Solving the Multicloud Security Puzzle with CSPM

These tools examine and compare a given cloud environment against a defined framework, security best practices and known risks. When a risk is revealed, CSPM sends alerts to the security team, which can manually review and address the risk or set up a tool for automated remediation.

“As organizations struggle to have security resources in place, CSPM offers a magic box,” says Rod Wallace, general manager of vulnerability products at Amazon Web Services. “CSPM is a cloud operations team, a security engineering team, a compliance team, a threat modeling team, a triage team, all rolled into one. It’s a tool that helps organizations set security guardrails and ensure controls are in place, providing a variety of valuable security functions for cloud resources.”

CSPM Addresses Rising Security Responsibilities and Limited Talent

Cloud security’s original sin is its shared-responsibility model, where the cloud provider is on the hook for the overall security of the cloud platform while the client is responsible for securing the applications and resources being used on the platform. As agencies increasingly embrace multicloud, the overall security responsibility has grown increasingly complex.

“This complexity, with federal agencies running data and apps across numerous clouds, creates a security challenge,” says Sai Balabhadrapatruni, vice president of marketing for Prisma Cloud at Palo Alto Networks. “These cloud infrastructures have allowed developer teams to move very fast, but such growth creates unique security risks.”

Along with multicloud complexity, the cybersecurity skills gap faced by agencies and their private sector counterparts is also expanding. These sectors need an additional 225,000 cybersecurity workers to close that gap, according to data released by market analysis tool CyberSeek.

As a result, many agencies lack the staff to manage their increasing multicloud security responsibilities, paving the way for CSPM tools.

The Primary Threats CSPM Combats

Misconfigurations are an inherent part of working in the cloud, and attackers have become very proficient at exploiting them. The reasons are numerous. Among them: to steal personal identifiable information, to export classified information or to gain access to compute resources to support illicit crypto mining operations.

The exploits themselves tend to fall into two categories.

"Identity-based attacks are widespread," Balabhadrapatruni says. "Attackers are exploiting weak authentication policies and stolen user credentials to gain a foothold within the cloud and then escalate privileges to steal or hold data for ransom.”

The other major threat is exploiting unpatched vulnerabilities in application code. Nearly two-thirds of code used in production has unpatched vulnerabilities, according to Palo Alto Networks’ recent Unit42 cloud threat report.

“Cloud storage buckets that are left inadvertently accessible to the public are another common vulnerability,” Wallace says. “We are also seeing attackers attempting to seek out misconfigured cloud-edge security, where some ports have been left open, allowing the attackers access to the organization’s cloud assets.”

CSPM Helps Agencies with FedRAMP Compliance

The Federal Risk and Authorization Management Program looms large over agency cloud operations, helping maintain the confidentiality, integrity and availability of information and systems in the cloud. CSPM tools are uniquely suited for meeting an agency’s FedRAMP compliance needs.

“The AWS Security Hub service gives you a longitudinal overview of your assets, allows you to set guardrails from the top down and offers flexibility for dev teams when needed,” Wallace says. “CSPM is great for driving best practices down to development teams working in the cloud, allowing them to run fast but securely.”

DISCOVER: Complying with civilian and defense security frameworks is tricky but not impossible.

Being able to monitor security compliance across multiple cloud resources and then gather all of that data in one feed for the cloud security team to act on is part of what makes CSPM so valuable. In its 2024 State of Cloud-Native Security Report, Palo Alto Networks found that 91% of organizations blame the growing number of point tools for creating blind spots.

"Noisy alerts from multiple sources make it hard to spot real threats, turning cloud security into a data analysis challenge,” Balabhadrapatruni says. “With data scattered across platforms and tools offering only narrow views, security teams struggle to identify the most critical risks to protect their applications.”

Prisma Cloud connects the all-important dots of application risk, security signals and runtime threats across the entire app life cycle to deliver actionable context, with more than 1,500 prebuilt cloud security policies running in the background to prevent misconfiguration and drift, he says.

Automation and Artificial Intelligence Support CSPM

Another aspect of growing cloud complexity is the increasing activity across all of an agency’s clouds. These assets and resources, all delivering a steady stream of log data and alerts, still require monitoring, which artificial intelligence can assist with.

“The talent and skills shortages, all of these conditions create a need for AI to counter attacks, including the rising number of AI-based attacks,” Balabhadrapatruni says. “Prisma Cloud Copilot helps understaffed security teams by using simple natural language queries to quickly find, understand and stop threats before they escalate.”

EXPLORE: What is AI-capable infrastructure? What do agencies need to know?

The beauty of a CSPM tool is that it is able to take in this flood of data and make sense of it, prioritizing and giving context to the security team, who can then triage and set priorities for which threats require immediate remediation and which can wait.

“At the compliance level, AWS Security Hub provides a security score, and customers can then drive action at the systems level to fix problems,” Wallace says. “They can choose direct remediation, where the security team directly communicates remediation steps to individual teams, or they can use automation rules, for example, and have the CSPM tool integrated with a ticketing system that automates the remediation process.”

To meet the needs of short-staffed security teams, many CSPMs also use AI to offer simple, clear directions on needed remediation steps.

“The laborious task of going through documentation, navigating multiple dashboards and writing complex queries to find and fix a security issue can be completely automated with Prisma Cloud Copilot,” Balabhadrapatruni says. “With generative AI assistants like the Copilot, security teams can save time, automate routine tasks and, in some cases, overcome the challenges around talent shortage when it comes to cloud security.”