Cloud security posture management (CSPM) is cybersecurity technology that automates and unifies the identification and remediation of misconfigurations and security risks across hybrid cloud and multicloud environments and services, including Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).
Organizations are increasingly adopting, and combining, multicloud (services from several different cloud service providers) and hybrid cloud (a combination of public cloud and private cloud infrastructure).
Multicloud and hybrid cloud give organizations of all sizes the flexibility to deploy best-of-breed apps and development tools, rapidly scale operations, and accelerate digital transformation. By one recent estimate, 87 percent of organizations use multi-cloud environments, and 72 percent use hybrid-cloud environments.
But along with these benefits, multicloud and hybrid cloud also bring security challenges.
Security staff and DevOps/DevSecOps teams have to manage security and compliance for all the components of the cloud-native applications they deploy across multiple providers’ clouds—hundreds or thousands of microservices, serverless functions, containers and Kubernetes clusters.
In particular, Infrastructure as code (IaC), which enables API-driven, on-the-fly provisioning with every continuous integration/continuous delivery (CI/CD) cycle, makes it all too easy to program, distribute and perpetuate misconfigurations that leave data and applications vulnerable to security incidents and cyberthreats.
CSPM solutions work by discovering and cataloging an organization's cloud assets, continuously monitoring them against established security and compliance frameworks, and providing tools and automation for quickly identifying and remediating vulnerabilities and threats.
With multiple cloud providers and distributed cloud components, lack of visibility can be a problem for security teams. CSPM addresses this issue by automatically discovering all cloud services and application components—and their associated configurations, metadata, security settings and more—across all public and private cloud services and all cloud providers (e.g., Amazon Web Services, Google Cloud Platform, IBM Cloud, Microsoft Azure) in the organization’s hybrid multicloud environment.
CSPM’s continuous monitoring discovers all cloud resources and assets in real time, as they are deployed. Security teams can monitor and manage everything from a single dashboard.
CSPM tools monitor for misconfigurations by constantly assessing configurations against industry and organizational benchmarks—like those from the International Organization for Standardization (ISO), National Institute for Standards and Technology (NIST), and the Center for Internet Security (CIS)—as well as the organization’s own benchmarks and security policies. CSPM solutions typically provide guided cloud configuration remediation, as well as automation capabilities for resolving some misconfigurations without human intervention.
CSPM also monitors and remediates other vulnerabilities, such as gaps in data access permissions that hackers can exploit to access sensitive data. And most CSPM solutions integrate with DevOps/DevSecOps tools to speed remediation and prevent misconfigurations in future deployments.
CSPM tools also provide continuous compliance monitoring to help organizations adhere to compliance standards—such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS)—and to identify potential compliance violations.
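The assess-against-benchmark-then-remediate loop described above, as an added illustration (not any vendor's code): each rule is tagged with the benchmarks or regulations it maps to, carries guided-remediation text, and optionally an automatic fix. The inventory records, the rule names, and the choice of ports 22/3389 as "admin ports" are constructed assumptions for the example.

```python
# Added illustration (not vendor code) of the assess-then-remediate loop a CSPM
# tool runs. INVENTORY is constructed data standing in for discovery results.
from dataclasses import dataclass
from typing import Callable, Optional

INVENTORY = [
    {"id": "bucket-logs", "type": "object_store", "public": True, "encrypted": False},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db", "type": "security_group", "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
]

def open_admin_rules(sg: dict) -> list:
    """Ingress rules exposing SSH/RDP (assumed admin ports) to the whole internet."""
    return [r for r in sg["ingress"] if r["port"] in (22, 3389) and r["cidr"] == "0.0.0.0/0"]

@dataclass
class Rule:
    name: str
    resource_type: str
    frameworks: tuple                 # benchmarks/regulations the control maps to
    passes: Callable[[dict], bool]    # True when the asset is compliant
    guidance: str                     # guided-remediation text for the operator
    auto_fix: Optional[Callable[[dict], None]] = None

RULES = [
    Rule("object-store-not-public", "object_store", ("CIS", "PCI DSS"),
         lambda b: not b["public"], "Block public access and review the bucket policy"),
    Rule("object-store-encrypted", "object_store", ("CIS", "HIPAA"),
         lambda b: b["encrypted"], "Enable encryption at rest",
         auto_fix=lambda b: b.update(encrypted=True)),
    Rule("no-admin-ports-from-internet", "security_group", ("CIS", "PCI DSS"),
         lambda sg: not open_admin_rules(sg), "Restrict SSH/RDP to trusted CIDRs",
         auto_fix=lambda sg: sg.update(ingress=[r for r in sg["ingress"] if r not in open_admin_rules(sg)])),
]

def assess(inventory: list, rules: list, remediate: bool = False) -> list:
    """Evaluate each asset against the rules for its type. Returns one
    (asset id, rule, frameworks, status, guidance) tuple per failed control;
    with remediate=True, controls carrying an auto_fix are corrected in place."""
    findings = []
    for asset in inventory:
        for rule in rules:
            if rule.resource_type != asset["type"] or rule.passes(asset):
                continue
            status = "open"
            if remediate and rule.auto_fix:
                rule.auto_fix(asset)
                status = "auto-remediated" if rule.passes(asset) else "open"
            findings.append((asset["id"], rule.name, rule.frameworks, status, rule.guidance))
    return findings
```

Running `assess(INVENTORY, RULES)` reports the public bucket, the unencrypted bucket and the internet-exposed SSH rule; a second pass with `remediate=True` fixes the latter two in place and leaves the public-access finding for guided, human-reviewed remediation.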
In addition to identifying cloud security and compliance risks, CSPM solutions monitor the entire environment for malicious or suspicious activity, and incorporate threat intelligence to identify threats and prioritize alerts. Most CSPM solutions integrate with security tools—such as security information and event management (SIEM)—to capture context and insights for improved threat detection and incident response.
Cloud infrastructure security posture assessment (CISPA), the first generation of CSPM, was primarily designed to report misconfigurations and security issues. CSPM goes beyond simple reporting and automates the detection and remediation process. CSPM solutions continuously monitor for security issues using advanced artificial intelligence and benchmark against established security best practices.
Cloud workload protection platforms (CWPPs) secure specific workloads across cloud providers and allow organizations to perform security functions across multiple cloud environments, focusing on vulnerability management, anti-malware, and application security. By contrast, CSPMs protect the entire cloud environment, not just specific workloads. CSPMs also incorporate more advanced automation and guided remediation to help security teams fix problems once they’re identified.
CASBs, or cloud access security brokers, act as security checkpoints between cloud service providers and their customers. They help enforce policies that regulate network traffic before granting access and provide essential tools like firewalls, authentication mechanisms, and malware detection. CSPM tools perform these same monitoring tasks but take them further, delivering continuous compliance monitoring and establishing a policy that outlines the desired infrastructure state. CSPM solutions then check all network activity against this policy, ensuring the network complies with established standards and maintains a secure cloud environment.
A cloud-native application protection platform, or CNAPP, consolidates several cloud security and CI/CD security technologies into a single platform that helps security, development and DevOps/DevSecOps teams collaborate on developing, delivering and running more secure and compliant cloud-native applications.
CNAPP was originally defined as a combination of CSPM, CWPP, and cloud service network security (CSNS), a technology for protecting network traffic. But depending on whom you ask, CNAPP can include several other technologies, such as cloud infrastructure entitlement management (CIEM), for continuously monitoring and managing cloud permissions, and infrastructure as code scanning, for catching misconfigurations during the CI/CD cycle. Industry analyst Gartner publishes its own definition of CNAPP.