At the essence of a Zero Trust strategy is the mindset that all entities and processes are assumed to be untrustworthy until found otherwise. That means for every IT activity we need to implement a verification process to validate the trust for the activity. We don’t trust a user login until multi-factor authentication (MFA) has been completed. Likewise, we don’t trust a user to safely operate their corporate computing device without endpoint detection and response (EDR) in place.
MFA and EDR are well accepted solutions for organizations seeking a Zero Trust model. For the security team wanting to assure their due diligence in cybersecurity architecture, another front-line Zero Trust resource is a Cloud Security Posture Management (CSPM) solution. CSPM is a market segment for IT security tools designed to identify misconfiguration issues and compliance risks in the cloud.
CSPM as a trust provider for your apps and services
CSPM solutions can help organizations achieve Zero Trust security by providing continuous, automated monitoring and comprehensive visibility across cloud infrastructure, including discovery of assets to be protected, anomalous behaviors, and potential threats. Without a CSPM, your organization is more at risk than necessary to inevitable human errors and IT process vulnerabilities.
The CSPM operates from an assumption that users will misconfigure services to create a greater risk exposure than necessary. To have Zero Trust with your service and application configurations, you need a process like a CSPM to validate the compliance of your IT resources with safe computing objectives.
Leading CSPM solutions
CSPM tools are available from many vendors. Using one of these tools addresses this maxim: You can only expect what you inspect. If you expect your IT estate to have a secure configuration, you must inspect that configuration for weaknesses and vulnerabilities to achieve a Zero Trust model. Some of the leading CSPM products are:
- Check Point CloudGuard
- CrowdStrike Falcon Cloud Security
- Microsoft Defender for Cloud
- Orca Security
- Palo Alto Networks Prisma Cloud
- Wiz
- Zscaler Cloud Protection
Lower your cybersecurity premiums with an effective CSPM
When evaluating CSPM solutions, a leading factor in your decision should be how practical it is for a tool to produce evidence that your organization complies with well-known industry cybersecurity frameworks. One of the top things you can do to lower your cyber insurance premiums is to follow one of the well-known NIST (or other applicable regulatory body) cybersecurity framework(s). CSPM products should allow you to select which frameworks apply best to your organization. Well-known frameworks include:
- NIST SP 800-171 Rev. 2
- SOC 2 Type 2
- SWIFT CSP-CSCF v2022
- HITRUST/HIPAA
- CMMC Level 3
- PCI DSS v4
- FedRAMP High
Not only is your security materially improved by following the vetted model of a framework, but you are also able to measure your cybersecurity readiness against the framework. Capturing the moment-in-time state of your organization vis-à-vis a regulatory framework–and comparing that “security score” to another snapshot in the past–can document your organization’s upward path towards compliance.
This is known as attestation and it’s exactly what cybersecurity underwriters are looking for. An important CSPM feature is to produce easy-to-review cyber readiness self-attestation reports on-demand for auditors and stakeholders.
CSPM Tools and Regulatory compliance
Technically CSPM tools achieve their attestation capability by sensing, monitoring, or otherwise inspecting the configuration of servers, applications, and services and flagging deltas between the observed configurations and the requirements of the framework.
For example, the framework NIST SP 800-53 Rev. 5, “Security and Privacy Controls for Information Systems and Organizations” (which provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk). There are many hundreds of not thousands of discrete security controls that can be identified when mapping the requirements of the framework to the technical underpinnings of modern cloud computing assets.
Specifically, consider the NIST control, “Authentication to Linux machines should require SSH keys” (as opposed to allowing password-based authentication.) The CSPM, having access to read the settings of the ~/.ssh/config and /etc/ssh/ssh_config files on a protected Linux server, can raise an alert when an inspected server allows password-based authentication.
The best CSPM tools will identify the requirement to modify the SSH settings of a vulnerable server, track the assignment of a remediation task to the Linux server admin team, and increase the security profile ‘score’ of the organization automatically once all Linux servers are in compliance with the control. And the CSPM will continuously monitor that setting in case it is ever inadvertently or maliciously changed.
CSPM Features contributing to Zero Trust
The core posture management capabilities of a CSPM can be considered (1) continuous assessment of the security configuration of your cloud resources, (2) delivery of security recommendations to fix misconfigurations and weaknesses, and (3) a reporting or scoring capability for compliance assessment. This is how you achieve Zero Trust with your computing resources—by inspecting them.
When thinking about the best CSPM for your organization, be sure to consider the multi-cloud support of the solution. Almost all organizations are essentially hybrid cloud estates, specifically with assets across Windows, Linux, VMware, AWS, Azure, and GCP environments. The best security platforms will manifest a holistic approach to where the computing workloads and authentication activities are taking place.
Emerging CSPM trends
Since authentication is involved in every Zero Trust activity, a CSPM’s focus on identity and role assignments is valuable. Think: detecting misconfiguration of your directory service that introduces elevation of privilege risks. Known as the emerging Cloud Infrastructure Entitlement Management (CIEM) discipline, this is a way of ensuring that the identities and access rights of entities, such as users, groups, roles, or applications, are appropriate and secured in cloud environments.
Another emerging CSPM technology is agentless scanning for vulnerabilities and secrets, to include agentless discovery for Kubernetes and container environments. Here you apply Zero Trust to your agent-based primary threat management tools by using the datacenter fabric to detect issues in the absence of server-based agents or until those agents can be provisioned during asset deployment.