Today, organizations know the on-premises security tools they need, but when it comes to securing the cloud, they don't always understand which cloud security tools to implement.
While many traditional on-premises tools and controls operate in the cloud, organizations should consider four newer cloud security tools designed to handle the unique challenges that arise from using the cloud.
Read on to learn about each cloud security tool, as well as the best vendors for each. Tools and vendors were selected based on direct experience with consulting clients, as well as vendor demonstrations and product management insights. This list has not been categorized in any way.
1. Cloud security posture management tools
Organizations should implement cloud security posture management (CSPM) tools and services, especially in multi-cloud environments. CSPM tools help automate the detection, monitoring, and remediation of misconfigurations and compliance risks in the cloud.
Most of the leading cloud providers have core service offerings in this category, including Amazon GuardDuty, AWS Security Hub, Microsoft Defender Security Center, and Google Cloud Security Command Center. For smaller or less sophisticated organizations, especially those fully invested in just one cloud, these native services can be sufficient to manage misconfigured assets, missing best practices, or exposed assets and services.
Larger organizations and those in more than one cloud require a third-party tool to help centralize monitoring, reporting, and remediation of weak and poorly configured cloud infrastructure.
CSPM tools include:
Wiz works in hybrid cloud deployments, features more than 1,400 cloud misconfiguration rules and provides compliance monitoring. Orca Security monitors cloud workloads, misconfigurations, policy violations, container security, and more for the software development lifecycle (SDLC). Sysdig helps detect and fix misconfigurations, perform attack path analysis, and more.
2. Cloud-native application protection platforms
Organizations should also consider cloud-native application protection platforms (CNAPPs). This category is rapidly growing to include cloud workload protection, some CSPM capabilities, data and identity-related security controls, as well as DevOps pipeline security controls.
CNAPPs fill gaps where traditional security operations cannot adequately prevent, detect, and respond to cloud-native workload types, such as containers, Kubernetes services, and serverless functions. Additional CNAPP features, such as infrastructure-as-code assessment and container workload images in the pipeline, also help detect issues before deployment.
The CNAPP program includes:
Sysdig provides cloud detection and response, vulnerability management, posture management, and permissions and entitlements monitoring. Aqua provides software supply chain security, scans for vulnerabilities, and detects and responds to attacks and threats in the SDLC. Palo Alto Networks' Prisma Cloud helps discover and remediate security flaws in code repositories, protect cloud workloads at runtime and defend against zero-day vulnerabilities.
3. Security service edge tools
Organizations that move to cloud-based infrastructure and make extensive use of SaaS offerings should consider security service edge (SSE), which is sometimes combined with the larger category of secure access service edge, which includes software-defined WAN offerings.
SSE helps offload traditional security controls, such as network firewalls, content filtering proxies, data loss prevention, and end-user access controls. A cloud security tool provides authentication and authorization compliance for a cloud service rather than a traditional data center VPN, which is often associated with trustless network access. This improves flexibility and performance for end users who primarily use cloud tools rather than on-premises resources.
SSE products include:
Zscaler SSE provides policy-based access to applications and services to users, customers, and third parties. Netskope Intelligent SSE provides granular policy security enforcement to protect users' workflow with data protection and threat protection features. Palo Alto Networks' Prisma Access secures cloud application traffic with a standard policy framework to reduce data breaches and data leaks.
4. Cloud infrastructure entitlements management tools
Another tool to consider is Cloud Infrastructure Entitlements Management (CIEM). All assets in PaaS and IaaS clouds have some form of identity routing, and identity and access management (IAM) policies can mushroom quickly, often with excessive privileges. CIEM can help automate this.
Small organizations may get away with using cloud-native provider services that evaluate identity roles and policies, for example, AWS IAM Access Analyzer. Larger organizations with multiple cloud resources and complex deployments can benefit from CIEM tools that evaluate identity relationships and policies, flag potential attack paths and excessive privileges, and address issues when they are discovered.
CIEM tools include:
Tenable CIEM helps define and monitor access and permissions, automate analysis and remediation efforts, and maintain an inventory of all identities, entitlements, and resources. Sonrai Security helps identify and remediate unknown administration accounts, clean up old and unused identities, and implement least privilege access policies. CrowdStrike Falcon Cloud Security monitors and addresses security issues, including disabling multi-factor authentication (MFA), identity misconfigurations, and account compromises, and detects and responds to identity-based attacks.
Worth considering: SSPM and DSPM
Many of these cloud security tools are evolving and even converging into new standardized product families that could easily change in the next several years. The common element of all the tools mentioned is addressing the unique security challenges of cloud deployments.
Emerging cloud security tools that may be worth adopting in the future include SaaS Security Posture Management (SSPM) and Data Security Posture Management (DSPM), but the four mentioned here are at the top of many cloud security teams' lists today.
Dave Shackelford is founder and principal consultant at Voodoo Security; SANS analyst, instructor, and course author; and Technical Director of GIAC.
