- KPI and CSPM Success Measurement: how companies will measure progress of CSPM adoption, progress, and improvement over time.
How to drive your CSPM Program Implementation
As you begin to assess your CSPM readiness and plan to make the changes needed to improve protection of cloud assets, consider these key investments to help drive your CSPM implementation more effectively.
Through years of experience in the CSPM domain, I’ve found each of the following to be critical to closing important capability and resource gaps:
1. Continuously manage CSPM baseline policies: Define your key security controls. These can vary across different environments based on regulatory requirements, data classification, mapping to security attack vectors, etc. Ensure ongoing evaluation, watch out for regulatory changes, new cloud services your company is using, new features, and updates of policies or rules that your selected CSPM tool vendor is managing.
2. Automation: First and foremost, automation should be properly implemented to ensure it is not causing production issues. Invest in automated triage and remediation to reduce your mean time to respond to misconfigurations. Start with the low hanging fruit first, making sure you understand which remediation activities are repetitive and can be automated. Gradually implement automation with human choke points that are advised at first phases, until one can fully trust the robots.
3. Enrichment and Intelligence: Utilize cloud intelligence and all available signals to enrich and understand your assets and misconfigurations better. (You need to know when an open bucket in not an issue – for example its ok for your public website to be hosted in a public-facing S3 bucket)
4. Data classification and ownership: Discover, classify, tag and monitor your sensitive systems, assets, key data repositories and crown jewels. It’s also important to define who will take care of remediation in order to better prioritize and respond to misconfigurations.
While a CSPM maturity model is most effective when integrated across all cloud environments, most organizations will need to take a phased approach that targets specific areas of their cloud based on their CSPM maturity, available resources, and priorities. It will be important to consider each phase carefully and align them with current business needs.
The first step of your journey does not have to be a large change of your CSPM process or toolset. Fortunately, each step forward will make a difference in reducing cloud risk and making your cloud journey more secure.