Share on LinkedInTweet about this on TwitterShare on FacebookEmail this to someonePin on Pinterest
Read on Mobile

A Practical Guide to Gartner’s Cloud Security Archetypes

cloud security

researchHQ’s Key Takeaways:

  • Cloud Access Security Brokers (CASBs) secure access to enterprise’s cloud-based resources through security policy enforcement points between the cloud service consumer and cloud service provider.
  • Cloud Workload Protection Platforms (CWPPs) secure workloads in modern hybrid and multi-cloud environments, providing unified protection from a single console.
  • Cloud Security Posture Management (CSPM) offer continuous monitoring and automation to identify and remediate risks across multi-cloud environments while reducing alert fatigue.
  • Cloud Infrastructure Entitlement Management (CIEM) improve identity and access management (IAM) through governance controls suited to dynamic, distributed environments.
  • Cloud-Native Application Protection Platforms (CNAPP) were designated by Gartner to reflect emerging cloud security trends. They merge CSPM and CWPP archetypes to protect hosts and workloads in the cloud.

 

Introduction

The cloud security solutions market is growing rapidly and there are many types of solutions to support your specific business needs. But figuring out the right tool, let alone the right type of tool, can be difficult. This guide distills the main concepts of five archetypes that fall under the broader cloud security management platform umbrella:

  • Cloud Access Security Broker (CASB),
  • Cloud Workload Protection Platform (CWPP),
  • Cloud Security Posture Management (CSPM),
  • Cloud Infrastructure Entitlement Management (CIEM), and
  • Cloud-Native Application Protection Platform (CNAPP).

Gartner developed and defined these archetypes, which often overlap in terms of capabilities, to provide businesses with analysis that better informs their decision making. The last two, CIEM and CNAPP, are recent additions.

For each category, we will describe:

  • what each tool category is,
  • where it is best used, and
  • benefits and limitations.

What Is It?

We will look at what each tool category does and highlight some notable features.

In What Context Is It Best Used?

In these sections, we will look at the best deployment patterns and implementation scenarios for each tool.

Per Gartner, deployment patterns for cloud fall into three general groupings:

  1. Infrastructure as a Service (IaaS). This includes the collective group of IaaS-only patterns, including just IaaS and IaaS with containers.
  2. Software as a Service (SaaS) and application. This covers all SaaS, and application-level focused patterns, including Platform as a Service (PaaS).
  3. Mixed. This covers IaaS plus mixed are more complex combinations of IaaS with other cloud services, including SaaS and PaaS.

Gartner assessed CASB, CWPP, and CSPM tools across these three deployment patterns for single, multi, and hybrid cloud implementations. We will take a look at how they ranked and in what scenarios the tool category could be most useful. Please note that Gartner has not yet formally assessed the CIEM and CNAPP archetypes.

Benefits and Limitations

Why use a particular tool category? What are the potential drawbacks to be aware of? We’ll break down the positives and negatives for each one.

Cloud Access Security Broker

What Is It?

CASBs are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers (CSPs) to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention, etc.

In What Context Is It Best Used?

According to Gartner, CASBs are most effective on SaaS deployments for single and multi-cloud implementations. CASBs are also somewhat effective in mixed deployments.

Benefits and Limitations

Benefits

  • Good visibility.
  • Good detection. Capable of detecting unsanctioned cloud applications (“shadow IT”) and as well as sensitive data in transit.
  • Rich data. By its nature of controlling users’ access to cloud SaaS applications, CASBs can produce rich audit logs with events related to the users’ behavior using the applications.

Limitations

  • Lack automated action. While CASBs can provide great data and information, they do not have the capacity to take automated action to remediate potential threats. This could be a concern for companies who do not have enough security employees to address the high volume of issues that will need manual intervention.
  • Struggle to provide consistent information because of incompatible services across CSPs.
  • Struggle to keep up with the pace of adoption of services across CSPs
  • CASBs require users to go through a central gateway; therefore, if users access cloud resources outside of this avenue (shadow IT), security teams might be blind to it.

Cloud Workload Protection Platform

What Is It?

According to Gartner, CWPPs are workload-centric security offerings that target the unique protection requirements of workloads in modern hybrid, multi-cloud data center architectures. In plain english, CWPPs help organizations protect their capabilities or workloads (applications, resources, etc.) running in a cloud instance.

CWPP capabilities vary across vendor platforms, but typically include functions like system hardening, vulnerability management, host-based segmentation, system integrity monitoring, and application allow lists. CWPPs enable visibility and security control management across multiple public cloud environments from a single console.

Gartner divides CWPP vendors into eight categories:

  • Broad, Multi-OS Capabilities
  • Vulnerability Scanning, Configuration, and Compliance Capabilities
  • Identity-Based Segmentation, Visibility, and Control Capabilities
  • Application Control/Desired State Enforcement Capabilities
  • Memory and Process Integrity/Protection Capabilities
  • Server EDR, Workload Behavioral Monitoring, and Threat Detection/Response Capabilities
  • Container and Kubernetes Protection Capabilities
  • Serverless Protection Capabilities

In its 2020 Market Guide for Cloud Workload Protection Platforms, Gartner states that workloads are becoming more granular — with shorter life spans — as organizations continue to adopt DevOps-style development patterns, with multiple iterations deployed per week or even per day. The best way to secure these rapidly changing and short-lived workloads is to take a proactive approach. By incorporating security via DevSecOps through the use of Infrastructure as Code templates, pre-deployment vulnerability management and code scanning, workloads are protected from the very beginning.

In What Context Is It Best Used?

Gartner states that the best possible context for a CWPP is a single provider IaaS, particularly where there are requirements for additional security capabilities to protect workloads.

Benefits and Limitations

Benefits

  • Provide visibility into and control over workloads.
  • Provide comprehensive protection against workload risks deployed in IaaS. This is significant because workloads are difficult to protect, and as more organizations adopt container-based service deployments, the difficulty of protecting workloads will persist.
  • Can alert and escalate issues; local policy scripting at the workload level permits posture changes, such as firewall changes and application whitelist changes.

Limitations

  • Lack identity and access management functions.
  • Cannot provide overall risk management services across all cloud deployments.
  • Cannot perform event monitoring outside of workloads.

Cloud Security Posture Management

What Is It?

CSPM solutions continuously manage cloud security risk. They detect, log, report, and provide automation to address issues. These issues can range from cloud service configurations to security settings and are typically related to governance, compliance, and security for cloud resources.

CSPM tools focuses on four key areas:

  • Identity, security, and compliance
  • Monitoring and analytics
  • Inventory and classification of assets
  • Cost management and resource organization

In What Context Is It Best Used?

CSPM tools are most effective when used in multi-cloud IaaS environments. They can also protect IaaS elements of mixed deployments.

Benefits and Limitations

Benefits

  • Provide unparalleled visibility into an organization’s cloud assets and their respective configurations.
  • Provide valuable context by mapping interdependencies between cloud infrastructure, services, and abstraction layers to fully understand the source and scope of risk.
  • Enforce the protection of data by assuring that native and other data security controls are in place.
  • Identify workload issues and potential attack surfaces/exposures by detecting configuration issues/deviation from best practices. They interoperate with native monitoring and alerting to provide effective incident identification and escalation.
  • By integrating with identity platforms or native cloud identity, CPSMs help provide privileged access control to IaaS cloud administration.

Limitations

Most CSPM limitations are connected to their interconnections with native CSP security controls. For example, CSPMs:

  • Do not apply security at the data, operating system or application layers or provide additional data security controls. However, they will enforce native data and application controls.
  • Do not typically perform vulnerability scanning directly; rather, they rely on native tools and other third-party product outputs.

Cloud Infrastructure Entitlement Management

What Is It?

In its 2020 Cloud Security Hype Cycle, Gartner included a new category and corresponding “C” acronym, CIEM. This new archetype describes solutions focused on cloud Identity and Access Management (IAM), which is often too complex and dynamic to be managed effectively by native CSP tools alone. The emerging CIEM category is designated for technologies that provide identity and access governance controls with the goal of reducing excessive cloud infrastructure entitlements and streamlining least-privileged access controls across dynamic, distributed cloud environments.

In What Context Is It Best Used?

IaaS and PaaS environments.

Benefits and Limitations

Benefits

  • Provides visibility into who and what can access your cloud resources.
  • Replaces time-consuming intervention to remediate overly permissive access and entitlements.
  • Protects sensitive data.
  • Prevents overly permissive or unintended access.
  • Enables and empowers audit and compliance functions.

Read more…

Business Challenge:We've curated the most common business challenges Designing a secure cloud architecture
Stage:We've split the research process into 3 tasks Explore Solutions

Latest Additions