Gartner Reprint: Cloud Security Posture Management

11/21/2019 - Gartner Reprint - Licensed for Distribution


Innovation Insight for Cloud Security Posture Management
Published 25 January 2019 - ID G00377795 - 30 min read
By Analyst Neil MacDonald
Reprint: https://www.gartner.com/doc/reprints?id=1-674W4BM&ct=190206&st=sb

Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes. Security and risk management leaders should invest in cloud security posture management processes and tools to proactively and reactively identify and remediate these risks.

Overview

Key Findings

■ The rapid adoption of cloud services, along with an increasing number of cloud infrastructure and platform services, has created an explosion in complexity and unmanaged risk.
■ IaaS providers deliver basic configuration and risk assessment capabilities, but only address their own services. Most enterprises will require hybrid, multicloud capabilities.
■ The market is in flux. There has been a large increase in the number of CSPM offerings over the past 18 months, with some initial market consolidation via acquisitions.
■ To differentiate, vendors are adding scanning for vulnerabilities, sensitive data and malware.
■ CSPM tools alone won’t eliminate cloud risk. Process and culture changes are also needed.

Recommendations

Security and risk management leaders responsible for cloud security should:

■ Prioritize a CSPM project in 2019. Sign short-term contracts only as the market evolves.
■ Use the cloud provider’s built-in CSPM capabilities if the organization only has a small deployment with basic requirements and is only using a single IaaS provider.
■ Evaluate CASB providers (if already in use or planned) for CSPM needs, as the CASB market leaders have well-developed CSPM capabilities.
■ Engage the cloud operations team. A broader cloud management platform may already be in use for inventory, billing and resource utilization that provides sufficient security capabilities.
■ Extend CSPM risk assessments into the development process for the proactive elimination of risk before cloud workloads, services and configurations are placed into production.
■ Ensure the enterprise strategy for CSPM includes the identification and discovery of sensitive data and malware in cloud file repositories and databases.

Strategic Planning Assumptions

By 2021, 50% of enterprises will unknowingly and mistakenly have some IaaS storage services, network segments, applications or APIs directly exposed to the public internet, up from 25% at YE18.

Through 2024, workloads that leverage the programmability of cloud infrastructure to improve security protection will suffer at least 60% fewer security incidents than those in traditional data centers.

Through 2023, at least 99% of cloud security failures will be the customer’s fault.

Through 2024, organizations implementing a CSPM offering and extending this into development will reduce cloud-related security incidents due to misconfiguration by 80%.

The enterprise adoption rate for CSPM tools will reach 20% by 2021, up from less than 5% at YE18.

Analysis

This document was revised on 19 February 2019. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

High levels of automation and user self-service in public cloud IaaS and PaaS services (a converging market that Gartner refers to as cloud infrastructure and platform services [CIPS]) have magnified the importance of correct cloud configuration and compliance. A single mistake can immediately expose thousands of systems or large amounts of sensitive data. The increasing adoption of cloud services, combined with the increasing number of platform services and a lack of cloud skills (including security), has left enterprise information and workloads exposed. Compounding the issue, a lack of comprehensive visibility into programmatic cloud infrastructure means that incorrect and noncompliant configurations go undetected for extended periods of time. The result is that, while the underlying cloud provider infrastructure itself is secure, most enterprises don’t have the processes, tooling maturity or scale to use the cloud securely (see “Clouds Are Secure: Are You Using Them Securely?”).

Security and risk management leaders need a cloud security posture management (CSPM) strategy that embraces a continuous adaptive risk and trust assessment (CARTA) strategic approach (see Note 1 and “Seven Imperatives to Adopt a CARTA Strategic Approach”). Further, this CARTA approach to CSPM should extend into development, to identify and remediate cloud risks before they are released into production (see Figure 1).

Figure 1. Continuous, Life Cycle Approach to Cloud Security Posture Management

Source: Gartner (January 2019)

As shown in Figure 1, CSPM should be thought of as a continuous process of cloud security posture improvement and adaptation, with the goal of reducing the likelihood of a successful attack and the damage in the event an attacker gains access (see Note 2). Since cloud infrastructure is always in flux, the strategy for CSPM should be one of continuous assessment and improvement throughout the life cycle of cloud applications, beginning in development and extending into production (left to right in Figure 1), responding and adapting where needed. Likewise, since new cloud capabilities and new regulations are continuously being introduced, the best practices for secure cloud usage will also always be in flux. The top part of Figure 1 shows that the CSPM governance strategy should be constantly evolving and adapting to emerging best practices, evolving industry standards and external threat intelligence, as well as adapting to observed risks coming from development and production.

A CARTA approach to CSPM delivers continuous cloud compliance. As shown in Figure 1, we are continuously monitoring for gaps between our desired security policy (driven from our cloud risk and governance processes), the intended security posture (what the developer/DevOps team intended) and the actual security posture observed at runtime. Nearly all successful attacks on cloud services are a result of customer misconfiguration, mismanagement and mistakes. CSPM offerings directly target this need. The CSPM offerings discussed in this research help to automate the CSPM process, make it repeatable and allow it to scale with the needs of digital business.

Definition

CSPM offerings continuously manage cloud risk through the prevention, detection, response and prediction of where excessive cloud infrastructure risk resides, based on common frameworks, regulatory requirements and enterprise policies. The core of CSPM offerings proactively and reactively discovers and assesses the risk/trust of cloud services configuration (such as network and storage configuration) and security settings (such as account privileges and encryption). Ideally, if a setting is noncompliant or a configuration represents excessive risk, the CSPM offering can take automated action to adapt, including remediation.

Description

As enterprises place more services in public cloud, and as the public cloud providers introduce more infrastructure and platform services directly into the hands of developers, it is becoming increasingly complex and time-consuming to answer the seemingly straightforward questions “Are we using these services securely?” and “Does the configuration of my cloud services represent excessive risk?” For example, manually assessing the secure setup and configuration in Amazon Web Services (AWS) across more than 160 different services, each with varying granularities of authorization policies, is extremely difficult, if not impossible. Simple misconfiguration issues (such as open AWS S3 buckets) represent significant risk (see “Open File Shares Are Your Biggest Cloud Security Problem”) and occur often, as evidenced by continuing publicized data disclosures from publicly exposed AWS S3 buckets.[1]

In addition to the sheer number of cloud services to secure, other factors are driving the need for CSPM, such as:

■ The issue of cloud visibility due to cloud sprawl. Most enterprises don’t have comprehensive visibility of enterprise cloud deployments and services, and the problem is worsening.
■ The dynamic and ever-changing nature of cloud infrastructure. The scale-out capabilities of cloud services mean that new systems and services are constantly being added.
■ The issue of consistent, secure and compliant cloud infrastructure will become more complex as more and more organizations adopt a “multicloud strategy,” where they use more than one IaaS and PaaS provider by design.
■ The adoption of serverless PaaS (such as AWS Lambda and Azure Functions) further complicates security (see “Security Considerations and Best Practices for Securing Serverless PaaS”). With serverless PaaS, there is no traditional OS or VM for IT to use as a control point, so the problem of absolutely correct configuration becomes even more critical.
■ IaaS and PaaS capabilities are built to be “self-service” for the developers, removing IT and information security from the planning and deployments.
■ Developers aren’t security experts, yet they are being asked to make security and risk decisions (such as the use of encryption, key management, service authorization, the use of API gateways and so on). Without additional visibility and control, mistakes and misconfigurations are inevitable.
■ The shift to DevOps places an emphasis on speed and rapid iterations, making traditional security tools too slow, cumbersome and reactive to use for managing cloud risk. In addition, security and compliance checks need to be integrated directly into the development pipeline (DevSecOps).

Note that security is just one of a number of enterprise capabilities needed for overall cloud platform management. There is a broader category Gartner refers to as cloud management platforms that includes a broad portfolio of enterprise cloud management and operations capabilities (see “Magic Quadrant for Cloud Management Platforms”). This research note focuses on security-specific CSPM offerings, including the built-in capabilities of the cloud providers themselves.

Benefits and Uses

CSPM offerings provide continuous monitoring and assessment of compliance and risk across the variety of cloud services an enterprise is using. This is accomplished using the APIs of the underlying cloud platform, avoiding the use of agents. The benefits to security and risk management leaders include:

■ Policy visibility and consistent enforcement across multiple cloud providers.
■ Continuous discovery and identification of cloud workloads and services.
■ Alerting on risky new deployments or changes to the cloud environment, hosts or services.
■ Risk assessment versus frameworks and external standards (such as the International Organization for Standardization [ISO] and National Institute of Standards and Technology [NIST]).
■ Risk assessment versus technical policies and best practices (such as Center for Internet Security [CIS] and cloud service provider [CSP] best practices).
■ Continuous cloud risk management, risk visualization and risk prioritization capabilities.
■ Verifying that operational activities are being performed as expected (for example, key rotations).

The primary purpose of CSPM offerings is to continuously identify and remediate cloud infrastructure risks consistently across all of the cloud IaaS and PaaS platforms in use by an organization. Assessments cover a hierarchy of security, compliance and risk management needs, including identifying:

■ Where cloud configuration and settings violate compliance requirements, and where established account hygiene best practices are not being followed. This includes, for example, ensuring host OS logs are being gathered, API event logging is turned on and network flow logs are being gathered (if applicable).
■ Excessive account permissions. Highly empowered accounts, or accounts where permissions are granted but are never used, represent an increased surface area for attack. Developers often provision accounts and services with more permissions than necessary in the name of development speed and to reduce runtime issues, but this increases risk.
■ Accounts and services where multifactor or other strong authentication methods are not used.
■ Excessive or misconfigured network connectivity. Public clouds enable microsegmentation by default to enforce the principle of least privilege. Network connectivity should be provisioned to the minimum needed (also referred to as zero trust networking) (see “Zero Trust Is an Initial Step on the Roadmap to CARTA”).
■ Assets/workloads/services with direct connectivity to the internet.
■ SSH/RDP for remote management open to the public internet.
■ Data storage exposed directly to the internet.
■ Data storage and fileshares that are promiscuously shared.
■ Data/database storage services that are not kept encrypted at rest.
■ Improper use of encryption key management.
■ Expired keys/certificates, or ones nearing expiration.
■ Externally facing web servers without the use of a WAF or load balancer.
■ APIs exposed directly to the internet.
■ Use of API-based applications and services without the use of an API gateway control point.
■ Any areas of infrastructure where the observed runtime state has deviated in a risky way from the desired state. Ideally, you should proactively identify where the intended state of the developer deviates in a risky way from the desired state before being placed into production.

All of the market-leading CASB vendors (see “Magic Quadrant for Cloud Access Security Brokers”) have added CSPM capabilities, extending their cloud visibility and control platform capabilities to IaaS and PaaS. CASB vendors that offer CSPM capabilities bring additional context to the continuous risk/trust assessment capabilities. Most notably, CASB vendors bring knowledge of what sensitive data looks like and, conversely, what malware looks like. This provides a significant advantage when assessing the security posture. For example, an AWS S3 bucket may be designed to be exposed to the public internet; there are legitimate use cases for this. Most CSPM tools would flag this as a risk. However, a content-aware CSPM offering would prioritize an AWS S3 bucket exposed to the public internet that contains sensitive data. Thus, CASB content awareness provides the ability to risk-prioritize CSPM findings. Similarly, a perfectly configured and encrypted AWS S3 bucket may contain PII, PCI or other regulated data that the enterprise may not want placed in public cloud at all. A non-content-aware CSPM tool would miss this risk. Or a perfectly configured and encrypted AWS S3 bucket may contain malware that needs to be removed; a non-content-aware CSPM tool would miss this type of risk as well.

A complete CARTA-inspired CSPM offering (as shown in Figure 1) would not only continuously assess for risk, but also for trust/trustworthiness. For example, assessing and ensuring that:

■ Workloads are properly tagged (workloads without tags are typically considered to be rogue and quarantined or removed).
■ Workload, service and API identities are verified by hash, certificate or machine image source files.
■ Changes that are made to cloud infrastructure are implemented only using a defined change control process, from defined systems or scripts (for example, banning SSH for remote administration and requiring all changes be driven from development).
■ More advanced CSPM solutions are adding behavioral baselining to establish baseline levels of “normal” trusted behaviors and then using anomaly detection and clustering via machine learning to identify workloads that might be compromised.
■ Optionally, the workloads (VMs and containers) are patched and configured correctly.
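The assessment hierarchy above, and the Figure 1 gap between the posture the developer intended and the posture observed at runtime, as an added Python example that is not from the Gartner note or from any CSPM product. The resource records, rule set, severities and identifiers are all constructed for illustration; a real tool would assemble the "intended" records from a CloudFormation or Terraform template during the pre-deployment scan and the "actual" records from the cloud provider's read-only APIs.

```python
"""Minimal CSPM-style check: desired policy vs. intended (IaC) vs. actual (runtime).
Constructed example; resource records are simplified stand-ins for cloud API data."""
from dataclasses import dataclass, field


@dataclass
class Resource:
    rid: str                               # constructed id, e.g. "s3/customer-exports"
    kind: str                              # "bucket", "sg" (security group), "db" or "vm"
    props: dict = field(default_factory=dict)
    tags: dict = field(default_factory=dict)
    sensitive: bool = False                # content classification, as a CASB would supply


@dataclass(frozen=True)
class Finding:
    rid: str
    rule: str
    severity: str


# --- Desired security policy. Each rule returns a severity, or None if compliant.
def public_bucket(r):
    """Storage exposed to the internet. Public buckets have legitimate uses, so
    severity is driven by whether the content is sensitive (content awareness)."""
    if r.kind == "bucket" and r.props.get("public_read"):
        return "critical" if r.sensitive else "medium"
    return None


def admin_port_open_to_internet(r):
    """SSH/RDP for remote management reachable from anywhere."""
    if r.kind == "sg":
        for entry in r.props.get("ingress", []):
            if entry["port"] in (22, 3389) and entry["cidr"] == "0.0.0.0/0":
                return "high"
    return None


def unencrypted_database(r):
    """Database storage not kept encrypted at rest."""
    if r.kind == "db" and not r.props.get("encrypted_at_rest"):
        return "high" if r.sensitive else "medium"
    return None


def untagged_workload(r):
    """Workloads without an owner tag are treated as rogue."""
    if r.kind == "vm" and "owner" not in r.tags:
        return "low"
    return None


RULES = (public_bucket, admin_port_open_to_internet, unencrypted_database, untagged_workload)
ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def assess(resources):
    """Run every policy rule over every resource; findings come back risk-prioritized."""
    findings = []
    for r in resources:
        for rule in RULES:
            severity = rule(r)
            if severity:
                findings.append(Finding(r.rid, rule.__name__, severity))
    return sorted(findings, key=lambda f: (ORDER[f.severity], f.rid))


def drift(intended, actual):
    """Gap between what the developer intended (template) and what is observed at
    runtime: settings changed after deployment and resources created outside change control."""
    want = {r.rid: r for r in intended}
    changes = {}
    for r in actual:
        if r.rid not in want:
            changes[r.rid] = "created outside change control"
        elif (r.props, r.tags) != (want[r.rid].props, want[r.rid].tags):
            changes[r.rid] = "runtime configuration differs from template"
    return changes


# Constructed sample data: the template as written by the DevOps team ...
INTENDED = [
    Resource("s3/customer-exports", "bucket", {"public_read": False}, {"owner": "data"}, sensitive=True),
    Resource("s3/marketing-site", "bucket", {"public_read": True}, {"owner": "web"}),
    Resource("sg/bastion", "sg", {"ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]}, {"owner": "ops"}),
    Resource("rds/orders", "db", {"encrypted_at_rest": True}, {"owner": "data"}, sensitive=True),
]
# ... and the runtime inventory after two console edits and one ad hoc VM.
ACTUAL = [
    Resource("s3/customer-exports", "bucket", {"public_read": True}, {"owner": "data"}, sensitive=True),
    Resource("s3/marketing-site", "bucket", {"public_read": True}, {"owner": "web"}),
    Resource("sg/bastion", "sg", {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}, {"owner": "ops"}),
    Resource("rds/orders", "db", {"encrypted_at_rest": True}, {"owner": "data"}, sensitive=True),
    Resource("vm/i-scratch", "vm", {}, {}),
]

if __name__ == "__main__":
    for f in assess(INTENDED):
        print("pre-deployment:", f)        # only the intentionally public site bucket, medium
    for f in assess(ACTUAL):
        print("runtime:", f)               # public bucket holding sensitive data ranks first
    for rid, why in drift(INTENDED, ACTUAL).items():
        print("drift:", rid, why)
```

The same `assess()` run over the intended set is the pre-deployment scan the Evaluation Factors section calls for, and `drift()` is the intended-versus-actual comparison that flags changes made outside the pipeline.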

Adoption Rate

In “Hype Cycle for Cloud Security, 2018,” we placed CSPM just before the Peak of Inflated Expectations. We estimate that the adoption rate in mid-2018 was in the range of 1% to 5%. We estimate that this was close to 5% at YE18. Because of the critical need for CSPM capabilities and ongoing public disclosures of cloud breaches due to misconfiguration and mistakes, this market will more than double over the next several years, reaching adoption rates of 20% by 2021.

Risks

CSPM offerings fill an important gap, but there are limitations, such as:

■ Visibility. CSPM tools can’t assess what they can’t see. If your enterprise hasn’t yet taken steps to identify and curtail shadow IaaS/PaaS, the value of CSPM will be limited. Specifically, the enterprise should actively discourage and monitor for the personal use of cloud services where information security does not have visibility (for example, developers with personal accounts in AWS or Azure).
■ Paying too much. Because of the immaturity of the market, pricing models are highly variable. At the high end, we have seen CSPM contracts priced at $4,000 to $5,000 per account per year. While this might be reasonable for enterprises with a few dozen admin accounts, it is not reasonable when organizations use accounts as an isolation boundary (see “Reimagining Security and IT Resilience for a Cloud-Native DevSecOps World”). For example, we have seen cases where larger enterprises have more than 1,000 accounts in a single cloud IaaS platform. Increasing competition and newer market entrants have dropped pricing closer to $1,000 to $1,500 per account per year, with volume discounts bringing this under $1,000.
■ The stand-alone market for CSPM is unsustainable. The CSPM market has evolved to address a real and significant need, but it risks being subsumed into adjacent markets. The cloud providers themselves are improving their own capabilities. In terms of third-party alternatives, all leading CASB vendors provide some CSPM capabilities. In addition, some cloud workload protection platform (CWPP) vendors have added CSPM capabilities, and some vulnerability management vendors have entered the market (see “Market Guide for Cloud Workload Protection Platforms”). At the same time, the cloud providers are building out their own capabilities for their customers — albeit for their cloud services only. The CSPM market will not support the current large number of stand-alone CSPM offerings. On a positive note, if your CSPM provider is acquired or goes out of business, switching vendors is relatively easy, as they all use the documented APIs of the cloud providers.
■ Lack of consistent breadth across cloud platforms. Most CSPM vendors are very good at assessing AWS because that’s where the bulk of the enterprise IaaS workloads are. Many have introduced support for Azure. Very few support GCP, and even fewer assess VMware on-premises. Most enterprises have a mix of several of these.
■ Lack of consistent depth within a cloud platform. Even if AWS is supported by a CSPM provider, does it understand and support the assessment of all 160 AWS cloud services capabilities? The risk is that even with a CSPM tool in use, there are security blind spots that you aren’t aware exist, creating a false sense of security.
■ Lack of data context. Many CSPM solutions do not understand the context of the data — whether the content is sensitive or malicious — and both are critical to understanding and prioritizing cloud risk.
■ Lack of workload vulnerability and configuration context. The control plane around a workload may be perfectly configured, but if the workload itself is missing a critical patch or setting, this is a risk that needs to be addressed. This typically is a requirement filled outside of the CSPM offering by more traditional vulnerability management vendors.
■ Being reactive. Many CSPM tools are designed to identify risk and compliance issues after the cloud workload is already deployed, leaving a small window of exposure until the issue can be remediated. Further, even if issues are identified, many enterprises are reluctant to automate responses, increasing exposure. Ideally, the CSPM offering performs scanning predeployment, rather than just runtime assessments.
■ Limited staff. CSPM offerings identify areas of excessive risk and noncompliance, but who exactly will monitor these alerts? A shortage of skilled cloud security resources risks limiting the usefulness of CSPM. Automated remediation capabilities help, but there will always be cases that require a person to get involved.

Evaluation Factors

We offer the following guidance when designing the CSPM strategy and evaluating CSPM offerings:

■ Where are the CSPM assessments performed from? Most offerings are software delivered in the form of a virtual machine image that can be installed directly in the customer’s cloud infrastructure. Many vendors also offer delivery as a cloud service, performing the assessments on the customer’s behalf and accessing the APIs of the cloud provider using read-only security accounts.
■ How often are assessments performed? This should be modifiable by the customer. In addition to scheduled scans, on-demand scans should be directly driven by events. For example, the creation of a new storage object would trigger an automatic assessment of the object for risk and compliance.
■ Where does the assessment data go and how is it protected? Like any vulnerability data, CSPM assessment data is extremely sensitive. The cloud configuration and risk information provides a roadmap for attackers if disclosed. Even if CSPM scanning is provided as a service, the data should remain in the customer’s direct control and be treated like all other sensitive data.
■ Breadth of cloud platform coverage. AWS, Azure and Google Cloud Platform are the most commonly requested public CIPS platforms from enterprise customers.
■ Coverage of isolated public cloud platforms. Some IaaS regions (for example, in China and .gov clouds) are isolated by design from other regions. CSPM offerings that depend on cross-account visibility may not function without engineering work to get visibility in these clouds.
■ On-premises cloud platform assessments. Very few CSPM vendors provide this, as many enterprises have solutions already in place for their own data centers. VMware is most commonly requested, with occasional requests for OpenStack with KVM.
■ “Micro” cloud platform assessments. There is significant interest in and uptake of Linux containers in public and private clouds. These environments are cloud platforms in and of themselves, and need to be assessed as such (for example, assessing Docker and Kubernetes configurations according to industry standards for secure configuration). This capability must cover managed Kubernetes services (such as AWS ECS, Amazon EKS, AWS Fargate, Azure Kubernetes Service and Google Kubernetes Engine), as well as on-premises deployments of Kubernetes like Red Hat OpenShift.
■ Breadth of PaaS services covered. Network, storage and compute are the core building blocks of IaaS, but there are dozens of PaaS services in use by most enterprises that must also be assessed: for example, message queuing, data analytics, data warehouses, relational database services, serverless PaaS and so on. All of these need continuous assessment for risk and compliance. This is an area where CASB vendors fall short, as they typically focus first on the core services.
■ Breadth of SaaS services covered (if any). CASB vendors have an edge here. Most CSPM vendors that started with IaaS do nothing at the SaaS layer. However, conceptually, the issues of identifying excessive permissions, misconfiguration, exposed sensitive data and malware are the same in SaaS services (such as OneDrive, Box, Dropbox and so on) as they are in IaaS.
■ Assessment of accounts, services and other cloud security principals for excessive entitlements. Based on historical API and service usage patterns, some CSPM offerings can suggest authorization policies to be implemented and trimmed to implement least privilege.
■ Monitoring of user accounts for risky behaviors. User accounts within cloud services should be monitored for behaviors indicative of a compromised account or insider threat. This is a form of embedded UEBA specific to user/administrator behaviors in cloud platforms (see “Market Guide for User and Entity Behavior Analytics”).
■ Breadth of built-in compliance framework assessments supported. Depending on the specific requirements of the enterprise, support for PCI, HIPAA, HITRUST, FINRA, FISMA, NIST and similar regulations may be required. Privacy assessments against the GDPR and emerging similar requirements in India, Australia and other regions should also be supported. Also, assessments against best practices from vendors and third parties (such as the Center for Internet Security) should be supported.
■ Built-in compliance reporting for auditors. Ideally, the CSPM offering provides built-in standard reports for common compliance requirements to demonstrate continuous compliance to auditors.
■ Ability to customize policy assessments and reports. Most enterprises have their own policies for secure cloud configuration. The CSPM offering should provide the ability to extend or modify the risk ratings, weightings and subsequent prioritization based on the enterprise’s specific needs.
■ Ability to take automated action when issues are identified. For some extremely risky situations, automated remediation should be an option (for example, removing storage buckets from being shared on the public internet and removing workloads instantiated without tags).
■ When automated actions are required, how are these actions taken? Does the CSPM offering use its own scripting language? Is this customizable? Other CSPM providers are building out a library of serverless PaaS functions to trigger on specific situations. Again, are these modifiable by the customer? Is there a community to share common response actions?
■ Ability to identify sensitive data. This ability helps to prioritize risk. How are sensitive data policies defined? Can DLP policies developed for on-premises sensitive data identification be used or imported? What common dictionaries are provided by the vendor? More advanced offerings may integrate with the cloud provider’s native data classification technology where applicable (for example, AWS Macie and Azure Information Protection).
■ Ability to identify malware and other embedded attacks. There is a risk that cloud storage repositories become conduits for the spread of malware, especially if unmanaged machines and external users are sharing data. Security vendors with malware detection capabilities (typically using a combination of signature, machine learning and sandboxing techniques) will have an advantage, or CSPM offerings will need to partner for these capabilities.
■ Ability to map, visualize and control cloud IaaS and PaaS network connectivity. Proper network segmentation is foundational to cloud security, and visualization capabilities are imperative to be able to understand cloud service connectivity, flows and patterns within a cloud and across clouds. Based on historical flows, some CSPM offerings can suggest network policies to implement zero trust/least privilege networking. Advanced offerings can allow analysis, visualization and control of network segmentation policies across multiple cloud providers, and a few can extend this to on-premises network policies as well.


■ Ability to scan for issues proactively in development. Ideally, CSPM assessments would take place in development, delivering against the vision of DevSecOps (see “10 Things to Get Right for Successful DevSecOps”). Issues identified should be resolved before placing the workloads and services into production.
■ CI/CD pipeline support. Some CSPM offerings that support scanning in development can scan and assess development artifacts directly for embedded cloud risk. This includes, for example, assessing Chef, Puppet, Ansible, AWS CloudFormation, VMware vRealize Automation and similar scripting languages/frameworks used to create cloud environments (referred to as continuous configuration automation tools) (see “Market Guide for Continuous Configuration Automation Tools”). Risky or noncompliant configurations can be identified early on, and the results provided directly to the developer in their own environment (such as via Slack, JIRA or the developer dashboard).
■ Self-service guardrails. Consider the creation of a new storage object. Cloud administrators and developers need to correctly configure the dozens of settings for a storage object to be considered compliant and secure. Alternatively, why not have the person request the storage object and have it securely created for them? In this way, developers can use cloud services and capabilities that are preconfigured for security, empowering self-service but setting guardrails.
■ Risk-prioritized console and dashboard. Ultimately, the cloud security architect or CISO may want to get a snapshot view of cloud risk. The CSPM provider should offer a role-based, customizable risk dashboard/heat map for specific roles to get visibility into overall cloud risk and security posture. Advanced CSPMs will offer integration into the native risk dashboard of the cloud provider (for example, AWS Security Hub and Azure Security Center). The console should highlight areas of excessive risk, calculate an overall security posture score and be able to predict how risk would be reduced/security posture improved if specific identified conditions were remediated.
■ The entire platform should be fully API enabled. CSPM offerings should not require the use of the console to set policies and perform security posture assessments. Every activity in the console should be available via documented APIs. This helps with integration into cloud automation efforts both in development and for production visibility, monitoring and response.
■ Ability to view historical information. The tool should be able to provide forensics-like investigation and incident response capabilities, offering a view of all cloud security posture changes over time and an ability to see the exact configuration at points in the past.
■ Integration into other enterprise security infrastructure. The output of a CSPM offering should be linked to an enterprise SIEM, and risks surfaced through an enterprise governance, risk and compliance tool where relevant.


■ Workload configuration and vulnerability assessment. A comprehensive view of cloud risk should also extend to the security posture of the workloads themselves. For example, are they patched and configured correctly? The CSPM tool should be able to import this data from a workload vulnerability assessment offering (see Note 3) and overlay it onto its view of the cloud network topology, or it may provide vulnerability and configuration scanning capabilities directly or as a separately priced module. Optionally, the CSPM may integrate with the cloud provider’s assessment agent where available (for example, AWS Inspector and Azure Security Center).

■ Cloud threat detection for workloads. A comprehensive view of cloud risk would extend to monitoring the runtime behaviors of cloud workloads. The workload itself may be perfectly configured along with its PaaS services, but if its behavior is deviating from normal baselines, or it is exhibiting behavior associated with an attack (for example, a callout to a known command-and-control (CNC) server), then this is a risk that should be addressed. This requires embedded analytics capabilities from the CSPM provider. This capability is most often provided by a CWPP provider from within the workload or directly from the cloud provider.

■ Licensing model. Most CSPM offerings are licensed per account per year on a subscription basis. If the number of administrative accounts is large, an alternative model would be based on the number of IaaS/PaaS resources used or the number of security principals used — again, on a subscription basis.
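The capabilities above (a weighted posture score, a prediction of how the score improves if one finding is remediated, and a historical view of posture changes between two points in time) can be illustrated with a small rule evaluator. This is an added example, not code from the Gartner note or from any CSPM vendor; the rule ids, weights and the two bucket inventories are constructed for the example, with field names that only mirror the shape of S3 public-access-block and ACL data rather than being pulled from a real account.

```python
"""Minimal CSPM-style posture evaluator: an added example, not code from the Gartner
note or any vendor. It scores constructed bucket snapshots, predicts the score after
one remediation and diffs two points in time (the historical view)."""
from typing import Dict, List, Tuple

# Rule table: (rule id, risk weight, predicate that is True when compliant). Field
# names mirror the shape of S3 public-access-block/ACL data; values are constructed.
RULES = [
    ("S3_BLOCK_PUBLIC_ACLS", 10, lambda b: b["PublicAccessBlock"]["BlockPublicAcls"]),
    ("S3_RESTRICT_PUBLIC_BUCKETS", 10, lambda b: b["PublicAccessBlock"]["RestrictPublicBuckets"]),
    ("S3_NO_ALLUSERS_GRANT", 8, lambda b: "AllUsers" not in b["AclGrantees"]),
    ("S3_DEFAULT_ENCRYPTION", 5, lambda b: b["DefaultEncryption"]),
    ("S3_VERSIONING", 2, lambda b: b["Versioning"]),
]

def evaluate(inventory: Dict[str, dict]) -> List[Tuple[str, str, int]]:
    """Return one finding (bucket, rule id, weight) per failing rule."""
    return [(name, rule_id, weight)
            for name, cfg in inventory.items()
            for rule_id, weight, compliant in RULES if not compliant(cfg)]

def posture_score(inventory: Dict[str, dict], findings=None) -> int:
    """0-100 posture score: weighted failures against the maximum possible weight."""
    if findings is None:
        findings = evaluate(inventory)
    max_weight = sum(w for _, w, _ in RULES) * len(inventory)
    lost = sum(w for _, _, w in findings)
    return round(100 * (1 - lost / max_weight)) if max_weight else 100

def predict_after_remediation(inventory, bucket_name, rule_id) -> int:
    """What-if view: the score if this one finding were fixed and nothing else changed."""
    remaining = [f for f in evaluate(inventory) if f[:2] != (bucket_name, rule_id)]
    return posture_score(inventory, remaining)

def posture_diff(before, after) -> Dict[str, List[str]]:
    """Historical view: findings that appeared or were resolved between two snapshots."""
    b, a = set(evaluate(before)), set(evaluate(after))
    return {"new": sorted(f"{n}:{r}" for n, r, _ in a - b),
            "resolved": sorted(f"{n}:{r}" for n, r, _ in b - a)}

def bucket(block_acls=True, restrict=True, grantees=(), enc=True, ver=True) -> dict:
    return {"PublicAccessBlock": {"BlockPublicAcls": block_acls,
                                  "RestrictPublicBuckets": restrict},
            "AclGrantees": list(grantees), "DefaultEncryption": enc, "Versioning": ver}

# Constructed inventories at two points in time: at t1 someone has loosened the
# public-access block on the customer-data bucket and added a public ACL grant.
SNAPSHOT_T0 = {"customer-data": bucket(), "logs": bucket(ver=False)}
SNAPSHOT_T1 = {"customer-data": bucket(block_acls=False, grantees=["AllUsers"]),
               "logs": bucket(ver=False)}
```

Running `posture_diff(SNAPSHOT_T0, SNAPSHOT_T1)` surfaces the two new findings on the customer-data bucket, and `predict_after_remediation` shows how much of the score drop a single fix would recover, which is the prioritization signal a dashboard would present.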

CSPM Alternatives

Doing it yourself — Since all of the scanning can be performed using documented APIs of the major cloud providers, some larger enterprises have built their own CSPM capabilities. As the market matures, pricing drops and enterprise multicloud usage expands, we expect very few organizations will attempt this themselves.

The cloud providers themselves — The major cloud providers have a vested interest in helping their customers securely use their cloud services. All of the IaaS market leaders are building out their own CSPM capabilities and security dashboards (for example, AWS Trusted Advisor, AWS Security Hub, Azure Security Center and Google Cloud Security Command Center). This may be sufficient if an organization is only using a single IaaS/PaaS provider.

CASBs — Not every enterprise will require a dedicated, third-party CSPM offering. Many will use their enterprise CASB to fill this need and pay an additional license fee for this capability. CASBs have a slight advantage in the CSPM market, as they provide visibility and control across IaaS, PaaS and SaaS, whereas most pure-play CSPM offerings focus on IaaS and PaaS services only. CASB providers also bring data context (sensitive data and malware) to the CSPM assessments for risk prioritization. Extending CASB projects to continuously assess IaaS/PaaS risk is a best practice (see “10 Best Practices for Successful CASB Projects”).


CWPP vendors — Several of the CWPP providers have entered the CSPM market as a logical adjacency (for example, CloudPassage, Cloudvisory, Crowdstrike, Lacework, Threat Stack and, most recently, Sophos). CWPP vendors protect workloads from the inside, while CSPM vendors protect workloads from the outside. In addition, McAfee and Symantec are two large CASB providers that also have CWPP and CSPM capabilities, providing visibility, risk and security protection for all three cloud security markets — CWPP, CSPM and CASB.

Vulnerability assessment/management providers — There is an established and robust market for workload vulnerability and configuration management offerings from vendors such as BMC, Cavirin, Qualys, Rapid7, Tenable and others. A complete view of risk would include the workloads themselves, rather than just the control plane configuration. BMC and Cavirin have already entered the CSPM space.

Cloud management platforms — Security and compliance are just one requirement of a broader capability for cloud management. There is a broader market referred to as cloud management platforms (CMP) (see “Magic Quadrant for Cloud Management Platforms”), which has market capabilities that overlap with the CSPM market. Security and identity (that is, CSPM) is one of eleven categories of capabilities (see Figure 2).

Figure 2. Cloud Management Platform Capabilities

Source: Gartner (January 2019)


If the organization has purchased a CMP offering, its security module may provide sufficient security-specific CSPM capabilities so that a third-party solution is not needed. Typically, the cloud operations or cloud billing team has already purchased a CMP solution to help them with inventory, billing and resource utilization. However, many of the CSPM vendors listed in this note do not compete in the broader CMP market and focus only on security, providing a level of depth and breadth in security and compliance capabilities that broader CMP vendors don’t yet match.

Recommendations

To begin preparing for a CSPM deployment, security and risk management leaders should:

■ Ensure they have visibility into all their enterprise cloud workloads and PaaS services. You can’t secure what you can’t see.

■ Continuously scan network and secure web gateway logs for personal use of IaaS and PaaS services that would otherwise be invisible to security and compliance monitoring. Encourage these people to use accounts within an enterprise account structure so that CSPM can be enabled.

■ Investigate to see if the enterprise cloud operations team has already purchased a CMP tool. Several of the leading CMP offerings have solid security and compliance capabilities and may provide enough CSPM capability to meet your requirements.

■ Use what each cloud provider offers built-in, most of which is available at no additional cost, if they have no budget for a CSPM tool in 2019. Having different policies enforced differently across different clouds is not optimal, but it is better than no visibility and control at all.

■ See if the CASB vendor can provide sufficient CSPM capabilities that meet their requirements, if they are planning a CASB deployment in 2019 (or have already deployed a CASB).

■ Scan cloud data repositories for sensitive data and malware, regardless of whether they use a CSPM tool or another solution.

When evaluating third-party CSPM solutions:

■ Prioritize the ability of the CSPM offering to respond and take actions to remediate, rather than just to provide alerts and reports.

■ Prioritize the multicloud use case. The reality is that most organizations will have two or more IaaS/PaaS providers in use. Hybrid support for on-premises CSPM assessments is a nice-to-have option, as most enterprises already have sufficient controls for their on-premises data centers.


■ Sign contracts of one to two years only, as the market consolidates and prices inevitably drop due to the immaturity of the market.

■ Choose a licensing model that makes the most sense for your enterprise.

Representative Providers

Gartner is currently tracking approximately 25 third-party providers of CSPM capabilities in this emerging space, including the cloud providers themselves. The barriers to entry for this market are low, as all of the assessments and information can be gathered from the public cloud providers using documented APIs. As expected with technologies nearing the Peak of Inflated Expectations, there have been several early acquisitions by established security providers — most notably Palo Alto Networks, Check Point Software, VMware and Sophos.

Cloud IaaS/PaaS providers with built-in CSPM capabilities:

■ AWS Trusted Advisor, AWS Config, AWS Security Hub and AWS Control Tower
■ Azure Security Center, Azure Policy, Azure Management Groups and Azure Blueprints
■ Google Cloud Security Command Center

Third-party CSPM providers:

■ Alert Logic
■ BMC
■ Caveonix
■ Cavirin
■ Check Point Software (acquired Dome9)
■ Cloud Conformity
■ CloudAware
■ CloudCheckr
■ Cloudneeti
■ Cloudnosys
■ Cloudvisory


■ CloudPassage
■ Crowdstrike (Falcon Discover for AWS)
■ DivvyCloud
■ Fugue
■ Lacework
■ Outpost24 (acquired SecludIT)
■ Palo Alto Networks (acquired Evident.io and RedLock)
■ Saviynt
■ Sonrai
■ Sophos (acquired Avid Secure)
■ Threat Stack
■ Turbot
■ VMware (acquired CloudHealth and CloudCoreo)

CASB vendors with specific CSPM capabilities for IaaS/PaaS:

■ Bitglass
■ McAfee (acquired Skyhigh Networks)
■ Netskope (acquired Swift Security)
■ Oracle
■ Palo Alto Networks (acquired Evident.io and RedLock)
■ Symantec

Evidence

1 AWS S3 buckets exposed:

■ “2018 Ends With One More AWS Exposed Data Mishap,” AWS Insider.
■ “Pocket iNET ISP Exposed 73GB of Sensitive Data on Misconfigured S3 Bucket,” Latest Hacking News.
■ “119,000 Passports and Photo IDs of FedEx Customers Found on Unsecured Amazon Server,” Gizmodo.
■ “Cloud Leak: WSJ Parent Company Dow Jones Exposed Customer Data,” UpGuard.
■ “Expert Discovered RoboCent AWS S3 Bucket Containing U.S. Voters’ Records Exposed Online,” Security Affairs.
■ “Dark Cloud: Inside the Pentagon’s Leaked Internet Surveillance Archive,” UpGuard.

Note 1 CARTA

Continuous adaptive risk and trust assessment (CARTA) is a strategic framework for the evolution of information security where the organization’s cybersecurity posture is continuously adapted and risk optimized to desired levels. This is achieved by the continuous assessment of all digital entities, their attributes, their environment and their behaviors for relative levels of risk and trust in development and in production. When the risk is too high, or the trust is too low, security infrastructure (and the resultant security posture) adapts to achieve desired risk levels.

Note 2 Cybersecurity Posture

Cybersecurity posture is a relative measure of the overall security strength of an enterprise across policies, processes and controls for the proactive and reactive protection of its digital assets. “Posture,” like health, is not an absolute yes or no; rather, it is a relative measure. Perfect protection isn’t possible, but the move to measure, improve and risk-optimize enterprise cybersecurity posture will reduce the likelihood of a successful attack and, when an attacker inevitably gains a foothold, reduce the ability to cause damage.

Note 3 Example Workload Vulnerability/Configuration Assessment Tools

■ Cavirin
■ Outpost24
■ Qualys
■ Rapid7
■ Tenable

© 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity."
