CSPM (cloud security posture management) and where it fits within your infrastructure

Vikrum Nijjar

Cloud and other B2B infrastructure providers are notorious for producing a never-ending stream of new buzzwords and acronyms. As a term spreads, marketing speak muddies where it fits and who it applies to. Still, each of these terms starts with a kernel of genuine good faith: an attempt to describe a niche offering.


Cloud security posture management (CSPM) is a relatively new acronym in the secops space. In a nutshell, CSPM can be described as an offering that:

  • Snapshots your cloud settings and other cloud metadata
  • Checks for misconfigurations with a focus on security

That’s all it is in its narrowest incarnation: a point-in-time analysis of your cloud infrastructure. Common problems that a CSPM tool can surface include:

  • Inconsistent MFA settings across your users
  • Misconfigured or test firewall/security groups left attached in production
  • Overly permissive IAM policies that can allow for privilege escalation
  • Configuration deviations across your source control repos such as code-review settings
  • Asset and inventory analysis across all of your accounts, regions, and providers
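A toy version of the two steps above (snapshot the settings, then check them) is shown here as an added example; it is not Gold Fig’s or Introspector’s code. The snapshot layout and field names are assumptions chosen for illustration, and the data is constructed.

```python
"""Toy CSPM-style checks run over a constructed cloud snapshot (added example)."""
from ipaddress import ip_network

# Constructed snapshot standing in for what a CSPM tool collects from a provider.
# The shape is an assumption for this example, not any real provider's API format.
SNAPSHOT = {
    "iam_users": [
        {"name": "alice", "mfa_enabled": True},
        {"name": "bob", "mfa_enabled": False},
    ],
    "security_groups": [
        {"id": "sg-prod-web", "rules": [{"port": 443, "cidr": "0.0.0.0/0"}],
         "attached_to": ["i-prod-1"]},
        {"id": "sg-test-ssh", "rules": [{"port": 22, "cidr": "0.0.0.0/0"}],
         "attached_to": ["i-prod-1"]},  # test group left attached in production
    ],
    "iam_policies": [
        {"name": "ReadOnly", "statements": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::bucket/*"}]},
        {"name": "AdminAll", "statements": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    ],
}

ADMIN_PORTS = {22, 3389}  # SSH and RDP

def users_without_mfa(snapshot):
    """Inconsistent MFA: users whose MFA flag is off."""
    return sorted(u["name"] for u in snapshot["iam_users"] if not u["mfa_enabled"])

def open_admin_groups(snapshot):
    """Groups exposing an admin port to any address (/0) while attached to something."""
    findings = []
    for sg in snapshot["security_groups"]:
        for rule in sg["rules"]:
            world_open = ip_network(rule["cidr"]).prefixlen == 0
            if rule["port"] in ADMIN_PORTS and world_open and sg.get("attached_to"):
                findings.append(sg["id"])
    return findings

def wildcard_policies(snapshot):
    """Overly permissive IAM: an Allow statement with Action '*' on Resource '*'."""
    found = []
    for pol in snapshot["iam_policies"]:
        for st in pol["statements"]:
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            if st["Effect"] == "Allow" and "*" in actions and st["Resource"] == "*":
                found.append(pol["name"])
    return found

def run_checks(snapshot):
    """Point-in-time report: every check run against the same snapshot."""
    return {"no_mfa": users_without_mfa(snapshot),
            "open_admin_groups": open_admin_groups(snapshot),
            "wildcard_iam": wildcard_policies(snapshot)}
```

Because every check reads the same stored snapshot, the report describes the infrastructure at one instant; rerunning the collection step is what turns this into continuous monitoring.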

Providers further overload CSPM to sell more things, such as auto-remediation, continuous monitoring, or pre-packaged compliance and regulatory checks. However, these additional areas start to overlap with responsibilities that other teams already cover with SIEM tools, compliance/regulatory reports, and IaC static analysis. In true software fashion, there isn’t a one-size-fits-all approach; it’s completely normal to see overlap between these areas of concern.

At Gold Fig we believe that CSPM is a specialization of infrastructure-as-deployed. Not only can a CSPM tool such as Introspector answer questions about security and compliance, but having a full inventory of your cloud provider’s settings, configurations, and the relationships between them gives infrastructure teams the tools to consolidate one-off code that lives in brittle bash scripts and the like.

SIEM tools are focused on the logs and events through the prism of security. Compliance tools are focused on items that fall squarely into external requirements. CSPM tools let your team encode your team’s own internal priorities.
