August 12, 2023 | Updated on: April 15, 2024 | Reading time 10 minutes

The Evolution of Cloud Security Posture Management

Author: Davit Asatryan, Vice President of Product

Cloud Security Posture Management (CSPM) has become a widespread security solution for the cloud. In this post, we unravel the evolution of Cloud Security Posture Management.

Introduction to CSPM

Cloud Security Posture Management is a category of tools that address cloud security challenges and help strengthen cloud security posture. 

There are three types of cloud environments:

  1. Infrastructure as a Service
  2. Platform as a Service
  3. Software as a Service

Different types of CSPM serve different types of cloud environments. CSPMs that help strengthen security posture in SaaS are called SSPMs.

Modern CSPMs help tackle the following cloud risks:

  • Cloud misconfiguration
  • Lack of security visibility
  • Talent gap and skill gap
  • Work overload
  • Unauthorized access
  • Insider threats
  • Non-compliance

Today CSPMs are a powerful tool to control the cloud environment. However, they haven’t always been as efficient. Cybersecurity experts have been improving these tools for almost a decade now. It’s been a long path, as they had to completely abandon traditional perimeter security thinking and focus on identity access and cloud configuration. Let’s take a closer look at the evolution of CSPMs.

Early Cloud Security Challenges

Back in the 2010s, the newly emerged cloud offered businesses computing capabilities much greater than on-prem solutions. Businesses could cut costs on building and maintaining in-house infrastructure.

Rapid cloud adoption, however, showed that traditional approaches to organizing security architecture didn’t work as well in the cloud. For example, they couldn’t organize perimeter security in the same manner.

Legacy architecture would have a safe environment that could only be accessed from a secured spot, the company office in most cases. The system would connect with the “outer world” via one or two entry points.

Figure: Gartner was one of the first to outline CSPM

The on-prem security was thus bound to the physical access checks. The company needed to make sure that outsiders did not get access to the computers that were located in the office. It also required building strong firewalls and network protection.

The transition to the cloud posed new threats to security. To access the cloud, a user doesn’t need to be physically present in the office. Cloud has many entry points and perimeter security doesn’t work there.

Another important issue that arose almost immediately was mistakes in cloud configuration. Because of the greater attack surface, these mistakes led to a larger number of security incidents.

The collaboration tools on the one hand enabled people to streamline their work on documents. Previously, people had to send each other a document every time they wanted to make edits. Now several people could be working on the same document at the same time, and even discuss and comment on it right there.

Unfortunately, that productivity boost came with a price. Incorrect sharing settings remain among the top reasons for massive data breaches. Gartner predicted it quite accurately back in 2016.

Cloud environments grew exponentially, and new technologies brought new challenges to the table. For example, OAuth authentication enabled the emergence of cloud Shadow IT, as many applications would access cloud environments unbeknownst to the IT team and without their approval. This created an even greater attack surface.

On the other hand, large data breaches prompted governments to adopt laws that would protect their citizens from data theft, related events, and consequences. These laws identified the responsibility of businesses to protect the data privacy of their customers.

The cloud configurations had to be compliant with the new laws. However, achieving this compliance was tricky, as people could make mistakes or forget to correct the configuration.

It became clear that cloud security required different approaches, architecture, and tools.

Early Stages of CSPM: Compliance and Basic Monitoring

The understanding of the new cloud environment and its unique risks and challenges didn’t appear overnight. The cloud adoption definitely outpaced this process by a mile.

The first generation of CSPM

The first generation of CSPM came into being when only one cloud environment, AWS, was available for the companies. These CSPMs were mostly run by SecOps teams. The early understanding of the cloud and its risks was still lacking. That’s why companies were mostly concerned about compliance within their cloud environments.

It’s also important to understand that the first cloud environments were relatively small compared to the modern day. It was the early stage of cloud adoption when companies only began testing the grounds. 

The key features of the first-generation CSPMs were:

  • Detection of non-compliance
  • Agent-based model

Let’s unpack the term agent-based model. These were tools that were installed directly in the cloud to monitor the activities from within the cloud. Other examples of agent-based security solutions were intrusion detection systems, intrusion prevention systems, and malware detection tools.

The key drawback of the agent-based approach is the extensive use of computing resources. Another problem was the deployment of agent-based solutions. It required good cooperation between SecOps and DevOps, which wasn’t always present within the organization.

The tensions were especially high during the cloud adoption as both teams had to quickly figure out the smooth transition to the cloud. For DevOps, it meant quick and seamless deployment. And for SecOps it meant proper security for the environment that required bringing new tools and putting more pressure on DevOps. 

These two drawbacks impacted the evolution of CSPMs resulting in the emergence and subsequent domination of an agentless approach. We’ll be talking about it in detail in the next section.

The Second Generation of CSPM

The second-generation Cloud Security Posture Management tools began appearing at the time of the introduction of two new cloud environments, Azure and GCP. There were three key factors that impacted the CSPM and CSPM use at the time.

The first factor of this period was the intensified cloud adoption that resulted in the rapid growth of cloud environments. If the first clouds had dozens of users, the environments of this period had hundreds.

This factor contributed to the increase in security alerts and lack of visibility. In particular, the security teams didn’t know which company department owned which cloud resources. It impeded communication and incident resolution.

The second factor was the emergence of open-source CSPM solutions. These tools were free to use and enabled companies to save large amounts of money.

The third factor was the split between the agent-based and agentless solutions. We’ve already explained the agent-based model. The agentless tools were outside solutions that didn’t require installation in the cloud environment. They connected with it via APIs. The benefit of agentless tools was that they didn’t consume your cloud computing resources. They could quickly scan your environment and create multiple security alerts.

Around this time, incorrect cloud settings became critical. The booming IT market followed the new demand, coming up with tools that could detect security misconfiguration in the cloud. The second generation of CSPM tools performed three main functions:

  • Misconfiguration detection
  • Risk assessment
  • Compliance analysis

The Integration of Automation in CSPM

One of the next steps in CSPM development was to automate the remediation. The tools would fix the misconfigurations on their own.

The new era of CSPMs came after the first data breaches in AWS. In 2017-2018, we saw over a dozen massive S3 incidents, with millions of data records exposed (sometimes per incident). Many breaches involved governmental agencies and even sensitive data pertaining to national security. Incorrect AWS configurations, affecting 7% of all S3 servers, were one of the key reasons for the data leaks.

Another reason was the above-mentioned overwhelming amount of daily alerts. At that point, security teams were overloaded with work. It was a constant uphill battle against the incidents that happened on a daily basis. In many cases, the team treated the symptoms rather than the root cause only to come across similar problems shortly afterwards. Many specialists referred to their experience of the time as an endless Groundhog Day.

CSPM developers offered a new solution to their customers – automated remediation. It was one of the main features of the third generation of CSPMs.

This approach has many benefits and was groundbreaking for the time. Automated remediation enabled teams to decrease their workload and close the talent and skill gap. At the same time, the false positives disrupted business operations.

Around this time all the CSPMs switched to the agentless approach. As mentioned earlier, the agent-based model proved to be inefficient for the cloud and became obsolete.

The Rise of Context-Aware CSPM Solutions

As cloud environments grew, the number of daily security alerts grew as well, overwhelming the IT security teams. Simultaneously, the number of false positives created by CSPM’s auto-remediation also grew. In addition to that, auto-remediation made it hard for DevOps to introduce new changes to the cloud (often last-minute, quick fixes). These fixes were automatically blocked and required teams to initiate hard dialogues around the incident.

That’s when the idea of “context” came into play. Simply put, first-generation Cloud Security Posture Management tools analyzed isolated data points, for example, access to the cloud. Context-based CSPM analyzed each piece of data in relation to other incoming data. This enabled the tools not only to analyze risk better but also to prioritize the risks. It helped reduce the number of alerts and decrease the workload of IT security teams.
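
The difference between an isolated check and a context-aware one can be shown on a small scan result. The following is an added example, not code from Spin.AI or any CSPM product; the inventory, field names, weights and the auto-remediation threshold are all constructed assumptions.

```python
# Constructed inventory, as an agentless scanner might assemble it from
# cloud provider APIs. Field names, weights and threshold are hypothetical.
INVENTORY = [
    {"id": "bucket-marketing-site", "public": True, "data": "public",
     "owner": "marketing", "approved_public": True},
    {"id": "bucket-customer-exports", "public": True, "data": "pii",
     "owner": None, "approved_public": False},
    {"id": "bucket-build-cache", "public": True, "data": "internal",
     "owner": "devops", "approved_public": False},
    {"id": "bucket-hr-records", "public": False, "data": "pii",
     "owner": "hr", "approved_public": False},
]

SENSITIVITY = {"public": 0, "internal": 2, "pii": 5}  # assumed weights
AUTO_FIX_AT = 6  # assumed: only high scores are remediated without a human


def isolated_findings(inventory):
    """Isolated data point: every publicly readable resource is an alert."""
    return [r["id"] for r in inventory if r["public"]]


def contextual_findings(inventory):
    """Relate the exposure to data class, ownership and approvals, then rank."""
    ranked = []
    for r in inventory:
        if not r["public"]:
            continue
        # A documented exception only suppresses the alert for public data;
        # an "approved" bucket holding sensitive data is still reported.
        if r["approved_public"] and r["data"] == "public":
            continue
        score = 1 + SENSITIVITY[r["data"]]
        if r["owner"] is None:
            score += 2  # no team to route the incident to
        action = "auto-remediate" if score >= AUTO_FIX_AT else "ticket"
        ranked.append({"id": r["id"], "score": score, "action": action})
    return sorted(ranked, key=lambda f: f["score"], reverse=True)
```

On this inventory the isolated check raises three alerts, while the contextual pass reports two, ranked, and routes the lower-scoring one to a ticket so that an in-progress DevOps change is not reverted automatically.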

Another feature of the fourth-generation Cloud Security Posture Management is vulnerability scanning. Before this addition, companies had to go to separate vendors and acquire vulnerability monitoring. In most cases, these solutions were agent-based. Having these capabilities as part of an agentless CSPM tool helped organizations consolidate their security controls and overcome the weaknesses of the agent-based approach.

With the development of CSPM technologies, their capabilities grew. In addition to threat detection, risk assessment, and compliance analysis, modern CSPMs can also control access and applications, identify vulnerabilities, and help with the response to and remediation of cyber attacks.

The current trends in CSPM are:

  1. Growing adoption. The number of companies adopting CSPM is constantly increasing.
  2. Cloud consolidation. Organizations can now use CSPM to control all their cloud environments.
  3. Integration with DevOps. CSPM can identify security issues in the development process.
  4. Humanless security management. Modern CSPMs tend to be more independent and fix an increasing number of mistakes on their own.

Future Trends in CSPM

  1. AI integration. In the future, CSPM is anticipated to extensively use AI to analyze large data pools. Some are already using this technology.
  2. Engagement of CSPM in managing IoT and 5G networks.
  3. The further improvement of basic features like threat detection, compliance management, and incident response.
  4. Use of emerging technologies (e.g., quantum computing) to empower CSPMs.

Summing up, Cloud Security Posture Management solutions are among the first cloud-native security tools. They have been developing alongside rapid global cloud adoption. Each new stage of their evolution marked the solution to newly emerged or discovered cloud vulnerabilities and security risks.

FAQ

How has cloud security evolved over the years, and what were the early challenges faced by organizations?

Cloud security has evolved to meet the needs of businesses that were rapidly transitioning from on-premises to cloud. It became clear early on that legacy on-prem security architecture could not be applied to the cloud. That’s why new cloud security solutions emerged, and CSPM is one of them.

What were the limitations of traditional security approaches in addressing cloud security issues?

Traditional security approaches could only work with environments that have a limited number of entry points. Unfortunately, the cloud has many of them. 

What are some anticipated future trends in CSPM?

The future trends include the use of AI, quantum and edge computing, management of IoT and 5G security, and improvement of basic features.

How did the emergence of CSPM solutions address the challenges of misconfigurations and compliance in the cloud?

CSPM could identify and report misconfigurations and compliance gaps in the cloud.


Written by

Vice President of Product at Spin.AI

Davit Asatryan is the Vice President of Product at Spin.AI

He is responsible for executing product strategy by overseeing the entire product lifecycle, with a focus on developing cutting-edge solutions to address the evolving landscape of cybersecurity threats.

He has been with the company for over 5 years and specializes in SaaS Security, helping organizations battle Shadow IT, ransomware, and data leak issues.

Prior to joining Spin.AI, Davit gained experience by working in fintech startups and also received his Bachelor’s degree from UC Berkeley. In his spare time, Davit enjoys traveling, playing soccer and tennis with his friends, and watching sports of any kind.

