Cloud Security Posture Management (CSPM) solutions help you secure your cloud platforms and the development pipeline that runs on them. CSPM gives you an infrastructure-centric perspective on cloud security. The cloud, however, is more than platforms like AWS, GCP, and Azure. Your business teams use dozens or hundreds of SaaS and homegrown cloud applications. For all of these applications, and for the infrastructure you run on cloud platforms, identity is the only perimeter you can count on. Managing the risks tied to human, machine, and API identities, and to what those identities can access, is critical. You need Identity Security for an identity-centric perspective on cloud security, a perspective that complements CSPM.
What is CSPM?
IT staff and developers use cloud platforms like AWS, Azure, and GCP to spin up servers, applications, and storage as needed. But these platforms are complex, and it’s easy to make mistakes. CSPM solutions have evolved over the last few years to identify and remediate misconfigurations in cloud platforms, as well as in the virtual machines, containers, and databases hosted on them. CSPM delivers continuous visibility into the security posture of your platforms and lets you measure compliance on an ongoing basis against frameworks like CIS and NIST.
What is Identity Security?
What is Identity Security, you may ask? While CSPM addresses infrastructure misconfigurations, Identity Security focuses on identity and access misconfigurations. Enterprise identity and access is no less complex than the cloud platforms themselves. There are two sides to the access problem: the resource side and the identity side. On the resource side, every application, data store, or infrastructure element has its own authorization model, its own permissions, and its own settings, and most applications are configured by business teams rather than by IT or security staff. On the identity side, human identities, such as employees, vendors, partners, and contractors with their joiner-mover-leaver lifecycle, are dwarfed today by machine and API identities with far more dynamic lifecycles. Constant change makes managing the configurations that bind identities to resources through accounts, groups, roles, policies, and permissions a daunting task. Identity Security identifies and fixes these misconfigurations and enables you to maintain a secure posture. It goes beyond compliance-driven identity governance and complements both CSPM and identity providers.
Stop data breaches
Both CSPM and Identity Security help you identify and fix security risks that can lead to data breaches. Some CSPM solutions include cloud infrastructure entitlement management (CIEM) features: they can manage least privilege access within a single cloud platform and detect publicly accessible data. However, they miss the overall business context of identities, the context that is critical for prioritization and remediation, and they cannot enforce job-appropriate permissions for all employee and non-employee identities. And because they integrate only with infrastructure platforms, they are unaware of the security risks tied to misconfigurations in SaaS and other application deployments, and of identity lifecycle risks.
Similarly, their compliance value proposition is limited. For example, they can’t support access reviews across a DevOps stack or an entire organization, and they can’t detect Segregation of Duties conflicts in financial business processes or in the IT environment.
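The two identity misconfigurations the sections above describe, a Segregation of Duties conflict in a finance application and a leaver who still holds cloud access, can both be found by flattening role bindings across systems into effective permissions per identity. The following is an added example, not code from the original article or from any product; the identities, roles, permissions, and SoD rules are constructed sample data.

```python
"""Resolve effective entitlements across a constructed cloud IAM snapshot
("aws") and a SaaS finance app ("erp"), then flag two identity-centric
findings that an infrastructure-only view would miss."""
from collections import defaultdict

# Constructed sample data: lifecycle status from the identity provider,
# group/role memberships per system, and what each role grants.
IDENTITY_STATUS = {"alice": "active", "bob": "active",
                   "carol": "terminated", "ci-bot": "active"}
MEMBERSHIPS = {
    "aws": {"alice": ["Admins"], "ci-bot": ["Deployers"], "carol": ["Admins"]},
    "erp": {"alice": ["AP-Clerk", "AP-Approver"], "bob": ["AP-Clerk"]},
}
ROLE_PERMS = {
    "aws": {"Admins": {"s3:*", "iam:*"}, "Deployers": {"s3:PutObject"}},
    "erp": {"AP-Clerk": {"vendor:create", "invoice:enter"},
            "AP-Approver": {"invoice:approve", "payment:release"}},
}
# Toxic combinations: no single identity may hold both permissions.
SOD_RULES = [("vendor:create", "payment:release"),
             ("invoice:enter", "invoice:approve")]


def effective_permissions(memberships, role_perms):
    """Flatten role bindings into {identity: {(system, permission), ...}}."""
    effective = defaultdict(set)
    for system, members in memberships.items():
        for identity, roles in members.items():
            for role in roles:
                for perm in role_perms[system].get(role, set()):
                    effective[identity].add((system, perm))
    return dict(effective)


def sod_conflicts(effective, rules):
    """Return (identity, perm_a, perm_b) for every violated SoD rule."""
    findings = []
    for identity, perms in sorted(effective.items()):
        held = {perm for _, perm in perms}
        findings += [(identity, a, b) for a, b in rules
                     if a in held and b in held]
    return findings


def leaver_access(effective, status):
    """Return (identity, entitlement_count) for non-active identities
    that still hold permissions anywhere (joiner-mover-leaver gap)."""
    return sorted((identity, len(perms)) for identity, perms in effective.items()
                  if status.get(identity) != "active")


if __name__ == "__main__":
    eff = effective_permissions(MEMBERSHIPS, ROLE_PERMS)
    print(sod_conflicts(eff, SOD_RULES), leaver_access(eff, IDENTITY_STATUS))
```

The same flattening step is what an access review needs as input: reviewers sign off on effective permissions per identity, not on raw group lists.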
What’s needed is a security program and practice that combines CSPM with Identity Security, delivering visibility into, and remediation of, security and compliance risks across the entire cloud attack surface. Working together, CSPM and Identity Security solutions can stop data breaches.