Skip to main content

Cloud security tools: Understanding the differences between CASB, CSPM and CWPP

Cloud security tools: Understanding the differences between CASB, CSPM and CWPP

Sergio Loureiro, Cloud Security Director
For the increasingly complex cloud migration across IaaS, PaaS and SaaS, Gartner came up with 3 different markets for cloud security assessment solutions, which leads to many questions about their differences and use cases to protect public cloud services.

Cloud Security is a broad and complex topic. I remember when we first started the Cloud Security Alliance we counted 13 different domains and later 14, before it hit the mainstream. But as cloud adoption increases through rapid innovation and consolidation, analysts such as Gartner are quick to follow the money and put their own taxonomy on it to define the markets.

Gartner came up with 3 different categories for the cloud security tools:


Cloud Access Security Brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement, such as authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on. (source: Cloud Access Security Brokers)

CASB is the broadest and most mature toolset. It focuses on SaaS Security and gives enterprises visibility and control over the usage of SaaS (the main cloud market). Usually deployed as a proxy in the enterprise premises, it’s commonly used for Office 365, Salesforce and other SaaS applications. The deployment model made it possible to be integrated in firewalls and network security hardware in the enterprise, and it’s starting to extend to PaaS and IaaS usage.

Cloud Workload Protection Platforms (CWPP) is defined by host-centric solutions that target the unique requirements of server workload protection in modern hybrid data center architectures. (source: What is Cloud Workload Security?)

As soon as the IaaS market started to grow, it comes the need to protect workloads that were being migrated to IaaS such as AWS and Azure. There’s no revolution here as we are talking about adapting mature solutions such as vulnerability management, application security and anti-malware to fit the new requirements for IaaS in terms of elasticity and API connectivity.

Cloud Security Posture Management (CSPM) automatically assess your cloud environment against best practice and security violations to provide the steps required to remediate them – often through automation (source: CSPM: A new class of security tools)

With the widespread adoption of IaaS, data breaches through mismanagement of IaaS usage are becoming a commonplace. Nearly all successful attacks on cloud services resulted from customer misconfigurations. The main use is to verify that cloud configurations are following security best practices such as CIS AWS/Azure/GCP benchmark.

The bottom line is look at your cloud use cases and security requirements. In a nutshell, if your organisation is putting sensitive data in SaaS, deploy a CASB. If your organization is processing sensitive data in IaaS, deploy both CSPM to assess your cloud configuration and extend your Workload Protection to the cloud with CWPP. Download our Guide for Infrastructure-as-a-Service Security for more information.


More information:

IaaS security in a nutshell

Top 10 cloud security myths infographic

Looking for anything in particular?

Type your search word here