The Merging of CSPM and CWPP
The implementation of hybrid multicloud infrastructures has increased the attack surface and decreased visibility, creating the need for a more comprehensive approach to security posture, workload protection and overall risk management. Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP) are integral to a company’s proactive and reactive remediation efforts to ensure security findings are eradicated before exploitation can occur. While both solutions are important, the industry is seeing a shift in how CSPM and CWPP are perceived and deployed with the utilization of hybrid multicloud infrastructures and cloud-native development, which was the topic of the 2021 Gartner® Market Guide for Cloud Workload Protection Platforms published in July 2021.
In the 2021 Gartner® Market Guide for Cloud Workload Protection Platforms, the authors identify that “the cloud workload protection platform (CWPP) market is increasingly overlapping with the cloud security posture management (CSPM) market and ‘shifting left’ into development to address the full lifecycle of cloud-native application process requirements.” 1 Further, it is stated that “emerging approaches, such as the use of agentless CWPPs, appeal to buyers because of their ease of deployment.” 1 The report outlines recommended steps for leaders to better secure their infrastructure through a combination of CSPM and CWPP, but let’s examine how these solutions together offer a more integrated and comprehensive approach to managing your security risk posture in hybrid multicloud environments.
What is CSPM?
CSPM, or cloud security posture management, defines the tools needed to help organizations identify vulnerabilities and misconfigurations in their cloud infrastructure. Effective CSPM will offer real-time, full-stack visibility and perform vulnerability assessments to identify risks, which are essential to ensure data residing within the infrastructure is appropriately secured and managed. But ultimately, CSPM is not what triggers remediation efforts when threats are detected.
What is CWPP?
According to Gartner, “CWPPs are workload-centric security solutions that protect server workloads in hybrid, multi-cloud data center environments.” 1 However, we at Caveonix think of CWPP in broader terms. While the general definition was initially designed to be agent-based and workload-centric, our expanded definition includes other application workloads and cloud-native services. We feel this definition is more suitable due to recent shifts in the market and cloud-native services used to build applications, including agentless deployment options, which the Market Guide states vendors should be “required…to support.” 1
In a hybrid multicloud approach, an enterprise runs workloads – including virtual machines (VMs), containers and cloud-native services – in both public clouds and private clouds/data centers. Gartner notes “most enterprises are purposefully using more than one public cloud infrastructure as a service (IaaS) platform, but still have on-premises workloads to protect.” 1 The increased use of cloud-native applications calls for security to “shift left,” or begin “proactively during development.” 1 As organizations have adopted a DevOps development approach, workloads have become more granular over time – evolving from physical servers to VMs to containers to serverless. The report states that “CWPPs must protect this architecture,” “regardless of the location or granularity of the workload.” 1
Why are these functions overlapping?
The overarching theme in the latest Market report is that the line between CSPM and CWPP is now blurred. Why? Because organizations realize that simply understanding their security posture is not sufficient, and mitigation action is needed to reduce the exposure window to a minimum and eliminate detected risks and vulnerabilities in near real-time.
Reducing the exposure window is critical, as the time it takes to compromise systems has shrunk significantly. We’ve heard of instances in which an S3 bucket with default open access was compromised in eight minutes, which is more concerning given the increased number of cyberattacks in the past year targeting both public and private sector companies. Some notable examples include JBS, a major meat supplier, and Colonial Pipeline, whose systems were crippled, leading to extended fuel shortages across the South. These instances demonstrate any organization’s vulnerability (regardless of sector or vertical), how rapidly attacks can spread, and the prolonged effects of a cyber incident.
CSPM and CWPP are the mechanisms needed to aid companies in detecting and mitigating these risks before they have the chance to escalate and adversely impact operations. CSPM identifies the problem, providing the visibility, vulnerability scans and datasets that set the mechanism in motion; CWPP is then engaged for action. CWPP executes the remediation, creating steps that can be carried out either by human or automated actions. These tools supplement one another, as they provide a better understanding of security and risk posture and protect hybrid multicloud applications and their cloud assets. Regarding their overlapping capabilities, CSPM and CWPP are similar in their abilities to analyze and assess risk; however, CWPP elevates these assessments by leveraging mitigation measures. As Gartner aptly points out, enterprises need to “consolidate CWPP and CSPM strategies over the next 12 to 24 months to reduce costs and complexity and identify risks better” to ensure rapid mitigation measures are implemented. 1
A Better Solution
From the beginning, Caveonix delivered on its vision for an integrated, agentless CSPM/CWPP platform that spanned the hybrid and multicloud, covering the full stack of an application with features including:
- Proactive risk management
- Conducting risk analytics for prioritizing mitigation actions
- Executing automated remediation actions that are policy-driven, building Robotic Process Automation (RPA) using our DefenseBot™ technology
- Implementation of actions such as updating security groups and creating quarantine zones to reduce the spread of malware infection
To put our technology in perspective, imagine an S3 bucket has been instantiated with public open access, creating a risk of information disclosure. Caveonix Cloud can detect the instantiation of this S3 bucket, evaluate the policy (CSPM), and, based on policy failure, remove the offending policy (CWPP) to secure the S3 bucket while notifying operations via an alert. The S3 bucket is secured in an exposure window of 30 seconds or less.
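The detect, evaluate (CSPM) and remediate (CWPP) loop sketched above, written out as an added Python example; this is illustrative code, not Caveonix’s own implementation. It assumes the bucket state has already been fetched and is represented as a plain dictionary (a constructed sample stands in for an API response, so nothing talks to AWS), uses the real S3 bucket-policy JSON shape and the four real PublicAccessBlock flag names, and treats a wildcard principal that is scoped by a Condition (for example to a VPC endpoint) as something to flag for review rather than auto-remove, because an automated remediation must not silently break legitimately scoped access.

```python
import json
from copy import deepcopy

# Constructed sample bucket state (not from any real account): one
# world-readable statement, one wildcard statement scoped to a VPC
# endpoint, one role-scoped statement, and a partially enabled
# PublicAccessBlock.
SAMPLE_BUCKET = {
    "name": "example-bucket",
    "public_access_block": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": False,
    },
    "policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-bucket/*"},
            {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-bucket/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
            {"Sid": "AppRole", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::example-bucket/*"},
        ],
    },
}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when the statement's Principal is the wildcard, i.e. anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def assess(bucket):
    """CSPM step: evaluate the bucket against a 'no anonymous access' policy.
    Returns a list of findings; each finding is a dict with a 'kind'."""
    findings = []
    for flag in PAB_FLAGS:
        if not bucket["public_access_block"].get(flag, False):
            findings.append({"kind": "pab_disabled", "flag": flag})
    for idx, stmt in enumerate(bucket.get("policy", {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Wildcard principal narrowed by a condition: not world-readable,
            # so surface it for a human rather than removing it automatically.
            findings.append({"kind": "review", "index": idx, "sid": stmt.get("Sid")})
        else:
            findings.append({"kind": "public_statement", "index": idx, "sid": stmt.get("Sid")})
    return findings


def remediate(bucket, findings):
    """CWPP step: return the hardened bucket state and an alert for operations.
    Only unconditional anonymous Allow statements are removed; the rest is kept."""
    fixed = deepcopy(bucket)  # never mutate the observed state in place
    drop = {f["index"] for f in findings if f["kind"] == "public_statement"}
    stmts = fixed.get("policy", {}).get("Statement", [])
    fixed["policy"]["Statement"] = [s for i, s in enumerate(stmts) if i not in drop]
    for f in findings:
        if f["kind"] == "pab_disabled":
            fixed["public_access_block"][f["flag"]] = True
    alert = {
        "bucket": bucket["name"],
        "removed_statements": sorted(stmts[i].get("Sid") or f"#{i}" for i in drop),
        "needs_review": sorted(f["sid"] or f"#{f['index']}" for f in findings if f["kind"] == "review"),
        "pab_enabled": sorted(f["flag"] for f in findings if f["kind"] == "pab_disabled"),
    }
    return fixed, alert


def detect_and_respond(bucket):
    """Full loop: assess, and remediate only when there is something to fix."""
    findings = assess(bucket)
    if not findings:
        return bucket, None
    return remediate(bucket, findings)


if __name__ == "__main__":
    hardened, alert = detect_and_respond(SAMPLE_BUCKET)
    print(json.dumps(alert, indent=2))
    print(json.dumps(hardened["policy"], indent=2))
```

Running the block removes only the PublicRead statement, turns on the two missing PublicAccessBlock flags, and leaves the VpcOnly and AppRole statements in place, with VpcOnly listed in the alert for review. In a real deployment the same assess/remediate split is what lets the policy check run continuously while the write-back is gated by policy, exactly the CSPM-feeds-CWPP flow the text describes.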
Caveonix Cloud is the industry-leading hyperscale security, compliance and governance platform for the hybrid multicloud. Caveonix reduces costs, saves time and simplifies compliance and governance by combining Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), Cloud Native Application Protection Platform (CNAPP) and automated Governance Risk and Compliance (GRC) in an integrated solution for hybrid multicloud environments. For additional guidance on enhancing your security posture, we recommend downloading our Security Posture Checklist.
As DevSecOps is evolving from deployment of cloud infrastructure to deployment of applications using cloud-native assets, let’s talk about the requirements for cloud-native application protection platform – or CNAPP – in our next blog.
1. Gartner, “Market Guide for Cloud Workload Protection Platforms”, Neil MacDonald, Tom Croll, July 12, 2021.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission.