CyberTrend Analysis: Cloud Security Posture Management

Originally Posted on Medium on Apr 14, 2021

💣 The Problem

Cloud security is not datacenter security

The transition from traditional networking and infrastructure to the cloud introduced a new dimension of issues and challenges for cybersecurity teams, requiring either a different talent pool or an overhaul of existing skills.

The cloud is almost limitless

The top providers offer hundreds of services, from servers to serverless and from databases to data analytics, so creating the right security suite for every service can be challenging.

Defense in depth is not as effective in the cloud

The layers over layers of security controls worked great when the blast radius of a single change was highly confined. Today, terabytes of highly sensitive data can get exposed to the internet with a flick of a button.

“Hyper Productivity” causes uniformity challenges

Traditionally, security practices were aligned with IT, enforced by IT, and governed by the cybersecurity teams. Now that security is detached from IT, security teams must find a way to control environments and their security posture regardless of who owns them.

Infrastructure is automated; security changes are not

Security teams commonly use static change management processes. With infrastructure being dynamically changed and declared in code, the security processes do not align with the required agility.

Same controls, different clouds

Many enterprises choose to adopt a multi-cloud strategy, creating a headache for security teams attempting to maintain compliance posture and security controls across different cloud vendors.

💡 The Opportunity

Understand the cloud infrastructure’s security posture

Cloud providers have invested vast resources in making configuration and event data available to their customers. CSPM technologies leverage that data to create an end-to-end security posture for the environment.

Create an enforceable security policy across clouds

Instead of developing governance policies per cloud vendor, CSPM solutions create a common denominator between the major cloud providers, enabling single policy enforcement across the board.

Monitor and govern environmental changes

Cloud providers log all resources and usage patterns, removing unknowns from the customer’s cloud environment. CSPM solutions leverage that knowledge to govern changes, alerting or automating a response based on predefined playbooks.

Reduce the attack surface and save costs at the same time

Stale services are costly and become increasingly vulnerable over time. Most CSPM solutions identify unused services to save cloud costs and reduce the security burden of managing those services and keeping them secure.

CSPM pushes security posture and enforcement into the cloud, helping security teams enforce a coherent and consistent policy across multiple services and clouds.

🔮 The Predictions

CSPM will be a must-have for all organizations

Cloud infrastructure is here to stay, and CSPM will be the de-facto tool to protect it. While large organizations already have a CSPM solution, it will be commoditized for smaller organizations as well.

Cloud vendors will offer CSPM by default

For organizations that opt for a single cloud vendor (e.g., AWS, Azure, GCP, and others), CSPM will be an integrated offering from that vendor (for an extra cost).

CSPM will transform into CMDR (Cloud Managed Detection & Response)

Due to the amount of knowledge and research required to detect advanced attacks on cloud environments, CSPM companies will become the de-facto knowledge hub for attack methods, detection of attacks, and dynamic response where needed.

CSPM will complement Infrastructure-As-Code

As infrastructure-as-code becomes a standard way of describing infrastructure within configuration files, CSPM tools will leverage those configurations to enforce a whitelist approach to the runtime environment.

🕵️ The CISO View

Identify the cloud usage patterns (providers and services)

Solutions differ in breadth of support (for example, support for AWS Cognito) and in depth of security know-how (for example, providing a best-practice ruleset). Choose the right vendor by analyzing the organization’s usage patterns and the breadth of services used across the different cloud vendors.

Check the permissions and implementation method

Most CSPM tools are cloud solutions themselves, requiring access rights to the organization’s cloud environments in order to function. Validate that the permissions granted align with what the tool actually needs (for example, if data classification is not a needed feature, do not allow S3 object read access).
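The permission check above can be made mechanical. As an added example (not code from the post or from any CSPM vendor), the following flags data-plane actions, such as reading S3 objects, inside the IAM policy a vendor asks to be attached to its role; the policy and the list of data-plane actions are constructed for the example, and Deny statements are deliberately ignored so the result is an upper bound:

```python
import fnmatch
import json

# Constructed sample: the IAM policy a hypothetical CSPM vendor asks the
# customer to attach to the cross-account role the vendor assumes.
VENDOR_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "iam:Get*", "iam:List*",
                    "cloudtrail:DescribeTrails"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:GetBucketPolicy", "s3:GetBucketAcl",
                    "s3:ListAllMyBuckets", "s3:Get*"]},
    ],
})

# Actions that read customer data rather than configuration metadata. A
# posture tool needs the metadata; data-plane reads are only justified by
# an optional feature such as data classification.
DATA_PLANE_ACTIONS = [
    "s3:GetObject", "s3:GetObjectVersion",
    "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query",
    "secretsmanager:GetSecretValue", "ssm:GetParameter",
    "kms:Decrypt", "sqs:ReceiveMessage",
]


def data_plane_grants(policy_json: str) -> dict:
    """Return {data-plane action: [Allow patterns that grant it]}.
    IAM matches actions case-insensitively with '*' and '?' wildcards,
    which fnmatch reproduces once both sides are lowercased. Deny
    statements are ignored, so the result is an upper bound."""
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):        # a single statement is allowed
        statements = [statements]
    grants = {}
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):        # "Action": "s3:*" form
            actions = [actions]
        for pattern in actions:
            for action in DATA_PLANE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    grants.setdefault(action, []).append(pattern)
    return grants


if __name__ == "__main__":
    for action, patterns in data_plane_grants(VENDOR_POLICY).items():
        print(f"data-plane access {action} granted via {patterns}")
```

In the sample, the bucket-level metadata actions pass, but the broad `s3:Get*` pattern also grants object reads, which is exactly the case the text says to refuse unless data classification is wanted.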

Check the vendor’s compliance with laws, regulations, and overall security posture

Given that third-party supplier attacks are on the rise and CSPM vendors hold the keys to the kingdom, organizations should ensure the vendor is securing its own cloud. Validate compliance with standards, ask for evidence, and continuously monitor how the vendor’s access keys are used.

Examine the vendor’s strategy towards infrastructure-as-code

Infrastructure-as-code is taking the IT world by storm. CSPM solutions should account for infrastructure manifests (for example, Terraform, CloudFormation, and Kubernetes deployment manifests) and translate them into actionable insights and views of the organization’s security posture.

🏁 The Bottom Line

Cloud attacks and data exposure are a daily thing

Exposure at the click of a button is the challenge with the cloud. Security teams must equip themselves to mitigate the threat and continuously monitor their environments.

Get a CSPM

There are currently no better options for monitoring the organization’s cloud environments, and the risks are too significant to overlook. If budget is the issue, start with an open-source tool; they ship with best-practice rulesets and are not hard to deploy for a point-in-time inspection of the cloud posture.

Create a single strategy for CSPM and Infrastructure as code

With the CI/CD transformation and infrastructure automation, CSPM tools are the runtime security portion of a bigger story. The combination of design time and runtime will enable better anomaly detection and understanding of the nature of changes within the cloud environments.
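The "whitelist approach" from the predictions section and the design-time/runtime combination described here amount to one check: treat the IaC manifest as the allowlist and report anything the runtime inventory adds, changes or loses. The following is an added illustration, not code from the post or from any CSPM product; the resource ids, attribute names and both inventories are constructed for the example:

```python
# Constructed sample: what the IaC manifest declares (design time) and what
# the CSPM inventory reports from the cloud API (runtime). Resource ids and
# attribute names are hypothetical.
DECLARED = {
    "s3/app-logs": {"public": False, "encrypted": True},
    "sg/web-tier": {"ingress": ["443/tcp from 0.0.0.0/0"]},
    "rds/orders":  {"public": False, "encrypted": True},
}
RUNTIME = {
    "s3/app-logs":   {"public": True, "encrypted": True},
    "sg/web-tier":   {"ingress": ["443/tcp from 0.0.0.0/0", "22/tcp from 0.0.0.0/0"]},
    "s3/tmp-export": {"public": True, "encrypted": False},
}

# Attribute states that expose a resource; used only to rank findings.
EXPOSING = {"public": True, "encrypted": False}


def severity(attrs):
    """'high' if any attribute is in an exposing state, else 'medium'."""
    return "high" if any(attrs.get(k) == v for k, v in EXPOSING.items()) else "medium"


def drift_findings(declared, runtime):
    """Compare the runtime inventory with the IaC allowlist.
    Returns (resource, kind, detail, severity) tuples. Resources absent
    from the manifest are 'undeclared' whatever their settings: anything
    not declared is outside the allowlist and needs an owner."""
    findings = []
    for rid, actual in runtime.items():
        expected = declared.get(rid)
        if expected is None:
            findings.append((rid, "undeclared", dict(actual), severity(actual)))
            continue
        for key, want in expected.items():      # attribute-level drift
            got = actual.get(key)
            if got != want:
                detail = {"declared": want, "runtime": got}
                findings.append((rid, f"drift:{key}", detail, severity({key: got})))
    for rid in declared:                         # declared but gone at runtime
        if rid not in runtime:
            findings.append((rid, "missing", dict(declared[rid]), "low"))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for rid, kind, detail, sev in drift_findings(DECLARED, RUNTIME):
        print(f"[{sev}] {rid}: {kind} {detail}")
```

Running it on the sample reports the public bucket that was declared private, the extra port 22 ingress rule, the undeclared export bucket and the missing database, which is the kind of change-nature context the text expects from combining both sources.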

Choose a CSPM by defining the depth and breadth

Most of the features will be similar across the CSPM solutions and hard to differentiate to the naked eye. Therefore, choosing the right CSPM for the organization should focus on its usage patterns for the cloud.
