Anthony (Tony) Sabaj is currently the Director of Channel Security Engineering for North America at Check Point, with over 25 years of experience in the Cyber/Information/Network security. Tony has been at Check Point since 2002 in a variety of sales and technical roles. Prior to joining Check Point, Tony was a Senior Product Manager at Telenisus, a startup MSSP/VAR in Chicago. In 2001 the MSSP business of Telenisus was sold to Verisign to start their MSSP business and the VAR business was sold to Forsythe to start their Security Practice. Tony joined Forsythe shortly after that acquisition as a Security Consultant and Certified Check Point trainer. Tony started his career with Arthur Andersen/Andersen Consulting, building their worldwide IP network, designing the security controls for the firm and helping build their external Security Consulting Practice.
In this interview, Tony Sabaj discusses how to evaluate Cloud Security Posture Management (CSPM) tools, whether or not to combine cloud security services from multiple vendors, how to build a successful cloud security governance program and more. This interview provides premium cyber security insights.
See part 1 of this interview series here.
Cloud security tools are complex. How can CISOs compare new CSPM tools effectively?
CISOs need to consider their cloud environment makeup. Is their cloud presence made up of mostly Infrastructure-as-a-Service (IaaS), virtual machines, database instances and storage or is (or will be) made up of a more agile cloud environment that utilizes workloads, functions as a service (FaaS), containers and APIs/Platform as a Service (PaaS)?
A basic CSPM solution may provide good visibility and inventory for a IaaS deployment and as more organization move to a more agile, cloud-first environment, CISOs need to look at extension of CSPM functionality called Cloud Workload Protection Platform (CWPP). CWPP will help secure and monitor workloads in a PaaS, FaaS and container environments. CSPM views the cloud from an outside in approach, whereas CWPP focuses from the inside out. A good CSPM tool needs to have both the capabilities of a CSPM and CWPP.
As mentioned earlier, a CISO also needs to make sure that the CSPM tool is covering the appropriate regulatory requirements and supports the cloud platforms/providers that the organization utilizes. One of the great features of CSPM tools is the ease of deployment and evaluation. Different tools can run simultaneously with little to no impact on the environment, making the comparison of different tools easy.
Would you recommend that organizations combine services from multiple vendors or opt for a single vendor?
No single vendor is going to meet all of your cloud security needs. Utilizing the capabilities of a single vendor for as much as possible has many benefits. For starters, the total cost of ownership (TCO) will be lower through subscription cost/price and cost to operate/configure the solutions. The risk of misconfiguration is also much lower with a single/fewer vendor solutions. Misconfiguration are the leading cause of cloud security incidents, misconfiguration of the security tools is just as dangerous. A misconfigured security solution can give an organization a false sense of protection. As we see the CSPM and CWPP markets merge, a single vendor solution will have better interoperability and provide overall better security effectiveness than multiple point solutions. A vendor that provides additional functionality will also have better intelligence to apply to the cloud environment. The use of real-time intelligence is one of the most effective solutions to secure cloud environments. Notably, niche product vendors will not have quality intelligence to apply in a holistic cloud security program.
What level of experience is needed in order to implement and run CSPM solutions? Could a CISO give ‘ownership’ to another professional?
CSPM solutions are unique in that you do not need vast cloud expertise to configure and manage them on an ongoing basis. A high quality CPSM tool will come with predefined rule sets based on industry and regulatory frameworks. Organizations can easily apply the predefined rulesets to their cloud environment. CSPM solutions utilize the APIs exposed by the platform provider; the vendor of the CSPM tool has already done the integration for you. A quality CSPM solution provides updates to these rulesets in real-time, and takes advantage of newly exposed APIs from the cloud providers.
What does the forecast look like in terms of CSPM market size?
CSPM is one of the first security tools that most organizations implement as they move or grow their cloud presence. According to Markets and Markets, the CSPM market is about $4.0 billion today and expected to grow to $9.0 billion by 2026, almost a 15% compound growth over the next 4-5 years. Just as the cloud will evolve over the next 5 years, so will CSPM tools and I expect this market to grow at a faster rate as CSPM and CWPP markets merge into a single solution.
Further recommendations for building a successful cloud infrastructure security governance program?
We covered many of the important points as they relate to CSPM and CWPP. Security for the cloud does not stop with CSPM and CWPP, an organization needs to build security into the lifecycle of their cloud infrastructure. CSPM and CWPP tools incorporate security into the Continuous Integration and Continuous Development (CI/CD) process.
Cloud native security tools, of which CSPM is one, do not require redirection of traffic or proxies to gain visibility. Instead, they are utilizing native functionality of the platforms to perform their security functions. This native integration not only allows for security insertion at run time, but also enables security enforcement to happen during the code development. This concept, commonly referred to as ‘shift left’ security, allows for continuous monitoring and compliance thought the CI/CD process. A robust CSPM solution can scan and monitor formation templates, scripts/APIs and code repositories to achieve full life cycle security.
Discover new cyber security and business insights in CyberTalk.org’s newsletter. Sign up here.