Better Together: CMDB + CSPM = Cloud Native Cyber Asset Management
This blog was originally published by JupiterOne here.
Written by Tyler Shields, JupiterOne.
There is a lot of confusion out there when it comes to cloud native IT and cloud security tools. Things have gotten rather complicated over the last few years as we have migrated our security and technology stacks into cloud native offerings. Consider the terms now in circulation:
- Cloud Access Security Broker (CASB)
- Cloud Workload Protection Platform (CWPP)
- Cloud Security Posture Management (CSPM)
- Cloud Infrastructure Entitlement Management (CIEM)
- Cloud-Native Application Protection Platform (CNAPP)
- Cloud-Native Configuration Management Database (CMDB)
Sometimes a term is created by a vendor and adopted by the market, and sometimes it originates with an inventive industry analyst or reporter. In general, each of these is a bundle of features grouped together to define a market that CISOs and IT leaders want to buy into.
I could go through in detail how the overlap between each of the technologies above does or doesn't matter to the value delivered to the buyer, but for the sake of brevity I'll scope the discussion down to a few specific terms: CSPM, CWPP, CNAPP and CMDB.
Defining the Terms
First off, let's level set on the traditional terms that have been in the market for a while now. Many of these technologies were created a decade or more ago and have grown in lockstep with cloud native applications and cloud computing.
Cloud Security Posture Management
CSPM solutions help you manage cloud security risk. Generally this is done by connecting directly to the cloud service provider (CSP) and analyzing its security settings and configuration. They take a continuous view of the state of your CSP accounts, look for known security issues such as misconfigurations, and track drift and change in that environment over time. They alert, log, and help you fix these issues as quickly as possible. Because a CSPM works from the provider's control plane, it sees what the cloud APIs expose about a resource, not what is running inside it. There are a number of good CSPM vendors in the market today that provide reasonable solutions for security in your cloud environment. From a value perspective, CSPM helps enterprises with governance and security of their CSP-native resources, whether single cloud or multi cloud.
Cloud Workload Protection and Cloud Native Application Protection Platforms
Compared to CSPM, CWPP is focused on the security of the cloud workload itself rather than the configuration of the CSP. There are unique runtime protection problems in cloud security that CWPP products are built to solve. CWPP products secure workloads from the operating system up through memory, application code and the container layer, including behavioral process monitoring. A full suite of offerings in the CWPP market tackles workload security across multi cloud and hybrid cloud environments.
Configuration Management Database
This might seem like a really old technology to be discussing in a blog focused on cloud and cloud native security - and it is. However, there are reasons why CMDB technology is required in order to implement the best possible cloud security initiatives. A CMDB tracks all of the hardware and software used in the enterprise. It keeps an organized and opinionated view of your environment, allowing you to view, visualize, and slice and dice the data however you need. CMDB has been around for a long time and is currently being reinvented in cloud native form. A CMDB tracks configuration items (CIs) for all of the assets in the system, which makes its value increasingly important to IT and security teams alike.
Here’s Where Things Get Fuzzy - And The Battle Begins
The market is beginning to see a convergence of cloud security technologies, resulting in significant confusion among vendors, analysts, and especially the CISO and CIO buyers. Where we previously had a choice of CSPM, CWPP, and CMDB point solutions, offerings are now merging in ways that should deliver more value at a lower overall total cost of ownership for the customer. Let's look at the two most prominent "better together" stories.
CSPM + CWPP = Cloud Native Application Protection Platform
CNAPP is a very nascent term that Gartner is using to describe the unification of the value propositions of CSPM and CWPP. Securing your cloud environment requires both configuration and runtime protection to be successful. Because of this, we are seeing a movement towards vendors offering the breadth of both solutions in a single package. Most of the products that have come to market recently target this approach: they aim to be competitive in cloud native security both at runtime (the workload) and at rest (the configuration), and they are crafting a story in which the combination is much better together than the parts are separately.
CSPM + CMDB = Cloud Native Cyber Asset Management (or Cloud Native CMDB)
When we think about security and asset tracking in the cloud, we realize that CMDB solutions that collect configuration information can't be too far off from CSPM solutions that collect configuration information. The primary difference between them is the type and depth of the configuration items (CIs) they collect and how they analyze them to provide value to the CISO or IT leader.
It's not much of a leap to think that CSPM will eventually replace CMDB, until you realize that CMDB covers far more asset classes than cloud configuration. Where a traditional CMDB tackles primarily endpoints and mobile devices, a modern cloud native CMDB is smart enough to tackle any class of asset that you can draw a software-defined box around. Anything from user identities to CSP configuration, workload status, GitHub repositories, vulnerabilities, code commits, training levels and more can and should be tracked in a modern cloud native cyber asset management approach.
The Final Verdict - The Fight Of The Century
I bet you thought I would eventually declare a winner. That's obviously what I've been driving toward throughout this entire post. But at the end of the day, I don't think that if we staged a Tyson vs. Ali moment between CNAPP and Cloud Native Cyber Asset Management, one would really come out on top.
A closer analogy would be the top boxer in the world against one of the best MMA fighters on the planet. The winner would really depend on how you frame the fight and what rules you put into place. I don’t think there is much difference between that and CNAPP vs. Cloud Native Cyber Asset Management.
The use cases for Cloud Native Cyber Asset Management are clear. Understanding your cyber asset landscape and the relationships between those assets gives you the foundation for a strong overall security program. CNAPP (or CSPM + CWPP) results in a rather robust runtime protection system for cloud workloads, built on top of an asset collection that serves that single use case. With a complete understanding of your modern cyber assets you can deliver improvements not only in cloud security but also in incident response and security operations, ease the burden of compliance and governance, and cover CSPM capabilities as well. The breadth of the solution and its possible extensibility is vast.
The net result is that Cloud Native Cyber Asset Management is the ultimate system for better overall cyber security program delivery. Every company needs modern cyber asset management.
If you are looking for a cloud security solution that covers your CSPs and provides runtime protection of your workloads, it's clear that CNAPP is the way to go. If you are looking for an extensible platform that you can build your entire modern cyber security program on top of, then you really can't beat the breadth of asset management and relationship context that comes from a modern cloud native cyber asset management platform.
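To make the "any asset class plus the relationships between them" idea concrete, here is a small in-memory asset graph that models identities, roles, workloads, security groups, a code repository and vulnerability findings as configuration items joined by typed relationships, then answers the kind of cross-class questions a security team asks (which exposed workloads carry an open critical finding, who can reach them, and what a finding's blast radius is). This is an added example written for this post; it is not JupiterOne's code, query language or data model, and the asset classes, relationship verbs and inventory are all constructed for the illustration.

```python
"""Minimal cyber-asset graph: configuration items of many classes joined by
typed relationships, queried the way a cloud-native CMDB would query them.

Added example for this post, not JupiterOne's product, code or data model.
The asset classes, relationship verbs and the inventory below are constructed.
"""
from collections import defaultdict

# Constructed sample inventory: asset_id -> (asset_class, properties).
ASSETS = {
    "user:alice":     ("User",          {"mfa": True}),
    "user:bob":       ("User",          {"mfa": False}),
    "role:admin":     ("AccessRole",    {"policy": "AdministratorAccess"}),
    "role:readonly":  ("AccessRole",    {"policy": "ReadOnlyAccess"}),
    "vm:web-01":      ("Workload",      {"public_ip": True}),
    "vm:batch-01":    ("Workload",      {"public_ip": False}),
    "sg:web":         ("SecurityGroup", {"open_to_internet": True}),
    "sg:internal":    ("SecurityGroup", {"open_to_internet": False}),
    "repo:shop":      ("CodeRepo",      {"default_branch": "main"}),
    "finding:crit-1": ("Finding",       {"severity": "critical", "open": True}),
    "finding:med-1":  ("Finding",       {"severity": "medium",   "open": True}),
}

# Constructed relationships as (subject, verb, object) triples.
RELATIONSHIPS = [
    ("user:alice",    "ASSIGNED",     "role:admin"),
    ("user:bob",      "ASSIGNED",     "role:readonly"),
    ("role:admin",    "ALLOWS",       "vm:web-01"),
    ("role:admin",    "ALLOWS",       "vm:batch-01"),
    ("role:readonly", "ALLOWS",       "vm:batch-01"),
    ("vm:web-01",     "PROTECTED_BY", "sg:web"),
    ("vm:batch-01",   "PROTECTED_BY", "sg:internal"),
    ("repo:shop",     "DEPLOYED_TO",  "vm:web-01"),
    ("vm:web-01",     "HAS",          "finding:crit-1"),
    ("vm:batch-01",   "HAS",          "finding:med-1"),
]


class AssetGraph:
    """Directed property graph: nodes are CIs, edges are typed relationships."""

    def __init__(self, assets, relationships):
        self.assets = assets
        self.out = defaultdict(list)   # subject -> [(verb, object)]
        self.inc = defaultdict(list)   # object  -> [(verb, subject)]
        for s, v, o in relationships:
            if s not in assets or o not in assets:
                raise ValueError(f"relationship references unknown asset: {s} {v} {o}")
            self.out[s].append((v, o))
            self.inc[o].append((v, s))

    def of_class(self, cls):
        return sorted(a for a, (c, _) in self.assets.items() if c == cls)

    def props(self, asset_id):
        return self.assets[asset_id][1]

    def targets(self, asset_id, verb):
        """Assets reached from asset_id by an outgoing edge with this verb."""
        return [o for v, o in self.out[asset_id] if v == verb]

    def sources(self, asset_id, verb):
        """Assets that point at asset_id with an incoming edge of this verb."""
        return [s for v, s in self.inc[asset_id] if v == verb]

    def internet_exposed_workloads(self):
        """Workloads with a public IP whose security group admits the internet."""
        return sorted(
            w for w in self.of_class("Workload")
            if self.props(w)["public_ip"]
            and any(self.props(sg)["open_to_internet"]
                    for sg in self.targets(w, "PROTECTED_BY")))

    def exposed_with_open_critical(self):
        """Exposed workloads carrying at least one open critical finding."""
        return sorted(
            w for w in self.internet_exposed_workloads()
            if any(self.props(f)["open"] and self.props(f)["severity"] == "critical"
                   for f in self.targets(w, "HAS")))

    def who_can_reach(self, workload):
        """Users whose assigned roles allow the workload, mapped to their MFA state."""
        users = {}
        for role in self.sources(workload, "ALLOWS"):
            for user in self.sources(role, "ASSIGNED"):
                users[user] = self.props(user)["mfa"]
        return dict(sorted(users.items()))

    def blast_radius(self, finding):
        """Workloads carrying the finding, the repos deployed to them, and the
        identities that can reach them, grouped by asset class."""
        radius = defaultdict(set)
        for w in self.sources(finding, "HAS"):
            radius["Workload"].add(w)
            radius["CodeRepo"].update(self.sources(w, "DEPLOYED_TO"))
            radius["User"].update(self.who_can_reach(w))
        return {k: sorted(v) for k, v in radius.items()}


def build_sample_graph():
    return AssetGraph(ASSETS, RELATIONSHIPS)


if __name__ == "__main__":
    g = build_sample_graph()
    print("exposed:", g.internet_exposed_workloads())
    print("exposed + open critical:", g.exposed_with_open_critical())
    for w in g.exposed_with_open_critical():
        print(w, "reachable by", g.who_can_reach(w))
    print("blast radius of finding:crit-1:", g.blast_radius("finding:crit-1"))
```

The point of the example is that none of these questions can be answered from a single asset class: exposure needs the workload and its security group, risk needs the finding, and the response needs the identities and the repository, which is the relationship context the post argues a cloud native CMDB adds on top of what a CSPM collects. A CSPM alone would flag sg:web as open to the internet; the graph walk also tells you that the exposed host carries an open critical finding, ships code from repo:shop, and is administrable by user:alice.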