Establishing a Foundation: The Essential Role of CSPM in Cloud Security Maturity

Josue Ledesma

February 01, 2024

Cloud adoption continues to accelerate, and there’s no letting up. According to Gartner®, “worldwide public cloud services are forecast to grow by 19.1% in current U.S. dollars in 2024. Organizations continue accelerating cloud adoption, which is driving a five-year compound annual growth rate of 19.7% (19.1% in constant currency)”¹. Cloud computing offers immense scalability and flexibility, but it also brings a unique set of security challenges. Department leaders now know that traditional methods of cybersecurity aren’t sufficient to address the threats and operational risks cloud computing introduces. A cloud-native security strategy is needed, but many organizations still struggle with what a successful strategy looks like.

“The issue, fundamentally, starts at the terminology level,” says Raphael Peyret, vice president of product at Horangi Cyber Security, a Bitdefender company. “There are vendors who claim to offer cloud-based security solutions but they’re really traditional security tools that live in the cloud. They’re cloud-based as a deployment model. What organizations really need are cloud-native security solutions.”

These cloud-native solutions are designed to specifically address cloud security challenges and interact with complex cloud environments. However, given the complexities in implementation, organizations need to take a methodical approach or risk purchasing advanced products they can’t utilize due to lack of expertise, staff, and infrastructure. It’s best to start with a Cloud Security Posture Management (CSPM) solution to build on for effective cloud security. 

Let’s explore how security organizations can start building a road map for cloud security maturity while providing an understanding of the cloud-native security landscape.

A History of the Shift in Cloud Security 

Initially, as organizations dipped their toes into cloud services in minimal ways, the security measures applied were similar to those used to secure on-prem assets. The focus was primarily on safeguarding endpoints and securing network perimeters, but on the cloud. As a result, Cloud Workload Protection Platforms (CWPPs) emerged as a key solution. 

However, with the rise of DevOps and the deeper integration of cloud adoption into product and software development, it became clear that CWPPs, while effective for certain aspects of cloud security, weren't sufficiently distinct from traditional endpoint protection platforms to warrant a standalone solution. Furthermore, they didn't adequately address the new attack surface presented by the cloud: the management plane. Effective cloud security required a paradigm shift from the traditional methods of endpoint and network security. Solutions needed to be more deeply embedded and integrated within the software development lifecycle, ensuring seamless security measures that support efficiency and productivity without compromising on protection. 

The Emergence of Cloud-Native Security Solutions 

To address the new needs of cloud-first organizations, Cloud-Native Application Protection Platforms (CNAPPs) emerged. These solutions and their components were developed with the cloud's dynamic, scalable, and distributed nature in mind. They provide comprehensive visibility and security, flexibility, and an operational ease that allows organizations to embed security in the software development lifecycle with minimal disruption.

Components of CNAPP 

CNAPP encompasses various components, each addressing specific aspects of cloud security. These include:  

  • Cloud Security Posture Management (CSPM): Focuses on identifying and remedying misconfigurations and compliance risks within cloud environments, offering comprehensive visibility across complex cloud environments. 
  • Cloud Infrastructure Entitlement Management (CIEM): Manages and secures identity and access management in cloud environments, ensuring that permissions are appropriate, and risks of excessive entitlements are minimized. 
  • Infrastructure as Code (IaC) security: Shifts security earlier in the CI/CD pipeline (“shift-left”), especially for mature organizations utilizing IaC, to prevent insecure configurations from being deployed and to ensure more secure cloud environments through automated checks.
  • Cloud Workload Protection (CWP): Protects cloud workloads such as servers, storage, and databases against threats. 
  • Cloud Detection and Response: Provides active monitoring and response mechanisms to identify and counteract security threats within cloud environments, enhancing overall protection and resilience.

Effective Cloud Security Requires More Than Just Point Solutions 

While these advanced solutions represent significant strides in cloud protection, their effectiveness hinges on how they are implemented, which is partly a matter of how security is viewed and prioritized. “There’s a discrepancy between the pace of cloud adoption across revenue drivers; business applications and the DevOps teams that run them,” Peyret says. “And security, which is often seen as a cost center. To catch up, an organization may think simply purchasing a CNAPP will solve the problem.”

This, unfortunately, doesn’t solve the root problems found within many organizations: a lack of time, resources, expertise, and talent. A recent ISACA report found that 59% of cybersecurity leaders say their teams are understaffed. They also report that cloud computing is the second most important quality in hiring new cybersecurity staff. These tools are complicated and require cloud-security experts to effectively utilize them. If an organization gets ahead of itself and spends its budget on a major CNAPP solution without the corresponding team and programs in place, the solution will be poorly implemented and lead to an inflated sense of protection.

Leaders should instead start small, with CSPM as the first step towards cloud security maturity, and progressively build from there.

How CSPM Helps Organizations Build Towards Cloud-Native Security Maturity 

CSPM was initially conceived by cloud security experts who understood the complexities of the cloud quite well. While the first CSPM tools were initially too “noisy,” newer ones are designed to minimize alert fatigue and provide contextual analysis. “These are, essentially, ‘CSPM+’ solutions,” Peyret says. “They’re more efficient and accessible to teams and individuals who have less expertise in cloud security.” He likens CSPM to a corporate building management system. It checks the doors, windows, alarms, and reports on what’s open, when keycards have been used, and who’s going in and out. 

In the same way, CSPM collects and analyzes data across your cloud environment to identify and surface potential risks and vulnerabilities in a cloud-native way, which means it can analyze multi- and hybrid cloud environments. This is done continuously, and extends beyond vulnerabilities to detect misconfigurations, compliance lapses, and security threats. 

CSPM also automates critical security tasks to provide cloud compliance expertise across a number of regulatory standards such as GDPR, CCPA, banking regulations, and/or voluntary standards like SOC2 and ISO 27001. This is done by identifying areas of non-compliance, providing contextual analysis, and ensuring security policies are enforced across an entire cloud environment.   

These visibility and compliance benefits are essential for any organization, regardless of cloud complexity, making CSPM the first line of defense and regulatory adherence. Peyret says it’s analogous to having a firewall and AV for traditional security. It provides fundamental protection that allows organizations to further invest in more advanced proactive protection tools that build towards cloud security maturity. 

It’s also effective right out of the box, designed to offer cloud security from day one, making implementation much easier compared to other complex CNAPP tools so that teams with minimal cloud security knowledge are still capable of using the tool. 

Effective Cloud Security Requires a Maturity-Model Approach 

“Too often, I’ve seen an organization purchase a CNAPP only to have no one analyze its findings or alerts,” Peyret says. According to the 2023 Cybersecurity Assessment report, 78.3% of US IT and security leaders said that they’ve bought a tool in the last 12 months that “didn’t live up to the marketing hype” and 43% of global respondents indicated their solution was too complex.

It’s not enough to just acquire the most advanced cloud security tools, and this scenario makes it even more difficult to allocate budget to security, resulting in a less-secure organization. Leaders should prioritize starting with CSPM, which will then allow their team to make the most of a resource-strapped department. Think of CSPM as a tool like Photoshop. It’s a powerful application whose finer points you can spend years learning, but you can already get a lot done with just a few core capabilities. However, with more understanding, time, and the right team behind it, it’s possible to increase utilization for even more capabilities.

In a similar way, implementing CSPM properly will provide a good baseline of protection while allowing organizations to layer on more complex cloud-native security essentials like CIEM and CWP. By laying the groundwork for more advanced cloud security, organizations can easily bypass the operational and implementation challenges that cloud security often brings.

Taking on this methodical approach is necessary for strategic cloud security success.

¹ Gartner, Forecast: Public Cloud Services, Worldwide, 2021-2027, 4Q23 Update by Hardeep Singh, Colleen Graham, Shailendra Upadhyay, Amarendra., Arunasree Cheparthi, Varsha Mehta, Nicholas Carter, Robin Schumacher, December 20, 2023

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.



Josue Ledesma

Josue Ledesma is a writer, filmmaker, and content marketer living in New York City. He covers cyber security, tech and finance, consumer privacy, and B2B digital marketing.
