Cloud security risks are shifting, and organizations need more than baseline security procedures to stay ahead of opportunistic hackers. Cloud security posture management (CSPM) tools are table stakes for all businesses operating in the cloud, and best-in-class organizations are pivoting to vendors who can instead offer them a unified platform, or cloud native application protection platform (CNAPP), to cover them from build to runtime.
CNAPP solutions should not only efficiently and effectively reduce cloud risks for an organization but should also provide additional benefits. Organizations should aim to find CNAPP solutions that can provide them with short time to value, with out-of-the-box capabilities for prioritization, visualization, and remediation of cloud security risks. These capabilities allow teams to work more efficiently, reduce the time spent reviewing thousands of meaningless alerts, and improve time to remediation of critical risks. Organizations should also look for CNAPP solutions that reduce the number of tools required in their technology stack by consolidating the tools they need most into one comprehensive offering, thereby also reducing costs.
CSPM Solutions and Challenges
CSPM solutions are sets of automated procedures designed to identify and remediate misconfiguration issues and other risks in the cloud. CSPM tools continuously monitor systems, essentially running “checks” against public cloud configurations that are mapped to a set of controls from different frameworks, including compliance. By having a CSPM solution in place, organizations are easily able to check the following, for example:
- Does my root account have MFA enabled?
- Do I have a password policy?
- Is my database encrypted at rest?
- Is my database publicly accessible?
Not all the items which fall under the umbrella of a CSPM solution are security related – some frameworks are related to privacy, quality of data, monitoring capabilities, availability of data, etc., which fall under the framework of compliance instead.
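To make the "checks mapped to controls" idea concrete, here is an added example (not code from any CSPM product) that runs the four checks listed above over a constructed configuration snapshot. The field names, check ids and control ids are hypothetical placeholders; a missing attribute is treated as a failure, and assets that no check covers are reported separately.

```python
# Added example: a minimal CSPM-style check runner over a constructed snapshot.
# Field names, check ids and control ids are hypothetical placeholders.
from collections import defaultdict

SNAPSHOT = [
    {"id": "root", "type": "root_account", "mfa_enabled": False},
    {"id": "pw-policy", "type": "password_policy", "present": True},
    {"id": "db-orders", "type": "database", "encrypted_at_rest": True,
     "publicly_accessible": True},
    {"id": "db-legacy", "type": "database", "publicly_accessible": False},
    {"id": "k8s-prod", "type": "kubernetes_cluster"},
]

# (check id, asset type, compliant-predicate, mapped framework controls)
CHECKS = [
    ("root-mfa", "root_account", lambda a: a.get("mfa_enabled") is True,
     ["SEC-EXAMPLE-1"]),
    ("password-policy", "password_policy", lambda a: a.get("present") is True,
     ["SEC-EXAMPLE-2", "COMPLIANCE-EXAMPLE-A"]),
    ("db-encrypted", "database", lambda a: a.get("encrypted_at_rest") is True,
     ["SEC-EXAMPLE-3", "COMPLIANCE-EXAMPLE-B"]),
    ("db-not-public", "database", lambda a: a.get("publicly_accessible") is False,
     ["SEC-EXAMPLE-4"]),
]


def evaluate(snapshot, checks):
    """Return (findings, uncovered asset ids). A missing attribute fails the check."""
    findings = []
    covered_types = {asset_type for _, asset_type, _, _ in checks}
    for asset in snapshot:
        for check_id, asset_type, compliant, controls in checks:
            if asset["type"] == asset_type and not compliant(asset):
                findings.append({"asset": asset["id"], "check": check_id,
                                 "controls": controls})
    uncovered = sorted(a["id"] for a in snapshot if a["type"] not in covered_types)
    return findings, uncovered


def failures_by_control(findings):
    """Group failing assets under each framework control they affect."""
    grouped = defaultdict(list)
    for f in findings:
        for control in f["controls"]:
            grouped[control].append(f["asset"])
    return dict(grouped)


if __name__ == "__main__":
    findings, uncovered = evaluate(SNAPSHOT, CHECKS)
    for f in findings:
        print(f"FAIL {f['check']:<16} {f['asset']:<10} {', '.join(f['controls'])}")
    print("No check covers:", uncovered)
```

The `uncovered` list is the part a checklist alone does not give you: an asset type with no checks passes silently unless the tool reports it.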
CSPM solutions provide the ability for organizations to achieve governance over their cloud infrastructure, better manage risk, and attain compliance certifications more easily. As the market began to evolve, vendors started to add more features to innovate and stay competitive beyond the core features of CSPM tools. Typically, these features included things like network inspection, policy enforcement, remediation, least privilege access, or anomaly detection. Most vendors believed that once they had applied the on-prem mindset (including compliance regulations) to the cloud, their work was done. However, this was not true.
CSPM Solution Pain Points
CSPM solutions on their own created several pain points for organizations:
- Difficulty contending with new security challenges as the market grew and cloud services expanded
- Cloud workloads were scaling and so were the number of alerts
- Container orchestration and Kubernetes were introduced, which require their own posture management
- Infrastructure as Code changed the root cause for modifications in the cloud
- Workload hygiene wasn’t addressed at all, as agent installation was extremely painful
- Lack of visibility: if CSPM checks ran only against the known assets, organizations were blind to the risks on any other assets that may exist in their cloud environment
Vendors, understanding that they had a wider and more pervasive problem to solve, began to simply acquire CSPM tools and add these capabilities to their “suite” of extended services: CSPM + container security + serverless security. However, these duct-tape solutions resulted in:
- Solutions not “speaking to each other”
- An exponential increase of alerts (whether relevant or not) overwhelming their teams
- No context whatsoever to help cloud security engineers understand and prioritize their alerts and best focus their efforts
This simply was not a sustainable solution, especially as companies began to digitally transform over the period of COVID starting in 2020. More and more businesses were migrating from on-prem only to the cloud, and there were additionally thousands of companies born in the cloud. These businesses all required comprehensive solutions that could apply compliance and security best practices (at scale), while also achieving security maturity in their cloud security management and posture.
What the future holds for CSPM and CNAPP solutions
Vendors have defined new ways to tackle security challenges and meet security and compliance best practices at scale. Vendors started to invest in specific aspects of these security considerations and focus most acutely within those areas.
For some it was agentless workload scanning, for others it was more enhanced asset management, and others looked at cloud security from the perspective of attack path analysis. Each had its unique benefits:
- Agentless workload scanning: These vendors were able to provide better workload hygiene and saved time by not requiring agent installations.
- Enhanced asset management: These solutions were able to provide continuous cloud visibility into the different cloud accounts, services, and workloads.
- Attack path analysis: This approach provides context to users. It powers the ability to prioritize and connect between disparate alerts and gives cloud security engineers the focus they need on new security threats in their cloud.
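An added illustration of how attack path context changes alert priority (not any vendor's implementation): assets form a directed graph, and an alert is ranked first only if its asset is both reachable from the internet and able to reach sensitive data. The graph, asset names and alerts are constructed for the example.

```python
# Added example: rank isolated alerts by whether their asset lies on a path
# from the internet to sensitive data. All names and data are constructed.
from collections import deque

# Edge A -> B means "A can reach or act on B" (network route or permission).
EDGES = {
    "internet": ["lb-public"],
    "lb-public": ["vm-web"],
    "vm-web": ["role-app"],
    "role-app": ["db-orders"],
    "vm-batch": ["db-orders"],
    "vm-dev": [],
}
SENSITIVE = {"db-orders"}
ALERTS = [
    {"id": "A1", "asset": "vm-web", "issue": "unpatched package"},
    {"id": "A2", "asset": "role-app", "issue": "over-permissive role"},
    {"id": "A3", "asset": "vm-dev", "issue": "unpatched package"},
    {"id": "A4", "asset": "vm-batch", "issue": "unpatched package"},
    {"id": "A5", "asset": "db-orders", "issue": "not encrypted at rest"},
]


def reachable(edges, starts):
    """Breadth-first search: every node reachable from any start node."""
    seen, queue = set(starts), deque(starts)
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def reverse(edges):
    """Flip every edge so we can ask 'what can reach this node?'."""
    rev = {}
    for src, dsts in edges.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev


def prioritize(edges, alerts, sensitive, entry="internet"):
    """Alerts on an entry-to-sensitive path first, the rest after."""
    exposed = reachable(edges, [entry])
    leads_to_data = reachable(reverse(edges), sorted(sensitive))
    on_path = exposed & leads_to_data
    ranked = [{**a, "on_attack_path": a["asset"] in on_path} for a in alerts]
    ranked.sort(key=lambda a: (not a["on_attack_path"], a["id"]))
    return ranked
```

The same "unpatched package" alert appears three times, but only A1 sits on an exposed path; A3 and A4 drop to the bottom of the queue.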
But what about compliance?
These emerging capabilities needed to be connected back to the CSPM piece and to augment the tooling across this discipline. It is with this concept in mind that we have seen the emergence of cloud native application protection platform (CNAPP) solutions in the market. CNAPP solutions build a more comprehensive platform that covers cloud security organizational requirements from early stages of development to runtime.
The Lightspin perspective: Why the future of cloud security is a CNAPP solution and thinking like an attacker
To get an accurate view of your cloud environment and its risks, alongside best practices in CSPM, you need a CNAPP solution. CNAPP solutions are all-in-one platforms that simplify the monitoring, detecting, and remediating of potential cloud security threats and vulnerabilities – from pre-deployment phases to incidents live in production.
However, not all CNAPP solutions are created equal.
Best-in-class CNAPP solutions help organizations supercharge their DevOps and Security Engineer teams by providing them with the context and prioritization of security findings they need, which is only possible if the solution is based on a graph.
Lightspin brings together multiple engines to unify the CNAPP catalog of feature requirements over a graph database. Lightspin uses its offensive-minded cloud security researchers and graph engineers to help your team, out of the box, surface the unknown risks across your cloud. The graph technology at the core of Lightspin’s solution provides 100% visibility, revealing an accurate topology of your environment, so you can identify the cloud assets in your organization and correctly ascertain which have the most critical risks. Lightspin’s solution is agentless, and instead of requiring customized queries to identify vulnerabilities, Lightspin does the legwork for your team, helping your organization visualize, prioritize, and even dynamically remediate the most urgent cloud security risks and attack paths you have.