CSPM buyer’s guide: How to choose the best cloud security posture management tools


Cloud security posture management (CSPM) explained

Cloud security posture management (CSPM) combines threat intelligence, detection, and remediation that works across complex collections of cloud-based applications. After companies move to the cloud, many are under the impression that their cloud hosting providers are solely responsible for security, a misconception that can lead to data breaches and other security issues. While the responsibility for securing cloud infrastructure falls to cloud services providers, it’s up to customers to configure the cloud and secure their applications and sensitive corporate data.

But securing cloud-based apps and data isn’t simple, because many threat vectors cut across neat defensive boundaries. This is why many enterprises have found a need to expand their posture management to more comprehensive products such as cloud-native application protection platforms (CNAPP) or secure service edge (SSE) product lines. CNAPP integrates CSPM with other tools, including cloud access security brokers (CASBs) and tools that directly protect cloud workloads, APIs and infrastructure; vendors in this space include Wiz, Palo Alto Networks’ Cortex line, Tenable, CrowdStrike and others.

SSE products are more network-focused and integrate CSPM with a different set of tools including software-defined wide area networking, secure web gateways and zero trust network access and include vendors such as Zscaler, Cisco, Palo Alto Networks’ Prisma line, Fortinet and Netskope.


In this buyer’s guide

Cloud security posture management (CSPM) explained

What to look for in cloud security posture management (CSPM) tools

Leading vendors for cloud security posture management (CSPM)

What to ask your cloud security posture management (CSPM) provider

Essential reading

That’s where CSPM tools can help. These tools continuously and automatically check for misconfigurations that can result in data leaks and data breaches. CSPM tools manage cloud security risks on an ongoing basis and ensure compliance in the cloud so enterprises can continuously make any necessary changes.

“CSPM solutions use best practices and compliance (PCI, SOC2, etc.) templates to identify drifts and insecure configurations in cloud infrastructure (AWS, Azure, and Google Cloud) in the compute, storage, and network areas,” says Andras Cser, a principal analyst at Forrester Research. “CSPM tools can alert and optionally remediate the insecure configurations.”

CSPM tools look at workloads to see what’s happening and they provide context, so organizations know which of the vulnerabilities or issues is most important, says Charlie Winckless, a senior director analyst at Gartner. “These tools enable companies to prioritize which risks are real, which risks are important, and which risks they may be able to delay fixing a little bit,” he says.

Cloud technologies have been classified as infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). The differences among these three designations are becoming blurred to the point where the labels don’t have much meaning anymore. As enterprises purchase more diverse cloud offerings, the notion of having a single tool such as CSPM that covers all these bases becomes appealing.

What to look for in cloud security posture management (CSPM) tools

Organizations evaluating various CSPM tools should ensure that they cover all the cloud platforms they’re using, says Winckless. “You want to be able to normalize the configuration risks across the major cloud platforms,” he says. “Most organizations that are purchasing these tools will probably be multicloud. They’ll be using at least two clouds, maybe more, since the cloud providers themselves do offer some of this functionality built into their platforms.”

Philip Bues, cloud security research manager at IDC, says the new reality for most organizations is a hybrid multicloud environment, “so you want something that’s going to be able to give you really deep visibility throughout all the environments and workloads that you have. And that’s what the CSPM solution should be able to provide you.”

Other features organizations should look for in CSPM tools include the following:

Comprehensive threat detection: Because threats in multicloud environments are complex, these tools must gather threat intelligence from multiple sources to give companies clear views of their risks.

Integrated data security: Keeping data safe in the cloud requires a multipronged defense that gives companies deep visibility into the state of their data. This includes enabling organizations to monitor how each storage bucket is configured across all their storage services to ensure their data isn’t inadvertently exposed to unauthorized applications or users.

Automated alert remediation: Organizations must ensure that the CSPM tools they select can automate routine security monitoring, audits, and remediations across their cloud environments. This allows security teams to prioritize and remediate the risks that can potentially cause the most damage.
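The three features above describe what a CSPM engine does at its core: collect resource configurations from several clouds, normalize them into one shape, run a rule catalogue over them and rank the results by risk. The following is an added example, not code from the article or from any vendor named in it, that shows that loop on a hand-constructed inventory of storage buckets and firewall rules from three providers. The rule ids (STORAGE-001, NET-001 and so on) and the inventory values are placeholders, not real framework controls or real resources.

```python
"""Minimal multi-cloud posture check over a constructed resource inventory.

Added example, not part of the original article and not any vendor's code.
The inventory below is constructed by hand and mimics what a CSPM tool
collects from provider APIs, already normalized into one shape per
resource type. Rule ids such as STORAGE-001 are placeholders, not real
framework controls.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed, normalized inventory: one dict per resource regardless of provider.
INVENTORY = [
    {"id": "s3://acme-public-site", "cloud": "aws", "type": "storage",
     "public_read": True, "encryption_at_rest": True, "versioning": False,
     "tags": {"data_class": "public"}},
    {"id": "s3://acme-customer-exports", "cloud": "aws", "type": "storage",
     "public_read": True, "encryption_at_rest": False, "versioning": False,
     "tags": {"data_class": "confidential"}},
    {"id": "gs://acme-backups", "cloud": "gcp", "type": "storage",
     "public_read": False, "encryption_at_rest": True, "versioning": True,
     "tags": {"data_class": "confidential"}},
    {"id": "sg-0a1b2c", "cloud": "aws", "type": "firewall",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "nsg-web", "cloud": "azure", "type": "firewall",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
]


@dataclass
class Rule:
    rule_id: str
    severity: int                      # 1 (low) .. 4 (critical)
    resource_type: str
    description: str
    failing: Callable[[dict], bool]    # True when the resource violates the rule


@dataclass
class Finding:
    rule_id: str
    resource_id: str
    cloud: str
    severity: int
    description: str


ADMIN_PORTS = {22, 3389}


def _admin_port_open_to_world(r: dict) -> bool:
    return any(rule["port"] in ADMIN_PORTS and rule["cidr"] == "0.0.0.0/0"
               for rule in r["ingress"])


# Rule catalogue. Severity is raised when public exposure meets confidential data,
# which is the context-based prioritization the article describes.
RULES = [
    Rule("STORAGE-001", 4, "storage", "Confidential bucket is publicly readable",
         lambda r: r["public_read"] and r["tags"].get("data_class") == "confidential"),
    Rule("STORAGE-002", 2, "storage", "Bucket is publicly readable",
         lambda r: r["public_read"] and r["tags"].get("data_class") != "confidential"),
    Rule("STORAGE-003", 3, "storage", "Bucket lacks encryption at rest",
         lambda r: not r["encryption_at_rest"]),
    Rule("STORAGE-004", 1, "storage", "Bucket versioning disabled",
         lambda r: not r["versioning"]),
    Rule("NET-001", 4, "firewall", "Admin port (SSH/RDP) open to 0.0.0.0/0",
         _admin_port_open_to_world),
]


def evaluate(inventory: list, rules: list = RULES) -> list:
    """Run every rule against every resource of the matching type and return
    findings sorted by severity (highest first) so the worst exposure is on top."""
    findings = [
        Finding(rule.rule_id, r["id"], r["cloud"], rule.severity, rule.description)
        for r in inventory
        for rule in rules
        if rule.resource_type == r["type"] and rule.failing(r)
    ]
    return sorted(findings, key=lambda f: (-f.severity, f.resource_id, f.rule_id))


def summarize(findings: list) -> dict:
    """Count findings per cloud, the per-provider view a multicloud CSPM should give."""
    counts = {}
    for f in findings:
        counts[f.cloud] = counts.get(f.cloud, 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate(INVENTORY)
    for f in results:
        print(f"sev={f.severity} {f.cloud:5} {f.rule_id:12} {f.resource_id}: {f.description}")
    print(summarize(results))
```

Because every resource is normalized before evaluation, the same rule catalogue covers AWS, Azure and Google Cloud without provider-specific branches; adding a provider means writing a collector that emits the same shape, not rewriting rules. The confidential-and-public rule ranking above the plain public-read rule is what turns a list of misconfigurations into a prioritized queue.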

Benefits of CSPM tools

CSPM tools offer multiple benefits that help companies boost security, minimize their risk exposure in cloud environments, and reduce costs. These benefits include:

Proactively identifying and addressing risks before cybercriminals can exploit them, using real-time visibility and automatic detection of vulnerabilities, misconfigurations, and security gaps.

Continuously monitoring configurations against industry benchmarks and standards to ensure compliance with best practices and regulations.

Automating policy enforcement and remediation, which cuts the time and expense of manually resolving security issues across cloud environments.

Integrating devops workflows with CSPM processes to embed security throughout the software development life cycle.

Pitfalls of CSPM tools

There are some pitfalls that companies need to be aware of when it comes to CSPM tools, including:

Not understanding the requirements of CSPM tools: This is one of the biggest mistakes that organizations can make when they’re shifting workloads to the cloud because things that weren’t connected before are now interconnected, says IDC’s Bues. The best way to implement CSPM tools is to ensure teams receive the proper training and proper awareness for how this solution is supposed to work within the environment. “You don’t want to have the security team with little or no cloud experience or developers with limited security experience trying to manage this new CSPM solution,” he says. “You should have the developers and the security team working together because everyone has different needs.”

Not opting for a multicloud CSPM tool: Another mistake companies make is selecting the one-size-fits-all tooling offered by a single public cloud vendor, which doesn’t give a unified view across all their cloud environments. Organizations should opt for CSPM tools that provide multicloud monitoring and protection.

Thinking they’re too small or not mature enough: A company that assumes it’s too small or not mature enough to consider security will always put the business at risk as it typically only thinks about security after an issue or breach occurs. However, companies of all sizes should ensure they protect their assets across teams by implementing CSPM tools.

Leading vendors for cloud security posture management (CSPM)

Vendors have been incorporating CSPM functions into their overall CNAPP or SSE platforms, including CrowdStrike, Palo Alto Networks, Wiz, Zscaler and Tenable. This means that the modern standalone CSPM tool has all but disappeared. One extreme example is Check Point Systems, which has exited CSPM entirely and is integrating its CNAPP efforts with Wiz’s product line. It is still important to start with this function as you investigate how to protect your cloud estate, and to help with these efforts, we have highlighted a few of the CSPM tools based on discussions with analysts and our own independent research.

SentinelOne Singularity CSPM is part of a collection of integrated modules that together comprise a comprehensive CNAPP solution. You can pinpoint cloud misconfigurations and monitor changes continuously to public clouds from AWS, Azure and Google Cloud. It also includes an offensive detection engine called Verified Exploit Paths and AI-based threat-detection research to help augment its protective features.

Sweet.Security Runtime CNAPP’s CSPM module is just part of a comprehensive CNAPP solution that offers application, data and API security modules. It monitors changes in near real-time and helps to remediate cloud workload misconfigurations and protects development pipelines. It combines its runtime instrumentation with other metadata to provide overall risk assessment scoring. It also offers a unified management of security issues, such as exposed APIs that are linked to misconfigured identities.

Tenable CSPM is part of its overall cloud security platform, which integrates a wide collection of tools including the traditional CNAPP suite along with more development-oriented protection for AI, code pipelines, data and threat detection tools. It provides continuous security scans across AWS, Azure and Google Cloud along with producing audit reports and integration with its cloud infrastructure entitlement management tools as well.

Questions to ask your cloud security posture management (CSPM) provider

When investigating the best CSPM fit for your enterprise security needs, ask potential vendors these questions:

How can you calculate your baseline so you can track changes to your cloud-based assets?

Does the CSPM platform work for all three of the major public clouds (Amazon Web Services, Google Cloud, and Microsoft Azure) as well as various Kubernetes and other container-based implementations? What about support for common SaaS apps such as Box, Salesforce, ServiceNow, and Workday? Each product’s coverage varies. Some products place agents in your cloud, some use read-only access to scan your environment and resources, and some have writing access to enable changes to remediate issues in your accounts.

How quickly does it notify you about these changes, policy violations, and other unusual events? Does it track misconfigured weak security groups, remote access, app control mistakes, and network changes? All cloud providers offer built-in activity monitoring, but if you use multiple clouds, you want your CSPM platform to parse this rich supply of data and make actionable sense of it.

How quickly can it automate remediation? The best CSPM platforms will continuously scan for vulnerable systems, and some can detect, for example, when a newly created virtual machine has introduced an insecure situation.

What other security and notification tools does it integrate with, such as security information event management (SIEM) and security orchestration, automation, and response (SOAR)?

How many compliance/auditing reporting frameworks are supported on each cloud provider? Each tool supports a different collection of frameworks, and that collection isn’t necessarily the same across all the clouds, which makes comparisons harder.

What is the cost? Some vendors offer a limited free trial or tier; others charge per host or in more complex ways that might mean a surprise when the bill comes due. Few, like Sysdig, offer a public and transparent pricing webpage.
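The first question in the list, how a baseline is calculated so that changes to cloud assets can be tracked, and the later ones about how quickly changes and new virtual machines are noticed, all come down to the same mechanism: keep an accepted snapshot of normalized resource configurations and diff each new scan against it. The following is an added example, not code from the article or from any vendor it names, that shows that drift detection on two hand-constructed snapshots. Resource ids and attribute names are placeholders, and the small set of "does this change loosen exposure" judgments is a hypothetical stand-in for a vendor's full rule catalogue.

```python
"""Baseline capture and drift detection for cloud resource configurations.

Added example, not part of the original article and not a vendor's code.
Both snapshots are constructed by hand: each is the normalized inventory a
CSPM collector would return on one scan. The first scan is the accepted
baseline; a later scan is diffed against it, and drifts that loosen exposure
are flagged so they can be routed to an alert or auto-remediation step.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Constructed snapshots: BASELINE is the accepted state, LATER_SCAN a later scan.
BASELINE = {
    "s3://acme-customer-exports": {"public_read": False, "encryption_at_rest": True},
    "sg-0a1b2c": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "vm-batch-01": {"public_ip": False, "os_patch_level": "2025-10"},
}
LATER_SCAN = {
    "s3://acme-customer-exports": {"public_read": True, "encryption_at_rest": True},
    "sg-0a1b2c": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                              {"port": 22, "cidr": "0.0.0.0/0"}]},
    "vm-batch-02": {"public_ip": True, "os_patch_level": "2025-10"},  # new VM, absent from baseline
}


def _loosens(attr: str, before, after) -> bool:
    """Hypothetical attribute-level judgment of whether a change weakens posture.
    A real tool carries one such judgment per rule; this covers only the
    attributes used in the constructed snapshots."""
    if attr in ("public_read", "public_ip"):
        return bool(after) and not bool(before)
    if attr == "encryption_at_rest":
        return bool(before) and not bool(after)
    if attr == "ingress":
        # Any newly added world-reachable rule is treated as loosening.
        new_rules = [r for r in (after or []) if r not in (before or [])]
        return any(r["cidr"] == "0.0.0.0/0" for r in new_rules)
    return False


def fingerprint(config: dict) -> str:
    """Stable hash of a resource config (key order does not matter), so large
    inventories can be compared cheaply before a field-level diff is run only
    on the resources whose hash changed."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class Drift:
    resource_id: str
    kind: str                   # "added", "removed" or "changed"
    attribute: Optional[str]    # None for added/removed resources
    before: object
    after: object
    loosens_posture: bool


def detect_drift(baseline: dict, current: dict) -> list:
    """Diff a scan against the baseline and return one Drift per added or
    removed resource and one per changed attribute of a surviving resource."""
    drifts = []
    for rid in sorted(set(baseline) | set(current)):
        if rid not in baseline:
            # New resource: flag it if any attribute would loosen from a safe default.
            cfg = current[rid]
            loosens = any(_loosens(a, None, v) for a, v in cfg.items())
            drifts.append(Drift(rid, "added", None, None, cfg, loosens))
            continue
        if rid not in current:
            drifts.append(Drift(rid, "removed", None, baseline[rid], None, False))
            continue
        if fingerprint(baseline[rid]) == fingerprint(current[rid]):
            continue  # unchanged, skip the field-level diff
        for attr in sorted(set(baseline[rid]) | set(current[rid])):
            b, a = baseline[rid].get(attr), current[rid].get(attr)
            if b != a:
                drifts.append(Drift(rid, "changed", attr, b, a, _loosens(attr, b, a)))
    return drifts


def needs_attention(drifts: list) -> list:
    """The subset a team would alert on or hand to automated remediation."""
    return [d for d in drifts if d.loosens_posture]


if __name__ == "__main__":
    for d in detect_drift(BASELINE, LATER_SCAN):
        flag = "LOOSENS" if d.loosens_posture else "info"
        print(f"{flag:7} {d.kind:8} {d.resource_id} {d.attribute or ''}: {d.before!r} -> {d.after!r}")
```

On these snapshots the diff reports four drifts: the export bucket became publicly readable, the security group gained a world-reachable SSH rule, one VM disappeared and a new VM with a public IP appeared. Three of the four loosen posture and would be the ones routed to notification or remediation; the removed VM is recorded but not escalated. How often the scan runs is what the "how real-time is it" questions are really asking about.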

Essential reading

CNAPP buyers guide: Top tools compared

Top 12 data security posture management (DSPM) tools

How automation in CSPM can improve cloud security

Is your cloud security strategy ready for LLMs?

What is data governance? Best practices for managing data assets

This story was first published in October 2023 and updated in November 2025.
