Cloud Security Posture Management Guide

Cloud Security Posture Management (CSPM) is the process of checking the configurations of cloud resources to reduce risk and to demonstrate compliance with data privacy standards.

There are common-sense manual practices that can be implemented to enforce security on cloud assets, but thorough CSPM can only be achieved through automation. Thus, Cloud Security Posture Management is closely tied to the acquisition of CSPM tools.

What does CSPM do?

Providers of cloud platform infrastructure can be expected to keep all of their software up to date and to track newly discovered exploits, which they shut down. However, the account settings and the access controls that customers implement are not the responsibility of cloud platform providers.

The users of cloud systems, such as storage space, virtual servers, and applications, need to ensure that they have implemented their systems in as secure a manner as possible. CSPM tools scan those accounts and identify where controls have been left too lax.

Cloud Security Posture Management can be seen as the Cloud equivalent of vulnerability management. A vulnerability scanner looks through networks, servers, and software searching for security loopholes that could be used by hackers. This is an automated form of penetration testing. CSPM does the same thing, but specifically for cloud assets.

While a vulnerability scanner works through a list of known exploits and tests the system under examination for that condition’s presence, a CSPM tool runs through a list of cloud service configuration best practices. If the CSPM checks a resource and sees that its configuration isn’t the same as the pattern it has logged in its database, it will raise an alert.

Dealing with misconfigurations

There are many CSPM tools available on the market, and one of the main ways they differentiate their services is how they respond to the discovery of a weakness.

All CSPM tools will raise an alert when they discover a deviation from best practices. This is an important step because it lists the asset and its current settings alongside the settings that it should have. As one of the main purposes of running a CSPM tool is to prove data privacy standards compliance, that difference between existing and ideal configurations gets written to a log.

A major part of standards compliance lies in documenting everything and making logs available for inspection during an external compliance audit.

Where tools differ is whether they also implement further action to help remediate the security weakness. In some cases, the tool will just issue an alert and an explanation and nothing else. In other cases, the tool will produce a guide on how the administrator should manually adjust the configuration and some other tools will make the changes.

A system that implements the fixes itself is known as robotic process automation (RPA). This is like a macro: a workflow that implements platform-specific changes. If the RPA is set up with a triggering rule and launched automatically, the CSPM system needs dashboard credentials to be stored in its configuration screens. An alternative approach is a script from a library, linked to in the alert report. The administrator then runs the script, which prompts interactively for a username and password.
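The comparison, alerting and logging steps described above, as an added illustration that is not part of the original guide or any vendor's product: a constructed inventory of cloud resources is checked against a small best-practice rule set, and each deviation is recorded with the asset, its current setting, the expected setting and the remediation mode the tool would offer (alert only, guide, or playbook). Resource IDs, settings and rule values are all constructed for the example.

```python
"""Minimal CSPM-style configuration check (illustrative, not a real product)."""

# Constructed inventory: what a CSPM scanner might collect via the provider API.
RESOURCES = [
    {"id": "s3://payroll-exports", "type": "bucket", "public_access": True, "encryption": "none"},
    {"id": "sg-0a1b", "type": "security_group", "ssh_cidr": "0.0.0.0/0"},
    {"id": "s3://app-logs", "type": "bucket", "public_access": False, "encryption": "AES256"},
]

# Constructed best-practice database: one expected value per (type, setting),
# with a severity and the remediation mode the tool offers for that finding.
RULES = [
    {"type": "bucket", "setting": "public_access", "expected": False,
     "severity": "high", "remediation": "playbook"},
    {"type": "bucket", "setting": "encryption", "expected": "AES256",
     "severity": "medium", "remediation": "guide"},
    {"type": "security_group", "setting": "ssh_cidr", "expected": "10.0.0.0/8",
     "severity": "high", "remediation": "alert"},
]

SEVERITY_SCORE = {"high": 10, "medium": 5, "low": 1}


def scan(resources, rules):
    """Return (alerts, risk_score). Each alert keeps current vs expected
    values so the difference can be written to the compliance log."""
    alerts = []
    for res in resources:
        for rule in rules:
            if rule["type"] != res["type"] or rule["setting"] not in res:
                continue
            current = res[rule["setting"]]
            if current != rule["expected"]:
                alerts.append({"asset": res["id"], "setting": rule["setting"],
                               "current": current, "expected": rule["expected"],
                               "severity": rule["severity"],
                               "remediation": rule["remediation"]})
    score = sum(SEVERITY_SCORE[a["severity"]] for a in alerts)
    return alerts, score


def log_lines(alerts):
    """Format alerts as audit-log lines: asset, current -> expected, mode."""
    return [f'{a["severity"].upper()} {a["asset"]} {a["setting"]}: '
            f'{a["current"]!r} -> expected {a["expected"]!r} [{a["remediation"]}]'
            for a in alerts]


if __name__ == "__main__":
    found, risk = scan(RESOURCES, RULES)
    print("\n".join(log_lines(found)) + f"\nrisk score: {risk}")
```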

Cloud Security Posture Management key features

To summarize the features you can expect from a typical CSPM tool:

  • Scanning of cloud services, including PaaS, IaaS, and SaaS offerings
  • A database of best practices for configurations
  • Comparison of existing configurations to the ideal
  • Risk scoring
  • A live readout of asset statuses
  • Logged results from scans
  • Records of action taken for remediation
  • Tuning for specific standards compliance
  • Cross-platform tracking
  • Continuous, repeated execution
  • A library of remediation playbooks

Several other functions can be categorized as “nice to have” and in some platforms are offered as parallel modules.

Related security services

The issue of identity and access management (IAM) is a gray area. Some would include this in the remit of CSPM, while others prefer to keep it as a separate strategy. User accounts and their security settings are a potential source of security weaknesses in a cloud service.

In general, cloud security platforms keep Cloud IAM separate, mainly because this is a high-value service that they would like to garner extra income from. Certainly, a business wishing to keep its cloud assets secure also needs to keep its access rights management strategy tight. Some platforms offer Cloud Identity Security and Cloud Security Posture Management as two linked modules in a package – Palo Alto Prisma Cloud is an example of such a bundle.

A third element that should also be considered is Cloud Workload Protection. This type of system is a threat detection service and if you operate cloud assets, you will need that constant protection alongside the system hardening value of CSPM.

Recommended Cloud Security Posture Management tools

We have prepared a separate report that reviews The best CSPM tools. However, if you don’t have time to read through another guide on Cloud Security Posture Management, the recommendations in that review are summarized below.

1. Datadog Cloud Security Posture Management

Datadog offers a range of cloud-based system monitoring and management tools, and its Cloud Security Posture Management service is a new addition to its stable. This tool can be tuned to enforce compliance with CIS, PCI DSS, HIPAA, and GDPR.

The package is designed to be used by security analysts who might not have the programming or scripting skills that could be expected from system administration technicians. Alongside the CSPM, Datadog offers a cloud workload protection platform, called Cloud Workload Security. The company also offers a cloud-based SIEM for extra security protection and a Log Manager which would assist your management and analysis of logs for compliance auditing.

2. CrowdStrike Falcon Horizon CSPM

The unique selling point of the CrowdStrike Falcon Horizon CSPM is that CrowdStrike funnels in its Threat Intelligence services. Thus, not only does the scanner compare configurations against best practices, but it focuses attention on system ingress points that are currently under attack around the world by hacker groups.

CrowdStrike includes access rights auditing in with its CSPM with particular attention to Azure AD implementations. The tool alerts administrators to security risks and generates guides on how to fix them but it doesn’t offer automated remediation. Security analysts from CrowdStrike are on-call for advice that is included in the price.

3. Palo Alto Prisma Cloud

Palo Alto Prisma Cloud gives you a five-module platform that bundles together Cloud Security Posture Management, Cloud Workload Protection, Cloud Network Security, Cloud Identity Security, and Cloud Code Security. This bundles in an IAM analysis service that strengthens access control over your cloud accounts and hardens them against attack.

Prisma Cloud runs all of its scanners simultaneously and continuously, alerting for newly spotted security weaknesses and threats. This service thoroughly documents your Cloud assets, providing material for compliance reporting and it also offers recommendations on actions to tighten security – remediation isn’t automatic.

4. Check Point CloudGuard

The Check Point CloudGuard platform presents five modules: Cloud Security Posture Management, Cloud Application Security, Cloud Workload Protection, Cloud Intelligence and Threat Hunting, and Cloud Network Security and Threat Prevention.

This service includes access rights auditing and ongoing account activity monitoring. While the CSPM provides system hardening, the threat prevention services continuously look for anomalous behavior. This service offers a high degree of remediation automation and it is very strong on compliance enforcement and reporting.

5. BMC Helix Cloud Security

BMC Helix Cloud Security is a good package for compliance reporting because it thoroughly documents all of its findings and all remediation actions. It can be configured for PCI DSS, CIS, and GDPR by applying a pre-written template.

This is an alert-based system that produces guides for action when a weakness is detected. Alerts can be channeled through an ITSM system as tickets and you can also trigger prewritten remediation playbooks either manually or automatically.

The Helix Cloud Security platform also implements cloud workload protection for processes on Azure and AWS.

6. Zscaler Workload Posture

Zscaler Workload Posture includes access rights auditing and management along with its CSPM service. Zscaler is a leader in Zero Trust Access, SASE, and secure software-defined WANs, so you might find a combination of other services from this provider that brings all of your resources together into one virtual network. If your system is very heavily cloud-based, then Workload Posture will be your first choice.

The dashboard for this service gives you live, constantly adjusted risk assessments and sensitive data identification. The tool slots into your cloud account via an API and needs very little tuning. Remediation workloads are available for automated responses or manual activation.

7. Rapid7 InsightCloudSec

Rapid7 InsightCloudSec is a bundle of CSPM, Cloud Workload Protection, and Identity and Access Management. This service can be set up as a CI/CD pipeline tester as well as for use with live systems. The package is not as strong as the other options on this list for compliance reporting.

Rapid7 is one of the leaders in cloud-based security systems and it is suitable for hybrid environments. Other tools available on the Insight platform include a combined XDR and SIEM service, called InsightIDR. This tool is stronger for compliance reporting than the InsightCloudSec system, so the combination of these two packages would work well.

8. Sophos Cloud Optix

Sophos Cloud Optix is a good package for compliance monitoring and reporting as well as for system hardening. The system can scan all registered accounts for underlying services.

Cloud Optix generates alerts when it discovers system weaknesses and produces guides for remediation but it won’t implement the fixes for you. An interesting feature of this package that the others on this list don’t offer is a Cloud Cost Optimizer. This tracks the money you are spending on each platform and identifies alternative packages that would cost you less for the same service.