While CSPMs (Cloud Security Posture Management tools) are everywhere, on their own they are not the right solution for a secure cloud.

One of the key lessons I have learned from leading the platform group at a prominent CNAPP (Cloud Native Application Protection Platform) company is that getting your cloud infrastructure under control starts with Infrastructure as Code (IaC). The truth is, security best practices and cloud configuration management aren't just about scanning for vulnerabilities or misconfigurations; they are about establishing a sustainable, scalable, and secure cloud environment from the ground up.

Traditional tools like CNAPP and CSPM have played a significant role in hardening cloud configurations by scanning them against security best practices. The vendors behind them have been pioneers in this space, helping organizations identify issues like publicly accessible S3 buckets, IAM users without Multi-Factor Authentication (MFA) or roles that can be assumed without it, and the other well-known cloud pitfalls and misconfigurations that expose your cloud and organization to unnecessary risk.

However, as cloud environments grow more complex, CSPMs remain great at surfacing these issues, but fixing them through IaC is where the real power lies. Ultimately, scanning for vulnerabilities is not the goal; it is a means to keeping our cloud secure and governed. That means we must not chain the entire platform engineering team to chasing security tickets generated from the scanner's output.

Imagine all your cloud configurations—from MFA-enforced IAM roles to automated key rotations—being managed through IaC. Not only are they configured securely today, but any changes made in the future will be validated against the same security best practices before deployment. This is what gives you true control over your cloud security. And this is just one example. 

The truth is, if you don't fix it in IaC, the fix won't last. Changes made outside the code create drift: they are undocumented, they are not immutable, and they fall outside the scope of testing. The crux of the problem is that security teams depend on platform teams to produce the IaC, and that is where automation tools like Firefly come in. The future of cloud security lies in Infrastructure as Code (IaC), the backbone of consistency, security, and efficiency in dynamic cloud environments.

Why CSPMs Became Popular

In the early stages of cloud adoption, organizations faced a significant challenge: managing and securing a rapidly expanding and complex cloud environment. Traditional security tools weren't designed to handle the dynamic nature of cloud infrastructure, leading to a gap that needed to be filled. This is where CSPM solutions came into play.

CSPMs became popular for several reasons:

  • Visibility into Cloud Assets: They provided organizations with much-needed visibility into their cloud resources, configurations, and potential vulnerabilities.
  • Automated Misconfiguration Detection: CSPMs could automatically scan cloud environments to identify misconfigurations, such as publicly accessible S3 buckets or IAM users and roles that do not require Multi-Factor Authentication (MFA).
  • Compliance Assurance: They helped ensure that cloud configurations adhered to industry standards and regulatory requirements by continuously monitoring and reporting compliance status.
  • Risk Mitigation: By identifying security gaps early, CSPMs allowed organizations to address issues before they could be exploited by malicious actors.

These tools were essential at a time when the rapid pace of cloud adoption outstripped the ability of organizations to manage security manually. CSPMs filled a critical need by providing automated scanning and reporting capabilities that were otherwise lacking.

This, however, raises a pertinent question. We've been using CSPMs for almost a decade now, yet vulnerabilities, misconfigurations and alerts are still being thrown at us non-stop. Why is that? Because we aren't treating the root problem.

The cloud is so complex and built upon so many moving parts that security simply can't be bolted on after the fact. We need to establish a secure baseline, 'golden images' of sound architecture and high security standards, before deployment, and treat that baseline as a shared responsibility of the entire engineering team. We also need to block or revert changes to the cloud that don't meet those criteria. Once a secure baseline exists, drift from it can be monitored closely and remediated quickly.

The Shift Towards IaC and Policy as Code

As cloud technology matured, so did the strategies for managing it. Organizations began to recognize the limitations of relying solely on CSPMs, particularly the reactive nature of detecting and remediating issues after deployment. This realization sparked a shift towards Infrastructure as Code (IaC) and policy as code.

By governing cloud infrastructure through code, organizations can prevent and mitigate misconfigurations, drift, ghost assets and more, rather than merely detect them. This shift reduces the overhead of triaging and remediating the issues CSPMs identify.

The Power of IaC in Context

We speak tirelessly about the power of everything-as-code, because we truly believe the *-as-code revolution has changed every single engineering domain: from the systems themselves to how they are secured, scaled, and governed.

Just to reiterate the benefits, IaC governs your entire cloud infrastructure through version control, deriving all the same benefits it has brought to other engineering domains. 

In the context of security this includes:

  • Consistent Configurations: All deployments follow predefined security best practices.
  • Automated Deployments: Changes are made through CI/CD pipelines, reducing the risk of human error.
  • Controlled Changes: Unauthorized manual deployments or changes via CLI are minimized.
  • Drift Detection: It's easier to monitor and rectify configuration drift or unmanaged resources.

When you manage your cloud through code, every change is deliberate and traceable. Security checks become an integral part of your deployment pipeline, ensuring that only compliant configurations make it to production.
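The pipeline gate described here, and the MFA-enforced roles and key rotation mentioned in the introduction, come down to one step: evaluating the planned change against a policy before it is applied. The following is an added example, not code from the original post or from any vendor's product. It assumes the plan has been exported with `terraform show -json tfplan > plan.json` and checks three baseline rules over it: no public S3 bucket ACLs, KMS keys must have rotation enabled, and an IAM role's trust policy must require MFA on `sts:AssumeRole` via the `aws:MultiFactorAuthPresent` condition. The plan fragment below is constructed inline so the gate runs offline; the resource addresses and account ID in it are placeholders.

```python
"""Policy-as-code gate over a `terraform show -json` plan (added example)."""
import json
import sys
from dataclasses import dataclass

# Constructed plan fragment in the shape Terraform emits under
# resource_changes[].change.after, reduced to the attributes the rules inspect.
_MFA_COND = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
_ALLOW_ASSUME = {"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
         "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
        {"address": "aws_kms_key.data", "type": "aws_kms_key",
         "change": {"actions": ["create"], "after": {"enable_key_rotation": False}}},
        {"address": "aws_iam_role.admin", "type": "aws_iam_role",
         "change": {"actions": ["create"], "after": {"assume_role_policy": json.dumps(
             {"Version": "2012-10-17", "Statement": [_ALLOW_ASSUME]})}}},
        {"address": "aws_iam_role.deployer", "type": "aws_iam_role",
         "change": {"actions": ["update"], "after": {"assume_role_policy": json.dumps(
             {"Version": "2012-10-17", "Statement": [{**_ALLOW_ASSUME, "Condition": _MFA_COND}]})}}},
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
    ]
}


@dataclass(frozen=True)
class Finding:
    address: str
    rule: str
    message: str


def trust_policy_requires_mfa(policy_json: str) -> bool:
    """True only if every Allow statement that grants sts:AssumeRole carries an MFA condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # IAM allows a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            return False
    return True


def evaluate_plan(plan: dict) -> list[Finding]:
    """Run the baseline rules over every resource the plan will create or update."""
    findings: list[Finding] = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if after is None:
            continue  # deletions carry no desired state to check
        rtype, addr = rc["type"], rc["address"]
        if rtype == "aws_s3_bucket_acl" and (after.get("acl") or "private").startswith("public"):
            findings.append(Finding(addr, "s3-no-public-acl", f"ACL {after['acl']} exposes the bucket"))
        elif rtype == "aws_kms_key" and not after.get("enable_key_rotation", False):
            findings.append(Finding(addr, "kms-rotation", "enable_key_rotation must be true"))
        elif rtype == "aws_iam_role" and not trust_policy_requires_mfa(after.get("assume_role_policy") or "{}"):
            findings.append(Finding(addr, "iam-role-mfa", "trust policy allows AssumeRole without MFA"))
    return findings


def gate(plan: dict) -> int:
    """Exit status for a CI step: 0 when the plan is clean, 1 when any rule fails."""
    findings = evaluate_plan(plan)
    for f in findings:
        print(f"FAIL {f.rule:18} {f.address}: {f.message}")
    return 1 if findings else 0


if __name__ == "__main__":
    # `python gate.py plan.json` in a pipeline; no argument runs the constructed sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    sys.exit(gate(plan))
```

Run as a pipeline step between `terraform plan` and `terraform apply`, a non-zero exit blocks the merge, so the three offending resources in the sample never reach the account, while the role whose trust policy already requires MFA passes untouched. Attributes that Terraform only knows after apply appear under `after_unknown` rather than `after`; the rules above treat them as absent, so a real gate should decide whether unknown values fail closed.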

The Reality of Cloud Deployments

Even the most secure CI/CD pipelines can't prevent all risks. Manual interventions, command-line changes, or actions by external contractors can introduce vulnerabilities. These changes often bypass standard security checks, leading to a contaminated cloud environment.

IaC addresses this by enforcing strict governance, provided it is paired with two controls: drift detection to catch whatever bypasses the pipeline, and IAM permissions that deny out-of-band writes from the console and CLI. With changes routed through code review and automated pipelines, the chances of unauthorized modifications diminish significantly. This not only enhances security but also improves overall operational efficiency.

Moving Beyond Scanning

Simply scanning for misconfigurations is an outdated approach. A decade ago it was innovative, but today's cloud environments require proactive measures. CSPM tools add layers of work: managing the tool itself, interpreting the findings, prioritizing the (many!) issues they output, and then, the crème de la crème, fixing them manually.

With IaC, you eliminate many of these steps. Security is baked into your infrastructure from the start. Instead of reacting to problems, you're preventing them from occurring in the first place.

Integrating CSPM Functionality into Cloud Asset Management Platforms

As organizations strive for more efficient and integrated approaches to cloud security and governance, cloud asset management is emerging as a core solution. These platforms extend the capabilities of Infrastructure as Code (IaC) by not only managing and provisioning resources but also by codifying existing assets, detecting drift and misconfigurations, and identifying ghost or unmanaged assets within the cloud environment.

Platforms like Firefly operate by scanning your cloud infrastructure to discover all assets, including those that may have been created outside of your standard IaC pipelines—often referred to as "shadow IT." Once these assets are identified, the platform codifies them into your IaC framework, bringing them under the same governance and management processes as your existing codebase. This codification ensures that all resources, regardless of their origin, are now managed as code.

By integrating these unmanaged assets into your IaC practices, these platforms enable continuous detection of drift—the divergence between the desired state defined in your code and the actual state in the cloud. They alert you to any unauthorized changes or misconfigurations, allowing for prompt remediation through your established IaC pipelines. This continuous monitoring and enforcement help maintain compliance with security policies and regulatory standards.
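The drift detection described here, and the secure-baseline and drift points made earlier in the post, reduce to one comparison: the desired state recorded by the code against the actual state reported by the cloud API. The following is an added example, not code from the original post or from Firefly. It assumes both sides have been reduced to `(resource type, id) -> attributes` maps, one read from the IaC state and one from the cloud API; both maps below are constructed inline so the comparison runs offline, and the resource IDs are placeholders. Unmanaged ("ghost") resources are emitted as Terraform `import` blocks (Terraform 1.5+ syntax) under a hypothetical `imported_` naming scheme so they can be codified and brought under the same pipeline.

```python
"""Drift, missing-resource and ghost-asset detection (added example)."""
from dataclasses import dataclass, field

# Constructed desired state: what the IaC state file says should exist.
DESIRED = {
    ("aws_s3_bucket", "app-logs"): {"acl": "private", "versioning": True},
    ("aws_security_group", "sg-0a1b2c"): {"ingress_cidrs": ["10.0.0.0/8"]},
    ("aws_iam_user", "ci-deployer"): {"mfa_enabled": True},
}

# Constructed actual state: what the cloud API reports right now.
ACTUAL = {
    ("aws_s3_bucket", "app-logs"): {"acl": "public-read", "versioning": True},  # drifted by a console click
    ("aws_security_group", "sg-0a1b2c"): {"ingress_cidrs": ["10.0.0.0/8"]},   # matches the code
    ("aws_security_group", "sg-ffff00"): {"ingress_cidrs": ["0.0.0.0/0"]},    # ghost asset created via CLI
    # ("aws_iam_user", "ci-deployer") is absent: deleted out of band
}


@dataclass
class DriftReport:
    drifted: dict = field(default_factory=dict)    # key -> {attr: (desired, actual)}
    unmanaged: list = field(default_factory=list)  # in the cloud but not in the code
    missing: list = field(default_factory=list)    # in the code but gone from the cloud

    @property
    def clean(self) -> bool:
        return not (self.drifted or self.unmanaged or self.missing)


def compare(desired: dict, actual: dict) -> DriftReport:
    """Classify every resource as matching, drifted, missing or unmanaged."""
    report = DriftReport()
    for key, want in desired.items():
        have = actual.get(key)
        if have is None:
            report.missing.append(key)
            continue
        # Only attributes the code declares are compared; extra cloud-side
        # attributes (timestamps, ARNs) are not drift.
        diffs = {attr: (want[attr], have.get(attr))
                 for attr in want if want[attr] != have.get(attr)}
        if diffs:
            report.drifted[key] = diffs
    report.unmanaged = sorted(k for k in actual if k not in desired)
    return report


def import_blocks(report: DriftReport) -> str:
    """Terraform 1.5+ import blocks that codify each ghost asset under a placeholder name."""
    blocks = []
    for rtype, rid in report.unmanaged:
        name = "imported_" + rid.replace("-", "_").replace(".", "_")  # hypothetical naming scheme
        blocks.append(f'import {{\n  to = {rtype}.{name}\n  id = "{rid}"\n}}')
    return "\n\n".join(blocks)


if __name__ == "__main__":
    r = compare(DESIRED, ACTUAL)
    for key, diffs in r.drifted.items():
        print("DRIFT    ", key, diffs)
    for key in r.missing:
        print("MISSING  ", key)
    for key in r.unmanaged:
        print("UNMANAGED", key)
    if r.unmanaged:
        print(import_blocks(r))
```

The three outcomes map onto the three fixes the post argues for: drift is remediated by re-applying the code (or by a pull request if the console change was the intended one), a missing resource is restored by the same apply, and a ghost asset is first imported so that its configuration, the wide-open security group here, becomes reviewable code that the same policy gate can reject.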

Moreover, these cloud asset management platforms effectively bake CSPM functionality into your "as code" practices. They provide visibility and control over every resource running in your cloud environments, while enforcing policies and governance. This integration removes the need for a separate CSPM tool, because security checks and compliance validations are embedded directly into your code management processes, where they belong. Consolidating tooling this way keeps engineers from being overwhelmed and simplifies cloud management.

The Future of Cloud Governance

The cloud is more than just a collection of servers and services—it's a dynamic environment that requires modern solutions. CSPM tools have served us well, but the future is moving towards cloud asset management through infrastructure as code. By managing your cloud through code, you gain comprehensive control, enhanced security, and operational efficiencies.

This approach aligns with the industry's shift toward proactive security measures, where building secure configurations from the ground up replaces the reactive model of detecting and fixing issues post-deployment. By managing your cloud infrastructure through code—and enhancing it with platforms that offer comprehensive asset management and policy enforcement—you position your organization at the forefront of cloud security and operational excellence.

Embrace IaC, and transform the way you approach cloud security. Not only will you achieve what CSPM offers, but you'll do so more effectively, efficiently, and securely.
