Cloud Security Posture Management (CSPM): An Emerging Control in Cloud Security

by Michael Polise | Nov 18, 2021

There are two conflicting trends associated with cloud migrations that have largely defined cloud security roadmaps for organizations:

  1. Heavy Adoption: The reliance upon cloud-based resources continues to increase as more workloads are migrated to Azure and AWS or transitioned from one provider to another
  2. Low Visibility and Enforcement: Cloud environments often represent a blind spot for blue teamers for one or more of the following reasons:
    1. IT embarked on a cloud journey without fully engaging security early in the process,
    2. Azure and AWS environments are managed in a decentralized manner without a mechanism to enforce standards,
    3. The migration to an Azure or AWS environment occurred at such a rapid pace it was difficult for security to keep up given other priorities; or my personal favorite,
    4. There was an overarching assumption that the cloud is inherently more secure and additional investments in security were not required.

Regardless of the contributing factors, security teams often find themselves playing catch-up: developing cloud security standards, extending existing controls, creating new detection content, and evaluating new controls while production workloads are already supporting business-critical applications. While CASB has reigned as the four-letter acronym in the world of cloud security for years, Cloud Security Posture Management (CSPM) has been increasing in popularity and importance. CSPM platforms allow organizations to manage the attack surface of resources hosted within Azure or AWS.

The following information is intended to provide clarity around what a CSPM is, where it fits into your current program, as well as some insights based upon our experience.


What is a CSPM and how does it differ from a CASB?

CSPM platforms are designed to provide attack surface management and detect risks within IaaS and PaaS applications hosted within Azure and AWS. CASB platforms predominantly focus on SaaS by providing access governance, threat detection, and data protection for managed applications. Below is a side-by-side comparison of high-level use cases:

CSPM Use Cases for IaaS & PaaS
  • Configuration and compliance monitoring
  • Detecting IAM risks and secrets
  • Asset inventory and discovery
  • Visibility into network reachability and exposure
  • Threat detection
  • Vulnerability assessment

CASB Use Cases for SaaS
  • Data protection for managed applications
  • Access governance
  • Threat detection (detect, quarantine, block)
  • Application discovery, shadow IT, and identification of high-risk applications and users


Do I need a separate platform to accomplish this, or can I use native capabilities within AWS and Azure consoles?

You can use native consoles to obtain similar value. However, the level of effort to create and maintain detection rules within native consoles exceeds that of third-party tools as they offer a library of out of the box detections and alerts. If you have a sizeable team with strong Azure or AWS skills, great – you’re the exception. Most teams are operating very lean and any opportunity to introduce new capabilities with a lower level of effort tends to be the simpler option.

There are two additional reasons why a third-party CSPM may be a better fit for you: 1) your organization has invested in a multi-cloud strategy and wants a consolidated pane of glass to assess cloud posture, and 2) out-of-the-box integrations with workflow and ticketing platforms, automation, and custom dashboards may be a requirement.


Who are the key players in this space and what is the architecture?

There are several vendors offering CSPM platforms; however, the two most popular that we see are Wiz.io and Palo Alto Prisma. While Palo Alto offers two deployment models, API and agent-based, deploying the endpoint agent is required to leverage Prisma’s full capabilities.

Wiz only offers an API integration, but with its approach to scanning you are able to cover the same capabilities, if not more use cases, compared to Prisma. While Wiz is a relatively new player in this space, they are quickly gaining traction throughout the industry based on how they contextualize alerts within their console, rapidly release new features, and do not require the installation of an agent.


Can I displace any other products that I own if I purchase a CSPM tool?

Not in a one-to-one fashion. However, since these products offer vulnerability scanning capabilities for your cloud-based assets you could potentially avoid the need to procure licenses or deploy yet another agent to accomplish vulnerability scanning within the cloud.


Where do CSPMs fit within a security program?

We perform security assessments for Azure and AWS, conduct cloud purple teams, and have helped organizations evaluate and operationalize CSPM platforms. Obtaining visibility into and managing the attack surface of cloud environments is a common challenge. In addition to a well-defined cloud security strategy and security standards, a CSPM can help to manage risks within cloud environments.

As part of program development efforts for operationalizing CSPMs, the majority of use cases pertain to attack surface management, which is generally a component within vulnerability management programs. Organizations can use existing workflows for vulnerability remediation built around traditional vulnerability scanners, as the process is the same with respect to detecting, escalating, and tracking remediation efforts.

There are certain use cases that should generate alerts for your CSOC to investigate, such as those tied to malware detection, changes to admin groups and accounts, publicly exposed RDP or SSH, suspicious console logins, or suspicious user behavior.

Michael Polise
Director, MSIA

Mike specializes in program strategy and execution for Blue Team controls. He has a broad focus across capabilities such as logging and monitoring, data protection, endpoint, perimeter, cloud, and data security with an emphasis on architecture and engineering.

Mike has extensive experience encompassing a wide range of technical and procedural controls, including program development. His experience allows him to focus on long-term strategic goals by identifying cross-platform synergies and developing comprehensive, effective approaches for defending against today’s security threats.