What Is CSPM?

Cloud security posture management (CSPM) is the process of assessing cloud-based systems and infrastructures for noncompliance with security requirements, as well as prioritizing and remediating such issues. Thus, CSPM goes beyond vulnerability assessment, as it involves not only identifying, classifying and reporting security issues, but also addressing them strategically to reduce risks to information security. Taken together, these activities comprise a vulnerability management process.

At Fluid Attacks, we offer CSPM to secure your cloud-based assets continuously. It is available in both of our Continuous Hacking plans (Essential plan and Advanced plan) and is included in our 21-day free trial of automated security testing (which is CASA-approved). The CSPM process starts with vulnerability scanning in systems that are undergoing continuous changes. The targets of evaluation (ToE) of such scans are infrastructure as code (IaC) scripts (e.g., those written Terraform, AWS CloudFormation), container images (e.g., Docker files, Docker Compose files) and runtime environments.

The purpose of the cyclical assessment is to find out about the security status of the targeted systems. Assessments imply the identification, classification and report of security weaknesses or vulnerabilities. And since organizations' software and threat landscapes are evolving nonstop, these assessments are something to be done repeatedly and starting as early as possible in the software development lifecycle (SDLC). Some issues that can be detected performing CSPM are unrestricted ports, unencrypted data, excessive privileges, exposed credentials, among many others.

As a basis for assessment, CSPM tools may use requirements taken from international security standards and guidelines (e.g., PCI DSS, HIPAA, GDPR, NIST, NYDFS, CIS, SOC 2). For example, we check for compliance with our curated, ever-evolving set of security requirements. Further, tools in the market may allow the systems' owners to set their organizations' internal policies. In our case, we let our clients configure which vulnerabilities to accept (for a while or permanently), and offer a DevSecOps agent that clients can run in their CI/CD pipelines to automatically enforce acceptance policies. Specifically, this agent can be set to break the build if it identifies risky deployments (i.e., those containing vulnerabilities that the systems' owners have decided not to tolerate).

The step following assessment is prioritization of the detected security issues for remediation. A proficient CSPM solution should offer a method (e.g., risk-based scoring) to identify which security posture weaknesses to solve first. For instance, we inform the assessed systems' owners of the risk exposure that each security issue represents with our CVSSF metric, which introduces adjustments to the CVSS score. This information is delivered through our platform. Among the platform's many features, there are analytics that help decision-making to prioritize remediation.

Remediation is effectively correcting cybersecurity issues. We talked about it in a previous blog post, where we also explained that, when it is not possible to remediate a vulnerability, then the options of mitigating or accepting it should be looked into. Ideally, though, remediation should always be preferred. Cloud security posture management solutions are expected to offer remediation recommendations. We make those available on the platform, as part of the details of every security issue we report. Additionally, we provide the corresponding links to our Documentation, where we show examples of compliant and noncompliant code. After remediating, our clients can just run the scan again to verify if their efforts were effective.

Moving to the cloud is a very promising decision for organizations, especially when benefiting from the offerings of cloud service providers, as their solutions include tools, infrastructure, storage and processing power. Thanks to these features, development companies can create scalable software and save on costs. However, our experience in security assessment has taught us that cloud service misconfigurations are a very common issue. In the framework of the cloud security shared responsibility model (SRM), organizations need to make sure that they use secure configurations. Cloud security posture management is a valuable tool to learn whether this is the case and understand what needs to be done in case of noncompliance.

At Fluid Attacks, we advise organizations to conduct CSPM continuously throughout their SDLC. Moreover, following the DevSecOps methodology, we recommend they start testing and remediating as early into development as possible. Our Continuous Hacking Essential plan is a service that organizations can implement to follow these best practices and start securing their cloud-based systems and infrastructures. Besides, we offer a more comprehensive plan (Advanced plan), which, in addition to Essential plan's features, includes manual source code review and attack simulations by our ethical hackers. We recommend this plan to organizations who want to find complex vulnerabilities that automated tools cannot detect.

Got any questions? Contact us.