Cloud Security Posture Management (CSPM): Necessary, But Not Sufficient
Managing the risk and compliance of your cloud-based applications can be very challenging. The cloud is a great place to innovate. It offers an agile environment in which to employ new technologies like containers. It provides you the elasticity to scale your capacity up or down rapidly in concert with the demands of your business. And it offers potential cost savings over your legacy datacenter. Still, these benefits come with their own cloud-driven costs.
Take, for example, the average lifecycle of a container, which is two and a half hours. Consider also that the cloud operates on a shared responsibility model, where the cloud provider takes responsibility for the security of their infrastructure or platform services, and the organization is responsible for configuring the infrastructure and everything within that infrastructure (e.g. applications and data). Meanwhile, that boundary of responsibility shifts depending on whether Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Function as a Service (FaaS) or a serverless environment is being used. The challenge of securing such an environment is daunting.
Most enterprises start managing the risk and compliance of their cloud deployments with a Cloud Security Posture Management (CSPM) solution. The function of CSPM is to identify excessive cloud infrastructure risk based on compliance with common frameworks such as ISO 27001, regulatory requirements such as the Payment Card Industry Data Security Standard (PCI-DSS), or enterprise policies. CSPM solutions should proactively identify and evaluate the risk of cloud services configurations (such as network and storage configurations) and security settings (such as account privileges and encryption). *
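As an added illustration (not Caveonix code or product logic) of the kind of evaluation a CSPM performs, the following Python script applies posture rules to a constructed, simplified inventory covering a storage bucket, a network security group and an IAM user; the resource shapes, rule ids and severities are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed inventory, not exported from a real account; attribute names are simplified.
INVENTORY = [
    {"type": "storage_bucket", "id": "logs-archive", "public_read": True, "encrypted": False},
    {"type": "storage_bucket", "id": "app-assets", "public_read": False, "encrypted": True},
    {"type": "security_group", "id": "sg-web",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "iam_user", "id": "deploy-bot", "policies": ["AdministratorAccess"], "mfa": False},
]
ADMIN_PORTS = {22, 3389}            # remote-administration ports that should not face the internet
ANY_CIDR = {"0.0.0.0/0", "::/0"}    # "anywhere" source ranges

@dataclass(frozen=True)
class Finding:
    resource_id: str
    rule_id: str      # assumed rule identifiers for this example
    severity: str     # HIGH or MEDIUM
    detail: str

def check_bucket(r):
    if r["public_read"]:
        yield Finding(r["id"], "STOR-001", "HIGH", "bucket grants public read access")
    if not r["encrypted"]:
        yield Finding(r["id"], "STOR-002", "MEDIUM", "encryption at rest disabled")

def check_security_group(r):
    for rule in r["ingress"]:
        if rule["port"] in ADMIN_PORTS and rule["cidr"] in ANY_CIDR:
            yield Finding(r["id"], "NET-001", "HIGH", f"port {rule['port']} open to {rule['cidr']}")

def check_iam_user(r):
    if "AdministratorAccess" in r["policies"] and not r["mfa"]:
        yield Finding(r["id"], "IAM-001", "HIGH", "administrative user without MFA")

CHECKS = {"storage_bucket": check_bucket, "security_group": check_security_group,
          "iam_user": check_iam_user}

def evaluate(inventory):
    """Run every applicable rule over every resource; unknown resource types are skipped."""
    findings = []
    for resource in inventory:
        findings.extend(CHECKS.get(resource["type"], lambda _r: ())(resource))
    return findings

def severity_counts(findings):
    """Aggregate findings by severity, the number a posture dashboard would report."""
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.severity}] {f.rule_id} {f.resource_id}: {f.detail}")
    print(severity_counts(evaluate(INVENTORY)))
```

A real CSPM would pull the inventory from the provider APIs and map each rule id to a framework control; here the mapping step is left out to keep the rule logic visible.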
When evaluating a CSPM solution, it’s important to ask whether the vendor’s innovation has kept pace with the innovation cycles of the cloud services providers themselves. AWS currently offers over 100 service offerings. Does the vendor only cover the basics like Elastic Compute Cloud (EC2) and Simple Storage Service (S3)? Another consideration is how many clouds your organization is operating within. Many enterprises start in AWS but rapidly go multi-cloud – usually three to five clouds with plans for more. Meanwhile, if you’re like the typical enterprise, 80% of your workloads are still in your datacenter – which means you’re running what’s known as a hybrid cloud. Your datacenter is actually your biggest cloud, and if your CSPM can’t monitor your datacenter, it’s a 20% solution at best. You need a vendor that supports all your cloud environments.
CSPM is a great first step in securing your journey to the cloud. But does it go far enough? If you’re in a regulated industry, the answer is no. Don’t expect to pass a compliance audit if you cannot also show the continuous compliance of the applications you’re running on your cloud infrastructure. For that, you need what we at Caveonix call full-stack compliance. In order to achieve this, you also need to incorporate a Cloud Workload Protection Platform (CWPP) into your solution. CWPP will identify known vulnerabilities and misconfigurations at the operating system and application levels in your stack.
Now, if you have CSPM and CWPP in a single platform and can continuously monitor your risk and compliance, do you have the full package? Maybe it’s time to take a step back and ask how you govern your journey to the cloud from the outset. As you move your applications to the cloud, how do you document the controls you will implement for them? Cloud governance is a necessary component of your journey to the cloud (and integral to your compliance audit). Governance drives compliance. Your ultimate goal is continuous compliance monitoring of the full stack of all your applications, regardless of where they’re running.
At Caveonix, we’re dedicated to helping you achieve that goal. Caveonix Cloud is our digital risk management platform designed to govern your digital transformation and enable continuous compliance monitoring of your hybrid cloud. The Caveonix Cloud Suite platform integrates CSPM, CWPP, and governance, risk and compliance (GRC) in a single platform. Request a free trial of Caveonix Cloud Suite today.
* Source: Gartner Group Innovation Insight for Cloud