Cloud security10 min read

Cloud security posture management (CSPM) explained

CSPM safeguards cloud infrastructure by tracking configurations, ensuring compliance, and remediating security issues.

Cloud security posture management (CSPM) tools protect cloud infrastructure from security threats and risks with three major job-to-be-done capabilities:

  1. Track all cloud resources and their configurations.

  2. Ensure compliance with security policies and regulatory requirements.

  3. Document, report and fix identified issues and misconfigurations (“remediation”).

Just like a building inspector ensures that a structure is built according to code and in compliance with local, state and federal regulations, CSPM ensures that a cloud follows security best practices and is in compliance with major industry and government regulatory frameworks.

That’s the short version.

In this post, I’ll explain more in detail what CSPM is, how it works, its major capabilities, and how CSPM is different from other security categories with acronyms such as CNAPP, CWPP, CIEM, and SIEM.

What is CSPM?

CSPM is a set of practices and tools to help organizations assess and improve the security of their cloud infrastructure.

According to Gartner, “the core of CSPM applies common frameworks, regulatory requirements and enterprise policies to proactively and reactively discover and assess risk/trust of cloud services configuration and security settings. If an issue is identified, remediation options (automated or human-driven) are provided.”

“Posture” summarizes configurations, security settings, compliance, regulation and policies into a single word.

Using CSPM to obtain good security posture is an important capability for the business for two reasons:

  1. Misconfigurations and bad security settings expose your cloud infrastructure to malicious attackers who may steal data or hijack your environment.

  2. Companies are subject to industry and government regulations, with regular audits to ensure compliance with these regulations or otherwise face penalties.

In short, CSPM is really about avoiding business disruption and not paying a stiff penalty for bad security - through a government-imposed fine or a ransom paid to a malicious actor. Sometimes both. There’s a hard cost for bad security, and CSPM helps avoid incurring that cost.

Who uses CSPM?

The primary user or “persona” of CSPM tools is the “cloud security engineer,” sometimes also “infrastructure security engineer,” or simply “security engineer.”

David White, Senior Security Engineer at Nextdoor, recommends starting with a user story and a job-to-be-done description. In his presentation “Success Criteria for your CSPM,” he provides an example:

Nextdoor Configuration Management User Story

The core use case for CSPM is detecting misconfigurations. For example, in the context of AWS, examples of misconfigurations are public S3 buckets, unencrypted SNS topics, or trust relationships with unknown accounts.

Why CSPM?

The term “CSPM” emerged in the mid-2010s to describe the practices and tools aimed at addressing new types of cloud security challenges.

In the “old world” of on-premise infrastructure, IT teams had complete control over the assets and their configuration. For developers, adding resources was impossible without going through a procurement process. In these legacy environments, IT enforced security within this “perimeter” of assets, by securing access to the network and looking at data flows between assets to detect any risks.

In the cloud, that perimeter is gone, and the old security model breaks apart:

  • Ownership. IT no longer owns the assets - cloud providers do.

  • Procurement. Developers have permissive access to deploy new resources.

  • Technology. Deployments are automated through infrastructure-as-code.

  • Culture. Frequent changes to infrastructure due to updates and experiments.

As a result, the cloud footprint of companies constantly expands and changes, at a rapid speed. To stay compliant and secure, the scale of detection of risks has to increase at the same rapid speed. That’s what CSPM delivers - a way to detect risks and misconfigurations in a changing cloud-native environment.

There are five general reasons why security engineers need CSPM:

  1. Visibility

    In a cloud-native world, keeping track of all resources and how they talk to each other is an enormous challenge. It’s not just compute instances anymore, but also serverless functions, containers and “smaller” services like IP addresses and encryption keys. In expanding and changing cloud environments, misconfigurations of resources happen all the time, sometimes by even just using default configurations.

    Without visibility into the full inventory of all resources, the likelihood of breaches, and compliance failures increases. Security engineers may not find weak points, unseen risks, or wrong settings if they don’t have a full understanding of the asset inventory. A CSPM tool should provide sufficient coverage for the deployed resources.

  2. Context

    Security engineers are notoriously under-resourced and overworked - they simply don’t have the time to address every misconfiguration. They just don’t.

    There is no shortage of CSPM products that can detect misconfigurations. However, a long list of misconfigurations is not very helpful and overwhelming. What’s essential is context, such as exploitability (e.g. a public-facing resource) and impact (access to sensitive data). Equally important is the understanding of relationships between resources, as they may allow for lateral movement across the infrastructure.

    With context, security engineers can prioritize their work and remediate the misconfigurations with the highest risk.

  3. Compliance

    In a static environment, security and compliance audits would take place on an annual recurring basis, sometimes even less frequently. With cloud, continuous compliance has become a regulatory requirement, to avoid penalties and fines.

    There are usually two flavors of compliance frameworks:

    1. Industry frameworks such as CIS Benchmarks, HIPAA, NIST, PCI and SOC-2.

    2. Company-internal policies, such as tagging policies or the level of permissions.

    A CSPM tool should run checks for both against the inventory, assess compliance posture by framework and policy, report any violations, and generate reports to demonstrate compliance to auditors.

  4. Workflows

    What’s the point of fast detection of misconfigurations, when the remediation can days, weeks or even months. When we interviewed security engineers, we found that SLAs for fixing critical risks could be as long as 90 days. The reason was usually a disconnect between the security and the DevOps team.

    Some security engineers we interviewed would go to great lengths and update the underlying infrastructure-as-code templates with the fix to prevent misconfigurations from happening again. Their goal was to ensure good security by making the lives of developers easy.

    CSPM tools should integrate with developer workflows, meaning they should offer automation capabilities for remediation and policy enforcement. With automation, security teams can concentrate on higher-value activities, and move at the same speed as developers.

  5. Usage

    When talking to security engineers, they will tell you that “a lot of times” a misconfigured resource is unused, a.k.a. “drift.” In that case, the remediation is to simply delete the resource.

    When we probed for what “a lot of times” means, estimates were in the 30-40% range; i.e., in 30-40% of cases, a misconfigured resource was already unused and could simply be deleted. A side benefit of deleting unused resources is a reduction in cloud cost.

    What exactly defines “unused” is, of course, a matter of definition, and also depends on the cloud and the resource. But if it’s measurable, it can be reflected in a policy, and therefore also enforced by a CSPM tool that captures the right metrics. For example, a policy could be that a compute instance is considered “unused” if it hasn’t gone above a threshold of CPU and memory usage for a certain amount of time.

In summary, a CSPM tool is a foundational part of cloud security. With changing infrastructure, misconfigurations are bound to happen, and CSPM helps discover and remediate them.

How does CSPM work?

A CSPM tool performs three main jobs:

  1. Create an asset inventory that tracks all cloud resources and their configurations and relationships.

  2. Run compliance checks against the inventory to identify and assess risks, and ensure continuous compliance with policies and regulatory requirements.

  3. Remediate misconfigurations by documenting, reporting, prioritizing, and fixing them.

First, modern CSPMs perform regular scans of the infrastructure to create the asset inventory by calling the cloud APIs and extracting resource metadata. Each scan creates a complete snapshot. The API-based approach is called “agentless,” the scanning frequency can range from hourly to daily. Each scan creates a complete copy of the infrastructure.

Second, with the most recent snapshot available, the CSPM can then run compliance and policy checks against that snapshot. Checks are queries that test the configuration of resources according to the policy, and give a “pass” or “fail.”

For example, the CIS Amazon Web Services Benchmark includes a set of storage-related policies.

A compliance check for 2.2.1 to ensure that “EBS Volume Encryption is Enabled in all Regions” would first search the inventory for all EBS volumes, then check the configuration data for each volume to see if encryption is enabled, and flag the ones without it.

Some CSPMs also use an agent to acquire data. One benefit of the agentless approach over the agent-based approach is that it provides wider and more complete coverage, without the overhead of an agent. An agent also interferes directly with workloads. The agentless approach is comparable to an MRI scan that performs a 3D scan of a human body, without affecting the body itself.

Third, now that the CSPM has flagged any misconfigurations, it provides details on the resources that failed a check. A common challenge is that engineers are either experts in security or infrastructure, but not both. That’s why a CSPM tool should also propose a recommended action to remediate the problem and fix the failed check. The security team can then create a ticket from within the CSPM, and send the misconfiguration along with the fix to their colleagues in infrastructure.

CSPM vs. other cloud security solutions

If the security industry has one thing in abundance, then it’s acronyms. Each acronym describes a different category of security tooling, and that can create a lot of confusion among buyers.

The major difference between these categories and CSPM is that a CSPM tool will always focus on cloud resources and misconfigurations, whereas other categories protect different layers of the stack, such as users, applications, workloads or entitlements.

Here’s a quick comparison of CSPM vs. other categories:

  • CSPM vs. SIEM

    Security Information and Event Management (SIEM) technology collects logs continuously as a source for analysis, in near-real time, whereas CSPM collects metadata from cloud APIs with regular scans.

  • CSPM vs. CIEM

    Cloud Infrastructure Entitlement Management (CIEM) prevents excessive entitlements by monitoring and analyzing individual user access permissions. CSPM focuses more on cloud resources and misconfigurations.

  • CSPM vs. CIEM

    CIEM monitors and analyzes user access permissions to prevent excessive entitlements. CSPM collects asset inventory data and identifies misconfigurations.

  • CSPM vs. CASB

    Cloud Access Security Brokers (CASB) enforce security policies and controls between users and a cloud environment. While CSPM can capture user information associated with a cloud resource, it does not enforce any access controls.

  • CSPM vs. CWPP

    Cloud Workload Protection Platforms (CWPP) scan workloads and applications to identify any vulnerabilities and exploitable security issues. CSPM analyzes infrastructure and resource misconfigurations.

  • CSPM vs CNAPP

    Cloud-native Application Protection Platforms unify otherwise separate cloud security solutions into a single platform. A modern CSPM solution is often part of a more comprehensive CNAPP platform.

  • CSPM vs. CAASM

    Cyber Asset Attack Surface Management (CAASM) also aggregates data from other tools and endpoints such as code repositories, SaaS applications or laptops. CSPM focuses purely on cloud infrastructure.

Does my organization need CSPM?

The answer is a solid “depends,” but more than likely “yes” if you’re working with cloud infrastructure.

A lot of it depends on the size and maturity of a company. For smaller companies with less than 20 developers, a simple automated compliance platform is sufficient. Usually that coincides with tasking a software engineer to “also look after security.”

As your organization grows, the built-in, cloud-native CSPM products such as AWS Security Hub are a good step up. But usually beyond 30-40 developers, and with the first dedicated security hire, it starts to make sense to look for a dedicated CSPM solution.

But every cloud environment is different. It’s best to start with your user story and document your organization’s needs, such as in the below CSPM evaluation matrix from Nextdoor:

With our Fix CSPM solution, we offer to talk to one of our security experts who can help you evaluate your options. Schedule a demo and we’ll help you decide what CSPM solution is a good fit for you.