How to make sense of CSPM, CAASM, CIEM, CNAPP
Did you come here because you typed “What is CSPM” or “Do I need a CIEM?” into the search engine? Maybe even “Do I really need 20 different security products?”.
You’re not alone. These are questions we have been hearing from many people over the last 2 years.
The last few years have not been great for the majority of organisations worldwide.
During the COVID-19 pandemic, cybercrime increased by 600%. The total cost of all cybercrime damages in 2021 alone is expected to amount to almost $6 trillion worldwide.
The worst bit is that, according to IBM research, it takes on average up to 280 days to find and contain a cyberattack. In a lot of cases where this number is lower, it is actually the attackers disclosing the event to the victim.
At the same time in 2021 the worldwide public cloud revenue grew by over 20% from $270 billion USD in 2020 to over $330 billion USD.
The question a lot of organisations and security professionals specifically ask themselves is “what can we do?”.
This article aims to explain what tools are available to cloud security professionals and what they mean.
We will look at some of the Gartner acronyms many people talk about in relation to public cloud security.
Cloud Security Posture Management is probably the most commonly known and used acronym.
CSPMs originally tested cloud infrastructure for adherence to compliance frameworks like CIS (Center for Internet Security), PCI-DSS, NIST, ISO etc.
When cloud environments were smaller in scale, and maybe even focused on a single cloud service provider, this might have been helpful to some extent, but organisations quickly realised that CSPMs created a lot of alerts.
After time-consuming, manual investigation of those alerts to add the context needed for the full picture, teams often found that the alerts were best-practice issues rather than security issues.
In a world where we barely have time to do anything, CSPMs quickly became a waste of time, often disappointing the teams they were supposed to assist in improving the overall security posture.
Cloud Attack Surface Management is the continuous discovery of attack vectors in an organisation’s cloud environment. This includes the discovery of assets in the cloud and the prioritisation and remediation of those attack vectors.
This type of product presents the environment to a team from the attacker’s point of view.
Knowing about an attacker’s “way in” is a great start, but typically these alerts still need more context.
- what application is running on this instance?
- what database is this that is also on this attack path?
- what permissions are applied to vulnerable assets?
This again requires manual investigation or correlation of data across multiple tools.
Cloud Infrastructure Entitlement Management (this is very different from SIEM) is a new-ish product category that analyses the permissions / entitlements that have been applied to cloud-based systems, services or users.
With larger scale and more and more cloud sprawl, understanding what can access what, and how, becomes difficult to the point of being impossible.
An overly permissioned cloud system that is vulnerable to external attackers allows an attacker to “jump” to other cloud systems, even straight to the cloud management plane, without any network connection between the systems.
With hundreds and often thousands of entitlements applied in a cloud system, it is difficult to get clear visibility into what is happening and how things hang together. This has been a problem forever, even before cloud came along, but it has become even worse now that cloud environments are so easily exposed to the internet.
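An added illustration of the correlation the CAASM and CIEM sections above argue for (example code written for this article, not any product's or the author's own; the inventory, role names and policy statements are constructed sample data in an AWS-style shape): it scores each asset by combining exposure and vulnerability with the entitlements of the role it runs under, so the exposed host whose role can reach the management plane rises to the top of the list.

```python
# Constructed sample inventory: what a CSPM/CAASM view knows about each asset
# (exposure, a known weakness, the workload on it) plus the role it runs under.
ASSETS = {
    "web-01":   {"exposed": True,  "vuln": True,  "role": "web-role",   "workload": "payments-api"},
    "batch-07": {"exposed": False, "vuln": True,  "role": "batch-role", "workload": "nightly-etl"},
    "db-03":    {"exposed": False, "vuln": False, "role": "db-role",    "workload": "orders-db"},
}

# Constructed IAM-style policy statements attached to each role (what a CIEM view adds).
POLICIES = {
    "web-role": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::static-assets/*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
    "batch-role": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}],
    "db-role": [{"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": "arn:aws:logs:*:*:*"}],
}

# Action namespaces that reach the management plane or change who may do what.
CONTROL_PLANE_PREFIXES = ("iam:", "sts:", "organizations:")

def _actions(stmt):  # "Action" may be a single string or a list
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)

def entitlement_risk(statements):
    """Score a role's Allow statements for wildcards and management-plane reach."""
    score, reasons = 0, []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for act in _actions(stmt):
            if act == "*" or act.endswith(":*"):
                score, reasons = score + 2, reasons + [f"wildcard action {act}"]
            if act == "*" or act.startswith(CONTROL_PLANE_PREFIXES):
                score, reasons = score + 3, reasons + [f"control-plane action {act}"]
        if stmt.get("Resource") == "*":
            score, reasons = score + 1, reasons + ["resource *"]
    return score, reasons

def prioritise(assets, policies):
    """Rank assets: reachability and weakness multiplied by what the role can do."""
    ranked = []
    for name, asset in assets.items():
        ent, reasons = entitlement_risk(policies[asset["role"]])
        reach = (3 if asset["exposed"] else 0) + (2 if asset["vuln"] else 0)
        # an exposed, vulnerable host with broad entitlements is the "jump" point
        ranked.append({"asset": name, "workload": asset["workload"],
                       "score": reach * (1 + ent), "why": reasons})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

The weights are illustrative; the point is that neither the exposure data nor the entitlement data alone produces this ordering.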
Cloud-Native Application Protection Platform is a fairly recent addition to the world of cloud security products as well. Organisations realised that CSPMs and other products like CWPP (Cloud Workload Protection Platform) are too narrowly focused and have not managed to substantially improve their cloud security posture.
CNAPP is a combination, almost an evolution, of CSPM and CWPP, where infrastructure and workloads are finally seen as one. Something that has been clear to many organisations practicing cloud at scale for a while now, that workloads and infrastructure must not be treated as separate entities, is now making its way across the broader industry.
Putting it all together
Are we telling you that you need to buy a product for each of the Gartner acronyms in order to be secure? You probably landed on this article because you were searching for a specific acronym.
Let us tell you, you don’t need one of each; you need one that covers all these areas so it gives you all the context on an alert / detection that you and your team need, at a glance. Talk to your team and ask them what they need.
They will likely tell you how little context products give them. How one thing in one product does not correlate to something in another, or information is completely missing.
The industry going forward will have to consolidate products in order to be helpful and actually make a noticeable impact on organisations' security posture.
Don’t get hung up on acronyms. Check your requirements and find something that fits YOUR requirements.