Cloud Security Posture Management (CSPM), previously known as Cloud Infrastructure Security Posture Assessment, was defined in response to the growing need of organizations to correctly configure public cloud IaaS and PaaS services and address cloud risks. As defined by Gartner, CSPM is a class of security tools whose use cases include compliance monitoring, DevOps integration, incident response, risk assessment, and risk visualization.
According to Gartner, by 2020, 95% of cloud security issues will be the result of misconfiguration. A single misconfiguration can expose hundreds or thousands of systems or highly sensitive data to the public internet.
What may be described as a "data breach" is more often a cloud storage bucket containing sensitive data that is accidentally exposed to the internet. These are just a few examples of data breaches due to misconfiguration.
Misconfigurations are made possible by at least four factors:
All of these factors are compounded by the lack of visibility into public cloud infrastructure. Many enterprises have no idea what type and how many cloud resources are running, or how they are configured. As a result, serious cloud misconfigurations often go undetected for days, weeks, or even longer, and taking the appropriate measures to secure cloud applications and services can be a challenge.
Security is a shared responsibility between a cloud provider, such as AWS and Microsoft Azure, and their customers. In this "shared responsibility model," the cloud provider is responsible for "security of the cloud," which includes all the infrastructure that runs cloud services. The customer is responsible for "security in the cloud," which is the configuration of cloud resources used by the customer.
Despite this model, there remains confusion about the demarcation of responsibility between cloud providers and their customers. According to a Barracuda Networks survey of 550 IT decision makers, 64% of respondents claimed that their cloud provider should protect customer data in the cloud, which is clearly the customer’s responsibility according to the Shared Responsibility Model.
This dangerous disconnect between perception and reality puts many organizations at risk. This is why, according to Gartner, through 2023 at least 99% of cloud security failures will be the customer’s fault.
Cloud Security Posture Management (CSPM) is defined by Gartner as "a continuous process of cloud security improvement and adaptation to reduce the likelihood of a successful attack." Because public cloud infrastructure is constantly changing, CSPM security tools continuously monitor enterprise cloud environments to identify gaps between their stated security policy and the actual security posture.
At the heart of CSPM is the detection of cloud misconfiguration vulnerabilities that can lead to compliance violations and data breaches. CSPM offerings typically use APIs of the underlying cloud providers to monitor public cloud environments for security or policy violations with the option of remediating the violations to ensure continuous compliance.
Some of the benefits of CSPM include:
CSPM offerings typically focus on identifying the following types of policy and security violations:
Fugue is an enterprise CSPM solution developed for engineers, by engineers. Fugue is different in that it addresses public cloud security as a software engineering problem—because the cloud is 100% software. Fugue builds a complete model of your public cloud infrastructure environment as a baseline, continuously detecting drift and enforcing the baseline for security-critical resources. With Fugue, you get full visibility into your cloud security posture and the assurance that it stays in continuous compliance.
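As an added illustration of the CSPM loop described above (policy evaluation over an inventory gathered from provider APIs, drift detection against a baseline, and enforcement of that baseline), here is a small self-contained Python example. It is not Fugue's code or any provider's API; the inventory shape, resource ids and policy names are constructed assumptions.

```python
from typing import Callable, Dict, List

# Constructed inventory, in the shape a CSPM tool might assemble from provider APIs
# (hypothetical format, not any real provider's response).
INVENTORY = {
    "bucket:customer-exports": {"type": "storage_bucket", "public_access": True, "encryption": "none"},
    "bucket:app-logs": {"type": "storage_bucket", "public_access": False, "encryption": "aes256"},
    "sg:web-tier": {"type": "security_group", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "sg:bastion": {"type": "security_group", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
}

# Baseline: last known-good configuration of the security-critical resources (constructed).
BASELINE = {
    "bucket:customer-exports": {"type": "storage_bucket", "public_access": False, "encryption": "aes256"},
    "sg:bastion": {"type": "security_group", "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
}

# Each policy returns True when the resource complies (non-applicable types pass).
def no_public_buckets(res: dict) -> bool:
    return res["type"] != "storage_bucket" or not res["public_access"]

def bucket_encrypted(res: dict) -> bool:
    return res["type"] != "storage_bucket" or res["encryption"] != "none"

def no_world_ssh(res: dict) -> bool:
    if res["type"] != "security_group":
        return True
    return not any(r["port"] == 22 and r["cidr"] == "0.0.0.0/0" for r in res["ingress"])

POLICIES: Dict[str, Callable[[dict], bool]] = {
    "no_public_buckets": no_public_buckets,
    "bucket_encrypted": bucket_encrypted,
    "no_world_ssh": no_world_ssh,
}

def evaluate(inventory: dict, policies: dict) -> List[str]:
    """Return a sorted list of 'policy:resource' strings, one per violation."""
    return sorted(f"{name}:{rid}" for rid, res in inventory.items()
                  for name, check in policies.items() if not check(res))

def detect_drift(inventory: dict, baseline: dict) -> Dict[str, List[str]]:
    """For each baseline resource, list the attributes that differ now (or 'missing' if deleted)."""
    drift = {}
    for rid, expected in baseline.items():
        current = inventory.get(rid)
        if current is None:
            drift[rid] = ["missing"]
            continue
        changed = [k for k, v in expected.items() if current.get(k) != v]
        if changed:
            drift[rid] = changed
    return drift

def enforce_baseline(inventory: dict, baseline: dict) -> dict:
    """Return a copy of the inventory with every drifted resource restored to its baseline."""
    fixed = {rid: dict(res) for rid, res in inventory.items()}
    for rid in detect_drift(inventory, baseline):
        fixed[rid] = dict(baseline[rid])
    return fixed
```

Running evaluate on the constructed inventory flags the public, unencrypted export bucket and the world-reachable SSH rule; after enforce_baseline restores the baseline, both the violation list and the drift report are empty.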
In modern cloud operations, security must be integral to the software development process, rather than bolted on after the fact as a security analysis function. With Fugue’s API, cloud security and compliance can be integrated into CI/CD pipelines for provisioning guardrails and to empower developers to validate compliance and check for security violations earlier in the software development life cycle. Fugue supports custom policies as well as frameworks for CIS Foundations Benchmarks, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC 2. Fugue is available for AWS and Azure.