Cloud security tools: Understanding the differences between CASB, CSPM and CWPP
Cloud Security is a broad and complex topic. I remember when we first started the Cloud Security Alliance we counted 13 different domains and later 14, before it hit the mainstream. But as cloud adoption increases through rapid innovation and consolidation, analysts such as Gartner are quick to follow the money and put their own taxonomy on it to define the markets.
Gartner came up with three categories of cloud security tools:
Cloud Access Security Brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement, such as authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on. (source: Cloud Access Security Brokers)
CASB is the broadest and most mature toolset. It focuses on SaaS security and gives enterprises visibility and control over the usage of SaaS (the main cloud market). Usually deployed as a proxy on the enterprise premises, it’s commonly used for Office 365, Salesforce and other SaaS applications. This deployment model made it possible to integrate CASB into firewalls and network security hardware in the enterprise, and it’s starting to extend to PaaS and IaaS usage.
Cloud Workload Protection Platforms (CWPP) are defined as host-centric solutions that target the unique requirements of server workload protection in modern hybrid data center architectures. (source: What is Cloud Workload Security?)
As soon as the IaaS market started to grow, so did the need to protect the workloads being migrated to IaaS providers such as AWS and Azure. There’s no revolution here: we are talking about adapting mature solutions such as vulnerability management, application security and anti-malware to fit the new requirements of IaaS in terms of elasticity and API connectivity.
Cloud Security Posture Management (CSPM) automatically assesses your cloud environment against best practices and security violations to provide the steps required to remediate them, often through automation. (source: CSPM: A new class of security tools)
With the widespread adoption of IaaS, data breaches caused by mismanagement of IaaS usage are becoming commonplace. Nearly all successful attacks on cloud services resulted from customer misconfigurations. The main use of CSPM is to verify that cloud configurations follow security best practices such as the CIS AWS/Azure/GCP benchmarks.
Regardless of the overlaps between the three categories, stay focused on your main use cases:
- If your goal is to control and have visibility into the enterprise usage of SaaS applications, then you definitely need a CASB.
- If your goal is to protect your data and applications (your workloads) on IaaS/PaaS, you probably need a CWPP. If you have legacy workloads or a hybrid setup, then the focus should be on extending your existing workload protection tools to IaaS/PaaS. The first step is to evaluate whether your existing workload security solutions can cope with the IaaS/PaaS services your organization is using. A good example is containers as a service: when you use containers or services such as Elastic Container Service on AWS, your workload security solution must be able to inspect containers and integrate with the container service.
- If your goal is to assess and comply with configuration best practices for IaaS/PaaS, then CSPM is a must. These solutions are easy to configure and deploy, as they leverage the cloud provider APIs to automate the CIS benchmark checks that will help you avoid becoming yet another headline for having a leaky S3 bucket full of customer data exposed to the public, or to threat actors.
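As an added example (not code from the original post or from any CSPM product), this is the kind of CIS-style check a CSPM automates for the leaky-bucket case above: it evaluates one S3 bucket's public-access configuration and reports findings. The input dicts mirror the shape of the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy responses; a real tool would fetch them per bucket through the provider API (e.g. boto3), whereas here the inventory in SAMPLE_BUCKETS is constructed.

```python
import json

# AWS's predefined global groups: an ACL grant to either makes the bucket public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def policy_allows_anonymous(policy_json):
    """True if any Allow statement names the wildcard principal ("*" or {"AWS": "*"})."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if stmt.get("Effect") == "Allow" and "*" in ([aws] if isinstance(aws, str) else aws or []):
            return True
    return False


def check_bucket(cfg):
    """Findings for one bucket (empty list = pass). `cfg` mirrors the GetPublicAccessBlock,
    GetBucketAcl and GetBucketPolicy responses a CSPM would pull through the S3 API."""
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    findings = [f"{flag} is not enabled" for flag in BLOCK_FLAGS if not pab.get(flag)]
    if not pab.get("IgnorePublicAcls"):  # public ACL grants only matter when not ignored
        for grant in cfg.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI")
            if uri in (ALL_USERS, AUTH_USERS):
                findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    if not pab.get("RestrictPublicBuckets") and policy_allows_anonymous(cfg.get("Policy")):
        findings.append("bucket policy allows Principal '*'")  # reachable: bucket not restricted
    return findings


# Constructed sample inventory (not real accounts): one leaky bucket, one compliant bucket.
SAMPLE_BUCKETS = {
    "customer-exports": {
        "PublicAccessBlockConfiguration": {},
        "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
                              "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}]}),
    },
    "app-logs": {
        "PublicAccessBlockConfiguration": dict.fromkeys(BLOCK_FLAGS, True),
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}],
        "Policy": None,
    },
}
```

Running `check_bucket` over each entry of SAMPLE_BUCKETS flags the six problems on customer-exports and returns no findings for app-logs.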