4 types of cloud security tools organizations need in 2024

1. Cloud security posture management tools

Organizations should implement cloud security posture management (CSPM) tools and services, especially in multi-cloud environments. CSPM tools help automate discovery, monitoring and remediation of misconfigurations and compliance risks in the cloud.

Most leading cloud service providers have basic service offerings in this category, including Amazon GuardDuty, AWS Security Hub, Microsoft Defender Security Center and Google Cloud Security Command Center. For smaller or less complex organizations, especially those wholly invested in just one cloud environment, these native services could suffice to manage misconfigured assets, missing best practices or exposed assets and services.

Larger enterprises and those in more than one cloud warrant a third-party tool to help centralize the monitoring, reporting and remediation of vulnerable and poorly configured cloud infrastructure.

CSPM tools include the following:

• Wiz works in hybrid cloud deployments, features more than 1,400 cloud misconfiguration rules and offers compliance monitoring.
• Orca Security monitors cloud workloads, misconfiguration and policy violations, container security and more for the software development lifecycle (SDLC).
• Sysdig helps discover and fix misconfigurations, conduct attack path analysis and more.

2. Cloud-native application protection platforms

Organizations should also consider cloud-native application protection platforms (CNAPPs). This category is growing rapidly to encompass cloud workload protection, some CSPM capabilities, and data- and identity-related security controls, as well as DevOps pipeline security controls.

CNAPPs fill the gaps where traditional security processes cannot adequately provide prevention, detection and response for cloud-native workload types, such as containers, Kubernetes services and serverless functions. Additional CNAPP features, such as assessment of infrastructure-as-code and container workload images in the pipeline, also help spot issues before deployment.

CNAPP software includes the following:

• Sysdig provides cloud detection and response, vulnerability management, posture management, and permissions and entitlements monitoring.
• Aqua provides software supply chain security, scans for vulnerabilities, and detects and responds to attacks and threats in the SDLC.
• Palo Alto Networks' Prisma Cloud helps discover and remediate security flaws in code repositories, protect runtime cloud workloads and defend against zero-day vulnerabilities.

3. Security service edge tools

Organizations moving to more cloud-based infrastructure and making heavy use of SaaS offerings should look into security service edge (SSE), sometimes combined with the larger category of secure access service edge, which includes software-defined WAN offerings.

SSE helps offload traditional security controls, such as network firewalls, content filtering proxies, data loss prevention and end-user access controls. The cloud security tool offers authentication and authorization alignment to a cloud service instead of a traditional VPN to the data center, which is often tied to zero-trust network access. This improves flexibility and performance for end users who primarily use cloud tools instead of on-premises resources.

SSE products include the following:

• Zscaler SSE provides policy-based access to applications and services for users, customers and third parties.
• Netskope Intelligent SSE provides granular policy security enforcement to protect workflows for users with data protection features and threat protection.
• Palo Alto Networks' Prisma Access secures cloud application traffic through a standard policy framework to reduce data breaches and data exfiltration.

4. Cloud infrastructure entitlement management tools

Another tool to consider is cloud infrastructure entitlement management (CIEM). All assets in PaaS and IaaS clouds have some type of identity orientation, and identity and access management (IAM) policies can proliferate quickly, often with excessive privileges. CIEM can help automate this.

Smaller organizations might get away with using the native cloud provider services that evaluate identity roles and policies, for example, AWS IAM Access Analyzer. Larger organizations with many cloud resources and complex deployments could benefit from CIEM tools that evaluate identity relationships and policies, report on possible attack paths and excessive privileges, and remediate issues when they're discovered.

CIEM tools include the following:

• Tenable CIEM helps identify and monitor access and permissions, automates analysis and remediation efforts, and keeps an inventory of all identities, entitlements and resources.
• Sonrai Security helps identify and remediate unknown admin accounts, cleans up old and unused identities, and implements least-privilege access policies.
• CrowdStrike Falcon Cloud Security monitors and remediates security issues, including disabled MFA, identity misconfigurations and account compromises, and detects and responds to identity-based attacks.

Worth considering: SSPM and DSPM

Many of these cloud security tools are evolving and even converging into new, consolidated product suites that could easily change in the next several years. The common element of all the tools mentioned is addressing security challenges unique to cloud deployments.

A couple emerging cloud security tools that might be worth adopting in the future are SaaS security posture management (SSPM) and data security posture management (DSPM), but the four listed here are at the top of many cloud security teams' lists today.

Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.