Discovering your Cloud Security Posture Management (CSPM) Maturity Level
Jan 26, 2022
Introduction
Cloud Security Posture Management (CSPM) is one of the fastest-growing areas within the field of cloud security; most security vendors are working on or already offering CSPM capabilities. However, enterprises are still trying to build the most effective CSPM program for their environment. In many cases, it is unclear where to start and what the end goal of the CSPM effort is.
To help simplify this process, this post will share guiding principles for implementing a CSPM maturity model, allowing you to assess your CSPM readiness and plan your own implementation journey.
Background
It may be useful to place CSPM in the larger context of the overall cloud security discipline.
Cloud security consists of the processes, technologies and best practices that are applied to protect cloud computing environments, applications running in the cloud, their accompanying infrastructure, and the data held in the cloud. Securing cloud services requires an understanding of what is being secured, how the cloud infrastructure is managed, and who is responsible for every asset in this complex environment.
One of the basic and most important components of any cloud security program is ensuring that cloud infrastructure is well protected; that is the component that requires a well-defined CSPM program and toolset. The other layers of the cloud security discipline include application security, workload protection, threat detection and response, data protection and others. All of these components contribute to the overall security posture of the organization.
Implementation of a CSPM program can include all or some of the steps in the application development lifecycle. Some companies will only monitor their runtime environment while others will incorporate posture management assessments in their pre-deployment environment as part of their CICD processes.
Historical Perspective
The big hype around IT compliance and security-related regulations started in the early 2000s with SOX (the Sarbanes-Oxley Act), continued with PCI DSS (the Payment Card Industry Data Security Standard) around 2006, and 10 years later with SOC 2 (a voluntary compliance standard developed by the American Institute of CPAs). All of these regulatory frameworks seek to assess IT systems and how their use can contribute to misrepresentations of financial statements, data inaccuracies, and fraudulent activity.
Back then, companies were running their IT environments on-premises, and regulatory practices were focused on manual assessments of IT systems using screenshots, spreadsheets, data center visits, and reviews of policies and logs.
As you can imagine, this kind of manual audit and risk-assessment work, focused on physical and software-produced artifacts, was inefficient and not robust. In addition, much of the time, compliance work was done to “check the box” from an audit perspective, without contributing to the company's overall security posture.
Fast forward many years, and we are now discussing continuous cloud security and compliance processes focused on the compliance of virtual assets. Mature APIs and standardization allowed this new discipline, and a Gartner category, to be born: CSPM (Cloud Security Posture Management). Accordingly, it looks like we finally have an opportunity to recreate these processes from scratch: to use automation, continuous validation, and remediation, and to embed security and compliance as early as possible in the development lifecycle. We are now able to automate and connect the dots between the compliance and security posture of a company.
CSPM overview
CSPM is an area of security that focuses on the security posture of cloud assets. IT security tools that fall under the CSPM category are designed to detect and remediate misconfigurations, ultimately assisting companies in their compliance and regulatory assessments. CSPM tools continuously monitor cloud infrastructure, identify gaps, and provide remediation solutions to fix misconfigurations.
CSPM Adoption
Current-generation CSPM tools have existed for about four or five years. As companies move to the cloud and as new companies are born in the cloud, and since we all know that misconfigurations are the primary cause of security breaches, the vulnerabilities created in the cloud become the customer's responsibility to prevent and take care of.
There are a lot of ways to implement CSPM processes and solutions:
CSPM Maturity Model
The pillars of the CSPM maturity model are defined based on past CSPM tool implementations and may evolve over time as we test and apply this model to more CSPM implementations. But the idea here is to identify what stage you are at now, where you want to be, and outline the steps on how to get there.
Here is a quick definition of the main pillars:
How to drive your CSPM Program Implementation?
As you begin to assess your CSPM readiness and plan the changes needed to improve protection of cloud assets, consider these key investments to help drive your CSPM implementation more effectively.
Through years of experience in the CSPM domain, I’ve found each of the following to be critical to closing important capability and resource gaps:
1. Continuously manage CSPM baseline policies: Define your key security controls. These can vary across environments based on regulatory requirements, data classification, mapping to attack vectors, etc. Ensure ongoing evaluation: watch out for regulatory changes, new cloud services your company is using, new features, and updates to the policies or rules that your selected CSPM tool vendor manages.
2. Automation: First and foremost, automation should be implemented carefully so that it does not cause production issues. Invest in automated triage and remediation to reduce your mean time to respond to misconfigurations. Start with the low-hanging fruit, making sure you understand which remediation activities are repetitive and can be automated. Roll automation out gradually, with human choke points in the early phases, until the automation can be fully trusted.
3. Enrichment and Intelligence: Use cloud intelligence and all available signals to better understand your assets and misconfigurations. You need to know when an open bucket is not an issue; for example, it is fine for your public website to be hosted in a public-facing S3 bucket.
4. Data classification and ownership: Discover, classify, tag and monitor your sensitive systems, assets, key data repositories and crown jewels. It's also important to define who will own remediation, in order to better prioritize and respond to misconfigurations.
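The four investments above, as an added illustration that is not part of the original post: a small triage routine over a constructed bucket inventory that applies baseline policies, suppresses a tagged public-website exception, prioritizes by data classification and owner, and only auto-fixes the low-risk encryption finding when a human has approved it (tag names, policy ids and the approval flag are assumptions).

```python
# Added example, not from the original post. Bucket, tag names, policy ids
# and the approval gate are assumptions chosen to illustrate the four pillars.
from dataclasses import dataclass, field


@dataclass
class Bucket:
    name: str
    public: bool
    encrypted: bool
    tags: dict = field(default_factory=dict)


# Constructed sample inventory (not real assets).
INVENTORY = [
    Bucket("corp-www", True, True, {"public-website": "true", "owner": "web-team", "data-class": "public"}),
    Bucket("finance-exports", True, False, {"owner": "finance", "data-class": "restricted"}),
    Bucket("scratch-logs", False, False, {}),
]

# Pillar 1: baseline policies expressed as predicates over the asset.
POLICIES = {"S3-PUBLIC": lambda b: b.public, "S3-UNENCRYPTED": lambda b: not b.encrypted}

# Pillar 2: only repetitive, low-risk fixes are eligible for automation;
# making a bucket private could break a website, so that stays a ticket.
AUTO_FIXABLE = {"S3-UNENCRYPTED"}

# Pillar 4: priority follows data classification; an untagged asset scores 0.
PRIORITY = {"restricted": 3, "internal": 2, "public": 1}


def enrich(bucket, policy_id):
    """Pillar 3: a public bucket that is a declared public website is not a finding."""
    if policy_id == "S3-PUBLIC" and bucket.tags.get("public-website") == "true":
        return "suppressed"
    return "open"


def triage(inventory, auto_remediate_approved=False):
    """Evaluate every policy against every bucket; return findings, highest priority first."""
    findings = []
    for b in inventory:
        for pid, violates in POLICIES.items():
            if not violates(b):
                continue
            status = enrich(b, pid)
            if status == "suppressed":
                action = "none"
            elif auto_remediate_approved and pid in AUTO_FIXABLE:
                action = "auto-fix"  # human choke point has been passed
            else:
                action = "ticket"    # route to the owner for manual remediation
            findings.append({"bucket": b.name, "policy": pid, "status": status,
                             "owner": b.tags.get("owner", "UNOWNED"),
                             "priority": PRIORITY.get(b.tags.get("data-class"), 0),
                             "action": action})
    return sorted(findings, key=lambda f: -f["priority"])
```

Unowned assets surface with owner "UNOWNED" so the tagging gap itself becomes visible in the triage output.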
Closing Thoughts
While a CSPM maturity model is most effective when integrated across all cloud environments, most organizations will need to take a phased approach that targets specific areas of their cloud based on their CSPM maturity, available resources, and priorities. It will be important to consider each phase carefully and align it with current business needs.
The first step of your journey does not have to be a large change to your CSPM process or toolset. Fortunately, each step forward will make a difference in reducing cloud risk and making your cloud journey more secure.
For more information about how your organization can improve its cloud security posture contact Tamnoon at [email protected] or visit www.tamnoon.io