1 Introduction / Executive Summary

The KuppingerCole Leadership Compass provides an overview of a market segment and the vendors in that segment. It covers the trends that are influencing that market segment, how it is further divided, and the essential capabilities required of solutions. It also provides ratings of how well these solutions meet our expectations.

This Leadership Compass covers solutions that ….

provide a way to continuously identify and control certain risks associated with the use of cloud services. They provide visibility into vulnerabilities in the way these services are configured, secured, and used and assess the risks against common regulatory obligations, security frameworks, and organizational policies. They automate the discovery and reporting of these risks and automate appropriate corrective action.

Most organizations now have a hybrid IT environment where services are delivered in multiple ways, some on premises or at the edge while others are delivered as cloud services. Cloud IaaS is now extensively used to develop and deliver new applications and reengineer existing ones. This is often because cloud services provide an environment for accelerated development without the need for capital expenditure and avoids lengthy procurement delays to obtain hardware. However, security is a shared responsibility for cloud services, and this increases complexity. While the CSPs (Cloud Service Providers) must take steps to secure the service they provide it is up to the customer to secure the way they use the service. CSPM tools are intended to reduce this complexity by helping organizations using cloud services to identify and manage the risks under their control.

There are many acronyms for tools that help to secure cloud services, and these are described in the report. CASB (Cloud Access Security Brokers) together with SASE (Secure Access Service Edge) implement controls which largely focus on SaaS (Software as a Service); however, the risks extend to all cloud service delivery models. CNAPP (Cloud Native Application Protection) focuses on helping to secure the cloud infrastructure elements and the tools used in the DevOps lifecycle. CWPP (Cloud Workload Protection) helps to identify vulnerabilities and misconfigurations within the cloud Virtual Machines and Container hosts. CIEM (Cloud Infrastructure Entitlement Management) provides controls over the entitlements related to virtual resources. CDR (Cloud Detection and Response) helps to detect and respond to threats and active attacks on the customer’s cloud service elements.

CSPM does not replace the controls provided by these tools. Rather, it provides visibility into IaaS and PaaS and helps organizations to ensure that the controls over their multi-cloud environment are deployed in a way that meets the organization's risk appetite. It helps to enable agile governance through the management of guardrails.

1.1 Highlights

The highlights from this report are:

• The responsibility for security and compliance is shared between the cloud customer and the CSP.
• The security and compliance risks are not unique to the use of cloud services but there are several factors which increase risks when using the cloud.
• Cloud services are dynamic and a traditional static approach to security is not effective. In addition, many organizations fail to adapt and apply their normal internal security and compliance controls.
• Good governance, with a consistent approach to the security of IT services regardless of how they are delivered, is the best approach. Guardrails provide an agile approach to good governance.
• There is an emerging market in tools to help manage the cloud customers’ security responsibilities for various details of cloud services.
• CSPM solutions provide overall visibility into cloud customers’ risks to help them to manage their security responsibilities and compliance obligations.
• This report describes the major capabilities that CSPM solutions should provide to achieve these aims and then evaluates how well solutions from several vendors provide these capabilities.
• These capabilities include covering the major IaaS cloud services, providing an inventory of the cloud service elements used by the customer, and identifying the risks that stem from the way that these are configured and used.
• The solutions should cover risks associated with users and their entitlements, the types of data stored and how this is protected, how the in-cloud network is configured to support a Zero Trust approach, failure to mitigate CVEs (Common Vulnerabilities and Exposures) and failure to follow security best practices.
• Solutions should report security posture against a range of common security frameworks and best practices as well as major regulatory obligations.
• The report identifies vendors that, in our opinion, are leaders in four categories in this market segment. These are product leaders with leading edge products, market leaders with a large global customer base, innovation leaders that are driving change in the market and overall leaders.
• In addition, we identify those vendors that we believe have the potential to disrupt the market.