Cloud Security Posture Management (CSPM) is currently one of the fastest growing areas within the field of cloud security; most security vendors are now offering or developing CSPM capabilities. However, enterprises are still trying to build the most effective CSPM program to fit their environment. In many cases, it’s unclear where to start and what the end goal is for the CSPM effort.
To help simplify this process, this post will share guiding principles for implementing a CSPM maturity model, allowing you to assess your CSPM readiness and plan your own implementation journey.
It may be useful to place CSPM in the larger context of the overall cloud security discipline.
Cloud security consists of the processes, technologies and best practices that are applied to protect cloud computing environments, applications running in the cloud, their accompanying infrastructure, and the data held in the cloud. Securing cloud services requires an understanding of what is being secured, how the cloud infrastructure is managed, and who is responsible for every asset in this complex environment.
One of the basic and most important components of any cloud security program is ensuring that cloud infrastructure is well protected – that is the component that requires a well-defined CSPM program and toolset. The other layers of cloud security discipline include application security, workload protection, threat detection and response, data protection and others. All of these components contribute to the overall security posture of the organization.
Implementation of a CSPM program can include all or some of the steps in the application development lifecycle. Some companies will only monitor their runtime environment while others will incorporate posture management assessments in their pre-deployment environment as part of their CI/CD processes.
The big hype around IT compliance and security-related regulations started back in early 2000 with SOX (the Sarbanes-Oxley Act), continued with PCI DSS (the Payment Card Industry Data Security Standard) around 2006, and about 10 years later with SOC 2 (a voluntary compliance standard developed by the American Institute of CPAs). All of these regulatory frameworks seek to assess IT systems and how their use can contribute to misrepresentations of financial statements, data inaccuracies, and fraudulent activities.
Back then, companies were running their IT environments on-premises, and regulatory practices were focused on manual assessments of IT systems using screenshots, spreadsheets, data center visits, and reviews of policies and logs.
As you can imagine, this kind of manual audit and risk assessment work, focused on physical and software produced artifacts, was inefficient and not robust. In addition, much of the time, compliance work was done to “check the box” from an audit perspective, without contributing to the overall company security posture.
Fast forward many years, and we are now discussing continuous cloud security and compliance processes focused on the compliance of virtual assets. Advanced levels of APIs and standardization allowed this new discipline and a Gartner category to be born: CSPM (Cloud Security Posture Management). Accordingly, it looks like we finally have an opportunity to recreate these processes from scratch — to use automation, continuous validation, and remediation, and to embed security and compliance as early as possible in the development lifecycle. We are now able to automate and connect the dots between the compliance and security posture of a company.
CSPM is an area of security that focuses on the security posture of cloud assets. IT security tools that fall under the CSPM category are designed to detect and remediate misconfigurations, ultimately assisting companies in their compliance and regulatory assessments. CSPM tools continuously monitor cloud infrastructure, identify gaps, and provide remediation solutions to fix misconfigurations.
Current-generation CSPM tools have existed for about four or five years. As established companies move to the cloud and new companies are born in the cloud, the vulnerabilities created there become the customers’ own responsibility to prevent and take care of; and, as we all know, misconfigurations are the primary cause of security breaches.
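To make the continuous monitor-detect-remediate loop concrete, here is a minimal CSPM-style posture engine in Python. It is an added example, not code from the original post or from any CSPM product: it evaluates a constructed resource inventory against a few misconfiguration rules, emits findings with remediation guidance, exposes a gate that a CI/CD pre-deployment check could use, and computes a simple posture score for runtime monitoring. The resource shape, rule names, severities and remediation text are all assumptions.

```python
from dataclasses import dataclass
@dataclass
class Finding:
    rule: str
    resource: str
    severity: str
    remediation: str

def check_storage_public(res):
    # Buckets reachable by anyone are the classic cloud misconfiguration.
    if res["type"] == "storage_bucket" and res.get("public_access", False):
        return Finding("storage-no-public-access", res["id"], "high",
                       "Block public access and restrict the bucket policy to known principals.")

def check_storage_encrypted(res):
    if res["type"] == "storage_bucket" and not res.get("encrypted", False):
        return Finding("storage-encryption-at-rest", res["id"], "medium",
                       "Enable default server-side encryption on the bucket.")

def check_ssh_open_to_world(res):
    if res["type"] != "security_group":
        return None
    for rule in res.get("ingress", []):
        if rule["port"] == 22 and rule["cidr"] == "0.0.0.0/0":
            return Finding("sg-no-world-ssh", res["id"], "high",
                           "Limit port 22 to a bastion or VPN CIDR instead of the whole internet.")

RULES = [check_storage_public, check_storage_encrypted, check_ssh_open_to_world]

def assess(inventory):
    # Run every rule over every resource; a rule returns None when the resource passes.
    return [f for res in inventory for f in (r(res) for r in RULES) if f]

def posture_score(inventory, findings):
    # Fraction of resources with no findings: a simple posture metric to trend over time.
    flagged = {f.resource for f in findings}
    return round(1 - len(flagged) / len(inventory), 2) if inventory else 1.0

def gate(findings, block_on=("high",)):
    # Pre-deployment (CI/CD) gate: fail the pipeline on any blocking-severity finding.
    return not any(f.severity in block_on for f in findings)

# Constructed sample inventory: at runtime this comes from cloud APIs, pre-deployment from parsed IaC.
INVENTORY = [
    {"id": "logs-archive", "type": "storage_bucket", "public_access": True, "encrypted": False},
    {"id": "app-data", "type": "storage_bucket", "public_access": False, "encrypted": True},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db", "type": "security_group", "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
]
```

Running `assess(INVENTORY)` on this sample flags two of the four resources, so the pipeline gate fails and the posture score is 0.5; a real deployment would swap the inline inventory for an API or IaC collector and keep the rule set as the shared policy.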
There are a lot of ways to implement CSPM processes and solutions:
The pillars of the CSPM maturity model are defined based on past CSPM tool implementations and may evolve over time as we test and apply this model to more CSPM implementations. The idea is to identify the stage you are at now, the stage you want to reach, and the steps to get there.
Here is a quick definition of the main pillars:
As you begin to assess your CSPM readiness and plan to make the changes needed to improve protection of cloud assets, consider these key investments to help drive your CSPM implementation more effectively.
Through years of experience in the CSPM domain, I’ve found each of the following to be critical to closing important capability and resource gaps:
While a CSPM maturity model is most effective when integrated across all cloud environments, most organizations will need to take a phased approach that targets specific areas of their cloud based on their CSPM maturity, available resources, and priorities. It will be important to consider each phase carefully and align them with current business needs.
The first step of your journey does not have to be a large change to your CSPM process or toolset. Fortunately, each step forward will make a difference in reducing cloud risk and making your cloud journey more secure.
About the author:
Marina Segal is CEO and Co-Founder of a startup that is currently operating in Stealth mode. Prior to that, Marina enabled Dome9 Security (acquired by Check Point) and Sysdig to become leaders in the Cloud Security Market, driving several large enterprise sales and strategic M&A efforts by focusing on delivering Cloud Security and Compliance products.
Marina has over 15 years of global experience in Security, MSSP, Compliance and Governance at Deloitte/Credit Karma and other startups.
She is Founder of the Bay Area’s WoSec Chapter.
Marina holds a B.Sc. in Information Systems & Management and an MBA in Technology, Innovation and Entrepreneurship from Tel Aviv University.