CSPM, CASB, CNAPP, CIEM: What does the "C" stand for?
Cloud solutions are constantly evolving and have become essential to business activities, especially since the pandemic. Nevertheless, cloud security remains a major concern and is often difficult to manage for companies with limited resources. To address this, solutions exist to manage security and control your cloud environments at different levels (CSPM, CWPP, CIEM, CNAPP, CASB).
Cloud Security Posture Management
Cloud Security Posture Management (CSPM) answers the growing demand from companies for help with security risks and vulnerabilities in public cloud services. The best-known issues with cloud tenants are:
- complex cloud architectures;
- tons of configurations in different admin panels;
- lack of global visibility; and
- difficulty applying the same security practices that are applied on-premises.
With a CSPM, companies can more easily manage hybrid and multi-cloud environments, identify and correct cloud misconfigurations, and ensure compliance with standards in the cloud. The tool surfaces misconfigurations by raising alerts to security officers and can automatically act to change the configuration. There is usually an admin panel with a complete view presenting analysis of configuration and usage against general compliance requirements and "hand-defined" policies. With this simple, global visibility, security officers see the entire cloud configuration, and alerts are presented by risk priority.
In summary, CSPM is a security tool that provides control in the cloud environment through:
- Risk assessments;
- Unified and comprehensive view of the risk posture for the complete cloud architecture;
- Incident response and improved SOC productivity;
- Compliance management;
- Monitoring and automated remediation of security problems;
- DevSecOps integration.
According to a Gartner survey, cloud misconfiguration causes 80% of all data security breaches in a cloud environment. This shows the importance of CSPM in reducing the risk of exposing your data. Between 2018 and 2019, misconfiguration breaches cost companies at least 5 trillion.
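To make the CSPM behaviour described above concrete, here is an added example (not code from the article or from any CSPM vendor) of a minimal policy engine: it evaluates a constructed inventory of cloud resources against hand-defined policies and returns alerts ordered by risk priority. The resource fields, policy names and inventory records are assumptions built for the example, not any provider's real schema.

```python
# Added example (not from the article): a minimal CSPM-style policy engine.
# It evaluates a constructed inventory of cloud resources against hand-defined
# policies and returns alerts ordered by risk priority, as the article describes.
# All resource fields and policy names are assumptions, not any vendor's schema.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# (policy name, severity, resource type, check that is True when NON-compliant, remediation)
POLICIES = [
    ("storage-public-access", "critical", "bucket",
     lambda r: r.get("public_access", False),
     "Block public access and restrict the bucket policy to known principals."),
    ("storage-unencrypted", "high", "bucket",
     lambda r: not r.get("encryption_at_rest", False),
     "Enable server-side encryption at rest."),
    ("admin-port-open-to-world", "critical", "security_group",
     lambda r: any(rule["cidr"] == "0.0.0.0/0" and rule["port"] in (22, 3389)
                   for rule in r.get("ingress", [])),
     "Restrict SSH/RDP ingress to a bastion or VPN address range."),
    ("db-short-backup-retention", "medium", "database",
     lambda r: r.get("backup_retention_days", 0) < 7,
     "Set backup retention to at least 7 days."),
]

def evaluate(inventory):
    """Run every applicable policy over every resource; return prioritised alerts."""
    alerts = []
    for resource in inventory:
        for name, severity, rtype, check, remediation in POLICIES:
            if rtype == resource["type"] and check(resource):
                alerts.append({"resource": resource["id"], "policy": name,
                               "severity": severity, "remediation": remediation})
    # Highest risk first, then by resource id, so the report is stable and reviewable.
    alerts.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], a["resource"]))
    return alerts

# Constructed inventory, shaped like what a CSPM connector collects from cloud APIs.
SAMPLE_INVENTORY = [
    {"id": "bucket-customer-exports", "type": "bucket",
     "public_access": True, "encryption_at_rest": False},
    {"id": "bucket-internal-logs", "type": "bucket",
     "public_access": False, "encryption_at_rest": True},
    {"id": "sg-web-tier", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}, {"cidr": "0.0.0.0/0", "port": 22}]},
    {"id": "db-orders", "type": "database", "backup_retention_days": 1},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_INVENTORY):
        print(f'[{alert["severity"].upper():8}] {alert["resource"]}: {alert["policy"]}')
```

A real CSPM runs the same loop continuously against live API inventory and maps each policy to a compliance framework control; the ordering by severity is what turns thousands of findings into an actionable queue.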
Cloud Workload Protection Platform
A cloud workload protection platform (CWPP) is software that helps secure and manage the workloads (applications and data) that run in a cloud.
To understand what a CWPP is, one first needs to understand what a cloud workload is. A cloud workload refers to the tasks, processes and applications that run in a cloud computing environment, such as web servers, databases and other software used to support an organisation's operations and services. A CWPP addresses three needs:
- Security: Workloads differ from traditional on-premises applications, meaning that they also have unique security requirements and concerns. CWPP solutions enable an organisation to easily deploy tailored security controls that provide the level of visibility these cloud workloads require and protect them against common security threats.
- Visibility: Multi-cloud deployments can be complex and difficult to monitor and manage due to the variety of vendor-specific environments they contain. With CWPP, an organisation can implement a single solution across all environments and use network segmentation to achieve deeper visibility into traffic flows across its cloud-based and on-prem infrastructure.
- Compliance: Data protection regulations mandate that organisations implement certain security controls to properly protect the sensitive data in their possession. CWPP solutions will automatically scan for vulnerabilities and compliance violations that place this protected data at risk and implement security controls to meet compliance requirements.
CWPPs provide a range of security controls, such as host-based security (monitoring and protection), vulnerability scanning, incident detection and response, network security through traffic monitoring, application security, compliance and policy management, container and Kubernetes security orchestration, runtime protection, CI/CD pipeline security, and visibility and discovery.
Cloud Infrastructure Entitlements Management
Cloud Infrastructure Entitlements Management (CIEM) is an important process for managing and securing access to cloud infrastructure resources.
Nowadays, many companies are implementing multi-cloud architectures to optimise choice, cost and availability. The issue is that with such diversity in your cloud environment, it is difficult to track access privileges and assign entitlements correctly. There is also a lack of consistency and standards across cloud providers, which use different permission models, tools and terminology. Finally, security hygiene is often poor: companies rely on manual, risk-prone administrative practices to manage cloud permissions, leading to bad credential management and excessive privileges.
The purpose of a CIEM tool is to identify and manage the permissions, roles and policies that govern access to these resources. It provides visibility, control over outdated and excessive permissions, enforcement of the least-privilege principle, continuous monitoring and automated actions. By implementing CIEM, organisations can ensure that they have:
- Improved security: By managing access to cloud infrastructure resources, organisations can help prevent unauthorised access and reduce the risk of security incidents.
- Enhanced compliance: By properly managing permissions and access to resources, organisations can help ensure compliance with various regulations and standards.
- Optimised resource use: By carefully managing entitlements, organisations can help ensure that resources are used efficiently and effectively, reducing waste and unnecessary costs.
To implement CIEM, organisations can use tools and platforms such as identity and access management (IAM) systems, governance frameworks, and compliance tools. By effectively managing entitlements, organisations can ensure that their cloud infrastructure is secure, compliant, and well managed.
As with all tools presented in this article, even though they help companies cut unnecessary costs by optimising their tooling and reducing data leakage, they come at a cost of their own. Implementing and maintaining a CIEM system involves costs for tools, training and personnel.
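The "outdated and excessive permissions" control described above can be shown with an added example (not code from the article or from any CIEM product): a CIEM-style entitlement review that expands an identity's IAM-style policy statements (wildcards included) against an action catalogue, compares the result with the actions the identity actually used over an observation window, and produces a least-privilege recommendation. The identity names, action catalogue, policy and activity log are all constructed for the example, not real provider data.

```python
# Added example (not from the article): a CIEM-style entitlement review.
# It compares the actions an identity is granted (IAM-style policy statements,
# wildcards included) with the actions it actually used, and reports wildcard
# grants and unused permissions, the "excessive permissions" control the
# article describes. Identities, actions and log entries are constructed.
from fnmatch import fnmatchcase

def expand_grants(statements, known_actions):
    """Resolve wildcard patterns such as 's3:*' against the provider's action catalogue."""
    granted = set()
    for stmt in statements:
        if stmt.get("effect", "Allow") != "Allow":
            continue
        for pattern in stmt["actions"]:
            granted.update(a for a in known_actions if fnmatchcase(a, pattern))
    return granted

def review_identity(identity, statements, activity, known_actions):
    """Return a least-privilege recommendation for one identity."""
    granted = expand_grants(statements, known_actions)
    used = {e["action"] for e in activity if e["identity"] == identity}
    wildcard_grants = sorted(p for s in statements for p in s["actions"] if "*" in p)
    return {
        "identity": identity,
        "granted": len(granted),
        "used": len(used),
        "wildcard_grants": wildcard_grants,
        "unused_actions": sorted(granted - used),
        # Least-privilege policy: only the actions the identity demonstrably needs.
        "recommended_actions": sorted(used & granted),
    }

# Constructed action catalogue, policy and activity log (not real provider data).
KNOWN_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "s3:ListBucket",
                 "iam:CreateUser", "iam:PassRole", "ec2:DescribeInstances"]
REPORT_ROLE_POLICY = [{"effect": "Allow", "actions": ["s3:*", "ec2:DescribeInstances"]}]
ACTIVITY_LOG = [
    {"identity": "reporting-role", "action": "s3:GetObject"},
    {"identity": "reporting-role", "action": "s3:ListBucket"},
    {"identity": "reporting-role", "action": "ec2:DescribeInstances"},
    {"identity": "deploy-role", "action": "iam:PassRole"},
]

if __name__ == "__main__":
    result = review_identity("reporting-role", REPORT_ROLE_POLICY, ACTIVITY_LOG, KNOWN_ACTIONS)
    print(f'{result["identity"]}: {result["used"]}/{result["granted"]} granted actions used')
    print("wildcard grants:", result["wildcard_grants"])
    print("unused (candidates for removal):", result["unused_actions"])
    print("recommended least-privilege actions:", result["recommended_actions"])
```

In practice the observation window has to be long enough to cover rare but legitimate actions (quarterly jobs, disaster-recovery paths) before unused permissions are removed, which is why CIEM tools recommend rather than revoke by default.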
Cloud Native Application Protection Platform
Cloud Native Application Protection Platform (CNAPP) is the centralisation of many security functions inside one single user interface. A CNAPP bundles Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), Cloud Infrastructure Entitlement Management (CIEM) and CI/CD security into one end-to-end solution to secure your cloud environment.
A CNAPP is a solution to protect your cloud-native applications from cyber threats. Cloud-native applications are designed for cloud deployment and are composed of microservices that communicate through APIs. A CNAPP can be deployed as a service, as a software solution or as a hybrid of the two. It ensures the security and availability of cloud-native applications and that they meet compliance requirements.
CNAPPs provide security features such as:
- Network segmentation;
- Runtime protection (e.g. RASP, WAF);
- Vulnerability management (e.g. scanners, patch management);
- Identity and access management (e.g. SSO, MFA);
- Compliance monitoring;
- Incident response (e.g. plans, teams, forensics).
As a unified security solution, a CNAPP offers complete security coverage to help you keep up with ephemeral, containerised, and serverless environments, providing:
- A single pane of glass, improving team collaboration and efficiency by identifying and correlating minor issues, individual events, and hidden attack vectors into intuitive visual flows with alerts, recommendations, and remediation guidance to support informed decisions.
- Reduced complexity and overhead, replacing multiple point products with a complete picture of risk via comprehensive visibility into configurations, assets, permissions, code, and workloads. A CNAPP analyses millions of attributes to prioritise the most critical risks.
- Comprehensive cloud and services coverage, with visibility and insights across your entire multi-cloud footprint, including IaaS and PaaS, extending across VM, container and serverless workloads and into dev environments, to identify and remediate risks early.
- Security at the speed of DevOps, integrating with IDE platforms to identify misconfigurations or compliance issues during development and CI/CD, as well as with SecOps ecosystems to trigger alerts, tickets, and workflows on violations so teams can act immediately.
- Guardrails to distribute security responsibility, injecting security controls at each level of the DevOps cycle, with native integrations into existing development and DevOps tools. Implementing guardrails enables developers to take ownership of security in their work, reducing friction between security and the DevOps team to better support DevSecOps.
Cloud Access Security Broker
Cloud Access Security Broker (CASB) is a security tool that sits between an organisation’s on-premises infrastructure and the cloud services that the organisation uses. Its primary function is to provide visibility and control over the use of cloud services, and to protect against data leaks and security threats.
CASBs work by monitoring and analysing all traffic between the organisation's on-premises infrastructure and the cloud services that it uses. They use this information to enforce policies designed to protect against data leaks and other security threats. CASBs can be configured to block certain types of traffic, such as traffic from specific countries or traffic associated with known security threats. They also provide visibility into cloud usage and activity by monitoring and reporting on it.
CASBs are also used to enforce compliance with various regulations, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA). CASBs help organisations meet regulatory compliance requirements by automating compliance checks and providing built-in compliance templates and reporting capabilities.
A CASB includes a data loss prevention (DLP) component that monitors and protects data in the cloud by identifying sensitive data and blocking it from being uploaded, downloaded or shared.
CASBs can be deployed in several different ways, such as a hardware appliance, a virtual appliance, or a cloud service. They can be used to protect against a wide range of security threats, including malware, phishing attacks, and unauthorised access to sensitive data.
A CASB also provides an additional layer of authentication and access control by enforcing policies such as multi-factor authentication, device registration and access controls. CASBs can provide encryption and tokenisation services to help protect sensitive data in transit and at rest.
Many solutions exist to manage security inside a complex cloud architecture. All of these tools provide better visualisation and monitoring capabilities, ensure compliance and cover many other security aspects, but buying licences and training your team has a cost. Nevertheless, using these tools also reduces the complexity of managing your cloud environment and the risk of data exposure, which helps avoid financial losses as well.
As Gartner reported, 80% of cloud data breaches come from misconfigured cloud services, which can be avoided by using a CSPM, for example. Companies have to assess which tools are necessary depending on their cloud architecture and their activities.