Key Criteria for Evaluating Cloud Security Posture Management Solutions v1.0

An Evaluation Guide for Technology Decision Makers

Table of Contents

  1. Summary
  2. Cloud Security Posture Management Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Chris Ray

1. Summary

Too often, security teams struggle to make do with suboptimal, legacy on-premises architectures. These architectures are filled with bolt-on security solutions that may perform well enough but aren’t able to provide the depth of insight or degree of security that organizations require today.

The widespread—and accelerating—adoption of the public cloud can be a catalyst for change and an opportunity for security teams to start anew. Many security teams are finding that engineering and product teams are looking to them for guidance when shifting processes and workloads to the cloud and architecting and creating public cloud services.

While cloud security posture management (CSPM) solutions can’t provide proactive architectural guidance for engineering teams, they can provide invaluable insights into the chosen architecture, the services in use in the public cloud, the identities (users) managing the public cloud, and even the workloads running in the cloud.

CSPM offerings are typically cloud-native security solutions that leverage the numerous application programming interfaces (APIs) available through public cloud providers to collect data. The data gathered through these APIs is sorted and then analyzed in various ways to identify risks, such as misconfigurations and vulnerabilities. A CSPM solution’s ability to gather public cloud configuration data and workload events allows it to provide detailed visualizations of the cloud architecture. CSPM solutions also enable users to identify relationships among cloud services, workloads, and other various cloud assets.

Together, these features provide deep visibility into a technology that is often regarded as opaque.
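To make the workflow sketched above concrete (collect configuration records through provider APIs, evaluate them against posture rules, and correlate resources with one another), here is an added example that is not part of the GigaOm report and not any vendor's code. It runs a few CSPM-style checks over a small constructed inventory; the record shapes, field names and resource identifiers are assumptions made for the illustration, not any cloud provider's real API schema.

```python
"""Toy CSPM-style posture checks over a constructed cloud inventory.

Added example (not from the GigaOm report). The inventory records below are
constructed to resemble normalized provider API responses; field names and
resource ids are assumptions, not any real provider's schema.
"""
from collections import defaultdict

# Constructed inventory: the kinds of records a CSPM pulls via provider APIs.
INVENTORY = [
    {"id": "bucket-logs", "type": "storage_bucket", "public_read": True},
    {"id": "bucket-data", "type": "storage_bucket", "public_read": False},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-admin", "type": "security_group",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "vm-web-1", "type": "instance",
     "security_groups": ["sg-web"], "role": "role-web"},
    {"id": "vm-bastion", "type": "instance",
     "security_groups": ["sg-admin"], "role": "role-admin"},
    {"id": "role-web", "type": "iam_role", "policies": ["read-bucket-data"]},
    {"id": "role-admin", "type": "iam_role", "policies": ["*"]},
    {"id": "alice", "type": "iam_user", "mfa_enabled": True, "console_access": True},
    {"id": "svc-deploy", "type": "iam_user", "mfa_enabled": False, "console_access": True},
]

# Ports whose exposure to the whole internet is treated as a misconfiguration.
ADMIN_PORTS = {22, 3389}


def check_public_buckets(inv):
    """Storage buckets readable by anyone."""
    return [r["id"] for r in inv
            if r["type"] == "storage_bucket" and r.get("public_read")]


def check_open_admin_ports(inv):
    """Security groups that allow an admin port from 0.0.0.0/0."""
    findings = []
    for r in inv:
        if r["type"] != "security_group":
            continue
        for rule in r.get("ingress", []):
            if rule["port"] in ADMIN_PORTS and rule["cidr"] == "0.0.0.0/0":
                findings.append((r["id"], rule["port"]))
    return findings


def check_users_without_mfa(inv):
    """Console-enabled identities with no MFA."""
    return [r["id"] for r in inv
            if r["type"] == "iam_user" and r.get("console_access")
            and not r.get("mfa_enabled")]


def build_relationships(inv):
    """Edges instance -> security group / role: the relationship view a CSPM draws."""
    edges = defaultdict(list)
    for r in inv:
        if r["type"] != "instance":
            continue
        for sg in r.get("security_groups", []):
            edges[r["id"]].append(("uses_security_group", sg))
        if r.get("role"):
            edges[r["id"]].append(("assumes_role", r["role"]))
    return dict(edges)


def exposed_instances_with_wildcard_role(inv):
    """Correlate findings: instances reachable on an admin port from anywhere
    that also carry a role with a wildcard policy. Neither finding alone
    tells the story; the combination is what raises priority."""
    open_sgs = {sg for sg, _ in check_open_admin_ports(inv)}
    wildcard_roles = {r["id"] for r in inv
                      if r["type"] == "iam_role" and "*" in r.get("policies", [])}
    result = []
    for inst, edges in build_relationships(inv).items():
        sgs = {target for kind, target in edges if kind == "uses_security_group"}
        roles = {target for kind, target in edges if kind == "assumes_role"}
        if sgs & open_sgs and roles & wildcard_roles:
            result.append(inst)
    return result


def run_all(inv):
    """Aggregate every check into one findings report."""
    return {
        "public_buckets": check_public_buckets(inv),
        "open_admin_ports": check_open_admin_ports(inv),
        "users_without_mfa": check_users_without_mfa(inv),
        "exposed_instances_with_wildcard_role": exposed_instances_with_wildcard_role(inv),
    }


if __name__ == "__main__":
    for name, findings in run_all(INVENTORY).items():
        print(f"{name}: {findings}")
```

The point of the last check is the one the report makes about relationships: a CSPM's value comes less from any single misconfiguration rule than from joining configuration, network exposure and identity data so that the instance behind an open admin port with an over-privileged role floats to the top of the queue.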

CSPM solutions started as simple API monitoring and data visualization solutions meant to give security teams visibility into cloud infrastructure. However, these solutions quickly grew beyond that use case and now include identity and access management (IAM) and workload monitoring. And soon, they might include forms of application security like static application security testing (SAST) or source code analysis (SCA) as vendors attempt to build one-stop-shops for cloud security.

This GigaOm Key Criteria report details the criteria and evaluation metrics for selecting an effective CSPM solution. The companion GigaOm Radar report identifies vendors and products that excel in those criteria and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading CSPM offerings, and help decision-makers evaluate these platforms so they can make a more informed investment decision.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.