To punctuate the complexity of modern cloud security, presenters at Gartner's 2020 Security & Risk Management Summit shared an alarming prediction: "More than 99% of cloud security failures will be the customer's fault," and this will be the case indefinitely.
To master the shared responsibility model and avoid security failures, cloud customers need to rethink their cloud security strategy without relying on traditional, on-premises security approaches.
Unfortunately, there is still no one strategic silver bullet to achieve cloud security. But Gartner researchers emphasized three tools were essential to the future of securing cloud environments: cloud access security brokers (CASBs), cloud security posture management (CSPM) and cloud workload protection platforms (CWPPs).
Here, learn more about how CASB, CSPM and CWPP tools can address the future of cloud security.
CASB: Cloud access security broker
A CASB addresses complexities that result when organizations deploy applications. It acts as a security policy enforcement gateway to ensure that users' actions are authorized and compliant with company policies. The enforcement function of CASB can also help mitigate the threat of shadow IT.
This article is part of
The four pillars of CASB include visibility, compliance, threat protection and data security (see Figure 1 below). Visibility is accomplished through cloud services' usage tracking, reporting, logging and alerts. Authentication, authorization, single sign-on and regulatory requirement enforcement capabilities are incorporated to achieve compliance. For threat protection and data security purposes, CASB tools offer malware detection, firewalls, encryption and data loss prevention features.
Organizations can integrate CASBs via API or network proxies so security functions can be uniformly implemented across all IaaS and SaaS applications. Learn more about how CASB features have evolved to address the most pressing cloud security challenges.
CSPM: Cloud security posture management
Organizations can wield CSPM to conduct continuous compliance monitoring, prevent configuration drift and support security operations center investigation. CSPM can also serve as DevOps guardrails by setting limits on permittable configurations or behavior in cloud.
Gartner recommended CSPM be used to mitigate one of the more persistent cloud security threats: poor configuration. CSPM tools can uniformly apply cloud security best practices to increasingly complex systems, such as hybrid, multi-cloud and container environments.
Among the emerging CSPM features to look out for is a "unified cloud vision of security services," said Gartner senior director and analyst Richard Bartley at the Gartner 2020 Security & Risk Management Summit. In addition, AI and machine learning baselining, native cloud provider tool enhancements and container orchestration context may be incorporated in the next generation of CSPM tools.
Learn more about how CSPM can augment an existing multi-cloud strategy to improve control plane security.
CWPP: Cloud workload protection platform
One significant hurdle to cloud security is the reality that workloads exist in varying states. For example, workloads may run on a Docker container in a public cloud environment in one instant and run in a private cloud the next. Cloud workload placement is further complicated by the increased use of multi-cloud and hybrid environments.
Ensuring the right workloads are deployed in the right places with the right controls is a complex process, making it easy for security incidents to occur. Enter CWPP, which unifies management across multiple cloud providers and spans all types of workloads, including in physical servers, VMs, containers and serverless functions.
CWPP provides "single pane [of] glass visibility and protection" across on-premises and public cloud environments, said Neil MacDonald, vice president and distinguished analyst at Gartner. This high level of visibility is integral to proactively facilitate security and compliance in hybrid and multi-cloud environments.
Learn more about typical features of CWPPs and how they can improve enterprise cloud security programs by addressing unique security needs associated with diversified operations.
Expect change in cloud security tool market
The CASB, CSPM and CWPP markets are "changing, and we're seeing lots of consolidating happening," Bartley said. Many CASB vendors are now providing CSPM tools, for example.
Given that some overlap in features already exists among CASB, CSPM and CWPP offerings, decision-makers should determine whether their current CASB vendor offers CSPM tools before settling on another third-party option. Bundling services may reduce integration complexity with the added benefit of a single management interface. But beware of vendor lock-in.
Organizations should also define all their cloud security needs before making any buying decisions. Gartner advised security leaders to communicate with stakeholders and business executives when determining cloud security goals and needs. Take stock of the cloud service provider's native tools as well. Cloud providers are now offering CSPM-like tools, so selecting the cloud provider's native CSPM option may meet all the organization's security needs.
Bartley recommended entering short-term contracts when it comes to cloud security tools, such as CSPM. Gartner expects service options to expand as the CASB, CSPM and CWPP markets continue to rapidly grow for the foreseeable future.