What is cloud security posture management?
Cloud security posture management, also known as CSPM, scours cloud environments and alerts staff to configuration vulnerabilities in the software and compliance risks, most of which stem from human error.
In its Innovation Insight for Cloud Security Posture Management report, Gartner defined a new category of products that automate security and compliance assurance and address the need for proper control over cloud infrastructure configurations, calling this category Cloud Security Posture Management (CSPM). In 2020, adoption of CSPM solutions has been strong and growing, and is projected to reach 25 percent in the next few years. Organizations are realizing that this is a “must have” cloud security tool.
Why do we need it?
The adoption of cloud and cloud-based applications has been a boon to businesses and employees, providing new levels of productivity and flexibility. As these tools are open to the internet and readily available to anyone, they exposed the business to greater risk, including data breaches. Despite training and everyone’s best efforts, problems still arise. Security, risk, and business leaders continue to encounter:
- Data breaches resulting from misconfigurations of cloud infrastructure, which continue to expose enormous amounts of confidential customer data, leading to legal liability and financial losses.
- Continuous compliance for cloud-based workloads, which is impossible to achieve using traditional on-premises tools and processes.
- Challenges implementing cloud governance (visibility, policy enforcement across business units, lack of knowledge about cloud security controls), which continue to increase as cloud adoption grows within the organization.
Among these, data breaches receive the most attention and account for the greatest damage to an organization. For example:
- The IBM Cost of a Data Breach 2019 report estimated the average cost of a data breach at $3.9 million globally and $8.2 million nationally. The loss of customer trust and the resulting loss of business is the largest component of this average cost calculation.
- A recent data breach report from Risk Based Security shows 15 billion records exposed in 2019, a significant jump from recent years. Four breaches caused by misconfigured databases exposed 6.7 billion records in Q4 2019
- The IBM X-Force Threat Intelligence Index 2020 report has shown a nearly tenfold year-over-year increase in records exposed due to misconfigurations, accounting for 86 percent of the total records compromised in 2019.
Gartner recommends that security and risk management leaders responsible for infrastructure security deploy access management, encryption, ZTNA, CSPM and SIEM.Gartner, 2020
Cloud-native applications require different rules and techniques, leading to the development of cloud workload protection (CWPP). But as the applications grow increasingly dynamic, the security options need to shift as well. Combining CWPP with the emerging cloud security posture management (CSPM) accounts for all evolution in security needs.Gartner, 2020
What do CSPM solutions do?
CSPM services conduct the following activities on a continuous basis and can include automation capabilities to correct issues without human intervention or delay.
- Identify your cloud environment footprint and monitor for the creation of new instances or buckets.
- Provide policy visibility and ensure consistent enforcement across multiple cloud providers.
- Scan your compute instances for misconfigurations and improper settings that could leave them vulnerable to exploitation.
- Scan your storage buckets for misconfigurations that could make data accessible to the public.
- Audit for adherence to appropriate compliance mandates.
- Perform risk assessments vs. frameworks and external standards, such as the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST).
- Verify that operational activities are being performed as expected (e.g., key rotations).
- Automate remediation or remediate at the click of a button.
Through 2024, organizations implementing a CSPM offering and extending this into development will reduce cloud-related security incidents due to misconfiguration by 80%.Gartner, January 2019
How does Zscaler do CSPM?
The challenge that many CSPM solutions face is that, as point products, they can’t integrate into the larger organizations’ security and data protection tools. This makes it difficult to integrate them into a company’s processes and provide siloed visibility.
Zscaler CSPM uniquely solves this by automatically identifying and remediating application misconfigurations as part of the comprehensive, 100-percent cloud-delivered data protection capabilities in the Zscaler Cloud Security Platform.
Zscaler CSPM automates security and compliance in the cloud, delivering continuous visibility and enforcing adherence to the most comprehensive set of security policies and compliance frameworks. Offered as a multitenant SaaS, Zscaler CSPM enables seamless integration with customer cloud infrastructure, quick data collection, comprehensive dashboards and reports. Zscaler CSPM supports integrations with continuous integration and continuous delivery (CI/CD) pipelines and ticketing systems, and enables auto-remediation. Customers easily enforce their corporate information security standards across AWS, Azure and Office365 environments to prevent misconfiguration-related data breaches.
Zscaler CSPM automates visibility into the status of more than 1,500 security policies and 14 compliance frameworks across AWS, Azure and Office365. The product also allows organizations to create their own private benchmarks, supports large-scale application environments and allows rapid adoption of DevSecOps.
The Zscaler CSPM:
- Collects real-time configurations: The application is granted access to customer cloud environments (AWS, Azure, Office 365, Google Cloud or any other CSP). It then collects actual configurations of cloud infrastructure over APIs. A small subset of policies may require the installation of an agent.
- Identifies misconfigurations: It compares discovered configurations against built-in security policies and identifies misconfigurations at the security policy and resource level. It also provides a complete mapping of security policies within various compliance frameworks. Intuitive dashboards and reports help review this information.
- Governs security and compliance: It enables various cloud governance features, including risk-based prioritization of the security posture, policy management (e.g. overrides, exceptions, third-party compensations), and the configuration of private benchmarks for organizations that have multiple compliance standards or information security teams that need to customize the policy set for a specific architecture.
- Fixes misconfigurations: Remediation steps for each and every security policy and auto-remediation for a subset of the most critical security policies can be applied.