Real Life Use Cases CIEM vs CWPP vs CSPM

CISO Cloud Security Skill Level: Executive
Reading Time: 6 minutes

Cloud practitioners and even CISOs may find themselves overwhelmed with the variety of security solutions in the market today. Each one focusing on a different aspect of securing your cloud environment, and then being multiplied by all the different vendors providing them.

Some top solutions and acronyms we see in the market today that we’ll focus on include: Cloud Security Posture Management (CSPM), Cloud Infrastructure Entitlements Management (CIEM), and Cloud Workload Protection Platform (CWPP.)

ciem vs cwpp vs cspm

Briefly, CSPM aims to ensure the foundation to your cloud environment is secure. It begs the question, are you securing your cloud correctly? Do you have all the controls in place to prevent simple risks from arising and/or addressing them when they do? A CSPM solution will enable you to get to a secure baseline and then continuously evaluate against that secure baseline to detect when misconfigurations occur. Examples of this include datastores being exposed to the internet, logging not being turned on, encryption not being turned on, or lack of MFA, appear. The right CSPM solution will provide the ability to respond to these deviations at the speed and scale of the cloud using intelligent workflows and automation.

CIEM aims to govern and secure all things identity related in your environment. Identity is the stepping stone for malicious lateral movement in the cloud and accessing your organization’s most precious data. CIEM solutions start by taking a full inventory of all your identities, people and non-people. From there should calculate the full scope of effective permissions for all identities in your cloud, and hopefully visualize this as an identity chain. Finally, you need continuous monitoring to make sure least privilege is maintained.

Lastly, we’ll define CWPP. Cloud Workload Protection Platforms were created to take an age-old problem, detecting security vulnerabilities, and evolve it to the cloud. According to Gartner, Cloud Workload Protection Platform is a “workload-centric security solution that targets the unique protection requirements” of the workloads operating in today’s cloud. In other words, it’s vulnerability scanning for the cloud. Any workload performing a service, be it an EC2, a VM in Azure or GCP, containers in any cloud, etc. offers an opportunity for attack, no matter how briefly it is being spun up.

Now that we’ve covered these three major cloud security solutions, let’s get back to the overwhelm you might be facing when implementing a new solution. Even once your organization has determined what their security needs are, and what the right solution for those problems are, the actual use cases for these overarching solutions can still feel abstract. 

This blog aims to map out real world use cases, to point out where each solution could have stepped in. In the end, we’ll describe a common narrative seen in real data breaches and how each solution, in one integrated platform could have helped.

CIEM vs CWPP vs CSPM

Use Case #1 

Your business quickly moved to the cloud after great pressure to migrate from your CEO. Some factors were sacrificed in the name of speed. So you’re already in the cloud, but now you need to make sure your environment is secure at a foundational level with some built-in accountability. Is MFA turned on? Do you have logging and auditing enabled across the cloud? How can you lock in a secure baseline so that you can continuously evaluate for any irregularities and alert when they are noticed?

Recently a big name in the paper was breached after an S3 bucket was publicly accessible. It raised some alarm bells for your security team and now you’re looking for a way to tighten up your security posture. First, you need to discover all your datastores. Whether or not there is an intended home for your data, you must discover where it actually exists right now. Once you know where your data is, how do you ensure all the appropriate controls are in place? Is your data publicly accessible? Are all your datastores encrypted? Do you have audit enabled, especially secondary audit? Without every precaution taken, you worry you might just be the next name in the paper.

The solution you need: CSPM

Use Case #2 

Your cloud is expanding at rapid rates, in fact it is reported organizations have just short of an average of 8,000 identities in their environment. Your business recently faced the consequences of a lack of visibility into all the identities in your cloud when a dormant non-person identity still held a variety of over privileged access rights and was used unknowingly by a DevOps engineer  leading to a data breach. You need a way to inventory all the identities in your environment, at a massive scale, to ensure this never happens again. 

With an inventory, you learn who and what are all the identities. That’s right, this means understanding not only all the people-identities, but also all the non-person identities, like Roles, Service Principles and Accounts, virtual machines,serverless functions, so on. You need to know all the effective permissions, or the full scope of permissions all these identities hold. Understanding the effective permissions of every identity is the only way to expose the permissions that fall out of policy, or are excessive permissions. Next, you must achieve least privilege by stripping identities of unnecessary permissions and ensuring everyone and everything can only do the actions absolutely necessary to their job function. Great, you’re at least privilege now, but it doesn’t end there. You need to remain there and find a way to constantly monitor your environment to detect any out of policy changes or strange behavior relating to permission use.

The solution you need: CIEM

Use Case #3

Your business is using several virtual machines to run an application. However, you recently heard about a breach in the news where the attacker exploited a vulnerability in a workload as their entryway to the environment, and you want to make sure the same doesn’t happen to you. The task at hand is inventorying all virtual machines in use. You need complete visibility into the potential vulnerabilities in your VMs. But wait, your team is actually finding several security concerns, and is quickly becoming overwhelmed. You need a way to prioritize which vulnerabilities to address first because the potential impact of every vulnerability is unique. Each workload ties back to data and identities only exacerbating the potential impact if a VM is exploited. How do you discover if your non-person identities (VMs) have excessive permissions? Are they using these permissions? What data do they have access to? How sensitive is that data? Each question influences the blast radius of a vulnerability being exploited on your VMs. Context is critical … more critical than ever before.

The solution you need: CWPP

Use Case #4

Picture this: There is a vulnerability on a workload, a virtual machine, and a malicious attacker exploits it and gains access. There is a non-person identity on this workload that is grossly over permissioned and has access to a bunch of data stores containing some very sensitive information. Once an attacker has exploited the vulnerability, now they have access to this non-person identity. It gets worse. With the identity in hand, the attacker now enumerates the data stores looking for sensitive data. Bingo, they’ve found the data they’re looking for, and again, with the compromised non-person identity, and therefore all the permissions of that identity, they can exfiltrate the sensitive data out of the environment. 

To put salt in an open wound, because secondary audit is not enabled on the data stores involved, the affected company is entirely unaware of any of this. In fact, they know nothing of it until a 3rd party informs them that their data is for sale on the internet.

How do CSPM, CIEM and CWPP work together?

This last story should sound like a nightmare to you. However, as bad as it sounds, this is a common narrative happening to many organizations today. It is the perfect example to map out how individual risks in your cloud all tie together into a recipe for disaster.

In this case, it all starts with a high-vulnerability present in a virtual machine, this is where CWPP comes in. In an ideal world, with a working cloud protection solution, this vulnerability would have been detected in a scan. But let’s continue – how serious is this vulnerability? Well, it turns out the VM is exposed to the Internet via a poorly designed NSG. Not only do we see CWPP in play, but now CSPM is involved. CSPM’s abilities are aimed at detecting flagrant misconfigurations like publicly accessible data or resources. Once this misconfiguration was detected, your team could remediate the concern, thwarting the attack.

Looking into things further, the virtual machine has a non-person identity on it that has permission to access all of your sensitive data and take any action. Because the virtual machine has been compromised, the NPI attached is too. Cue: CIEM. With a mature CIEM solution in place, this over privileged identity would have been detected and flagged for your teams to address, preventing this compromise entirely.

The scenario is exacerbated by the fact that the involved datastore does not have secondary audit enabled, or read/write permissions. This is the critical point that leaves the business completely unaware of their breach. With a CSPM solution, this type of basic misconfiguration would be detected as it deviates from the most secure best practices your business defines.

One Integrated Platform

If you take anything away from this potential story, understand the power that integrating   CSPM, CIEM and CWPP solutions together provides your business. Use cases for each point solution have existed for some time now, but modern business needs are more complex and warrant the context that integrating all three of these solutions together provides. Why not get every line of defense you can?

Sonrai Dig was created, leveraging CSPM, CIEM and CWPP together, to address this exact business need. Our workload protection reveals vulnerabilities you didn’t know were there and prioritizes them by risk. This context is only possible through our patented graphing technologies that connect every pathway between all the identities in your cloud and the data they can access. Tie it all together with foundational CSPM checks to make sure you have all the proper configurations to utilize your cloud to its fullest (and most secure) potential.

If you’re ready to see Dig in action, request a demo today.