The cloud security solutions market is growing rapidly, and there are many types of solutions to support your specific business needs. But figuring out the right tool, let alone the right type of tool, can be difficult. This overview offers insight into the main concepts of five archetypes that fall under the broader cloud security management platform umbrella: CASB, CWPP, CSPM, CIEM, and CNAPP.
For more information about Cloud Security, call our security consultants at +31 (0) 345 506 105 or send an email to info@isoc24.com
Gartner developed and defined these archetypes, which often overlap in terms of capabilities, to provide businesses with analysis that better informs their decision making. The last two, CIEM and CNAPP, are recent additions.
For each category, we will describe:
What is it? We will look at what each tool category does and highlight some notable features.
In what context is it best used? In these sections, we will look at the best deployment patterns and implementation scenarios for each tool.
Per Gartner, deployment patterns for cloud fall into three general groupings:
Gartner assessed CASB, CWPP, and CSPM tools across these three deployment patterns for single, multi, and hybrid cloud implementations. We will take a look at how they ranked and in what scenarios the tool category could be most useful. Please note that Gartner has not yet formally assessed the CIEM and CNAPP archetypes.
Benefits and limitations? Why use a particular tool category? What are the potential drawbacks to be aware of? We’ll break down the positives and negatives for each one.
What is it?
CASBs are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers (CSPs) to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, and malware detection/prevention.
In what context is it best used?
According to Gartner, CASBs are most effective on SaaS deployments for single and multi-cloud implementations. CASBs are also somewhat effective in mixed deployments.
Benefits
Limitations
What is it?
According to Gartner, CWPPs are workload-centric security offerings that target the unique protection requirements of workloads in modern hybrid, multi-cloud data center architectures. In plain English, CWPPs help organizations protect their capabilities or workloads (applications, resources, etc.) running in a cloud instance.
CWPP capabilities vary across vendor platforms, but typically include functions like system hardening, vulnerability management, host-based segmentation, system integrity monitoring, and application allow lists. CWPPs enable visibility and security control management across multiple public cloud environments from a single console.
Gartner divides CWPP vendors into eight categories:
In the Market Guide for Cloud Workload Protection Platforms, Gartner states that workloads are becoming more granular — with shorter life spans — as organizations continue to adopt DevOps-style development patterns, with multiple iterations deployed per week or even per day.
The best way to secure these rapidly changing and short-lived workloads is to take a proactive approach. Incorporating security via DevSecOps, through the use of Infrastructure as Code templates, pre-deployment vulnerability management, and code scanning, protects workloads from the very beginning.
In what context is it best used?
Gartner states that the best possible context for a CWPP is a single provider IaaS, particularly where there are requirements for additional security capabilities to protect workloads.
Benefits
Limitations
What is it?
CSPM solutions continuously manage cloud security risk. They detect, log, report, and provide automation to address issues. These issues can range from cloud service configurations to security settings and are typically related to governance, compliance, and security for cloud resources.
CSPM tools focus on four key areas:
In what context is it best used?
CSPM tools are most effective when used in multi-cloud IaaS environments. They can also protect IaaS elements of mixed deployments.
Benefits
Limitations
Most CSPM limitations relate to how they interconnect with native CSP security controls.
For example, CSPMs:
What is it?
In its Cloud Security Hype Cycle report, Gartner included a new category and corresponding “C” acronym, CIEM. This new archetype describes solutions focused on cloud Identity and Access Management (IAM), which is often too complex and dynamic to be managed effectively by native CSP tools alone. The emerging CIEM category is designated for technologies that provide identity and access governance controls with the goal of reducing excessive cloud infrastructure entitlements and streamlining least-privileged access controls across dynamic, distributed cloud environments.
In what context is it best used?
IaaS and PaaS environments.
Benefits
Limitations
What is it?
Gartner recently designated CNAPP as a new category to reflect emerging trends in cloud security. CNAPPs bring application and data context in the convergence of the CSPM and CWPP archetypes to protect hosts and workloads, including VMs, containers, and serverless functions.
In what context is it best used?
IaaS and PaaS environments.
Benefits
iSOC24 carries the Rapid7 InsightCloudSec (formerly known as DivvyCloud) solution in its portfolio. Please see below for a description of the solution and its advantages.
Where does Rapid7 InsightCloudSec fit in?
The combination of capabilities and broad positioning across the CSPM, CWPP, and CIEM categories supports InsightCloudSec’s placement into Gartner’s newest archetype, CNAPP. InsightCloudSec fits nicely in the CSPM category and has become recognized as an industry leader in this capacity. InsightCloudSec also checks off boxes in the CWPP category, and our position is made even stronger when working in conjunction with Rapid7’s InsightVM tool. Furthermore, InsightCloudSec’s recently released Cloud IAM Governance module fits into the CIEM category as well.
What makes InsightCloudSec stand out?
We’ve approached cloud security in a unique way. Here’s how we’re different.
When a threat is identified, InsightCloudSec can perform automated remediation actions, including reconfiguring cloud services, making changes to cloud infrastructure, driving human-centered workflows with integration into systems like ServiceNow and Jira, and orchestrating workflow actions in other security and management systems.
Rapid7 InsightCloudSec’s Cloud IAM Governance module fits into the CIEM category. This new IAM Governance Module helps you:
Balancing cloud security and compliance to support DevOps is critical, as the fundamental role of traditional security teams is changing substantially. As we look to integrate security into the DevOps culture, it is important to rethink our approach and minimize real or perceived friction. A key part of this evolution is adoption of modern tools that support the developer-driven, API-centric, and infrastructure-agnostic patterns of cloud-native security. Rapid7 offers exactly that with an InsightCloudSec and InsightVM integration that brings best-in-class capabilities together to solve problems holistically.
When used in combination with Rapid7’s InsightVM tool and its CWPP capabilities, InsightCloudSec’s position as a CSPM solution is strengthened even more, giving customers the ability to scan for vulnerabilities and baseline compliance. The combination of InsightVM and InsightCloudSec exemplifies the convergence of CWPPs and CSPMs into the new CNAPP category. By using both InsightVM and InsightCloudSec concurrently, organizations get the best of both worlds.
CSPM and CIEM tools, like InsightCloudSec, are important investments for organizations seeking to innovate while staying secure in the cloud. CSPMs provide incredible visibility, monitoring, and detection while taking security a step further by automating responses to mitigate potential risks. CSPMs are uniquely positioned to handle the current and future challenges that make it difficult for organizations to stay secure in the cloud. And with identity and access posing significant challenges to cloud security in the near term, the CIEM archetype cannot be overlooked. Fortunately, InsightCloudSec’s IAM Governance module fits into this category.
Going beyond CASBs, CWPPs, and CSPMs and into the realm of CNAPPs, the combination of InsightVM and InsightCloudSec offers the best of both worlds as we move toward the next generation of cloud-native security solutions.
Interested in how InsightCloudSec and/or InsightVM can help fuel innovation without sacrificing security? Schedule a personalized demo with one of our cloud security experts.