What is Cloud Security Posture Management?

Cloud Security Posture Management (CSPM) is a market category defined by Gartner in response to the growing need to configure public cloud IaaS and PaaS services correctly. A single misconfiguration can expose hundreds or thousands of systems, or highly sensitive data, to the public internet.

Misconfiguration and Data Breaches

What is reported as a "data breach" is more often a cloud storage bucket containing sensitive data that was accidentally exposed to the internet. These are just a few examples of data breaches caused by misconfiguration:

[Images from the original page: CSPM-facebook, CSPM-voter, CSPM-AWS]

Why Do Misconfigurations Occur?

Misconfigurations are made possible by at least four factors:

  1. The cloud is inherently programmable. Public cloud infrastructure is driven by APIs, which let developers scale up and tear down large amounts of infrastructure through code. Because infrastructure changes are so easy to make, misconfigurations are just as easy to introduce.
  2. The cloud has enabled a "sprawl" of new services and technologies. When concepts such as microservices are combined with technologies such as containers, Kubernetes, and serverless functions (AWS Lambda, for example), there are many more resources to manage than the traditional servers, networks, and databases.
  3. The cloud features fundamentally new technologies that differ from those found in a physical data center. For example, IAM permissions let a principal reach resources in an account regardless of network segmentation. IAM therefore enables a form of lateral movement that network-based security tools do not see.
  4. The size and complexity of enterprise environments make it incredibly difficult to know what is running where. A typical enterprise cloud environment contains thousands or tens of thousands of resources spread across many regions and accounts. It is easy for a developer to create the wrong resource, grant overly liberal permissions, or lose track of where critical data is stored.

All of these factors are compounded by a lack of visibility into public cloud infrastructure. Many enterprises do not know what types of cloud resources they are running, how many there are, or how they are configured. As a result, serious cloud misconfigurations often go undetected for days, weeks, or longer.

The Shared Responsibility Model

Security is a shared responsibility between a cloud provider, such as AWS or Microsoft Azure, and its customers. In this "shared responsibility model," the cloud provider is responsible for "security of the cloud," meaning all of the infrastructure that runs cloud services. The customer is responsible for "security in the cloud," meaning the configuration of the cloud resources the customer uses, including its data, identity and access management, and network settings.

[Image from the original page: Shared Responsibility Model]

Despite this model, there remains confusion about the demarcation of responsibility between cloud providers and their customers. According to a Barracuda Networks survey of 550 IT decision makers, 64% of respondents said their cloud provider should protect customer data in the cloud, which under the shared responsibility model is clearly the customer's responsibility.

This dangerous disconnect between perception and reality puts many organizations at risk. It is why, according to Gartner, through 2023 at least 99% of cloud security failures will be the customer's fault.

Why is CSPM Important?

CSPM is defined by Gartner as "a continuous process of cloud security improvement and adaptation to reduce the likelihood of a successful attack." Because public cloud infrastructure is constantly changing, CSPM solutions continuously monitor enterprise cloud environments to identify gaps between the stated security policy and the actual security posture.

At the heart of CSPM is the detection of cloud misconfiguration vulnerabilities that can lead to compliance violations and data breaches. CSPM offerings typically use the cloud providers' own APIs to monitor public cloud environments for security or policy violations, with the option of remediating violations automatically to ensure continuous compliance.

Some of the benefits of CSPM include:

  • Continuous visibility into policy violations across multiple cloud environments.
  • Optional automated remediation of misconfigurations to ensure continuous compliance.
  • Prebuilt compliance libraries for common standards and best practices such as the CIS Foundations Benchmarks, SOC 2, PCI DSS, NIST SP 800-53, and HIPAA.

CSPM Uses

CSPM offerings typically focus on identifying the following types of policy violations:

  • Lack of encryption on databases or data storage.
  • Lack of encryption on application traffic, especially that which involves sensitive data.
  • Improper encryption key management such as not rotating keys regularly.
  • Overly liberal account permissions.
  • No multi-factor authentication enabled on critical system accounts.
  • Misconfigured network connectivity, particularly overly permissive access rules or resources directly accessible from the internet.
  • Data storage exposed directly to the internet.
  • Logging not enabled for critical activities such as network flows, database access, or privileged user activity.
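To make the list concrete, here is an added example (not Fugue's code or its policy format) of how a CSPM tool turns policies like these into checks. It evaluates a hand-constructed snapshot of one account's configuration against rules for most of the violation types above (everything except encryption of application traffic), and the last function shows how the findings can gate a CI/CD pipeline. The snapshot's field names and resource names are assumptions that only loosely follow the shape of AWS API responses.

```python
# CSPM-style policy checks over a cloud configuration snapshot. Added
# illustration, not Fugue's code or policy format. The snapshot is constructed
# by hand; its field names are assumptions that only loosely follow AWS API output.
from typing import Callable, Dict, List

Finding = Dict[str, str]

# Constructed snapshot of one account, the inventory a CSPM tool assembles by
# polling provider APIs (S3, EC2 security groups, RDS, IAM, KMS, CloudTrail).
SNAPSHOT = {
    "s3_buckets": [
        {"name": "app-logs", "public_access_block": True, "sse_enabled": True},
        {"name": "customer-exports", "public_access_block": False, "sse_enabled": False},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
    "rds_instances": [
        {"id": "orders-db", "storage_encrypted": True, "publicly_accessible": False},
        {"id": "reports-db", "storage_encrypted": False, "publicly_accessible": True},
    ],
    "iam_users": [
        {"name": "alice", "mfa_enabled": True, "attached_policies": ["ReadOnlyAccess"]},
        {"name": "deploy-bot", "mfa_enabled": False, "attached_policies": ["AdministratorAccess"]},
    ],
    "kms_keys": [{"id": "key-1", "rotation_enabled": True}, {"id": "key-2", "rotation_enabled": False}],
    "cloudtrail": {"enabled": False},
}

ANYWHERE = {"0.0.0.0/0", "::/0"}  # ingress sources meaning "the whole internet"
ADMIN_PORTS = {22, 3389}          # SSH and RDP

def _finding(rule: str, resource: str, message: str) -> Finding:
    return {"rule": rule, "resource": resource, "message": message}

def check_storage(s: dict) -> List[Finding]:
    """Data storage exposed to the internet or kept without encryption."""
    out = []
    for b in s.get("s3_buckets", []):
        if not b.get("public_access_block"):
            out.append(_finding("STORAGE_PUBLIC", b["name"], "no public access block"))
        if not b.get("sse_enabled"):
            out.append(_finding("STORAGE_UNENCRYPTED", b["name"], "default encryption off"))
    return out

def check_network(s: dict) -> List[Finding]:
    """Overly permissive access rules: an admin port reachable from any address."""
    out = []
    for sg in s.get("security_groups", []):
        for r in sg.get("ingress", []):
            if r["cidr"] in ANYWHERE and r["port"] in ADMIN_PORTS:
                out.append(_finding("NET_ADMIN_PORT_OPEN", sg["id"], f"port {r['port']} open to {r['cidr']}"))
    return out

def check_databases(s: dict) -> List[Finding]:
    """Databases without encryption at rest, or directly reachable from the internet."""
    out = []
    for db in s.get("rds_instances", []):
        if not db.get("storage_encrypted"):
            out.append(_finding("DB_UNENCRYPTED", db["id"], "storage not encrypted"))
        if db.get("publicly_accessible"):
            out.append(_finding("DB_PUBLIC", db["id"], "publicly accessible"))
    return out

def check_identity(s: dict) -> List[Finding]:
    """Accounts without MFA, and overly liberal (administrator) permissions."""
    out = []
    for u in s.get("iam_users", []):
        if not u.get("mfa_enabled"):
            out.append(_finding("IAM_NO_MFA", u["name"], "MFA not enabled"))
        if "AdministratorAccess" in u.get("attached_policies", []):
            out.append(_finding("IAM_ADMIN", u["name"], "AdministratorAccess attached"))
    return out

def check_keys(s: dict) -> List[Finding]:
    """Key management: customer-managed keys that are never rotated."""
    return [_finding("KMS_NO_ROTATION", k["id"], "rotation disabled")
            for k in s.get("kms_keys", []) if not k.get("rotation_enabled")]

def check_logging(s: dict) -> List[Finding]:
    """Audit logging off. A missing trail configuration counts as off, not as unknown."""
    if (s.get("cloudtrail") or {}).get("enabled"):
        return []
    return [_finding("LOGGING_DISABLED", "account", "CloudTrail not enabled")]

RULES: List[Callable[[dict], List[Finding]]] = [
    check_storage, check_network, check_databases, check_identity, check_keys, check_logging]

def evaluate(snapshot: dict) -> List[Finding]:
    """Run every rule over the snapshot and collect the findings."""
    return [f for rule in RULES for f in rule(snapshot)]

def ci_gate(findings: List[Finding], block_on: set) -> int:
    """Pipeline guardrail: exit status 1 if any blocking rule fired, else 0."""
    return 1 if any(f["rule"] in block_on for f in findings) else 0

if __name__ == "__main__":
    results = evaluate(SNAPSHOT)
    for f in results:
        print(f"{f['rule']:<20} {f['resource']:<18} {f['message']}")
    raise SystemExit(ci_gate(results, {"STORAGE_PUBLIC", "DB_PUBLIC", "NET_ADMIN_PORT_OPEN"}))
```

Run as a script it prints nine findings for the constructed account and exits non-zero because three of them are in the blocking set, which is the behaviour a pipeline guardrail needs. Two design points are worth noting: every rule uses `.get` with a safe default so that a resource type missing from the snapshot yields no false findings, while `check_logging` deliberately fails closed, treating a missing CloudTrail entry as "logging off" rather than "unknown". A real CSPM tool fills the snapshot by calling the provider APIs (for AWS, S3 GetPublicAccessBlock, EC2 DescribeSecurityGroups, RDS DescribeDBInstances, IAM ListMFADevices, KMS GetKeyRotationStatus and CloudTrail DescribeTrails) and re-evaluates continuously as the environment changes.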

Fugue and CSPM

Fugue is an enterprise CSPM solution developed for engineers, by engineers. Fugue is different in that it addresses cloud security as a software engineering problem—because the cloud is 100% software. Fugue builds a complete model of your public cloud infrastructure environment as a baseline, continuously detecting drift and enforcing the baseline for security-critical resources. With Fugue, you get full visibility into your cloud security posture and the assurance that it stays in continuous compliance.


In modern cloud operations, security must be integral to the software development process rather than bolted on afterwards as a separate security analysis function. With Fugue's API, cloud security and compliance checks can be integrated into CI/CD pipelines as provisioning guardrails, so developers can validate compliance earlier in the software development life cycle. Fugue supports custom policies as well as frameworks for the CIS Foundations Benchmarks, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC 2. Fugue is available for AWS and Azure.