What is Cloud Security Posture Management?

Cloud Security Posture Management (CSPM for short) is a term most likely coined by the research firm Gartner in a 2019 innovation paper.

In that paper, Gartner noted that “nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes.”

Cloud Security Posture Management (CSPM) is a set of tools/systems and processes/policies that are designed to reduce the risk of a public cloud data or compliance breach.

In their paper, Gartner specifically referred to CSPM as a new market sector for vendors. The tools that followed were initially designed to explore and monitor PaaS and IaaS environments. The best tools now automatically fix problems, saving Ops teams valuable time and reducing risk.

Who is Responsible For CSPM?

In a 2020 CISO MAG survey, 76% of respondents believed that their Cloud Service Provider (CSP) was entirely responsible for cloud security.

AWS and Azure, however, have other ideas.

AWS' shared responsibility model is clear that responsibility is split between AWS and the consumer of the service. AWS is responsible for the security of the cloud, but its customers are responsible for security in the cloud.

"AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services."

Figure: AWS shared responsibility model.

When it comes to Azure, Microsoft holds the same view as Amazon.

"In an on-premises datacenter, you own the whole stack. As you move to the cloud some responsibilities transfer to Microsoft."

The Azure shared responsibility model states that the customer is always responsible for “data, endpoints, accounts, & access management”. The further away you move from on-prem (IaaS, PaaS, then SaaS), the more responsibilities transfer to Microsoft.

Figure: Microsoft shared responsibility model.

Why is CSPM Important?

As cloud and micro-service usage grows, so does the number of unmanaged risks and, sadly, headline-making data breaches. Combine bad headlines with more regulatory standards and policies, and you have a recipe for cloud security that is more complex and higher risk than ever before.

Gartner’s view is that by 2025 “90% of the organizations that fail to control their public cloud use will inappropriately share sensitive data”.

Breaches seem to grow in profile year on year. Regulators are becoming less generous in the amount they fine companies that break the rules, whether they meant to or not. Class actions are more frequent, larger, and becoming commonplace in new parts of the globe.

But, the cost of fines and legal cases can still be dwarfed by the overnight reputational damage a breach can cause.

Now more than ever is the time to take control of your cloud security. Compliance isn't a fire drill; it's a 24/7 requirement.

Figure: Average organizational cost to a business in the United States after a data breach from 2006 to 2020 (in million U.S. dollars). Source: Statista.

How To Choose a CSPM Vendor

Since Gartner initially coined the term, CSPM tools have come a long way.

High profile data breaches regularly reinforce the need for effective CSPM, with the market projected to grow to $9 billion by 2026.

Initially, CSPM tools helped you discover and visualize your IaaS and PaaS asset inventory. The best CSPM tools now help you save time and minimize risk across your entire stack.

When you're looking for a tool, you should be making sure that its capabilities include:

  • Real-time, continuous visualization of your infrastructure
  • Multi-cloud asset discovery, classification, and risk assessment
  • Protection against common misconfiguration (e.g. expired keys, disabled logging, incorrect permissions, lack of encryption, updates not being run)
  • Codeless customizable automation to remediate common issues in real-time
  • Out of the box compliance with security frameworks such as PCI DSS, HIPAA, SOC 2, GDPR, etc.
  • Continuous delivery whilst enforcing DevOps and DevSecOps policies
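To make the capability list above concrete, here is an added example (not code from this page, and not Hyperglance's or any other vendor's implementation) of the core loop a CSPM tool runs: evaluate a set of misconfiguration checks against an asset inventory, report findings by severity, and automatically remediate the ones that are safe to fix without a human. The inventory, the check identifiers, and the 90-day key-rotation limit are all constructed for the example.

```python
"""Minimal posture-check engine: inventory -> findings -> auto-remediation -> re-check."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

# Constructed sample inventory for this example; not exported from any real account.
INVENTORY = [
    {"type": "bucket", "id": "logs-archive", "encryption": None,
     "access_logging": False, "public_access": True},
    {"type": "bucket", "id": "billing-data", "encryption": "aws:kms",
     "access_logging": True, "public_access": False},
    {"type": "iam_user", "id": "deploy-bot", "mfa_enabled": False,
     "access_key_created": date(2023, 1, 10)},
    {"type": "iam_user", "id": "alice", "mfa_enabled": True,
     "access_key_created": date(2024, 5, 1)},
]

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy for the example


@dataclass(frozen=True)
class Finding:
    check_id: str
    asset_id: str
    severity: str


@dataclass(frozen=True)
class Check:
    check_id: str
    asset_type: str
    severity: str
    # passes(asset, today) -> True when the asset is compliant
    passes: Callable[[dict, date], bool]
    # remediate(asset, today) mutates the asset into the compliant state;
    # None means the fix needs a human (e.g. a user must enrol an MFA device)
    remediate: Optional[Callable[[dict, date], None]]


# Constructed check catalogue covering the misconfiguration classes named in the text:
# missing encryption, disabled logging, incorrect (public) permissions, stale keys.
CHECKS = [
    Check("BUCKET-ENCRYPTION", "bucket", "high",
          lambda a, _: a["encryption"] is not None,
          lambda a, _: a.update(encryption="aws:kms")),
    Check("BUCKET-LOGGING", "bucket", "medium",
          lambda a, _: a["access_logging"],
          lambda a, _: a.update(access_logging=True)),
    Check("BUCKET-PUBLIC", "bucket", "critical",
          lambda a, _: not a["public_access"],
          lambda a, _: a.update(public_access=False)),
    Check("IAM-KEY-AGE", "iam_user", "high",
          lambda a, today: (today - a["access_key_created"]).days <= MAX_KEY_AGE_DAYS,
          lambda a, today: a.update(access_key_created=today)),  # simulated key rotation
    Check("IAM-MFA", "iam_user", "medium",
          lambda a, _: a["mfa_enabled"],
          None),  # cannot be automated: stays open for a person to action
]


def evaluate(inventory, checks, today):
    """Run every applicable check against every asset; return the failures."""
    findings = []
    for asset in inventory:
        for check in checks:
            if check.asset_type == asset["type"] and not check.passes(asset, today):
                findings.append(Finding(check.check_id, asset["id"], check.severity))
    return findings


def count_by_severity(findings):
    """Summarise findings the way a posture dashboard would."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def auto_remediate(inventory, checks, today):
    """Fix what can be fixed on a copy of the inventory; return (fixed, still_open)."""
    fixed = [dict(a) for a in inventory]  # never mutate the caller's inventory
    by_id = {c.check_id: c for c in checks}
    assets = {a["id"]: a for a in fixed}
    for f in evaluate(fixed, checks, today):
        check = by_id[f.check_id]
        if check.remediate is not None:
            check.remediate(assets[f.asset_id], today)
    return fixed, evaluate(fixed, checks, today)


if __name__ == "__main__":
    today = date(2024, 6, 1)
    found = evaluate(INVENTORY, CHECKS, today)
    print("findings:", count_by_severity(found))
    _, still_open = auto_remediate(INVENTORY, CHECKS, today)
    print("still open after auto-remediation:", still_open)
```

The split between checks that carry a remediation and checks that do not is the part worth copying: automated fixes should only be wired up where the compliant state is unambiguous (block public access, enable logging), and the re-evaluation after remediation is what turns a one-off scan into the continuous posture monitoring the list above asks for.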

CSPM Using Hyperglance

If you're looking to improve your cloud security posture, Hyperglance is the perfect place to start:

  • Hyperglance includes hundreds of out-of-the-box fully customizable checks, all designed to help you enforce policy and reduce your cloud bill
  • The checks run continuously, can trigger notifications, and are based on best practices and industry frameworks (CIS, NIST, NIST 800-53, NIST 800-171, AWS Well-Architected, HIPAA, PCI DSS, & FedRAMP)
  • Hyperglance also ships with an ever-growing library of automations designed to help you keep your cloud in check, and remediate in real-time
  • Hyperglance is self-hosted, deployed through the AWS & Azure Marketplaces, in Kubernetes, or installed on your own instance/VM