Cloud Security Posture Management

Jump to section

Share this post:

Share on twitter
Share on linkedin

Cloud Security Posture Management (or CSPM) is a piece of technology that eases out cloud security efforts for enterprises. This is true for organisations that are either already on public cloud, or even in process of migration. Public cloud deployments are built of multiple moving parts such as network, storage, containers, server-less applications and so on. 

In fast paced organisations, these moving parts “move” (or change) as frequently as every hour or even minute. This brings about a towering challenge of security teams keeping up with these changes and ensuring they do not adversely impact the security posture of the organisations public cloud deployment.

This is where Cloud Security Posture Management or Cloud Security Posture Management plays a crucial role. CSPM solutions take some of this load off security teams by providing visibility, continuous secure configuration management, threat detection and compliance. 

Let’s deep dive a little more now.

Importance of Continuous Security Management

Where is your organisation’s critical information – somewhere in a data warehouse, database, or backed up on S3 buckets (or similar alternatives), isn’t it? Well that’s the case for most organisations hosted on the cloud. What happens when an administrator accidentally opens up an S3 bucket publicly, or a developer accidentally pushes an access key to the open? You have a breach in the making right there! 

This is precisely why:

Gartner estimates 95% of breaches occur due to configuration errors 


A survey by IDC brought out a serious finding according to which 80% of companies experienced a cloud data breach and most arising due to misconfigurations

Those are some really scary numbers!

Why do Cloud Data Breaches occur?

Let’s look at why breaches occur in the cloud in the first place, and how is this a little different than traditional data centres or applications.

  • Long live the perimeter : in the cloud, there is a network, yes, of course there is. But there are also a bunch of services that are “perimeter-less”. This drastically increases the attack surface for an organisation and it’s applications. For example, S3 buckets are hosted within a common AWS network, these are NOT hosted within enterprise network boundaries, but are governed by logical access control via S3 bucket policies.
  • Lack of adequate preventive controls : public cloud adoption is all about engineering speed and agility, which often leaves security taking a back seat, basic controls such as data encryption, access keys restriction, restrictive public access are often missed out.
  • They are faster, smarter than you think : the bad guys are backed with high end technology and compute at their disposal, it’s likely they would see a misconfiguration very quickly, they’re watching out for these all the time. In fact, there are tools to their disposal that present a list of exploitable resources, such as public S3 buckets!

Why do Misconfigurations occur?

  • Complexity : AWS alone has 300+ services (as of this blog post), and engineering teams are hungry to try these out. It gets complex when tens of services are talking to each other in any standard public cloud deployment. And thus, cloud security teams are posed with a constant challenge of keeping up with rapid adoption and management of these services from a security standpoint.
  • Security knowhow : hosted or physical data centre deployments are well known and infrastructure teams possess in depth understanding in managing the same. This doesn’t always hold true for public cloud deployments. Infrastructure teams quite often, go ahead with “default” configurations or open up permissive identity (or network) access in order to get a service up and running! We’ve seen this happen all the time : engineering teams gets an access denied error, infrastructure team opens up more access, the setup works, infrastructure team misses reverting these changes or trimming them down.
  • Scale : vast variety of services, with production changes going on by the hour or minute presents infrastructure and security teams with the challenge of monitoring and reviewing these changes at scale. This is where fatigue sets in and misconfigurations occur!

Cloud Security Posture Management

Well there are ways to deal with these challenges, at scale. 

Enter Cloud Security Posture Management, or CSPM.

CSPM solutions help enterprises continuously monitor their public cloud deployments for misconfigurations, or potential security issues that could lead to a compromise. It creates visibility for DevSecOps or Infrastructure teams to discover and analyse public cloud deployments. With help from such technology, teams can quickly pinpoint areas that need attention, irrespective of location or cloud service provider.

A typical CSPM is an agent-less SaaS deployment that helps achieve the below objectives.

Continuous Discovery and Visibility

CSPM tools typically run scans across public cloud deployments to discovery network, compute, storage, server-less and many more types of resources. Resources are tagged with their associated configurations which provide further details into their configuration, type or security parameters. An enterprise, can at any point in time deep dive into resources, their configurations and associations to understand interlinkages, dependencies and threat landscape. CSPM solutions help organisations get a view described earlier irrespective of public cloud providers in a single pane of glass.

Security Misconfiguration Detection

Infrastructure changes in the cloud occur rapidly. Like we’ve seen already, some of these changes can lead to exposure of sensitive data or systems. 

Just like any typical hardening standard, there are certain best practices that should be followed from a security perspective. Some insights around these best practices could be found in our post around securing S3, or AWS networking 101

But, it might get challenging to continuously monitor changes in the environment to flag when a resource or system deviates from these best practices. This is where CSPM plays a crucial role. 

Any typical CSPM product monitors popular cloud platforms such as AWS, Google or Azure for changes and alerts when a change could adversely impact the security posture of a cloud deployment.

For instance, Cy5’s Cloud Security Posture Monitoring offering scans 60+ cloud services and runs 300+ checks on a continuous basis. Customers can alert on security misconfigurations over email or slack as required.


There are times where enterprises need to comply with certain regulations. For example, organisations that store or process credit card information need to comply with PCI-DSS standards, organisations that process healthcare data in the United States need to comply with HIPAA. 

Proving compliance requires reviewing security implementations against defined controls within the standard. This can prove quite overwhelming for multi-cloud and large scale deployment. 

Cloud Security Posture Management tools ease out the effort of monitoring and proving compliance, by continuously checking existing security configurations and measuring them against a given compliance standard. 

The below screenshot is an example of how Cy5’s CSPM offering gives visibility into compliance posture of an organisation’s cloud deployment.

One can drill-down into individual compliance reports to understand which controls are failing across which type of resources.

Drift Detection and Automated Remediation

Well, we found out we’ve got a public S3 bucket with sensitive data in it. Great! What’s next?

By the time such security issues are manually reviewed, escalated and fixed, the adversaries have already found their way to the affected resources and done the damage. 

Automated remediation is a key functionality of Cloud Security Posture Management platforms, which enables customers to remediate the obvious class of findings or security issues instantly via automation. Security issues such as public S3 buckets, open SSH or RDP ports etc, such be remediated with automation, without doubt.

Similarly, for highly sensitive deployments, it might be a good idea to ensure the designated security posture remains unchanged. Drift detection is a feature offered by a few CSPM solutions that detects when a set of configurations change or deviate from existing baselines.

Threat Detection

Catching security misconfigurations is a good idea, no doubt. But this is in no way adequate to protect an enterprise from security threats.

Preventive security should always be complemented by detection techniques, such that adversaries that slip past preventive security layers, are caught early in their act. This is where threat detection plays an extremely crucial role. Some (not all) Cloud Security Posture Monitoring tools provide the capability of ingesting events such as CloudTrail, VPC Flow Logs from an AWS perspective, and detect threats that might be trying to make way into a public cloud deployment. 

For instance, an access key being invoked from a location other than ones generally used, could be cause of concern (or potential threat) and might need to be investigated.

Cy5’s Cloud Native Security Platform offers a Cloud SIEM as a service which enables organisations to detect threats early on in the attack kill chain, and hopefully prevent a breach. Below is what a typical threat dashboard might look like, where detections are grouped by attack tactics.

Infrastructure as Code Scanning

Let’s now talk some “Shift Left” in cloud security. Why wait for scans in production to alert you about a misconfiguration, when, a misconfiguration can be prevented from reaching production in the first place?

This is precisely what infrastructure-as-code scanning does.

For organisations have well developed CI/CD pipelines, it’s generally a good idea to manage production cloud infrastructure via code, using tools such as TerraformCloudformation etc. Once this is done, security teams can implement checks and balances to scan the code (which represents infrastructure), to catch potential security issues and stop them from being executed on production. Here’s an excellent post by Snyk on Infra-as-code Security.

Examples of CSPM Checks

Here are some examples of security issues that Cloud Security Posture Monitoring systems are capable of detecting and fixing automatically:

  • S3 bucket misconfiguration – catching poorly configured S3 buckets that could leave sensitive data exposed to public access
  • IAM issues – poorly managed IAM users, access keys or policies that could lead to initial access or privilege escalation
  • Misconfigured security groups – happens all the time! Accidentally opened up remote access ports such as SSH, RDP

Going Beyond CSPM

The Cy5 Unified Cloud Security Platform goes above and beyond a typical CSPM in adding business context to resources hence giving an enterprise the capability to prioritise one issue over another while dealing with security at scale. For example, one could prioritise fixing issues around sensitive assets before non-sensitive ones. In case you’re interested in giving this a shot, sign-up here.