What is CSPM?
Cloud security posture management (CSPM) is a category of automated data security solutions that monitor for, identify, alert on, and remediate compliance risks and misconfigurations in cloud environments. One of its most critical functions is continuous monitoring for gaps in the way security policies are enforced.
In its Innovation Insight for Cloud Security Posture Management report, analyst firm Gartner defined CSPM as a category of products that automate security and compliance assurance and address the need for proper control over cloud infrastructure configurations. In 2020, according to Gartner, the adoption of CSPM solutions was strong, projected to reach 25% in just a few years as more organizations recognize them as must-have cloud security tools.
Why do we need CSPM?
The adoption of cloud services and cloud-based applications has been a boon to businesses and employees, enabling new levels of productivity and flexibility. But because these tools are open to the internet and readily available to anyone, they can expose businesses to greater risk of cybersecurity threats, including data breaches. Despite training and everyone’s best efforts, vulnerabilities remain and security issues arise, putting sensitive data at risk. IT security, risk, and business leaders constantly work to address:
- Data breaches resulting from misconfigurations of cloud infrastructure, which can expose enormous amounts of sensitive data, leading to legal liability and financial losses.
- Continuous compliance for cloud apps and workloads, which is impossible to achieve using traditional on-premises tools and processes.
- Challenges implementing cloud governance (visibility, permissions, policy enforcement across business units, lack of knowledge about cloud security controls), which grow alongside cloud adoption within the organization.
Among these, data breaches receive the most attention and account for the greatest damage. For example:
- The IBM Cost of a Data Breach 2019 report estimated the average cost of a breach at US$8.2 million in the US and $3.9 million globally. The loss of customer trust and the resulting loss of business is the largest component of this average cost calculation.
- A 2020 report from Risk Based Security shows 15 billion records exposed in 2019, a significant jump from previous years. Four breaches caused by misconfigured databases exposed 6.7 billion records in Q4 2019.
- The IBM X-Force Threat Intelligence Index 2020 report showed a nearly tenfold year-over-year increase in records exposed due to misconfigurations, accounting for 86% of the total records compromised in 2019.
Cloud native applications require different rules and techniques, which led to the development of cloud workload protection platforms (CWPP). But as applications grow increasingly dynamic, the security options need to shift as well. Combining CWPP with CSPM tools covers these evolving security needs.
How does CSPM work?
Broadly speaking, CSPM protects you in three ways:
- Provides visibility into your cloud assets and configurations. Enterprise CSPM discovers misconfigurations, changes in policy or metadata, and more, and helps you manage all these policies through a centralized console.
- Manages and remediates misconfigurations. By comparing your cloud configurations against industry standards and other pre-built rules, CSPM reduces human error that can increase your risk of costly breaches.
- Discovers new potential threats. CSPM monitors your cloud environments in real time for inappropriate access and anomalies that may indicate malicious activity.
What are the key capabilities of CSPM?
Let's look at what CSPM can do in more detail. CSPM services can take advantage of automation capabilities to correct issues without human intervention or delay, conducting continuous monitoring as they:
- Identify your cloud environment footprint and monitor for the creation of new instances or storage resources, such as S3 buckets.
- Provide policy visibility and ensure consistent enforcement across all providers in multicloud environments.
- Scan your compute instances for misconfigurations and improper settings that could leave them vulnerable to exploitation.
- Scan your storage buckets for misconfigurations that could make data accessible to the public.
- Audit for adherence to regulatory compliance mandates such as HIPAA, PCI DSS, and GDPR.
- Perform risk assessments against frameworks and external standards such as those put forth by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST).
- Verify that operational activities (e.g., key rotations) are being performed as expected.
- Automate remediation or remediate at the click of a button.
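The core loop described above (compare discovered configurations against pre-built rules, then keep monitoring for new violations) can be sketched as follows. This is an added example, not code from any CSPM product; the inventory snapshot, its field names, the rule ids, and the 90-day rotation window are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed "scan time" so results are reproducible
MAX_KEY_AGE = timedelta(days=90)                  # assumed rotation policy, not from the page

# Constructed inventory snapshot; field names are hypothetical, not a provider's API schema.
INVENTORY = [
    {"id": "bucket/logs", "type": "bucket", "public_read": False, "encrypted": True},
    {"id": "bucket/exports", "type": "bucket", "public_read": True, "encrypted": False},
    {"id": "vm/web-1", "type": "instance", "open_ports": [22, 443], "ingress_cidr": "0.0.0.0/0"},
    {"id": "key/app-signing", "type": "key", "last_rotated": "2023-06-01T00:00:00+00:00"},
    {"id": "key/db-backup", "type": "key", "last_rotated": "2023-12-20T00:00:00+00:00"},
]

def key_is_stale(res):
    """True when the key was last rotated longer ago than MAX_KEY_AGE."""
    return NOW - datetime.fromisoformat(res["last_rotated"]) > MAX_KEY_AGE

# Each rule: (rule id, resource type, severity, predicate that is True on a violation).
RULES = [
    ("storage-public-read", "bucket", "high", lambda r: r.get("public_read", False)),
    ("storage-unencrypted", "bucket", "medium", lambda r: not r.get("encrypted", False)),
    ("ssh-open-to-world", "instance", "high",
     lambda r: 22 in r.get("open_ports", []) and r.get("ingress_cidr") == "0.0.0.0/0"),
    ("key-rotation-overdue", "key", "medium", key_is_stale),
]

def evaluate(inventory, rules=RULES):
    """Return findings sorted by severity (high first), then resource id and rule id."""
    findings = []
    for res in inventory:
        for rule_id, rtype, severity, violates in rules:
            if res["type"] == rtype and violates(res):
                findings.append({"resource": res["id"], "rule": rule_id, "severity": severity})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["resource"], f["rule"]))

def new_findings(previous, current):
    """Continuous monitoring: report only violations absent from the previous scan."""
    seen = {(f["resource"], f["rule"]) for f in previous}
    return [f for f in current if (f["resource"], f["rule"]) not in seen]

if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f['severity']:<6} {f['resource']:<16} {f['rule']}")
```

Feeding `new_findings` the results of two consecutive scans is what turns a one-off audit into drift detection: only configuration changes that introduce a violation raise an alert.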
Through 2024, organizations implementing a CSPM offering and extending this into development will reduce cloud-related security incidents due to misconfiguration by 80%.
How does Zscaler do CSPM?
The challenge many CSPM solutions face is that, as point products, they can’t adequately integrate with an organization's security and data protection tools. This provides siloed visibility, which raises security risks and prolongs incident response.
Zscaler CSPM uniquely solves siloed visibility by automatically identifying and remediating application misconfigurations as part of the comprehensive, 100% cloud-delivered data protection capabilities of the Zscaler Zero Trust Exchange™, the global cloud platform that powers all Zscaler services.
Zscaler CSPM automates security and compliance for cloud assets and cloud applications, delivering continuous visibility and enforcing adherence to the most comprehensive set of security policies and compliance frameworks. As a multitenant SaaS offering, Zscaler CSPM enables seamless integration with customer cloud infrastructure, quick data collection, comprehensive dashboards, and reports. Zscaler CSPM supports integrations with multiple cloud providers—providing continuous integration and continuous delivery (CI/CD) pipelines and ticketing systems—and enables auto-remediation. Customers can easily enforce their corporate information security standards across their IaaS providers (e.g., Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform) and SaaS applications to prevent misconfiguration-related data breaches.
Zscaler CSPM supports security and compliance efforts with the broadest coverage of 2,700+ pre-built policies mapped across 16 standards—including NIST, CIS Benchmarks, PCI DSS, SOC 2, and AWS security best practices—and enforces guardrails for secure, compliant deployments that improve DevOps efficiency. It also allows organizations to create custom, private benchmarks and supports large-scale application environments.
Zscaler CSPM is part of the comprehensive Zscaler Data Protection suite, which also includes Zscaler Cloud DLP, Zscaler Cloud Browser Isolation, and cloud access security broker (CASB).
Zscaler CSPM:
- Collects real-time configuration data from the cloud infrastructure via APIs, once granted access to customer cloud environments. A small subset of policies may require the installation of an agent.
- Identifies cloud misconfigurations at the security policy and cloud resource levels by comparing discovered configurations against built-in policies. It also provides a complete mapping of policies within various compliance frameworks, with easy visualization through intuitive dashboards and reports.
- Governs security and compliance with various cloud governance features, including compliance monitoring, risk-based triage of security posture, policy management, and configuration of private benchmarks for organizations that have multiple compliance standards or information security teams with specific architecture needs.
- Fixes misconfigurations by providing remediation steps for each and every security policy violation as well as auto-remediation for a subset of the most critical policies.