Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the Director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today is Mike Small. He is a Senior Analyst who has been working with KuppingerCole for as long as I can remember. And he's working out of the UK. Hi, Mike. Good to have you.
Hi, Matthias. Thank you for inviting me.
Great to have you. You are my go-to person when it comes to cloud security, to cloud governance, and to governance and security outside the cloud topic. And you have done some research on the topic of Cloud Security Posture Management, and that is a topic that, at least as a term, is rather new. But you have been watching that space for quite a while. So how did that topic, Cloud Security Posture Management, evolve over time, and why do you believe it is getting more and more important? What are the drivers behind that?
Okay, well, so Cloud Security Posture Management, CSPM, is part of an alphabet soup of acronyms that relate to different tools and techniques to do with securing the cloud. So in terms of the evolution, in the beginning, organisations were frightened of the cloud because they didn't control the infrastructure and they were worried that the cloud service provider might not be as diligent as they were. Well, in fact, the reverse has turned out to be the case. With the cloud, you have this shared security model where the service provider is responsible for the security of the infrastructure and the service they provide, but organisations are responsible for how they use it. And over time, it has become clear that the majority of breaches have come because of failures of the organisation using the cloud to fulfil their responsibilities. And so this is what has led to this raft of tools and technologies to help organisations to secure the way they use the cloud.
Right. You mentioned that shared responsibility model, and I think that is one of the first things that I learned from you when we talked about cloud security and how the two partners in that game play together. Are there common misconceptions that lead to what you just described, that breaches still occur on the customer side and not on the provider side? And what are the potential pitfalls behind that?
Well, I think that most of the cloud providers have made it abundantly clear in their contracts and in the services that they provide to their customers who is responsible for what. What has actually become the problem is this: whilst securing the cloud involves many of the same elements as securing non-cloud or traditional IT, the challenge is that the dynamic nature of cloud services poses new challenges. And it is this dynamic nature that is the biggest challenge for customers.
Okay, got it. We have not yet talked about the definition of what CSPM actually is. And you've mentioned that alphabet soup, and there are lots of acronyms around that. And I think I see there are overlaps. But what do you consider to be, or what constitutes, the market of CSPM, and what should be in there at least?
Well, in a sense, the issue is that the way in which IT has changed and the way in which securing IT has changed, it has changed because of the dynamic nature of the cloud and virtual services. So that in the cloud a server can be instantiated in milliseconds and exists in an environment where it has to identify itself as belonging to you rather than to anybody else. And so the way in which you approach managing the security of this has to be different, whereas with a traditional model you could rely on the fact that it would take several months to order a piece of equipment. When you got it, you had physical control over it and you then had processes that were involved in securely deploying your applications on it. All of this now happens in milliseconds. And so the notion of governance, where this is a slow process based on static controls, no longer works; you have to have a much more dynamic approach. And so, because every generation likes to reinvent its words for what it does, governance in the cloud has become posture management, and controls have become guardrails, because static controls are not sufficient. You have to have something that will make sure that you cannot go wrong, rather than something that checks that you didn't go wrong after the event. So all of this leads to the same conclusion: that when you were governing your traditional IT, you needed to have some kind of a dashboard that told you whether or not your appetite for risk was being realised, whether or not you were in fact achieving the compliance that you needed. And so what Cloud Security Posture Management does in this dynamic cloud environment is it actually allows you to visualise whether or not you're on track, to give you an early warning if you're not on track, and to give you reassurance that you are in fact complying.
Now, it actually depends upon this alphabet soup, because underneath the Cloud Security Posture Management, in order to secure these things in the cloud, you need to have the same kinds of tools, but those tools have to have slightly different characteristics and a different focus. So, for example, I've talked about the issue to do with the fact that your server or your resource in the cloud has to know that it is owned by you and that nobody else can do things to it. And that means that it has to have an identity and it has to have access controls or entitlements. So here is something that's different. You know, when I was dealing with physical computers, their physical presence was sufficient to determine what they could connect to. I could physically connect a network or disconnect a network. Now, all of this is virtual. So you need to have control over these entitlements. So one of the elements of this alphabet soup is Cloud Infrastructure Entitlement Management. And so unless you're doing that properly, you aren't actually protecting and securing your use of the cloud. Another challenge is the way in which you can check for vulnerabilities. Now, traditionally, what you would do is a vulnerability scan of your live servers. Well, this is too late. This is too late because the server has already been instantiated and may be there for milliseconds and go away. So you have to move to something that produces a policy that scans things in advance. And this means integrating with the deployment model in the cloud, which is, largely speaking, now described as the CI/CD deployment model, based on the notion that most of the native applications that run in the cloud are written using DevOps techniques based around microservices and Kubernetes.
And so the development process has to ensure that the images which are going to be deployed will be scanned in advance of them being deployed, that the structure of the code and the dependencies of that code will have had vulnerabilities removed before they are deployed. This extends to things like software build. So you need to have your understanding of the potential for risks inside the third-party modules that you might be including in your build. And at the same time, the network that you're working on is a network that is virtual, and yet it contains control points like, for example, firewalls and so forth. But all of these need to be secured in the same way, and you can't just do it after the event. So network cloud security, build security, all of these things are coming into this. And they have basically been put together under another acronym, which is CNAPP, Cloud Native Application Protection Platforms, and Cloud Workload Protection Platforms, CWPP. So these platforms, these components, give you control, and Cloud Security Posture Management gives you visibility; you need the two together. So a good Cloud Security Posture Management tool within the cloud fits as part of a coherent Cloud Native Application Protection Platform. Now you might say, well, if you look at all of the big cloud service providers, they all provide something. They all provide some pretty good tools. The problem is that every cloud is different. So Azure is different to Google Cloud, which is different to AWS, which is different to Red Hat OpenShift, and so forth. And so any cloud is different to what you have on premises. And so one of the big things about these platforms and Cloud Security Posture Management is the move towards bringing you a coherent and single point of view and single point of control across these multiple cloud environments.
Right. And totally interesting, because this really takes one step back and gives kind of a meta approach towards securing the cloud. You've mentioned the term guardrails earlier as a new concept that replaces or augments the term policies. So it's an agile approach to governance, and what you just described, I think that is part of this move towards guardrails. Can you explain a bit more how organizations can really define, implement and just live these guardrails to be up to the task?
Yeah, well, this is an interesting challenge. The problem is that, well, controls can come in three different forms. They can be preventative, they can be detective or they can be remedial. And in traditional security, in a traditional environment, things moved sufficiently slowly that you could depend heavily on detective and remediation type controls. In the cloud, things happen so quickly, and the vulnerabilities and the threats are so widespread and so imminent, that you have to move towards a policy-based, preventative approach to cloud security. And interestingly, that leads to two things. First of all, you need to be doing all of the things in advance, like I talked about; it's no good scanning the live server or the live app. You need to be doing that beforehand, and the move, in the future, is even further back than that, because the problem that has always been there is knowing whether or not your security is actually complete. And so really what is needed is a move to what you might call provable security. So that when you create your policies, when you implement your guardrails or controls, how do you know that they are sufficient, that there aren't gaps in the combinations of them? And so the future of all of this, in my humble opinion, is moving to a point where you have a way of proving that the totality of your controls actually is sufficient and complete.
Right. And the research that you did is a Leadership Compass. So we are talking about products, about implementations of exactly the software that implements this paradigm of Cloud Security Posture Management that you just described, when organizations now decide that they need to go there. And I think they should. What are the most common challenges that organizations will face when implementing such a solution, apart from this paradigm shift that you just described? And how can they overcome them? How can they adapt to this changed world that they are already living in?
Well, first of all, most of the solutions that I've been talking about are delivered as cloud services. That's the first thing. So if you want to secure the cloud, actually you need to be in the cloud in order to do it. So that's kind of an obvious but first critical step. The change in mindset is a change that has evolved. I mean, we're calling it DevSecOps, that you cannot really separate security from development and operation. And yet in a traditional world they are separated. If you talk to a CISO, they will say, well, we're responsible for the controls, but we're not responsible, say, for example, for installing the software on a particular system; that's operations. Well, the trouble is that it's all in the cloud. It's so fast, it's all one. So the whole team have to be involved in doing this. And that's why the move towards these overarching platforms, the CNAPP type platform, is rather critical. And CSPM is an essential component of it, but is not in itself sufficient.
Understood. I think many organizations, especially the larger ones, have already understood that shift, because it's their daily business. So if you talk about Fortune 500 companies, I think they will be working on that, and they are already preparing for that. But if we look at the smaller organizations, the start-ups, the SMEs who are using and deploying cloud services, at least at the same level, what can they do? They don't have the budget to spend on everything that's possible. If we look at these platforms, what would be your top recommendations for these smaller organizations with limited budget to maintain a strong cloud security posture without being killed by success or breaking the bank?
Well, I think there are several different threads in the answer to the question you've just posed. So, for example, if you look at the start-ups that are exploiting the cloud, then they know exactly what they're doing, and they may be making choices about feature function availability over security, but that's their choice. At least they're doing it with some understanding of what they're doing. Now, from the perspective of the small to medium-sized enterprise that is in fact running a business that needs services from the cloud, the challenge there is that there are two solutions. One is the growth in good software as a service, where in effect there are vendors or cloud vendors providing specific software services delivered through the cloud that are targeted on specific industries, and they are probably going to be more cost-effective than the small businesses trying to run it themselves. Equally, the small business is probably better off using a cloud service than trying to run their own server. You know, having a server under your desk is inherently going to be less secure than having one in the cloud. And ultimately you have to decide what your business is. And if your business is making widgets, then it may well be that you are better to buy a managed service from an organisation that knows what they're doing. And that was true when you were running your own computer services, and it is still true for many of the things that organisations want to do with the cloud.
Right. So now we are approaching the cyberevolution event that KuppingerCole will be holding in Frankfurt in mid-November. And of course, apart from the research that we already have at hand, the personal experiences, but also the outlook of you as the expert, the analyst, into the future, and leading the discussion with peers on the other hand, will be important parts there as well. So if I ask you personally, what were the most striking new facts that you came across and, part two of that question, if you pull out your crystal ball, what do you expect for the next, say, 2 to 5 years to change in addition to what we've seen already when it comes to cloud security and CSPM and CNAPP and whatever else you just mentioned?
Well, I think there are a number of threads to this. First of all, there is a geopolitical factor, which is that the IT world, the Internet, has been weaponized in all of the various geopolitical conflicts that we now see in the world, and the fact that organisations have become so dependent upon IT means that you can actually use attacks through the Internet as weapons to attack states. To give quite a local example, in the UK, the postal service was subject to some kind of a ransomware attack which actually led to it being almost impossible for two or three weeks for businesses to deliver parcels through Royal Mail that went out of the country. So that's the kind of impact that you can have. So weaponization by the nation state as part of global conflict. The second thing is that artificial intelligence has proved to have many benefits, but it's also giving benefits to the cybercriminals to allow them to hone and to optimise the methods of attack and the attack vectors that they use, based on the data that they can collect. And so the threat level is becoming higher, and you need to attend this conference to see these kinds of threats. And the second thing is that actually artificial intelligence itself is becoming an unknown threat, because people are not aware of the extent to which, if they use it, they may inadvertently be releasing their secrets, their intellectual property or their due diligence to, in fact, a large pool of data that then can be tapped into without their knowledge. So there are many reasons to come and listen to us, and to join us in Frankfurt in November.
Right. All this and more. And this is really interesting. It really also moves it away from the pure IT perspective or the pure cybersecurity perspective into real life, into real-life politics, into geopolitics, just as you mentioned. So your research is out. The Leadership Compass CSPM is available for download on our website, kuppingercole.com. And there is much more information on the topics that you cover, including cloud governance, cloud security, but much more. And yeah, I can only recommend downloading that document and reading more. Mike, thank you very much for being my guest today. Thank you very much for contributing to cyberevolution in November. I'm looking forward to that event, and if there are any questions to you or to me, but most probably to you, as the expert, drop your comments, drop your questions into the comments section below that video. If you're watching or listening to that video or the audio part of it on some other platform, just reach out to Mike and/or me or anybody at KuppingerCole. Leave your questions, make suggestions for that podcast and join us at cyberevolution in Frankfurt in November. Thanks again, Mike, for being my guest today. That was a great conversation and I learned a lot. Thank you very much.
Thank you, Matthias.