As enterprises shift their workloads to the cloud, securing cloud environments has become an imperative.
Gartner forecasts that worldwide public cloud spending will increase by 18.4% in 2021 to a total of $304.9 billion. The market research firm predicts that the proportion of IT spending shifting to the cloud will accelerate, with the cloud projected to make up 14.2% of the total global enterprise IT spending market in 2024, up from 9.1% in 2020.
As organizations shift IT spending more to cloud services, they are facing more regulations, a high rate of data loss, and a surge in attacks on their cloud apps.
To confront these challenges, they will need to gain visibility and security for their software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) clouds. Several categories of tools can help organizations secure their cloud environments. Below, we'll examine four options that are growing in adoption at a high level.
CASB (Cloud Access Security Broker)
The Cloud Access Security Broker (CASB) is essentially a firewall for cloud services. It provides a security policy enforcement gateway to ensure that users’ actions are authorized and compliant with company security policies.
A CASB can identify all the cloud services used by an organization, including shadow IT (unapproved or unmanaged SaaS and PaaS products), and raise alerts when necessary. It enables cloud usage tracking, reporting, and logging; assessment of the risks posed by shadow IT; and event monitoring.
A CASB has auditing and reporting tools for regulatory compliance, including for data stored in the cloud. These tools provide user authentication, authorization, and policy enforcement, such as moving and encrypting files, changing permissions, and filtering messages.
Threat protection is another area where a CASB can help an organization. A CASB protects cloud services for authorized users and applications and provides anti-phishing, account takeover, URL filtering, malware detection, and sandbox protections.
In terms of data security, a CASB can monitor access to data and enforce data-centric security policies by providing granular access controls, such as access to cloud services only through designated devices or platforms. It also offers policy-based encryption.
CWPP (Cloud Workload Protection Platform)
A Cloud Workload Protection Platform (CWPP) provides a workload-centric security protection solution for all types of workloads, including physical servers, virtual machines (VMs), containers, and serverless workloads. CWPP furnishes a single pane of glass for visibility and protection across on-premises and cloud environments.
According to Gartner, CWPP encompasses eight layers of control. In order of importance, these capabilities include:
- Hardening, configuration, and vulnerability management, including scanning for vulnerabilities before software is pushed to production
- Network firewalling, visibility, and microsegmentation
- System integrity assurance
- Application control and allowlisting
- Exploit prevention and memory protection
- Server workload EDR, behavioral monitoring, and threat detection and response
- Host-based IPS with vulnerability shielding
- Anti-malware scanning
A CWPP provides a number of benefits, including the ability to identify vulnerabilities earlier in the CI/CD process, faster detection of exploits and active threats, and greater context and investigative capabilities when responding to an incident. CWPP solutions that map observed activity to the MITRE ATT&CK enterprise matrix provide analysts and investigators with greater context and help them understand the severity of an incident.
CSPM (Cloud Security Posture Management)
While CWPP protects workloads from the inside, Cloud Security Posture Management (CSPM) protects workloads from the outside by assessing secure and compliant configurations of the cloud platform’s control plane.
To accomplish this, CSPM provides a set of tools that support compliance monitoring, integration with DevOps processes, incident response, risk assessment, and risk visualization.
A CSPM solution identifies unknown or excessive risk across an organization’s entire cloud estate, including cloud services for compute, storage, identity and access, and more. It offers continuous compliance monitoring, configuration drift prevention, and security operations center investigations.
Organizations should create policies to define the desired state or configuration for their cloud infrastructure; they can then use a CSPM product to monitor compliance with those policies. This enables enterprises to detect and address configuration issues affecting their cloud environments as described by the Center for Internet Security (CIS) benchmarks for cloud providers and the MITRE ATT&CK cloud matrix.
CSPM tools automatically check the cloud environment for compliance and security violations and provide automated steps to remediate them. With CSPM tools, organizations can become aware of new risks to their environments, guard against breaches, and build a set of uniform cloud configurations.
CNAPP (Cloud-Native Application Protection Platform)
Combining the capabilities of CWPP and CSPM, the Cloud-Native Application Protection Platform (CNAPP), a term coined by Gartner, scans workloads and configurations in development and protects them at runtime.
Securing cloud-native applications involves a continuous set of processes focusing on identifying, assessing, prioritizing, and adapting to risk in cloud-native applications, infrastructure, and configuration.
Cloud-native applications require a systematic approach to identity and entity management and embrace a least-privilege, or zero trust, security posture. Robust cyber hygiene around identity management for developers and users must be a part of the strategy.
CNAPP tools provide unified visibility for SecOps and DevOps teams, a set of capabilities to respond to threats and secure cloud-native apps, and automation of vulnerability and misconfiguration remediation.
A CNAPP identifies and prioritizes all workloads, data, and infrastructure across endpoints, networks, and cloud based on risk. It guards against configuration drift and supplies vulnerability assessments across VMs, containers, and serverless environments.
Using CNAPP, organizations can build policies based on zero trust and observe behaviors to eliminate false positives and achieve scale with good behavior enforcement. It empowers security operations centers by mapping cloud-native threats to the MITRE ATT&CK enterprise and cloud matrices.
Having separate CWPP and CSPM tools for the same teams means unnecessary overhead and additional training for employees. It makes sense that these will collapse into a CNAPP solution.
Which Is Your Best Option?
Which tools an organization selects depends on its priorities. If its primary concern is to control enterprise cloud usage, then CASB is probably the best option.
If the organization’s priority is to protect its workloads on the cloud and reinforce application security, CWPP is likely the better choice. The organization should evaluate if its current workload security solution can cope with the cloud services it uses now. For example, if it is using containers, its workload security product should be able to inspect the containers for security risks.
If the company's most pressing need is to comply with cloud configuration best practices, then CSPM is most likely the best solution. CSPM tools use the cloud provider's application programming interfaces to automate security benchmark and audit checks, which helps you avoid, for example, a leaky S3 bucket with customer data exposed to the internet.
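As an added illustration (not Uptycs code, and not the logic of any real CSPM product) of the desired-state check described above, the following evaluates S3 bucket settings against a "no public exposure" policy. The input is a constructed snapshot shaped like what a tool would collect through the AWS S3 APIs (the Block Public Access settings, ACL grantee URIs, and the policy's IsPublic flag), so it runs offline; the field names and sample buckets are assumptions.

```python
# Added example: a minimal CSPM-style policy check for the "leaky S3 bucket"
# case. The snapshot fields mirror data a real tool would fetch via the AWS
# APIs (GetPublicAccessBlock, GetBucketAcl, GetBucketPolicyStatus); values
# here are constructed, not taken from a live account.
from dataclasses import dataclass, field

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

@dataclass
class BucketSnapshot:
    name: str
    public_access_block: dict = field(default_factory=dict)  # BlockPublic* booleans
    acl_grantee_uris: list = field(default_factory=list)     # group URIs in ACL grants
    policy_is_public: bool = False                           # PolicyStatus.IsPublic

def check_bucket(b: BucketSnapshot) -> list:
    """Return finding strings; an empty list means the bucket passes."""
    findings = []
    pab = b.public_access_block
    # Desired state (CIS-style): all four Block Public Access settings enabled.
    missing = [k for k in PAB_KEYS if not pab.get(k, False)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    # A global-group ACL grant is live exposure only when public ACLs are not ignored.
    if {ALL_USERS, AUTH_USERS} & set(b.acl_grantee_uris) and not pab.get("IgnorePublicAcls", False):
        findings.append("ACL grants access to a global group")
    # A public bucket policy is live exposure only when the bucket is not restricted.
    if b.policy_is_public and not pab.get("RestrictPublicBuckets", False):
        findings.append("bucket policy is public")
    return findings

def audit(snapshots) -> dict:
    """Map bucket name -> findings, keeping only buckets that fail the policy."""
    results = {}
    for b in snapshots:
        findings = check_bucket(b)
        if findings:
            results[b.name] = findings
    return results

# Constructed sample data: one compliant bucket and one exposed bucket.
SAMPLE = [
    BucketSnapshot("customer-data-prod", dict.fromkeys(PAB_KEYS, True)),
    BucketSnapshot("legacy-exports",
                   {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
                   acl_grantee_uris=[ALL_USERS], policy_is_public=True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

A real deployment would feed `audit()` from the provider API and turn each finding into a remediation step (for example, enabling the missing Block Public Access settings), which is the automation the CSPM category promises.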
In choosing the right platform, an organization should clearly define its cloud security needs and communicate with stakeholders and business executives about those needs.
Uptycs provides CNAPP (CWPP+CSPM) capabilities to secure your cloud workloads. Request a demo here!
Tyson Supasatit is Senior Technical Product Marketing Manager at Uptycs and helps the security community think differently about their endpoint data. Prior to Uptycs, Tyson spent nine years at ExtraHop helping people to think differently about network data. From 2000 to 2005, he wrote and edited the Association for...