Growing complexity requires security and risk teams to wade through an assortment of tools and technologies, but many of these traditional technologies are ill-suited to the two-pronged concern of identity and SaaS hijacking. Given their origins in network-based architectures, traditional security controls are hard to adapt to this new reality, so a new architectural model for security is needed.
“Increasingly, business-critical operations are performed via SaaS services, existing entirely outside the corporate network, making traditional controls ineffective. New controls are needed to address these new realities.”
- Gartner, 2022
Security leaders repeatedly express the same concerns about their overall cloud security exposure and risk, and in 2023, visibility, risk, and access control remain the top challenges.
Cloud Security Posture Management (CSPM)
A automated data security solution category that manages monitoring, identification, alerting, and remediation of compliance risks and misconfigurations in cloud environments. One of its most critical functions is the continuous proactive process of enterprise-wide asset visibility, configuration assessment, and transformation to reach a target security state.
Cloud Infrastructure Entitlement Management (CIEM)
Typically used to monitor and manage account entitlements across user accounts to cloud infrastructure (IaaS), cloud infrastructure entitlement management (CIEM) identifies dormant and unnecessary entitlements on user accounts and enables remediation and enforcement of least privilege security approaches. One of its most critical functions is identifying excessive entitlements by continuously monitoring the permissions and activity of human and nonhuman entities related to IaaS, both for the public and private clouds.
Cloud Workload Protection Platform (CWPP)
A workload-centric solution for securing application targets with unique protection requirements, often as a translation of protection schemes migrating from on-premise application controls. Workloads in modern cloud environments can include physical servers, virtual machines (VMs), containers, microservices, and serverless workloads. One critical function for CWPP is the combination of system integrity protection, application control, behavioral monitoring, and optional anti-malware from some vendors.
Cloud-Native Application Protection Platform (CNAPP)
A solution with an integrated approach intended to consolidate key functions of cloud security tools such as configuration and posture management as well as cloud workload protection capabilities.
Additionally, CNAPP functions as a unifying solution across siloed capabilities, including container security, infrastructure as code scanning (IaC), infrastructure entitlements (CIEM), runtime workload protection (CWPP), and monitoring cloud security posture (CSPM). One critical function for CNAPP is improving developer and security professional effectiveness and collaboration, shifting security controls left and right throughout the cloud application lifecycle.
SaaS Security Control Plane (SSCP)
An identity-based architectural element commonly leveraged to discover SaaS services and user-SaaS relationships, identifying risky access controls, malicious or abandoned SaaS services, credential exposures, and accumulated risk throughout the SaaS service layer.
One critical function of SSCP is unified visibility and control over SaaS services, leveraging identities as the primary enforcement point in user-SaaS connections, including automating offboarding for SaaS services, SaaS users, or any combination of the two.
SSCP is typically part of a broader enterprise security strategy, complementing capabilities such as cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), identity and access management (IAM), and cloud access security brokers (CASB).
SaaS Security Posture Management (SSPM)
A solution for continuously assessing security risk for specific SaaS applications, generally related to 10-20 SaaS services per organization. Typically, SSPM follows the implementation of SSCP in most cloud security programs. SSPM’s core capability includes reporting on configuration failures or exposures within SaaS services, managing authorization, and insider threat indicators. Some SSPM solutions offer optional benchmarking, compliance comparisons with security and industry frameworks and auto-reconfiguration for SaaS permissions.
Also known as identity and access management as a service (IDaaS) or IAM as a service, this tool set is a subset of identity management and identity governance solutions, deployed as a service instead of on-premises, or IaaS hosted services.
One key function for SaaS-Delivered IAM is the ability to provide single sign-on (SSO) access control and governance, typically via secure assertion markup language (SAML) or OAuth access authentication controls. Optional functions for privileged access management (PAM) and customer identity and access management (CIAM) help to add value to SaaS-Delivered IAM tools.