CSPM: A new class of security tools

From account hijackings to distributed denial-of-service (DDoS) attacks to insecure APIs and interfaces, the threat landscape for cloud applications and services remains a busy place, one where even small mistakes can lead to serious security breaches and data leaks.

An organization’s need to reduce risk, combined with a lack of experience in identifying which parts of the environment present that risk, has given birth to a class of security tools known as Cloud Security Posture Management (CSPM), a rebranding of sorts for a collection of tools that once fell under a category known as Cloud Infrastructure Security Posture Assessment (CISPA). The difference, however, is not just in the name. The management component of these tools allows for more than just reporting: it enables enterprises to address configuration issues affecting their cloud environments.

Given Gartner’s prediction that by 2022 virtually all cloud security mishaps will be due to customer configuration and setup errors in cloud environments, these tools play a crucial role in cloud adoption and security.

Race to the cloud

The clear business need to protect against misconfigurations in cloud environments has driven a consolidation in the market for cloud security tools. Palo Alto Networks purchased Evident.io and RedLock earlier this year to provide cloud security analytics, compliance monitoring, and other security benefits to their customers. In April, Oracle and advisory firm KPMG released research that found that 57% of those surveyed were either concerned or very concerned that in the next 12 months, misconfigured systems, such as server workloads and cloud services, could lead to a successful attack that threatened their infrastructure, data assets, and business operations. Another 31% said they were somewhat concerned.

DevOps teams looking to cloud environments for their future applications are not equipped to understand the risks their configurations and settings are bringing into a previously secured on-premises environment. Having CSPM tools that can monitor and alert on configuration risks and compliance issues gives organizations a solid understanding of the real risks present in their environments and, more importantly, how to fix them.

Making matters worse, ignorance of these issues causes breaches. A quick look at the headlines proves this. Earlier this year, for example, a Walmart partner mistakenly leaked customer details of 1.3 million people by leaving an AWS S3 bucket openly accessible over the internet. GoDaddy, the popular domain and hosting service, was similarly exposed this year due to an S3 bucket misconfiguration, as were the NSA, FedEx, and Verizon.

Commonly made mistakes

Those are only a few examples, but the problem is a common one. Three of the most common misconfigurations of cloud environments include:

  • cloud storage folders openly accessible via the internet
  • SSH/RDP open to the internet
  • cloud user/service accounts with excessive access rights

These misconfigurations happen because organizations are moving quickly, because there is a lack of knowledge around cloud configuration best practices, and because risks can be difficult to see when deadlines are fast approaching. Add to all of this a general misunderstanding of the shared responsibility model and you have yourself a recipe for compromise.

One of the surprising takeaways from our recent #ArmorU poll series was how many organizations still do not consider shared responsibility a core driver of their cloud strategy. Shared responsibility defines the role the customer, not just the cloud provider, has to play in securing their cloud environment. The extent of that role depends on the cloud delivery model. Failing to fully appreciate your organization’s responsibilities can result in mistakes like the ones mentioned above, as organizations may rely too much on the cloud provider’s security mechanisms or default configurations to protect their data and workloads.

CSPM to the rescue

There is no magic bullet for cloud security that applies across all situations, but there are steps your organization can take to increase or lower the risk to your environment. Making the right decisions requires knowing what those risks are and taking the appropriate measures to leverage cloud applications and services securely.

This is where CSPM tools can help you. They automatically check your environment for compliance and security violations and provide the steps necessary to remediate them, often automated with the click of a button. Determining what to look for, building automated scripts to check for them, or performing checks manually across an organization’s cloud environment is simply impossible for most organizations and not worth the effort and costs required to do it right.
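The kind of automated check described above, applied to the three common misconfigurations listed earlier, can be sketched as follows. This is an added example, not code from the original article or from any CSPM product; the inventory format, field names and check names are assumptions made for illustration.

```python
# Constructed, provider-neutral inventory snapshot. Field names are assumptions
# for this example, not any cloud provider's or CSPM product's schema.
INVENTORY = {
    "storage": [
        {"name": "customer-exports", "public_read": True},
        {"name": "build-artifacts", "public_read": False},
    ],
    "firewall_rules": [
        {"name": "admin-ssh", "source": "0.0.0.0/0", "ports": (22, 22)},
        {"name": "jump-rdp", "source": "10.0.0.0/8", "ports": (3389, 3389)},
        {"name": "web", "source": "0.0.0.0/0", "ports": (443, 443)},
        {"name": "legacy-all", "source": "::/0", "ports": (0, 65535)},
    ],
    "identities": [
        {"name": "ci-deployer", "actions": ["*"], "resources": ["*"]},
        {"name": "log-reader", "actions": ["logs:read"], "resources": ["logs/*"]},
    ],
}

ANY_SOURCE = {"0.0.0.0/0", "::/0"}       # rule applies to the whole internet
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # remote-administration services


def evaluate(inventory):
    """Return one finding per misconfigured resource, with a remediation hint."""
    findings = []
    for bucket in inventory.get("storage", []):
        if bucket.get("public_read"):
            findings.append({"check": "public-storage", "resource": bucket["name"],
                             "fix": "remove public read; grant named principals only"})
    for rule in inventory.get("firewall_rules", []):
        low, high = rule["ports"]
        # A range such as 0-65535 exposes admin ports without naming them.
        exposed = [svc for port, svc in ADMIN_PORTS.items() if low <= port <= high]
        if rule["source"] in ANY_SOURCE and exposed:
            findings.append({"check": "open-admin-port", "resource": rule["name"],
                             "fix": "restrict " + "/".join(exposed) + " to a management network"})
    for ident in inventory.get("identities", []):
        if "*" in ident.get("actions", []) and "*" in ident.get("resources", []):
            findings.append({"check": "excessive-rights", "resource": ident["name"],
                             "fix": "replace wildcard grant with the actions and resources in use"})
    return findings


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f['check']}] {f['resource']}: {f['fix']}")
```

The `legacy-all` rule names neither SSH nor RDP, yet its port range covers both, which is the kind of exposure that is easy to miss in a manual review.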

The elasticity of the cloud is a double-edged sword when it comes to security. If anyone in a company can spin up a cloud instance, the controls that used to be in place to protect against data leaks disappear. With CSPM tools, companies can be aware of these new risks to their environments, protect themselves against breaches, and build a standard set of uniform configurations for their cloud environments.
