The cloud security solutions market is growing rapidly and there are many types of solutions to support your specific business needs. But figuring out the right tool, let alone the right type of tool, can be difficult. This guide distills the main concepts of 5 archetypes that fall under the broader cloud security management platform umbrella:
We will look at what each tool category does and highlight some notable features.
In these sections, we will look at the best deployment patterns and implementation scenarios for each tool.
Per Gartner, deployment patterns for cloud fall into 3 general groupings:
Gartner assessed CASB, CWPP, and CSPM tools across these 3 deployment patterns for single, multi, and hybrid cloud implementations. We will take a look at how they ranked and in what scenarios the tool category could be most useful. Please note that Gartner has not yet formally assessed the CIEM and CNAPP archetypes.
Why use a particular tool category? What are the potential drawbacks to be aware of? We’ll break down the positives and negatives for each one.
CASBs are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers (CSPs) to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention, etc.
According to Gartner, CASBs are most effective on SaaS deployments for single and multi-cloud implementations. CASBs are also somewhat effective in mixed deployments.
According to Gartner, CWPPs are workload-centric security offerings that target the unique protection requirements of workloads in modern hybrid, multi-cloud data center architectures. In plain English, CWPPs help organizations protect their capabilities or workloads (applications, resources, etc.) running in a cloud instance.
CWPP capabilities vary across vendor platforms, but typically include functions like system hardening, vulnerability management, host-based segmentation, system integrity monitoring, and application allow lists. CWPPs enable visibility and security control management across multiple public cloud environments from a single console.
Gartner divides CWPP vendors into eight categories:
In its 2020 Market Guide for Cloud Workload Protection Platforms, Gartner states that workloads are becoming more granular—with shorter life spans—as organizations continue to adopt DevOps-style development patterns, with multiple iterations deployed per week or even per day. The best way to secure these rapidly changing and short-lived workloads is to take a proactive approach. By incorporating security via DevSecOps through the use of Infrastructure as Code templates, pre-deployment vulnerability management, and code scanning, workloads are protected from the very beginning.
Gartner states that the best possible context for a CWPP is a single provider IaaS, particularly where there are requirements for additional security capabilities to protect workloads.
CSPM solutions continuously manage cloud security risk. They detect, log, report, and provide automation to address issues. These issues can range from cloud service configurations to security settings and are typically related to governance, compliance, and security for cloud resources.
CSPM tools focus on 4 key areas:
CSPM tools are most effective when used in multi-cloud IaaS environments. They can also protect IaaS elements of mixed deployments.
Most CSPM limitations are linked to their interconnections with native CSP security controls. For example, CSPMs:
In its 2020 Cloud Security Hype Cycle, Gartner included a new category and corresponding “C” acronym, CIEM. This new archetype describes solutions focused on cloud Identity and Access Management (IAM), which is often too complex and dynamic to be managed effectively by native CSP tools alone. The emerging CIEM category is designated for technologies that provide identity and access governance controls, with the goal of reducing excessive cloud infrastructure entitlements and streamlining least-privileged access controls across dynamic, distributed cloud environments.
A CIEM is best used in IaaS and PaaS environments.
Many CIEM solutions are not constructed holistically; rather, many vendors that deal with IAM outside the cloud are creating piecemeal solutions based on separate products that deal with identity governance and administration, access management, and multi-factor authentication. Managing identity and access in the cloud requires a much broader contextual understanding of an organization’s cloud environments and the various complex policy layers that determine access and permissions.
Gartner recently designated CNAPP as a new category to reflect emerging trends in cloud security. CNAPPs bring application and data context in the convergence of the CSPM and CWPP archetypes to protect hosts and workloads, including VMs, containers, and serverless functions.
The term CNAPP is often used interchangeably with a non-Gartner acronym, CNSP, or Cloud-Native Security Platform.
A CNAPP is best used in IaaS and PaaS environments.
Strong automation and orchestration
The combination of capabilities and broad positioning across the CSPM, CWPP, and CIEM categories supports InsightCloudSec’s placement into Gartner’s newest archetype, CNAPP (or CNSP in non-Gartner lingo). With its DivvyCloud DNA, InsightCloudSec has strong roots in the CSPM category and is recognized as an industry leader in this capacity.
With the recent addition of Kubernetes protection brought in from Alcide, InsightCloudSec now ensures secure configurations and workloads through automated cloud security and vulnerability management across dynamic cloud environments. This new capability checks the box for the CWPP category.
Furthermore, InsightCloudSec’s Cloud IAM Governance module manages identity and access effectively across ephemeral cloud resources. This capability fits us into the CIEM category as well.
We’ve approached cloud security in a unique way. Here’s how we’re different.
Multi-cloud from the start. This is important because a majority of organizations don’t rely solely on a single CSP; rather, they use a combination of CSPs and/or containers to make up their cloud-native environment. In a multi-cloud environment, you can’t just audit AWS, you have to audit AWS, Azure, GCP, Alibaba Cloud, Kubernetes, etc. And even those that don’t currently use more than one CSP will likely be multi-cloud in the future—either through mergers and acquisitions or through the natural course of innovation among product development teams.
Unified visibility and monitoring. Unified visibility allows you to monitor and understand security and compliance across all of your clouds and containers. InsightCloudSec standardizes multi-cloud data as an asset inventory to make cloud security more accessible, even as new services are released by CSPs. For example, rather than exposing provider-specific resource names like S3 Bucket (AWS), Blob Storage Container (Azure), or Cloud Storage (Azure), InsightCloudSec uses the normalized term “Storage Container” for all of them. With InsightCloudSec’s standardized asset inventory, you can apply a unified policy and automated real-time remediation across all of your environments for an approach that is sustainable, comprehensive, and forward-looking.
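As an added illustration (not InsightCloudSec's code or data model), the following Python sketch shows the normalization idea above: provider-specific storage records, with assumed field names and a constructed three-record inventory, are mapped onto one "Storage Container" type so that a single "no public read" policy can be evaluated across clouds.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StorageContainer:
    """Provider-neutral asset record: the 'Storage Container' of the text."""
    provider: str
    name: str
    public: bool  # true when anonymous internet principals can read objects


# Constructed sample inventory, one record per cloud, in provider-native shape.
# Field names are assumed for illustration and are not any vendor's schema.
RAW_INVENTORY = [
    {"cloud": "aws", "type": "s3_bucket", "Name": "acme-logs", "Acl": "public-read"},
    {"cloud": "azure", "type": "blob_container", "name": "backups", "publicAccess": "None"},
    {"cloud": "gcp", "type": "gcs_bucket", "name": "site-assets",
     "iamBindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
]

# GCS principals that grant access to anyone on the internet.
ANONYMOUS_GCP_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def normalize(record: dict) -> StorageContainer:
    """Map each provider's own notion of 'public' onto the common model."""
    cloud = record["cloud"]
    if cloud == "aws":
        # S3 canned ACLs that open the bucket to anonymous readers.
        public = record["Acl"] in {"public-read", "public-read-write"}
        return StorageContainer("aws", record["Name"], public)
    if cloud == "azure":
        # Azure blob containers expose "None", "Blob" or "Container" access levels.
        return StorageContainer("azure", record["name"], record["publicAccess"] != "None")
    if cloud == "gcp":
        public = any(ANONYMOUS_GCP_MEMBERS & set(b["members"]) for b in record["iamBindings"])
        return StorageContainer("gcp", record["name"], public)
    raise ValueError(f"unsupported provider: {cloud}")


def find_public_containers(raw_inventory: list) -> list:
    """One policy ('no publicly readable Storage Container') run across every cloud."""
    return [(c.provider, c.name) for c in map(normalize, raw_inventory) if c.public]
```

Because the policy is written once against the normalized type, adding a fourth provider only requires a new branch in `normalize`, not a new copy of the rule.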
Real-time automation and remediation. InsightCloudSec automates the protective and reactive controls necessary for an enterprise to innovate at the speed of cloud. Automation is the key to being able to achieve both security and speed at scale. With an API polling and event-driven approach to identify risk and trigger remediation, InsightCloudSec provides fast detection of changes, enabling automated remediation to occur in real time. With a highly customizable automation engine, users can quickly and easily define workflows (“Bots”) that deliver automation. A single Bot can be configured to apply a unified approach to remediation across all clouds, creating a consistent, scalable, and sustainable approach to cloud security.
Extensible platform. From custom policies to a robust API, InsightCloudSec can adapt to your unique business needs. We provide a flexible data model with multiple levels of adaptability, including configuration through the user interface, customization through our plugin-based architecture, and automation through our RESTful API.
Risk assessment and auditing. Our Compliance Scorecard delivers a visual representation of risk aligned with regulatory standards, industry standards, or your own corporate standards. Through our interactive heat map, we provide a unified view across all cloud environments that can be filtered by facets like cloud environment, account, business unit, application, risk profile, compliance standard, etc.
Threat protection. We leverage native CSP services and security controls (e.g., Amazon GuardDuty) for best-in-class intelligent threat detection that continuously monitors for malicious activity and unauthorized behavior. This includes cryptocurrency mining, credential compromise behavior, communication with known command-and-control servers, and API calls from known malicious IPs. When a threat is identified, InsightCloudSec uses automated remediation to fix it before it becomes a problem.
Cloud identity and access management. InsightCloudSec analyzes complex roles and identities across cloud and container environments. This capability empowers organizations to take back control over who and what has access to their cloud resources and infrastructure by adopting a least-privileged access security model, reducing excessive entitlements, and minimizing the blast radius of malicious activity.
Kubernetes protection. InsightCloudSec gives developers freedom to innovate while also maintaining compliance with best practices for workloads running on Kubernetes.
Infrastructure as Code Security. By providing a single, consistent set of security checks and exemptions for infrastructure-as-code (IaC) templates, DevOps teams are well equipped to follow best practices and company policy as early as possible in the continuous integration/continuous deployment lifecycle while minimizing developer frustration and delays caused by inconsistent checks.
Balancing cloud security and compliance to support DevOps is critical, as the fundamental role of traditional security teams is changing substantially. As many organizations look to integrate security into the DevOps culture, it is important to rethink how we approach and minimize real or perceived friction. A key part of this evolution is adoption of modern tools that support the developer-driven, API-centric, and infrastructure-agnostic patterns of cloud-native security.
CWPPs provide much-needed visibility and protection over workloads, which is a growing need for organizations that are choosing to take advantage of container technology. CSPMs provide incredible visibility, monitoring, and detection while taking security a step further—automating responses to mitigate potential risks. And with the complexities of identity and access posing significant challenges to cloud security in the near term, the CIEM archetype cannot be overlooked.
All of these categories bring significant benefits to the table, but what’s missing is a powerful, holistic solution. A fully integrated cloud-native solution, like InsightCloudSec, is an important investment for organizations seeking to innovate while staying secure in the cloud. While piecemeal solutions from the individual tool categories can be beneficial, they lack the cohesion and full context that only a CNAPP or CNSP can offer.