What is cloud security posture management?
Cloud security posture management, also known as CSPM, is a key component of cloud data security, as it scours cloud environments and alerts staff to configuration vulnerabilities in the cloud services as well as compliance risks, most of which stem from human error.
In its Innovation Insight for Cloud Security Posture Management report, Gartner defined a new category of products that automate security and compliance assurance and address the need for proper control over cloud infrastructure configurations, calling this category Cloud Security Posture Management (CSPM). In 2020, the adoption of CSPM solutions was strong, and it's projected to reach 25 percent in the next few years. Organizations are realizing that this is a “must have” cloud security tool.
Why do we need it?
The adoption of cloud services and cloud-based applications has been a boon to businesses and employees, providing new levels of productivity and flexibility. As these tools are open to the internet and readily available to anyone, they can expose businesses to greater risk of cybersecurity threats, including data breaches. Despite training and everyone’s best efforts, vulnerabilities remain and security issues arise, putting sensitive data at risk. IT security, risk, and business leaders continue to encounter:
- Data breaches resulting from misconfigurations of cloud infrastructure, which continue to expose enormous amounts of sensitive data, leading to legal liability and financial losses.
- Continuous compliance for cloud apps and workloads, which is impossible to achieve using traditional on-premises tools and processes.
- Challenges implementing cloud governance (visibility, policy enforcement across business units, lack of knowledge about cloud security controls), which continue to increase as cloud adoption grows within the organization.
Among these, data breaches receive the most attention and account for the greatest damage to an organization. For example:
- The IBM Cost of a Data Breach 2019 report estimated the average cost of a data breach at $3.9 million globally and $8.2 million nationally. The loss of customer trust and the resulting loss of business is the largest component of this average cost calculation.
- A recent data breach report from Risk Based Security shows 15 billion records exposed in 2019, a significant jump from recent years. Four breaches caused by misconfigured databases exposed 6.7 billion records in Q4 2019
- The IBM X-Force Threat Intelligence Index 2020 report has shown a nearly tenfold year-over-year increase in records exposed due to misconfigurations, accounting for 86 percent of the total records compromised in 2019.
What do CSPM solutions do?
CSPM services conduct continuous monitoring of the following activities and can include automation capabilities to correct issues without human intervention or delay.
- Identify your cloud environment footprint and monitor for the creation of new instances or buckets, such as S3 buckets.
- Provide policy visibility and ensure consistent enforcement across all providers in multi-cloud environments.
- Scan your compute instances for misconfigurations and improper settings that could leave them vulnerable to exploitation.
- Scan your storage buckets for misconfigurations that could make data accessible to the public.
- Audit for adherence to regulatory compliance mandates, such as HIPAA, PCI-DSS, and GDPR, among others.
- Perform risk assessments vs. frameworks and external standards, such as the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST).
- Verify that operational activities are being performed as expected (e.g., key rotations).
- Automate remediation or remediate at the click of a button.
How does Zscaler help with Cloud Security Posture Management
The challenge that many CSPM solutions face is that, as point products, they can’t integrate into an organization's security and data protection tools. This provides siloed visibility, which raises security risks.
Zscaler CSPM uniquely solves siloed visibility by automatically identifying and remediating application misconfigurations as part of the comprehensive, 100 percent cloud-delivered data protection capabilities in the Zscaler Zero Trust Exchange, the global cloud platform that powers all Zscaler services.
Zscaler CSPM automates security and compliance for cloud assets and cloud applications, delivering continuous visibility and enforcing adherence to the most comprehensive set of security policies and compliance frameworks. Offered as a multitenant SaaS, Zscaler CSPM enables seamless integration with customer cloud infrastructure, quick data collection, comprehensive dashboards, and reports. Zscaler CSPM supports integrations with multiple cloud providers, providing continuous integration and continuous delivery (CI/CD) pipelines and ticketing systems, and enables auto-remediation. Customers can easily enforce their corporate information security standards across their IaaS providers, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, and their SaaS providers including Microsoft 365 to prevent misconfiguration-related data breaches.
Zscaler CSPM automates visibility into the status of more than 1,500 security policies and 14 compliance frameworks across AWS, Azure, and Microsoft 365. The product also allows organizations to create their own private benchmarks, supports large-scale application environments, and allows rapid adoption of DevSecOps.
The Zscaler CSPM:
- Collects real-time configurations: The application is granted access to customer cloud environments (AWS, Azure, Microsoft 365, Google Cloud Platform, or any other cloud service). It then collects actual configurations of cloud infrastructure over APIs. A small subset of policies may require the installation of an agent.
- Identifies cloud misconfigurations: It compares discovered configurations against built-in security policies and identifies misconfigurations at the security policy and resource level. It also provides a complete mapping of security policies within various compliance frameworks. Intuitive dashboards and reports help review this information.
- Governs security and compliance: It enables various cloud governance features, including compliance monitoring, risk-based prioritization of the security posture, policy management (e.g. overrides, exceptions, third-party compensations), and the configuration of private benchmarks for organizations that have multiple compliance standards or information security teams that need to customize the policy set for a specific architecture.
- Fixes misconfigurations: Provides remediation steps for each and every security policy and auto-remediation for a subset of the most critical security policies can be applied.