Update: This blog was originally published on 10 June 2021, and is updated to include statistics pertaining to Cloud Security trends in 2022.
Growing complexity in cloud infrastructure has led to new needs and challenges when securing cloud environments. With Gartner’s focus on a shared responsibility model, cloud customers need to rethink their cloud security strategy. Unfortunately, there is no one-size-fits-all approach to cloud security. But Gartner researchers have emphasized three tools that are essential to the future of securing cloud environments — Cloud Access Security Broker (CASB), Cloud Workload Protection Platform (CWPP), Cloud Security Posture Management (CSPM)Cloud Security Posture Management (CSPM), and Cloud Native Application Protection Platforms (CNAPP). Learn more about these and how they can help you future-proof your cloud security.
Cloud Access Security Platform (CASB)
Cloud Access Security Brokers (CASB) are cloud-based or on-premises security software tools placed between cloud applications and their users to monitor and enforce enterprise security policies on access to cloud-based resources. CASBs combine several kinds of security policy enforcement, generally centered around data protection, and independent of the device being used to access cloud services For instance, CASBs often cover security policies around Single Sign-On (SSO), authorization, logging, or encryption and may also support malware detection and alerting of prohibited behavior.
CASB Use Cases
- Visibility: Discovery of SaaS services in use, basic risk assessment, forensic investigation
- Data protection: DLP, Governance, Data encryption, MDM
- Threat protection: helps protect your clouds from, malicious insiders, compromised accounts, or malware
- It also covers the policies to support compliance needs: data protection requirements, data sovereignty, global regulations, etc.
Cloud Workload Protection Platform (CWPP)
Cloud Workload Protection Platforms (CWPPs) are, as defined by Gartner, “workload-centric security offerings that target the unique protection requirements of workloads in modern hybrid, multi-cloud data center architectures”
Essentially, CWPPs are endpoint protection solutions specifically tailored to server workloads wherever (and however) they are running today: VMs (Virtual Machines), public cloud IaaS (infrastructure as a service), PaaS and generally container-based application architectures as well.
CWPP Use Cases
CWPPs are generally deployed with an agent, and replace endpoint solutions by supporting things like:
- Discovery and inventory of workloads across environments
- System Integrity Assurance and Application Whitelisting in VMs
- Workload Behavioral Monitoring and Threat Detection/Response Capabilities
- Container and Kubernetes Protection
- Serverless Protection
Organizations often find it difficult to ensure that all the workloads they manage have suitable safety measures. CWPP offers centralized visibility and security management of all the workloads in the cloud with resources on allcloud providers shown in a single console.
Cloud Security Posture Management (CSPM)
According to Gartner, CSPM (cloud security posture management) is a mandatory tool for cloud security. CSPMs take advantage of native API integrations with IaaS cloud service providers to discover and assess the risks of cloud assets and configuration with a very simple integration that does not require agents or affect workload performance.
"Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes. Security and risk management leaders should invest in cloud security posture management processes and tools to proactively identify and remediate these risks."
CSPM Use Cases
- Constant visibility and enforcement of security controls across multi-cloud providers
- Discovery and identification of cloud workloads and services
- Threat detection and alert prioritization
- Cloud risk management, risk visualization, and risk prioritization capabilities
- Continuous compliance monitoring against a variety of industry or geography-specific regulations
Cloud Native Application Protection Platforms (CNAPP)
Cloud Native Application Protection Platforms can be defined as an streamlined solution that comes to market to offer an integrated set of security capabilities stretching across the cloud-native applications life cycle. CNAPPs bring together many of the existing cloud security tools that have so far been used alone, such as CSPM (Cloud Security Posture Management), CIEM (Cloud Identity and Entitlements Management), software artifact scanning and runtime CWPP (Cloud Workload Protection Platform) capabilities.
Interestingly, Gartner also predicts that by 2025, 70% of organizations will consolidate the number of vendors securing the life cycle of cloud-native applications to a maximum of three vendors. Which means that most organizations will prefer to use integrated cloud security solutions that give them the maximum protection for their cloud resources.
CNAPP Use Case and Why is it Important to Have a CNAPP?
Just as a cloud-native approach is critical with applications, it is also important to the security of cloud environments. Applications are being developed at higher velocity leveraging cloud-native capabilities such as container, Kubernetes, and serverless functions. As enterprises increase their adoption of cloud computing, it is therefore not surprising to see enterprises relying more on cloud-native application development and leveraging microservices architectures. In turn, the need to secure cloud-native applications is driving the emergence of security tools that integrate capabilities like CSPM, CIEM, CWPP, etc. across the life cycle of cloud-native applications, from development to production and operations.
Which Cloud Security Tools Are For You?
Which cloud security tools are the best option for you depends on a lot of factors, like your immediate and long-term cloud security priorities.
1. If your primary concern is to have visibility and control of all enterprise cloud usage (including the use of unsanctioned SaaS applications) or you need DLP, then a CASB is probably required.
2. If protecting your cloud workloads themselves and reinforcing application security are a priority, CWPP is likely the better choice. Before committing to a vendor however, you should evaluate if the workload security solution will fare well with the types of cloud services that you are using or plan to use. For example, if your infrastructure relies on containers, the workload security product should be able to inspect the containers for security risks.
3. If your most pressing need is to comply with cloud configuration best practices or compliance requirements, then a dedicated CSPMa dedicated CSPM is most likely the best solution. CSPM tools use the cloud provider’s application programming interfaces (API) to automate security benchmarking and audit checks, helping you to stay compliant and audit-ready on the go. For example, a CSPM tool can help you to avoid having a leaky S3 bucket with customer data (crown jewels) exposed for hackers to attack.
4. If you already have some cloud security here and there but it is not sufficient to meet your growing cloud adoption, then a CNAPP solution is most suitable for you. This means that your cloud security tool will give you holistic protection. A CNAPP will help you with end-to-end cloud native security. With a CNAPP, your security teams can identify and remediate the most critical security risks while maintaining a holistic approach to address vulnerabilities in cloud environments in build time.
Note: CSPMs are a required functionalityCSPMs are a required functionality regardless of what tools you use, so if you're not buying a dedicated CSPM you'll want to make sure that you have coverage of your cloud security posture from other tools (and sufficient for your needs).
CASBs, CWPPs, CSPMs, and CNAPPs all help secure the cloud, but they do so in different ways and with different scopes of coverage despite some amount of overlap. Which tool or tools are the right ones to deploy in your organisation will depend on a myriad of factors including: is the focus protecting SaaS or IaaS? Is it protecting data or protecting workloads? How large is the cloud security team and more! In choosing the right tool, an organization should clearly define its cloud security needs and communicate with stakeholders and business executives about those needs.
If you need an expert consultation on which cloud security strategy is best for you, then fill up this formfill up this form and a Horangi Cloud Security Specialist will walk you through Warden, a flagship all-in-one Cloud Security platform.