Cloud Security

What Are Cloud Security Posture Management Tools?

Many security product vendors are now offering CSPM (Cloud Security Posture Management) as part of their portfolio -- so what is CSPM and why might you need it?

Author: Mike Small, senior analyst, KuppingerCole

In their race towards digital transformation, organizations are using cloud services to accelerate the development of new apps and improve efficiency. This provides many important business benefits but also increases the challenges of ensuring cyber-security and regulatory compliance. CSPM solutions are intended to provide a way to identify and control some of these risks.

  • They supplement CASBs (Cloud Access Security Brokers), which focus on SaaS and provide visibility into how employees are accessing cloud services together with control of access to sanctioned cloud services.
  • CSPM provides visibility into potential vulnerabilities in the configuration of cloud services with a focus towards IaaS.

Cloud Access Security Brokers

The initial concerns over organizational use of cloud services stemmed from employees using publicly available SaaS services they were already familiar with in order to “get the job done”. Typically, this was done to bypass organizational security controls that were perceived as obstructive, or to obtain functionality lacking in organizational systems, often without consideration of the wider risks involved. These risks include, for example, the use of untrustworthy services that could expose sensitive and regulated data to leakage as well as to infection by malware. CASB solutions were developed to plug this gap. However, while CASBs help to control the use of SaaS, they do not adequately cover the secure configuration of the IaaS / PaaS used for DevOps.

Cloud Security Posture Management

Within organizations, the GRC (Governance, Risk and Compliance) function sets the risk posture and IT Security translates this into concrete controls around the services. When IT services are delivered on-premises the responsibility for this is clear and lies within the IT organization. When IT services are delivered through the cloud the responsibility for security and compliance is shared between the cloud customer and the cloud service provider and this can lead to gaps in the customer’s controls. CSPM tools are intended to help customers to identify and plug the gaps in the customer’s controls.

As organizations go through digital transformation, they are adopting DevOps using IaaS / PaaS cloud services to create new applications and to modernize their existing ones. This avoids the need for capital expenditure as well as the lengthy procurement delays involved when new hardware is needed. In addition, some organizations are now using cloud services to back up their business-critical data. This increases the need to ensure that DevOps use of cloud services takes care of security and compliance.

While the major cloud service providers go to great lengths to secure the infrastructure of their environments, it is up to the customer to secure their own use of these services. This is often outside the skills of DevOps teams, or is simply overlooked, and the result can be critical vulnerabilities that cyber-adversaries can exploit.

The hyper-scale CSPs such as AWS and Azure provide easy access to the capabilities needed by development teams to accelerate the creation of critical new business applications; examples include the recently announced Azure Arc and AWS Control Tower. However, these have typically only applied to the vendor’s own cloud services. CSPM tools claim to provide a single point from which to manage these risks across multiple clouds.

The vulnerabilities that result from the customer’s side of the shared-responsibility model often include:

  • The customer’s administrative accounts may be poorly secured.
  • The number of resources used may not be fully understood or properly controlled by the customer.
  • Access controls on the resources may be improperly configured allowing public access.
  • Where data is stored, and workloads are run may not be properly controlled.
  • Sensitive or controlled data may be copied and even shared with third parties for testing purposes.
  • The customer’s technical stack, from the OS through the middleware, may be vulnerable through poor configuration and lack of patching.
  • The tools provided to secure the cloud services may not be used or incorrectly configured.

CSPM Key Capabilities

CSPM solutions should support the capabilities needed to address these challenges in a consistent way across multiple cloud services. The key focus is on identifying and protecting the in-cloud components of services delivered through IaaS / PaaS by mapping the in-cloud controls to the required policies; where there are deviations, the tools alert and remediate. Note that CSPM tools do not in general implement the controls themselves; rather, they provide a consistent way to exploit the security functionality already provided by the cloud services.

Key capabilities include:

  • Ensure that authentication and access controls meet policies. Focus on the cloud administrators and DevOps users (rather than the end-users of the hosted applications).
  • Ensure that the controls over access to cloud services and cloud resources are in line with policies and consistent with the controls over access to on-premises systems. Focus on cloud administrators and DevOps users.
  • Policy-based definition and enforcement over who can access what data, while ensuring compliance standards are met. Focus on cloud administrators and DevOps users.
  • Prevent compromise by exploitation of application vulnerabilities through ensuring that patching and security controls meet policy.
  • Track and enforce in-cloud network configurations to meet policy.
  • Manage in-cloud VM operating systems, storage solutions, and related systems to comply with the policy to prevent unpatched vulnerabilities and ensure best practice.
  • Manage container-based workloads to ensure compliance with policies and best practices in the same way as for other delivery models.
  • Out-of-the-box policies that support major compliance needs and security frameworks such as ISO/IEC 27001, NIST, PCI-DSS, GDPR, CCPA, etc.
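To make the "map controls to policy, alert on deviations" model concrete for both the vulnerability list and the capability list above, here is a small posture-check engine added as an illustration; it is not code from the article or from any CSPM product. The inventory, policy names, regions and severities are constructed for the example; a real tool would pull the inventory from the providers' APIs and feed the findings into alerting and remediation.

```python
from dataclasses import dataclass
from collections import Counter
# Constructed inventory: resources across two clouds, in the shape a CSPM tool
# might hold after pulling them from provider APIs (ids and fields are assumed).
INVENTORY = [
    {"id": "aws:iam:admin-ops", "type": "admin_account", "mfa": False},
    {"id": "azure:user:cloudadmin", "type": "admin_account", "mfa": True},
    {"id": "aws:s3:customer-exports", "type": "storage",
     "public": True, "region": "us-east-1", "data_class": "regulated"},
    {"id": "azure:blob:build-cache", "type": "storage",
     "public": True, "region": "westeurope", "data_class": "internal"},
    {"id": "aws:ec2:web-1", "type": "vm",
     "region": "eu-west-1", "pending_critical_patches": 3},
]
ALLOWED_REGIONS = {"eu-west-1", "westeurope"}  # assumed data-residency policy

@dataclass(frozen=True)
class Finding:
    resource: str
    policy: str
    severity: str

# Each policy turns one listed risk into a check; returns a Finding on deviation.
def policy_admin_mfa(r):
    if r["type"] == "admin_account" and not r["mfa"]:
        return Finding(r["id"], "admin-accounts-require-mfa", "high")

def policy_no_public_regulated_data(r):
    if r["type"] == "storage" and r["public"] and r["data_class"] == "regulated":
        return Finding(r["id"], "no-public-access-to-regulated-data", "critical")

def policy_data_residency(r):
    if "region" in r and r["region"] not in ALLOWED_REGIONS:
        return Finding(r["id"], "resources-in-approved-regions-only", "medium")

def policy_vm_patching(r):
    if r["type"] == "vm" and r["pending_critical_patches"] > 0:
        return Finding(r["id"], "no-outstanding-critical-patches", "high")

POLICIES = [policy_admin_mfa, policy_no_public_regulated_data,
            policy_data_residency, policy_vm_patching]

def evaluate(inventory, policies=POLICIES):
    """Map every resource against every policy, whatever the cloud; return deviations."""
    return [f for r in inventory for p in policies if (f := p(r)) is not None]

def summarize(findings):
    """Deviation counts by severity, as a posture dashboard would report them."""
    return dict(Counter(f.severity for f in findings))
```

Note that the public internal-only bucket produces no finding: the policy, not the raw configuration, decides what counts as a deviation, which is why the policy set has to be derived from the organization's own GRC posture.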

Digital transformation is driving the use of cloud services and DevOps is the engine that enables business growth. Risk and compliance management see the use of cloud services and rapid development as factors that increase the risks of compliance failure and business risks following cyber-attacks. CSPM tools help organizations to ensure the secure and compliant use of IaaS clouds for their digital transformation.


Mike Small is a senior analyst at KuppingerCole.